The Massachusetts Office of Consumer Affairs and Business Regulation received nearly 2000 data breach notifications affecting nearly 3.2 million individuals between October 31, 2007 and September 30, 2011, according to a report released on Monday. 

The health care industry experienced only 214 of the nearly 2000 breaches, but it had more affected individuals than any other industry.  Of the more than 980,000 individuals subject to health care-related breaches, 800,000 came from a breach at one particular hospital in 2010.  The report found that the health care industry was subject to the second largest number of data breaches during the period analyzed in the report, behind only breaches of financial data such as debit and credit card information.

The report is a product of the Commonwealth’s 2007 Data Security Breach Law, which requires all individuals and entities who own or license personal information of Massachusetts residents to provide notice of any data security breach.  “Personal information” is defined as a combination of a resident’s first name and last name, or first initial and last name, and one or more items such as the individuals Social Security number, state-issued identification number, or credit or debit card number. 

In addition, the Office of Consumer Affairs and Business Regulation’s Data Security Regulations, which went into effect in March 2010, require any individual or entity storing or transmitting a Massachusetts resident’s personal information to create a written security plan that details how that information will be protected from theft or loss.  The regulations require that personal information is encrypted if transmitted over public networks, the Internet, or carried on portable devices such as laptops or compact discs.

Barbara Anthony, Undersecretary of Consumer Affairs and Business Regulation, indicated in a statement that a significant number of the data breaches occurred due to inadequate encryption of electronic information.  Ms. Anthony noted that “encrypting data remains the key to protecting our personal and financial information.”

It is important to note that, in addition to the Massachusetts law and regulations, health care entities also have security and data breach notification obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Health care entities that store or transmit personal information of Massachusetts residents should be aware of their responsibilities to maintain the security of such information in a manner that is consistent with both state and federal standards and to report any data breaches to both the Commonwealth and to the federal government, under both Massachusetts law and HIPAA.