Mandatory reporting has had a positive impact on the reported number of medical data breaches. First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to date. Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk. The HHS breach report does not detail whether names, X-rays or Social Security numbers (SSNs) were included in the exposed data, so the public has no way of knowing how minor or serious the exposure was for any given incident. The media have helped by reporting more details for some breach events.
In addition, state-mandated reporting of all breaches, now required by several state attorneys general, has increased public reporting, but a state's list only covers breaches in which a resident of that state might be affected. In 2010, New Hampshire listed 96 breaches and Maryland reported 160. Wisconsin and Vermont have small lists of reported breach events.
Approximately 200 breaches, 29% of the 662 total reported by the ITRC, were credited to information provided by these “mandatory reporting” states. This is a clear argument for mandatory reporting to achieve transparency for the public.
Highlights of the ITRC Breach List analysis include:
Paper breaches account for nearly 20% (one fifth) of known breaches and typically go unnoticed until a consumer reports the problem to local media. There is generally no mandatory reporting requirement for paper breaches.
Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.
38.5% (255) of listed breaches did not identify the manner in which the information was exposed. This indicates a clear lack of transparency and full reporting to the public.
51% of publicly reported breaches indicated the number of records exposed, totaling