In calendar year 2010, HIPAA-covered entities notified the Health and Human Services Department of 207 breaches that affected 500 or more individuals. This resulted in breach notifications being sent to approximately 5.4 million individuals, finds an HHS report.

The most common cause of these large breaches in 2010 was theft, according to an annual report (.pdf) submitted to congressional committees. The report covers breaches between Sept. 23, 2009 and Dec. 31, 2010.

Forty-eight percent of the breaches in 2010 involved theft, and the largest reported theft affected approximately 1.9 million individuals, write HHS report authors. The breach involved the theft of electronic medical record information saved on back-up tapes at an EMR vendor's site. Another 20 percent of 2010 incidents were attributable to laptop theft. 

Revising policies was the most common remedial action, following a breach, but for large breaches involving the theft or loss of electronic data, about half of notifiers said encryption technologies were being implemented to avoid future breaches, says the report.

In 2010, HHS received more than 25,000 reports of smaller breaches (each affecting less than 500 individuals). These smaller breaches affected more than 50,000 individuals in all and the primary cause was misdirected communications.

Section 13402(i) of the HITECH Act (.pdf) requires the HHS secretary to prepare and submit to Congress an annual report on the breaches at the department and the actions taken in response to those breaches. HIPAA-covered entities are required to notify affected individuals, HHS and in some cases the media following the discovery of a breach of unsecured protected health information.

For more:
- see the HHS report (.pdf)
- see related coverage at FierceHealthcare

Related Articles:
Audio: VA CIO Roger Baker's August IT report 
IRS e-help desk wrongly discloses taxpayer data  
DHS program risks collecting, sharing more PII than needed