Nearly 15 million individuals were affected by more than 450 large-scale health data breaches in 2010 and 2011, investigators said in a recent report to Congress. The theft of devices containing protected information continued to be the biggest source of Health Information Portability and Accountability Act violations, they added.

About half of all breaches each year have been due to stolen storage devices, investigators from the Department of Health and Human Services’ Office of Civil Rights noted.

The $10 million in HIPAA fines collected since June 2013 will be “low compared to what’s coming up,” said Health and Human Services Chief Regional Civil Rights Counsel Jerome Meites in a June speech at the American Bar Association conference. While Meites said his views were his own, he believes the government will be looking to make an example out of non-compliant providers.

Unauthorized access to records and improper disclosure are top reasons cited for HIPAA breaches. Long-term care operators and other providers are under increasing pressure to keep personal health information shielded from unauthorized parties. Large-scale prosecutions have not occurred in the long-term care profession, which nonetheless remains on high alert about other provider breakdowns noted in the media.

Until 2011, the vast majority of HIPAA privacy breaches were due to direct provider breakdown or accidents, OCR investigators reported. Starting in 2011, however, business associates of providers became the most common source of large-scale breaches.

Additionally, nearly 30% of all large breaches involved paper records in 2011, researchers noted.

OCR officials said they successfully resolved more than 90% of the 77,000 allegations of HIPAA privacy and security rule violations. More than half did not qualify as “an eligible case” under HIPAA prosecution rules.