Why the Increase in Data Breaches Involving PHI?

The answer is: Money, Money, Money…

The street value of a stolen medical identity is worth $50 versus $1 for a stolen Social Security number according to AHIMA¹, the American Health Information Management Association. According to the annual report to Congress this week by the Department of Health and Human Services (HHS), theft of PHI was the most common cause of data breaches involving PHI in 2009 and again in 2010 – occurring in 50% of all health care data breaches. View the complete report here .

2009: 27 incidents of 45 involved theft affecting 1,468,578 individuals

2010: 99 incidents of 207 involved theft affecting 2,979,121 individuals

The impact on the health care industry has been estimated in the tens of billions of dollars annually. The impact on individuals may be serious harm to their health.

What should entities who are entrusted with protecting PHI do?

According the report, most entities who experienced breaches of PHI of 500 or more records did take action to mitigate the potential consequences of the breaches and prevent future breaches, including:

1. Revising policies and procedures;

2. Improving physical security by installing new security systems or by relocating equipment or records to a more secure area;

3. Training or retraining workforce members who handle protected health information;

4. Providing free credit monitoring to customers;

5. Adopting encryption technologies;

6. Imposing sanctions on workforce members who violated policies and procedures primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access;

7. Changing passwords;

8. Performing a new risk assessment; and

9. Revising business associate contracts to more explicitly require protection for confidential information.

¹AHIMA, Mitigating Medical Identity Theft.