Three of the top six data breaches of 2011 were in healthcare

Three of the top six most significant data breaches of 2011 took place in the healthcare industry, says the Privacy Rights Clearinghouse (PRC), a nonprofit consumer protection and advocacy organization.

Breaches at Sutter Physicians Services/Sutter Medical Foundation came in third, Health Net came in fifth, and Tricare Management Activity/Science Applications International Corporation came in sixth.

PRC has tracked breaches since 2005 and publishes a yearly chronology of those breaches. In a press release announcing its top six picks for the most significant data breaches of 2011, the organization said this year had some of the biggest breaches since it began tracking them. The group tracked 535 breaches involving 30.4 million sensitive records. Of those 535 breaches, 190 of them were in the healthcare system.

A number of reports have been sounding the alarm over data breaches in healthcare.

Earlier this month, a study conducted by the Ponemon Institute found that the frequency of data breaches in healthcare has increased by 32 percent in the last year, at an estimated cost to the industry of $6.5 billion.

[See also: Ponemon study says data breaches cost U.S. healthcare $6.5B annually.]

What’s more, the industry isn’t prepared to plug the security holes, said a report issued last fall by PricewaterhouseCoopers’ Health Research Institute.

[See also: PwC: Health industry under-prepared to protect privacy.]

“Medical breaches are particularly significant and harmful because of the sensitivity of personal information exposed, in addition to, often, Social Security numbers and dates of birth,” noted PRC in a statement.

The breaches PRC tracked over the last year are only a fraction of those that actually occur, the organization’s director, Beth Givens, said in the statement accompanying the release of the group’s top six. "This is a conservative number," said Givens in the press release. "We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our chronology is only a sampling."

PRC’s six most significant data breaches of 2011:

  1. Sony PlayStation: An external intrusion on its network and music service caused Sony to block users for seven days. Hackers gained access to 101.6 million records.
  2. Epsilon: The email service provider reported a breach of 75 client companies. Conservative estimates of the number of customer emails breached are 50 to 60 million.
  3. Sutter Physicians Services/Sutter Medical Foundation: A company-issued desktop computer was stolen from Sutter’s Medical Foundation offices. More than 4 million patients had their information exposed.
  4. Texas Comptroller’s Office: Data from three state agencies ended up on a public server and was there for nearly a year before the exposure was noticed.
  5. Health Net: Nine data servers went missing. The servers contained personal information for more than 1.9 million current and former policy owners.
  6. Tricare Management Activity, Science Applications International Corp.: Backup tapes of patient data from the military health system spanning nearly two decades were stolen from the car of an employee who was transporting the data.

Follow HFN associate editor Stephanie Bouchard on Twitter @SBouchardHFN.