HHS Wall of Shame Breaches

HHS Wall of Shame exposes the not so careful…

By: Tod Ferran, CISSP, QSA
With an average of 1.5 million unique visitors per month on hhs.gov (per complete.com), the Wall of Shame is an extremely public record of healthcare organizations that have suffered PHI breaches affecting 500 or more individuals. The interesting thing about the Wall of Shame is that it is actually a requirement of HITECH [section 13402(e)(4)]: the Secretary of the Department of Health and Human Services (HHS) must make these patient data breaches publicly available.

One of many HHS pages filled with compromised entities

According to Cintas, two-thirds of US adults would not return to a business (or healthcare organization) if their personal information were stolen. I can say with confidence that brand degradation and patient exodus will likely occur every time an organization shames their name through a data breach. How do I know this? As a well-informed patient, I always check The Wall before giving my business (and information!) to a new dentist or doctor.

What do the stats tell us?

By analyzing the Wall of Shame, I can tell you that as of May 2014:
  • The total number of breaches reported to HHS exceeds 990.
  • 238 organizations were listed on the Wall of Shame as breached in 2013 (that’s 4.5 breaches a week!).
  • 7.7 million records were compromised in 2013.
  • In the history of the Wall of Shame, 72 breaches occurred because of hacking.
  • The three largest breaches ever reported affected 4,901,432 individuals (TRICARE), 4,029,530 (Advocate Health and Hospitals Corporation) and 1,900,000 (Health Net, Inc.).
  • 7 healthcare organizations reported security breaches that involved one million or more records.
  • In the history of the Wall of Shame, the total number of individuals affected is over 31 million.
  • Business associates are involved in 27% of reported breaches.
  • Who knows how many records unreported breaches (those affecting fewer than 500 individuals) would add to this list…

"It'll never happen to me"

If you are a healthcare organization, I hope this post has inspired you to reconsider the common false assumptions of medical practices nationwide. “It’ll never happen to me.” “My legal guy takes care of HIPAA.” Those thoughts are what get organizations breached and sent into the corner wearing a dunce cap.


Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.