More than 60% of people in one state. About 6% of the U.S. And that does not include small breaches.
We analyzed data made public by the Department of Health and Human Services ("DHS") and compared it to 2010 U.S. census data. From 9/2009 through 4/2012, about 6% of the public was "affected by" breaches of protected health care information ("PHI").
Summary of PHI Data Breaches
As shown in the chart below, non-paper-only data breaches affected many people in the U.S., with a lot of state-by-state variation.
The percentages are rounded. To keep the chart readable, we left out states where less than 2% of the population was affected.
Encryption and Secure Cloud Services
The breaches in the DHS data set include data in emails, X-rays, laptops, computers, other portable devices, etc. It's difficult to separate out the purely digital data breaches, but the number appears to be large. For example, paper-only breaches made up only about 3% of the total.
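The per-state figures above come from a simple computation: sum the individuals affected by each breach reported in the window, divide by the state's population, round, and drop states under the 2% threshold, optionally excluding paper-only breaches first. The following is an added example that reproduces that method; it is not the blog's own analysis code, and every breach record and population figure in it is a constructed sample value, not data from the DHS breach list or the 2010 census.

```python
"""Per-state share of the population affected by PHI breaches.

Added example, not the blog's own code. The breach records and the
population figures below are CONSTRUCTED sample values (hypothetical),
not rows from the DHS breach portal or the 2010 U.S. census.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Breach:
    state: str          # two-letter state code
    individuals: int    # individuals affected, as reported
    location: str       # where the PHI was: "Laptop", "Paper", "Email", ...
    reported: date      # date the breach was reported


# Constructed sample records (hypothetical breaches, not real incidents).
SAMPLE_BREACHES = [
    Breach("VA", 4_900_000, "Backup Tapes", date(2009, 11, 1)),
    Breach("VA", 3_000, "Paper", date(2010, 5, 2)),
    Breach("TX", 250_000, "Laptop", date(2011, 3, 9)),
    Breach("TX", 40_000, "Paper", date(2011, 8, 17)),
    Breach("WY", 1_500, "Email", date(2012, 2, 3)),
    Breach("CA", 900_000, "Desktop Computer", date(2012, 6, 1)),  # after the window
]

# Constructed populations (hypothetical round numbers, not census data).
SAMPLE_POPULATION = {
    "VA": 8_000_000,
    "TX": 25_000_000,
    "WY": 560_000,
    "CA": 37_000_000,
}

# Reporting window used in the post: 9/2009 through 4/2012.
WINDOW_START = date(2009, 9, 1)
WINDOW_END = date(2012, 4, 30)


def in_window(records, start=WINDOW_START, end=WINDOW_END):
    """Keep only breaches reported inside the analysis window (inclusive)."""
    return [r for r in records if start <= r.reported <= end]


def exclude_paper_only(records):
    """Drop breaches whose only location was paper, leaving digital/media ones."""
    return [r for r in records if r.location.strip().lower() != "paper"]


def affected_by_state(records):
    """Sum individuals affected per state (a person in two breaches counts twice)."""
    totals = {}
    for r in records:
        totals[r.state] = totals.get(r.state, 0) + r.individuals
    return totals


def percent_by_state(records, population):
    """Rounded percentage of each state's population affected."""
    totals = affected_by_state(records)
    return {s: round(100 * n / population[s]) for s, n in totals.items()}


def chart_rows(percents, threshold=2):
    """States at or above the threshold, largest share first."""
    rows = [(s, p) for s, p in percents.items() if p >= threshold]
    return sorted(rows, key=lambda sp: -sp[1])


def national_percent(records, population):
    """Rounded percentage of the combined population affected."""
    affected = sum(r.individuals for r in records)
    return round(100 * affected / sum(population.values()))


if __name__ == "__main__":
    digital = exclude_paper_only(in_window(SAMPLE_BREACHES))
    for state, pct in chart_rows(percent_by_state(digital, SAMPLE_POPULATION)):
        print(f"{state}: {pct}%")
    print(f"National: {national_percent(digital, SAMPLE_POPULATION)}%")
```

Two things the numbers do not tell you: the ratio counts affected records, not unique people, so one patient caught in two breaches is counted twice and a state figure can in principle exceed 100%; and one large incident dominates a state total, exactly as the post notes for the single backup-tape loss in Virginia, so the sample's "VA" row is driven entirely by its one big constructed record.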
Many such data breaches could probably be avoided by implementing strong encryption on all stationary and portable devices, robust data and media handling procedures, and rigorous training of staff. However, that is not always a practical solution.
Stakes Outweigh the Odds?
We all know where the path paved by good intentions leads. The best procedures and training are usually not enough when you're risking an accidental breach of PHI.
In other words, no matter how many times you tell a doctor not to leave a laptop in a hotel room or a briefcase with data DVDs on a plane, it's still going to happen. One such incident can affect the privacy of many patients and can have disastrous financial consequences to the health care provider.
For example, the Virginia 61% breach rate is almost entirely due to one incident apparently involving the loss of backup computer tapes with information on almost 5 MILLION people.
Secure Cloud Solutions Can Help
An increasingly practical and more secure solution that prevents even more breaches, and often reduces IT and training budgets, is to use SaaS (Software as a Service) with data residing in a secure private cloud, together with secure cloud-based email hosting, archiving and encryption.
That way, data, presentations, etc. are not automatically stored on the computer or other device, or are at least encrypted, and emails are not stored on it at all. That makes it much more difficult for thieves to get at the sensitive data. If the device is lost or stolen, the user can simply change their password to prevent further exposure.
Additionally, some services (like our premium edition hosted email) include a "remote wipe" function that allows the account administrators to factory reset smartphones, PDAs, etc. if they fall into the wrong hands.
Organizations like financial institutions, health-care providers and law firms can take advantage of secure and affordable cloud-based email encryption.
No matter what data loss prevention strategy an organization chooses, other critical factors, such as employee training and GPS tracking, can also help mitigate data loss. There are many articles online that provide tips on implementing a complete cloud-based strategy.
Follow This Developing Story
We are planning to dig deeper into this data set to see what else it might reveal and perhaps update it as DHS provides additional data over time.
Subscribe to this blog using your RSS-based reader and feel free to register using your email address. It's completely free and we won't spam you :)
DHS did not participate in this analysis, and nothing in this article is meant to imply any endorsement by DHS or any other entity.