A total of 225 breaches of protected health information (PHI) affecting 6,067,751 individuals have been recorded since the HIPAA breach notification rule was issued in August 2009 pursuant to the HITECH Act, according to a report by Redspin, a provider of HIPAA risk analysis and IT assessment services.

According to the report:

  • Single breaches affecting over 500 individuals have taken place across 43 states, the District of Columbia, and Puerto Rico.
  • 27,000 individuals, on average, are affected by a single breach.
  • 82 days, on average, pass between breach discovery and notification/update to HHS.
  • 40% of records breached involve business associates.
  • 61% of breaches are a result of malicious intent.

To reduce the risk and impact of a future breach, the report recommends that covered entities and business associates should: (1) implement encryption on all PHI in storage and transit; (2) strengthen information security user awareness and training programs; (3) implement a mobile device security policy; and (4) ensure that business associate due diligence includes a periodic review of implemented controls.

The report also warns that “business associates are data rich targets that are consequently likely to see an increase in malicious activity,” underscoring the need for covered entities to select and contract carefully with their business associates, and for business associates to implement robust physical, administrative and technical safeguards.

The full report is available here.