Shostack + Friends Blog Archive


Lessons from HHS Breach Data

PHIPrivacy asks, “Do the HHS breach reports offer any surprises?”

It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s worth of reports.

I’ll add that the HHS web site, “Breaches Affecting 500 or More Individuals,” offers data about 181 breaches in CSV and XML formats.

But Dissent asks what we can learn. Two things strike me immediately.

First, 181 breaches, and no one out of business. Perhaps not a surprise, but many people seem to need the reminder, since the bad meme that a breach puts a company out of business has been around so long.

Second, and also in the bad meme category, let’s look at insiders. There were 10 insider incidents (6% of all incidents involving 500 or more people). They impacted 50,491 people (1% of all people). We sometimes hear that incidents involving insiders are the most damaging or impactful. Yet the unauthorized access incidents (a separate category from hacking) had a lower mean number of people impacted than hacking, improper disposal, loss, theft, business associates, laptops, desktop computers, portable electronic devices or network servers. In fact, the only categories that impacted fewer people were “theft, unauthorized access” and “paper records.”

Now, it’s true that unauthorized access is not the same thing as insiders. Unauthorized access likely includes both insiders and access control failures (the “spreadsheet on a website” pattern). It’s also true that there were quite damaging incidents that involved fewer than 500 people (the “peeking” pattern), and those never appear in this data set at all. It’s even possible that those were the worst incidents. But we have no evidence for that claim. Still.
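The comparison above is a per-category roll-up of the HHS CSV: count of incidents, share of incidents, share of people affected, and mean per category. Here is an added example (not code from the post or from HHS) that reproduces that roll-up over a constructed sample in the shape of the current HHS export; the column names are an assumption about the file, and the rows are invented, not real reports. It also reports the median, since a single large theft can drag a category mean well above what most of its incidents look like, and it keeps combined values such as “Theft, Unauthorized Access” as their own category rather than splitting them, which is how the post counts them and avoids double-counting people.

```python
"""Per-category statistics over HHS-style breach report rows.

Added example, not part of the original post. The column names
("Type of Breach", "Individuals Affected", "Location of Breached
Information") follow the current HHS breach portal export and are an
assumption about the 2010 file; the rows below are constructed, not
real reports.
"""
import csv
import io
from collections import defaultdict
from statistics import mean, median

# Constructed sample in the shape of the HHS CSV export (not real breaches).
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Type of Breach,Location of Breached Information
Example Clinic A,TX,1200,Unauthorized Access,Paper
Example Hospital B,CA,95000,Hacking/IT Incident,Network Server
Example Health Plan C,NY,5400,Theft,Laptop
Example Practice D,FL,800,"Theft, Unauthorized Access",Desktop Computer
Example Hospital E,OH,3100,Unauthorized Access,Electronic Medical Record
Example Clinic F,WA,24000,Loss,Portable Electronic Device
Example Clinic G,IL,6000,Improper Disposal,Paper
Example Hospital H,PA,410000,Theft,Desktop Computer
"""


def load_rows(text):
    """Parse CSV text into dicts, coercing the count column to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        rows.append(row)
    return rows


def stats_by(rows, column="Type of Breach"):
    """Group rows by `column` and report, per group: number of incidents,
    share of all incidents, people affected, share of all people affected,
    and the mean and median people per incident.

    Combined values such as "Theft, Unauthorized Access" stay their own
    group; splitting them into both parts would double-count people.
    """
    groups = defaultdict(list)
    for row in rows:
        groups[row[column]].append(row["Individuals Affected"])
    n_incidents = len(rows)
    n_people = sum(r["Individuals Affected"] for r in rows)
    out = {}
    for key, counts in groups.items():
        out[key] = {
            "incidents": len(counts),
            "incident_share": len(counts) / n_incidents,
            "people": sum(counts),
            "people_share": sum(counts) / n_people,
            "mean": mean(counts),
            "median": median(counts),
        }
    return out


def rank_by(stats, metric):
    """Category names ordered from largest to smallest on `metric`."""
    return sorted(stats, key=lambda k: stats[k][metric], reverse=True)


if __name__ == "__main__":
    by_type = stats_by(load_rows(SAMPLE_CSV))
    for key in rank_by(by_type, "mean"):
        s = by_type[key]
        print(f"{key:28s} n={s['incidents']:2d} ({s['incident_share']:.0%}) "
              f"people={s['people']:7d} ({s['people_share']:.1%}) "
              f"mean={s['mean']:.0f} median={s['median']:.0f}")
```

Pointing `load_rows` at the real export instead of `SAMPLE_CSV` gives the 181-row version; calling `stats_by(rows, "Location of Breached Information")` produces the laptop, desktop, server and paper breakdown the post compares against. On the sample, “Theft” tops the ranking by mean because one 410,000-person incident sits in it, while its median is far lower, which is the reason to look at both numbers before calling a category “most damaging.”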

But the biggest, most important lesson is that, with the data published in machine-readable form, Dissent can ask not “What did HHS learn from this?” but rather, “What can we learn from this?”