The threats to patient data are increasing, and increasingly public. They typically do not come from some nefarious hackers, either. Rather, security breaches are usually the result of human error.
For example, the Department of Health and Human Services (HHS) reported in April 2010 that over just six months, 64 healthcare organizations suffered breaches of patient medical records so serious that they warranted public reporting under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the 2009 stimulus act. HITECH requires prompt notification of breaches of “unsecured protected health information” involving 500 or more individuals. The April list, documenting security failures from September 2009 through March 2010, involved 23 hospitals, 13 insurance plans, 13 physician practices and four clinics. And while the median-size breach affected 2,667 records, one insurer had almost one million records exposed. These weren’t the result of criminal schemes — the vast majority of these security failures, including the largest ones, stemmed from a laptop or disk being lost or stolen.