Preventing a Data Breach and Protecting Health Records

On February 17, 2010 the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed, changing the landscape of the healthcare industry dramatically. Incentives, sanctions and penalties regarding non-compliance with the security and privacy of electronic protected health information have been implemented for healthcare providers and their business associates.  It’s anticipated that there will be a significant amount of electronic health information being exchanged between providers and associates so federal regulations were implemented to improve security and reduce vulnerabilities. There are administrative, physical and technical safeguards that must be in place in every covered entity and business associate.

As of September 23, 2010, there were 166 data breach incidents involving over 500 individuals reported to the Department of Health and Human Services (HHS) and posted on their website. These incidents involved 4,905,768 individuals who had their PHI compromised. The largest of these incidents exposed 1,220,000 individuals in December 2009 resulting from the theft of an unencrypted laptop.

The purpose of this white paper is to review and analyze all of the breaches posted on the HHS website that have occurred between September 23, 2009 and September 23, 2010. We’ve identified which types of breaches and locations were affected, and highlighted common vulnerabilities and risks. We then offer insight into the best practices for preventing reportable breaches from occurring to help significantly reduce risk of governmental enforcement actions and costs.

For additional information, contact Jorge Rey.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.