The private health information of more than 6 million people has been compromised by digital security breaches since August 2009 -- and those are just the big cases. The Department of Health and Human Services does not release information about breaches affecting fewer than 500 people.
The disconcerting statistics are included in a new report by RedSpin Inc., an IT security audit firm in Carpinteria, Calif. The report, "Breach Report 2010: Protected Health Information," looked at 225 breaches reported under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The breaches occurred in all but seven states, the District of Columbia and Puerto Rico, the auditors reported. The average breach affected about 27,000 people. Incidents traced to portable media, such as laptop computers, affected an average of 66,000 people.
Other details in the report:
--An average of 82 days passed between discovery of the security breach and HHS notification or updates. HITECH requires that HHS be notified of major breaches within 60 days.
--The bulk of the breaches, 78 percent, resulted from just 10 incidents. Half of those were traced to the theft of common storage media such as a desktop computer, network server or portable device.
--Six out of 10 breaches were intentional and malicious.
--Business associates with access to health information were responsible for four out of 10 breaches.
"It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source," say RedSpin auditors. "This trend will likely increase as health-care IT initiatives are deployed across the industry as a result of financial incentives associated with 'meaningful use' objectives."
The auditors recommend reducing security risks by:
--Encrypting protected health information data in storage and in transit.
--Improving training for users.
--Implementing a mobile device security policy.
--Periodically reviewing security controls.
John Pulley
John Pulley has written the Health IT Update blog since May 2011. Prior to becoming a regular contributor to Nextgov, he covered technology for Federal Computer Week and Government Health IT magazines. He has written about government for Federal Times and Air Force Times, as well. Pulley has worked in journalism for more than 20 years. He began his career covering local government for regional newspapers. In addition, he served as a writer and senior editor at The Chronicle of Higher Education for seven years. In 2006, he founded The Pulley Group, an editorial services agency.