By: Emily Mullin

The breach report, conducted by IT security auditing company RedSpin, analyzes the full data set of breaches as reported to the secretary of the U.S. Department of Health and Human Services since the Health Information Technology for Economic and Clinical Health, or HITECH, Act took effect in 2009.
 

“Ultimately, improvements in healthcare IT security must be measured by the reduction of the number of breach incidents and people impacted,” RedSpin says in the report.
 

In 2011, an average of 49,396 patient records were affected per breach – a whopping 80 percent increase from 2010. Since August 2009, nearly 19.2 million patient health records have been affected by breaches.
 

At least one large IT data breach incident – one involving more than 500 individuals – has been reported in 46 out of 50 states, the District of Columbia and Puerto Rico. Not surprisingly, the most breaches have happened in the five most populous states – 45 percent of breaches occurred in California, 33 percent in Texas, 25 percent in New York, 18 percent in Florida and 19 percent in Illinois. 
 

To date, a large percentage of all personal health information breaches – 39 percent – have occurred on a laptop or other portable media, the easiest type of device for thieves to steal or employees to lose. Another 24 percent of breaches happened on paper and nearly 15 percent of breaches occurred on computers. 
 

Breaches by business associates have increased, too – an unsettling trend. Business associates are third-party vendors, suppliers, consultants, and contractors that health organizations and providers entrust with personal health information to perform services on their behalf. By law, business associates must commit to having security controls in place to protect patient data. But since October 2009, breaches of patient information at business associates have made up 59 percent of all breaches reported. Worse, total records breached at business associates grew 76 percent in 2011 from 2010.