Lots of health data breaches reported to HHS, only trivial ones to FTC

With just over a year having passed since the health data breach notification rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, an interesting contrast has emerged between the breaches disclosed to the Department of Health and Human Services (HHS) by HIPAA-covered entities and business associates and those disclosed to the Federal Trade Commission (FTC) by organizations that provide personal health records (PHRs) and associated services but are not covered by HIPAA. As reported on Monday, and as evidenced by the complete listing of breaches posted by the FTC, as far as the FTC is aware there have been no major breaches (those involving 500 or more individuals) in the past year. All 13 of the breaches reported to the FTC involved lost or stolen credentials, which presumably could let an unauthorized party gain access to a user's personal health information, but no actual loss of data appears to have occurred. It may or may not be interesting to note that all of the breaches reported to the FTC came from one company: Microsoft. In contrast, the current count of breaches reported to HHS is 181, all of which involve 500 or more individuals, and many of which apparently involve the loss or theft of data, whether on laptops, on other electronic storage devices, or in paper records.