Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information provided to HHS provides organizations with a high level of insight concerning the types of breaches that occur in the healthcare industries.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2014 shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing more publicized hacking events.

Things to consider when reviewing your information security program in light of HHS data:

  1. Are all laptops encrypted?
  2. Is laptop encryption full-disk (e.g., does it apply to the entire hard drive)?
  3. Is laptop encryption also file-level (e.g., would it apply if files were removed from the hard drive)?
  4. Do you permit other types of portable media in your environment like USB drives?
  5. If so, are those devices encrypted at the disk or file-level?
  6. Are passwords enforced on laptops and other types of portable media?

The following provides a snapshot of information concerning healthcare data breaches.


The quantity of breaches caused by theft of hardware of all types.2


The quantity of theft involving stolen laptops.3


The quantity of breaches caused by hacking/IT intrusions.4


The quantity of breaches caused by improper disposal.5