By Erin McCann, Associate Editor, HealthcareIT News
In an epoch of Web hackers, procedural slackers, unauthorized users and viewers, PC pinchers and server swindlers, it’s a hard knock life for patient privacy.
Nearly 20 million patient health records have been compromised since the Aug. 2009 Breach Notification Rule, which requires that HIPAA-covered groups give notification following a data breach involving 500 or more individuals. And breach numbers haven’t shown signs of waning any time soon.
In fact, according to a 2011 Redspin report, which collected data from the Department of Health and Human Services (HHS), the total number of records breached jumped 97 percent within a single year. Moreover, according to some reports, data breaches can cost the healthcare industry, on average, $6.5 billion annually.
Such alarming numbers, together with the indiscriminate nature of breaches, mean privacy is a luxury these days. This luxury, however, is not one typically bought or afforded, but rather one where you cross your fingers and hope for the best.
So who are the biggest offenders by state?
Generally, states with the highest population have the highest number of data breaches. For instance, California and Texas top the list, banking the highest number of data breaches in the nation. However, when population is taken into consideration, the numbers change substantially.
Using data from the HHS, here are the best and the worst states in terms of number of records breached per 1,000 people.
Blacklisted: Top 5 states with the highest number of data breaches
1. Virginia – 607 data breaches per 1,000 people
Although only having seven data breaches since the 2009 Breach Notification Rule, health organizations in Virginia have compromised the privacy and security of some 4,919,457 individuals. That’s more than half of the state’s population, which the U.S. Census Bureau has pegged at 8,096,604. Responsible for the bulk of that is the TRICARE Management Activity breach, which occurred Sept. 14, 2011. This single breach compromised the personal health information (PHI) of nearly 5 million people, effectively catapulting Virginia to the top of the list.
2. Utah – 279 data breaches per 1,000 people
Again, the number of data breaches alone is not responsible for Utah’s No. 2 position on this list. Rather, one of the state’s three data breaches involved the Utah Department of Health compromising PHI of 780,000 patients in March 2012. Overall, healthcare groups in Utah have compromised the PHI of some 786,998 individuals.
3. Washington, D.C. – 208 data breaches per 1,000 people
Healthcare groups in D.C. have had nine data breaches since 2009, affecting the PHI of some 128,465 individuals. Howard University Hospital was responsible for two of the most significant breaches – one in Jan. and the second in March – involving the PHI of some 101,104 individuals.
4. New Hampshire – 176 data breaches per 1,000 people
Healthcare groups in the Granite State have had a mere two data breaches since 2009, but one of the two incidents involved the PHI of 231,400 individuals back in Nov. 2010, when Dover-based Seacoast Radiology, PA announced that a server containing patient information had been hacked. The total number of health records compromised is 232,171.
5. Tennessee – 167 data breaches per 1,000 people
Healthcare groups in the state have seen a significant number of data breaches relative to Tennessee’s population, with 17. To date, health organizations in the state have seen the PHI of some 1,072,646 individuals compromised, with the bulk of that number coming from a Blue Cross Blue Shield of Tennessee data breach that may have compromised the PHI of more than 1 million patients.
Here are the states with a rather polished and predominantly clean record when it comes to healthcare data breaches involving 500 individuals or more.
The Golden Children: Top 5 states with the fewest number of data breaches
1. Hawaii – 0
2. Maine – 0
3. South Dakota – 0
4. Vermont – 0
5. North Dakota – 1 data breach per 1,000 people.
In a single breach event, the Bismarck, N.D.-based Medcenter One announced an Oct. 1 breach involving the theft of a laptop containing limited personal information of 650 hearing aid patients.
Data used from the U.S. Census Bureau and the Department of Health and Human Services.