Do the “Wall of Shame” numbers really tell the entire story about the size of the breach problem in healthcare?

When we ask healthcare organizations about their data breach risk we consistently get two answers:

The first thing we hear is a version of this statement:
“There really are not a lot of breaches that happen in healthcare to organizations our size, so I don’t think it will happen in our facility.”
And in the next breath we hear a version of this statement:
“But we know we have employees that are snooping in patient records.”

So which is the correct answer? It won’t happen to you? Or it is already happening and you don’t know how to see it or stop it? Snooping in patient records is a breach, no different from any other.

The “Wall of Shame” does healthcare organizations an injustice because it fosters a false sense of security. While it is a good first step, the “Wall of Shame” lists only breaches that affect more than 500 individuals.

For a more accurate picture of the breach problem in healthcare, we also need to look at reported breaches that affected fewer than 500 individuals. Those numbers are released less often than the over-500 figures, because the reporting requirements allow notification to take place up to 60 days after the end of the year in which the breach was detected. We were curious what those numbers were, so we looked at the last two completed years of the Office for Civil Rights Annual Report to Congress, covering 2011 and 2012, which details all breaches, including those affecting fewer than 500 individuals. There were 458 combined breaches affecting more than 500 individuals each. In that same period, however, there were 46,899 reported breaches that affected fewer than 500 individual patients.

Graph 1: The number of healthcare breaches affecting over and under 500 patients

Why do we keep saying there were only 458 breaches when there were really 47,357 total reported breaches in those two years? What no one mentions is that the “Wall of Shame” numbers everyone keeps talking about represent less than 1% of healthcare breaches.

But is THAT really ALL the breaches that happened? What about the breaches that go undetected and/or unreported (yes, it does happen)? There are statistics that put the share of breaches that are undetected or unreported between 80% and 94%. If we calculate using the 94% undetected or unreported figure, which comes from a former FBI Cyber Agent, then in 2011 and 2012 there were 789,283 healthcare breaches. That number is extremely different from the 458 that everyone seems to focus on!

Graph 2: Total reported and estimated unreported and undetected healthcare breaches

We have a problem, but it is a problem that can be controlled. Healthcare organizations that take patient privacy seriously are taking steps to control employee snooping. The key to detecting snooping is first determining what proper data use looks like and then monitoring actual use against it. By monitoring data use this way, you get better control of snooping than with a system that only flags misuse through fixed rules. With this type of monitoring in place, we can work together to reduce the number of healthcare data breaches.
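The approach described above, as an added example that is not part of the original post or any vendor product: a per-user baseline of "proper data use" is learned from a window of EHR audit-log records (constructed here, not from a real system), and later accesses are flagged when they fall outside the units a user normally touches or exceed that user's own daily volume, rather than relying on fixed rules alone.

```python
import statistics
from collections import defaultdict

# Constructed EHR audit-log records, not from any real system: (date, user, patient_id, patient_unit).
# Learning window: what "proper data use" looks like for each user.
BASELINE = [
    ("2024-01-01", "nurse_a", "P1", "ICU"), ("2024-01-01", "nurse_a", "P2", "ICU"),
    ("2024-01-02", "nurse_a", "P3", "ICU"), ("2024-01-02", "nurse_a", "P1", "ICU"),
    ("2024-01-03", "nurse_a", "P2", "ICU"), ("2024-01-03", "nurse_a", "P4", "ICU"),
    ("2024-01-03", "nurse_a", "P5", "ICU"),
    ("2024-01-01", "clerk_b", "P6", "BILLING"), ("2024-01-02", "clerk_b", "P7", "BILLING"),
    ("2024-01-03", "clerk_b", "P8", "BILLING"),
]
# Monitoring window: contains two out-of-unit lookups and a one-day burst of chart openings.
OBSERVED = [
    ("2024-02-01", "nurse_a", "P9", "ICU"),
    ("2024-02-01", "nurse_a", "P20", "MATERNITY"),
    ("2024-02-02", "clerk_b", "P21", "BILLING"),
    ("2024-02-02", "clerk_b", "P22", "ICU"),
] + [("2024-02-02", "nurse_a", f"P{n}", "ICU") for n in range(30, 40)]

def build_baseline(records):
    """Per user: the units normally accessed plus mean/stdev of daily access volume."""
    units, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, user, _pid, unit in records:
        units[user].add(unit)
        per_day[user][day] += 1
    profile = {}
    for user in units:
        counts = list(per_day[user].values())
        profile[user] = {"units": units[user], "mean": statistics.mean(counts),
                         "sd": statistics.pstdev(counts)}
    return profile

def detect_snooping(profile, records, k=3.0):
    """Flag deviations from each user's own baseline; returns (user, day, kind, detail) tuples."""
    findings, per_day = [], defaultdict(lambda: defaultdict(int))
    for day, user, pid, unit in records:
        prof = profile.get(user)
        if prof is None:  # no learned baseline at all: surface for review rather than guess
            findings.append((user, day, "unknown_user", f"no baseline, accessed {pid}"))
            continue
        if unit not in prof["units"]:
            findings.append((user, day, "unit_outside_baseline",
                             f"{pid} in {unit}, usual {sorted(prof['units'])}"))
        per_day[user][day] += 1
    for user, days in per_day.items():
        prof = profile[user]
        threshold = prof["mean"] + k * max(prof["sd"], 1.0)  # floor keeps a flat baseline from firing on +1
        for day, n in days.items():
            if n > threshold:
                findings.append((user, day, "volume_spike", f"{n} accesses vs threshold {threshold:.1f}"))
    return findings
```

Run against the constructed data it reports nurse_a's maternity-unit lookup, clerk_b's ICU lookup, and nurse_a's ten-chart day; the same records replayed against their own baseline produce no findings.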