Information security experts are calling 2011 one of the worst years for data security breaches in the last 10 years. Since 2002, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.[8] Alabama, Kentucky, New Mexico and South Dakota have no security breach laws.[9] In 2011, at least 14 states introduced legislation expanding the scope of laws, setting additional requirements related to notification or changing penalties for those responsible for breaches.[10]
The HITECH Act includes new provisions that amend HIPAA with regard to PHI, and other federal regulations with regard to personal health records. Under the HITECH Act, as of September 23, 2009, with a few common-sense exceptions, a covered entity is required to notify the subject of a breach of unsecured PHI that causes or poses a significant risk of financial, reputational or other harm to the individual. For a breach event involving 500 or more individuals, the HITECH Act requires covered entities to notify HHS immediately. For breach events involving fewer than 500 individuals, the HITECH Act provides that a covered entity may maintain a log of such breaches and submit the log to HHS annually.
Since September 23, 2009, HHS received 252 reports of breach events involving 500 or more individuals. Covered entities notified 7.8 million individuals of these breaches. The most common causes reported for these large breach events were: (1) theft; (2) intentional unauthorized access to, use or disclosure of PHI; (3) human error; and (4) loss of electronic media or paper records containing PHI.
Since September 23, 2009, HHS has received 30,521 reports of breaches involving fewer than 500 individuals. Covered entities notified 62,000 individuals of these breaches. The most common cause reported for these smaller breach events was misdirected information, such as test results sent to the wrong patient.