As PHI breaches involving billions of entities become more common, review teams need to adjust how they approach these incidents.
Canopy Software just released a case study highlighting how our services and application enabled us to identify 4.28 billion potentially reportable entities after a hospital system’s data breach. We then consolidated an accurate notification list of 3 million entities in only 15 days.
Our partner needed to find affected individuals in over 6,000 PHI- and PII-dense documents, each consisting of thousands of pages. The large scope of this breach meant that, using only their pre-existing systems, our partner’s client would not have been able to comply with laws mandating that impacted individuals be notified quickly. Even if our partner had hired a team of a few hundred reviewers to find PHI and PII in the data, completing this project likely would have taken years.
Why This Matters
The size of breaches containing PHI is increasing, meaning that review teams need to increase their capacity in order to quickly compile notification lists.
While data breach response laws vary by jurisdiction, all American healthcare organizations fall under the purview of HIPAA.
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” [1]
Regardless of the breach’s size, teams are required to quickly (often within 60 days) notify affected individuals. Similar GDPR regulations cover citizens of the EU, and other laws regulating data breach notification timelines are continuing to emerge worldwide.
According to HIPAA Journal, the median size of a healthcare data breach has drastically increased recently. Between 2010 and 2018, the median size was approximately 2,000 to 2,600 records. [2] In 2019, this jumped to 3,784, and although the full 2020 data is not yet available, the median breach size for September 2020 was 16,038 records. [3] In November 2020, ≥ 100,000 individuals were affected in each of the 3 largest reported data breaches. [4] The number of records included in each individual healthcare data breach is skyrocketing as healthcare providers and organizations transmit more data digitally.
With more records in each breach, there are more pieces of PII and PHI for reviewers to find before they can compile an accurate notification list. An increasing number of organizations are going to face the same challenge highlighted in our case: when the breach is large enough, it is impossible for a reasonably sized human review team to quickly and accurately compile a notification list.
To learn more about how Canopy helped our partner overcome this challenge, download our most recent case study.