#Import the data from a web-hosted source
library(readr)      # read_csv()
library(dplyr)      # mutate(), filter(), group_by(), summarise(), percent_rank()
library(lubridate)  # year()
library(ggplot2)    # ggplot(), geom_bar()
archive <- read_csv("https://myxavier-my.sharepoint.com/:x:/g/personal/asayj_xavier_edu/Eag9x4eBBhpGsDXrEnOtDdEB0oS4pDZ-AHerbFDvBCGesA?download=1")
investigation <- read_csv("https://myxavier-my.sharepoint.com/:x:/g/personal/asayj_xavier_edu/EVJ-vt7ABJVCqkDgdBp0YW0BV9iPB7SbQ-rWuqbAD5SA7Q?download=1")
Number of Reported Breaches (*Top 5% by Individuals Affected were omitted)
# `sandbox` is the working copy of the archive. The chunk that built it is not on this page,
# so it is assumed here to be the archive exactly as loaded above.
sandbox <- archive
sandbox %>%
  mutate(year = year(`Breach Submission Date`)) %>%
  # drop the largest 5% of incidents; note the rank is computed over the whole
  # archive, not within each year, so a year made up only of large breaches can lose every row
  filter(percent_rank(`Individuals Affected`) < .95) %>%
  group_by(year) %>%
  summarise(Count = n()) %>%
  ggplot(aes(x = year, y = Count)) +
  # bar heights are the precomputed counts; "identity" (lowercase) is the conventional stat name
  geom_bar(stat = "identity")
Average Healthcare Data Breach Size by Year (*Top 5% were omitted)
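Both plots above come from the same dplyr pipeline: derive the year from the submission date, drop the largest 5% of incidents by individuals affected, then count and average per year. The block below is an added example, not code from the original notebook. It runs that pipeline end to end on a constructed eight-row sample in the shape of the HHS breach-report export (the rows are made up for illustration and are not real filings), and it also splits the multi-valued HHS fields into the BT1..BT6 / Loc1..Loc8 columns used by the table further down, which this example assumes was done with tidyr::separate(). It goes one step further than the notebook by breaking the trimmed counts down by primary breach type.

```r
# Added example (not from the original notebook): per-year count and trimmed mean
# from an HHS-style breach report, plus a breakdown by primary breach type.
library(readr)
library(dplyr)
library(tidyr)
library(lubridate)
library(ggplot2)

# Constructed sample in the shape of the HHS "Breach Report" export. Multi-valued
# fields are separated by ", " as in that export. These rows are made up.
sample_csv <- "Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Plan A,IN,Health Plan,78800000,2015-03-13,Hacking/IT Incident,Network Server,No
Provider B,IL,Healthcare Provider,4029530,2013-08-23,Theft,Desktop Computer,No
Associate C,NJ,Business Associate,1700000,2011-02-11,Theft,\"Electronic Medical Record, Other\",Yes
Provider D,SC,Healthcare Provider,400000,2011-05-27,Theft,\"Desktop Computer, Laptop\",No
Provider E,TX,Healthcare Provider,405000,2014-02-05,Hacking/IT Incident,Network Server,No
Plan F,MT,Health Plan,1062509,2014-07-07,Hacking/IT Incident,Network Server,No
Provider G,CA,Healthcare Provider,729000,2013-10-25,Theft,Laptop,No
Provider H,FL,Healthcare Provider,483063,2016-02-12,Loss,Paper/Films,Yes"

breaches <- read_csv(sample_csv, show_col_types = FALSE) %>%
  # Split the multi-valued HHS columns into BT1..BT6 / Loc1..Loc8 (assumed to be how
  # the notebook built its table); unused slots become NA.
  separate(`Type of Breach`, into = paste0("BT", 1:6), sep = ", ", fill = "right") %>%
  separate(`Location of Breached Information`, into = paste0("Loc", 1:8), sep = ", ", fill = "right") %>%
  mutate(`Breach Submission Date` = as.Date(`Breach Submission Date`),
         year = year(`Breach Submission Date`),
         day  = wday(`Breach Submission Date`, label = TRUE, abbr = FALSE),
         X    = paste(`Name of Covered Entity`, State, `Covered Entity Type`, `Individuals Affected`))

# Drop the largest 5% of incidents so one mega-breach does not dominate the yearly mean.
# percent_rank() is computed over the whole archive, not per year: in this sample the
# single 2015 row is the one trimmed, so 2015 vanishes from the summary entirely.
trimmed <- breaches %>% filter(percent_rank(`Individuals Affected`) < 0.95)

by_year <- trimmed %>%
  group_by(year) %>%
  summarise(Count = n(),
            Mean_Affected = mean(`Individuals Affected`),
            .groups = "drop")

# Same trimmed data split by primary breach type: shows whether theft/loss of media
# or network intrusion dominates the count in a given year.
by_type <- trimmed %>%
  count(year, BT1, name = "Count") %>%
  arrange(year, desc(Count))

print(by_year)
print(by_type)

ggplot(by_year, aes(x = year, y = Count)) +
  geom_col() +
  labs(title = "Number of Reported Breaches (top 5% omitted)",
       x = "Submission year", y = "Breaches")
```

On the sample, by_year has rows for 2011 (2 breaches, mean 1,050,000), 2013 (2, mean 2,379,265), 2014 (2, mean 733,754.5) and 2016 (1, mean 483,063); 2015 is absent because its only row is the one trimmed. The derived day/year columns depend on Breach Submission Date being parsed as a Date; if readr reads it as character (for example an MM/DD/YYYY export), convert with lubridate::mdy() before calling year().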
Largest healthcare data breaches
Columns BT1-BT6 hold the split values of the HHS "Type of Breach" field and Loc1-Loc8 the split values of "Location of Breached Information" (unused slots are NA, and an empty cell means the field was blank in the filing); Web Description is OCR's posted case summary where one exists; X is a pasted label (entity, state, type, individuals affected) used for plot annotation; day and year are derived from the submission date. Rows are sorted by Individuals Affected, descending. Note that the archive contains near-duplicate filings for the same incident (Anthem, Community Health Systems), which inflate per-year counts unless deduplicated.
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | BT1 | BT2 | BT3 | BT4 | BT5 | BT6 | Loc1 | Loc2 | Loc3 | Loc4 | Loc5 | Loc6 | Loc7 | Loc8 | Business Associate Present | Web Description | X | day | year |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Anthem, Inc. Affiliated Covered Entity | IN | Health Plan | 78800000 | 2015-03-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Anthem, Inc. Affiliated Covered Entity IN Health Plan 78800000 | Friday | 2015 |
Anthem (Working file) | IN | Health Plan | 78800000 | 2015-02-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Anthem (Working file) IN Health Plan 78800000 | Friday | 2015 |
Premera Blue Cross | WA | Health Plan | 11000000 | 2015-03-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Premera Blue Cross WA Health Plan 1.1e+07 | Tuesday | 2015 |
Excellus Health Plan, Inc. | NY | Health Plan | 10000000 | 2015-09-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Excellus Health Plan, Inc. NY Health Plan 1e+07 | Wednesday | 2015 |
Science Applications International Corporation (SA | VA | Business Associate | 4900000 | 2011-11-04 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Science Applications International Corporation (SA VA Business Associate 4900000 | Friday | 2011 |
University of California, Los Angeles Health | CA | Healthcare Provider | 4500000 | 2015-07-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | University of California, Los Angeles Health CA Healthcare Provider 4500000 | Friday | 2015 |
Community Health Systems Professional Services Corporations | TN | Business Associate | 4500000 | 2014-08-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Community Health Systems Professional Services Corporations TN Business Associate 4500000 | Thursday | 2014 |
Community Health Systems Professional Services Corporation | TN | Business Associate | 4500000 | 2014-08-20 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Community Health Systems Professional Services Corporation TN Business Associate 4500000 | Wednesday | 2014 |
Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | Healthcare Provider | 4029530 | 2013-08-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group IL Healthcare Provider 4029530 | Friday | 2013 |
Medical Informatics Engineering | IN | Business Associate | 3900000 | 2015-07-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | Yes | NA | Medical Informatics Engineering IN Business Associate 3900000 | Thursday | 2015 |
Banner Health | AZ | Healthcare Provider | 3620000 | 2016-08-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | No | NA | Banner Health AZ Healthcare Provider 3620000 | Wednesday | 2016 |
Newkirk Products, Inc. | NY | Business Associate | 3466120 | 2016-08-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Newkirk Products, Inc. NY Business Associate 3466120 | Tuesday | 2016 |
21st Century Oncology | FL | Healthcare Provider | 2213597 | 2016-03-04 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Failure to protect the health records of millions of persons costs entity millions of dollars. 21st Century Oncology, Inc. (21CO) has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. 21CO is a provider of cancer care services and radiation oncology. With their headquarters located in Fort Myers, Florida, 21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. On two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21CO that patient information was illegally obtained by an unauthorized third party and produced 21CO patient files purchased by an FBI informant. As part of its internal investigation, 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within 21CO’s network. 21CO determined that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. OCR’s subsequent investigation revealed that 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement. “People need to trust that their private health information will remain exactly that; private,” said OCR Director Roger Severino. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.” In addition to a $2.3 million monetary settlement, a corrective action plan requires 21CO to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan. On May 25, 2017, 21CO filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement with OCR will resolve OCR’s claims against 21CO and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place. The settlement with OCR was approved by the Bankruptcy Court on December 11, 2017. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/21CO/index.html. | 21st Century Oncology FL Healthcare Provider 2213597 | Friday | 2016 |
Xerox State Healthcare, LLC | TX | Business Associate | 2000000 | 2014-09-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | Other | Other Portable Electronic Device | NA | NA |  | Yes |  | Xerox State Healthcare, LLC TX Business Associate 2e+06 | Wednesday | 2014 |
IBM | NY | Business Associate | 1900000 | 2011-04-14 | Unknown | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | IBM NY Business Associate 1900000 | Thursday | 2011 |
GRM Information Management Services | NJ | Business Associate | 1700000 | 2011-02-11 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | Yes | Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity’s (CE) business associate (BA). The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother’s name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | GRM Information Management Services NJ Business Associate 1700000 | Friday | 2011 |
Iowa Health System d/b/a UnityPoint Health | IA | Business Associate | 1421107 | 2018-07-30 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Iowa Health System d/b/a UnityPoint Health IA Business Associate 1421107 | Monday | 2018 |
AvMed, Inc. | FL | Health Plan | 1220000 | 2010-06-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity’s (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR’s investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals. | AvMed, Inc. FL Health Plan 1220000 | Thursday | 2010 |
CareFirst BlueCross BlueShield | MD | Health Plan | 1100000 | 2015-05-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | CareFirst BlueCross BlueShield MD Health Plan 1100000 | Wednesday | 2015 |
Montana Department of Public Health & Human Services | MT | Health Plan | 1062509 | 2014-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Montana Department of Public Health and Human Services, the covered entity (CE), experienced a server hacking incident due to an undetected and unpatched application code vulnerability, which allowed misuse of its information system resources for about 9 months. The incident affected over 1 million individuals’ demographic, clinical, and/or financial information. Upon discovery, the CE immediately took the affected server offline, reported the incident to state and federal law enforcement, and conducted an investigation with assistance from an independent forensics firm. The CE provided breach notification to HHS, affected individuals, and the media. It also set up a call center and offered credit monitoring and identity theft services for all eligible individuals. OCR confirmed that the CE implemented a number of corrective actions as a result of this incident, including technical enhancements and safeguards to protect its information systems and network resources. OCR provided substantial technical assistance, and the CE implemented alternate safeguards, policies, and procedures to more effectively identify and remediate potential vulnerabilities in its server-hosted applications. | Montana Department of Public Health & Human Services MT Health Plan 1062509 | Monday | 2014 |
The Nemours Foundation | FL | Healthcare Provider | 1055489 | 2011-10-07 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A locked cabinet was removed from an IT service desk area at the Wilmington, Delaware facility of the covered entity (CE), The Nemours Foundation during an August 2011 remodeling project. The cabinet housed three unencrypted backup tapes containing the electronic protected health information (ePHI) of 1,055,489 individuals. The ePHI involved in the breach included patients’ names, addresses, social security numbers, diagnoses and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring to affected individuals. Following the incident, the CE hired a private investigator to assist in locating the missing backup tapes; however, they were not recovered. Additionally, the CE retained Navigant Consulting to assess the recoverability of the information and to conduct a validation review of CE’s internal analyses. In response to the incident, the CE improved safeguards by encrypting all backup tapes, storage devices, and electronic media that may contain e-PHI, moving backup tapes to a secure off-site facility, installing non-movable storage cabinets in its data centers, and implementing two-factor authentication for access to ePHI. It also hired a system administrator to manage and audit backup procedures, retrained staff, and updated and created HIPAA policies and procedures, including role-based access to cabinets containing backup data. OCR obtained assurances that the corrective actions listed above were carried out. | The Nemours Foundation FL Healthcare Provider 1055489 | Friday | 2011 |
BlueCross BlueShield of Tennessee, Inc. | TN | Health Plan | 1023209 | 2010-11-01 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No |  | BlueCross BlueShield of Tennessee, Inc. TN Health Plan 1023209 | Monday | 2010 |
Sutter Medical Foundation | AL | Healthcare Provider | 943434 | 2011-11-17 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Sutter Medical Foundation AL Healthcare Provider 943434 | Thursday | 2011 |
Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | AZ | Healthcare Provider | 882590 | 2016-08-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Valley Anesthesiology Consultants, Inc., d/b/a Valley Anesthesiology and Pain Consultants, was acquired by Sheridan Healthcorp, Inc., and became its subsidiary. A third party may have gained unauthorized access to the CE’s computer systems on March 30, 2016, affecting 88,590 individuals. The types of electronic protected health information (ePHI) that were potentially accessed included demographic and clinical information. In response to the breach, the CE immediately disabled the account through which unauthorized access was potentially gained. A forensics firm investigated the breach and reported that approximately nine additional foreign internet protocol (IP) addresses attempted to use remote desktop protocols to access various parts of the CE’s computer systems using accounts with administrator privileges. The CE “blacklisted” these IP addresses as the investigation continued in order to allow the firewall to block any attempts to access the electronic health record program through the remote desktop protocol. The forensics firm also identified fifteen suspicious local accounts and three administration accounts that were potentially compromised. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice in accordance with the Breach Notification Rule. OCR provided technical assistance regarding the CE’s obligations to conduct a comprehensive and current security risk analysis and implement a corresponding risk management/mitigation plan to address any findings. OCR also provided technical assistance regarding the CE’s obligations to document evidence of its implemented security awareness training program, to include training material (not just email reminders), and a record of completion by workforce and management. Additionally, OCR stated the expectation that the CE clarify why non-ePHI applications are not governed by the same user access review procedures. | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants AZ Healthcare Provider 882590 | Friday | 2016 |
Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates | NJ | Business Associate | 839711 | 2014-01-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes |  | Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates NJ Business Associate 839711 | Friday | 2014 |
Iron Mountain Data Products, Inc. (now known as | PA | Business Associate | 800000 | 2010-07-19 | Loss | NA | NA | NA | NA | NA | Electronic Medical Record | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | Yes |  | Iron Mountain Data Products, Inc. (now known as PA Business Associate 8e+05 | Monday | 2010 |
Utah Department of Technology Services | UT | Business Associate | 780000 | 2012-04-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Utah Department of Health, after it reported that a hacker had gained access to the network server of its business associate (BA), Utah Department of Technology Services (DTS). During the cyberattack, the hacker copied the unencrypted electronic protected health information (ePHI) of approximately 780,000 individuals to an internet protocol address in Romania. The ePHI involved in the breach included names, addresses, birth dates, social security numbers, physicians’ names, and procedure codes designed for billing purposes. The CE provided breach notification to HHS, affected individuals, and the media, and provided free credit monitoring to affected individuals. Following the breach, the CE entered into a BA agreement with DTS. It also improved safeguards by developing an incident response plan, improving its password management process, strengthening its security practices to include encryption and improved firewalls, and completing a new risk analysis and risk management plan. OCR obtained assurances that the CE implemented the corrective actions noted above. | Utah Department of Technology Services UT Business Associate 780000 | Wednesday | 2012 |
County of Los Angeles Departments of Health and Mental Health | CA | Healthcare Provider | 749017 | 2016-12-16 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | County of Los Angeles Departments of Health and Mental Health CA Healthcare Provider 749017 | Friday | 2016 |
AHMC Healthcare Inc. and affiliated Hospitals | CA | Healthcare Provider | 729000 | 2013-10-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Two unencrypted laptop computers containing the protected health information (PHI) of 729,000 individuals were stolen from a secure office on October 23, 2013. The types of PHI involved in the breach included financial information, diagnoses, conditions, treatment information, and demographic information. The covered entity (CE), AHMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented and maintained an encryption plan. It also developed policies and procedures regarding access to and receipt and removal of electronic PHI (ePHI). It also improved safeguards to reduce risks and vulnerabilities to ePHI. As a result of this investigation, OCR provided technical assistance to the CE regarding its obligations to implement and maintain policies and procedures that comply with the Privacy and Security Rules, conduct an accurate and thorough risk analysis, and implement a risk management plan. OCR also provided technical assistance regarding encryption. | AHMC Healthcare Inc. and affiliated Hospitals CA Healthcare Provider 729000 | Friday | 2013 |
Commonwealth Health Corporation | KY | Healthcare Provider | 697800 | 2017-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Commonwealth Health Corporation KY Healthcare Provider 697800 | Wednesday | 2017 |
Virginia Department of Medical Assistance Services (VA-DMAS) | VA | Health Plan | 697586 | 2015-03-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Virginia Department of Medical Assistance Services (VA-DMAS) VA Health Plan 697586 | Thursday | 2015 |
Bon Secours Health System Incorporated | MD | Healthcare Provider | 651971 | 2016-08-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Bon Secours Health System Incorporated MD Healthcare Provider 651971 | Friday | 2016 |
CA Department of Developmental Services | CA | Health Plan | 582174 | 2018-04-06 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | CA Department of Developmental Services CA Health Plan 582174 | Friday | 2018 |
MSK Group | TN | Healthcare Provider | 566236 | 2018-05-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | MSK Group TN Healthcare Provider 566236 | Tuesday | 2018 |
Georgia Department of Community Health | GA | Health Plan | 557779 | 2015-03-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Georgia Department of Community Health GA Health Plan 557779 | Monday | 2015 |
LifeBridge Health, Inc | MD | Healthcare Provider | 538127 | 2018-05-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | LifeBridge Health, Inc MD Healthcare Provider 538127 | Tuesday | 2018 |
Peachtree Orthopaedic Clinic | GA | Healthcare Provider | 531000 | 2016-11-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Peachtree Orthopaedic Clinic GA Healthcare Provider 531000 | Friday | 2016 |
EISENHOWER MEDICAL CENTER | CA | Healthcare Provider | 514330 | 2011-03-30 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | EISENHOWER MEDICAL CENTER CA Healthcare Provider 514330 | Wednesday | 2011 |
Health Management Concepts, Inc. | FL | Business Associate | 502416 | 2018-08-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Health Management Concepts, Inc. FL Business Associate 502416 | Wednesday | 2018 |
Airway Oxygen, Inc. | MI | Healthcare Provider | 500000 | 2017-06-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Airway Oxygen, Inc. MI Healthcare Provider 5e+05 | Friday | 2017 |
Radiology Regional Center, PA | FL | Healthcare Provider | 483063 | 2016-02-12 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On December 19, 2015, 12 boxes containing 483,063 patients’ records fell off of the business associate’s (BA) truck and onto the street while being transported to the incinerator. The types of PHI in the records included patients’ names, addresses, dates of birth, social security numbers, claims information, credit card/bank information, diagnosis codes, lab results, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. It also activated a call center on January 12th, 2016, which provided information about the breach for 90 days, and provided identity protection for one year to the affected individuals. In response to the incident, the CE opened an internal investigation and interviewed all relevant staff and its business associate. The CE ended its business relationship with the BA, Lee County Solid Waste Division, and improved safeguards by changing the process for records’ destruction. OCR obtained assurances that the CE implemented the corrective actions listed above. | Radiology Regional Center, PA FL Healthcare Provider 483063 | Friday | 2016 |
Puerto Rico Department of Health - Triple S Management Corp. | PR | Health Plan | 475000 | 2010-11-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On November 5, 2010, the Puerto Rico Department of Health (DOH), a hybrid entity, reported on behalf of the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, that it discovered that two former staff members of the business associates (BAs) Triple-S Salud (TSS) and Triple-C, improperly accessed restricted areas of TSS’ proprietary internet IPA database managed by Triple-C, Inc. The staff members, who were employed by a competitor, were able to gain access to the database because their access rights were not terminated upon leaving the employment of TSS. As a result, the electronic protected health information in the database, including 400,000 of the CE’s members’ names, contract numbers, home addresses, diagnostic codes, and treatment codes, was accessed. DOH provided breach notification to HHS, and TSS provided breach notification to affected individuals, and the media. Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified period. | Puerto Rico Department of Health - Triple S Management Corp. PR Health Plan 475000 | Thursday | 2010 |
AU Medical Center, INC | GA | Healthcare Provider | 417000 | 2018-08-16 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | AU Medical Center, INC GA Healthcare Provider 417000 | Thursday | 2018 |
St Joseph Health System | TX | Healthcare Provider | 405000 | 2014-02-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A computer server containing the records of 405,124 patients of the covered entity (CE), St. Joseph Health System, was hacked during a power surge. The electronic protected health information (ePHI) on the server included names, dates of birth, social security numbers, medical information, bank account information, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved administrative and technical security and developed and revised policies and procedures addressing the breach. OCR obtained assurances that the CE implemented the corrective actions listed. | St Joseph Health System TX Healthcare Provider 405000 | Wednesday | 2014 |
California Correctional Health Care Services | CA | Healthcare Provider | 400000 | 2016-05-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | California Correctional Health Care Services CA Healthcare Provider 4e+05 | Sunday | 2016 |
Spartanburg Regional Healthcare System | SC | Healthcare Provider | 400000 | 2011-05-27 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Three unencrypted desktop computers and one unencrypted laptop computer in need of repair were stolen from an IT employee’s vehicle when he stopped at his home when transporting the equipment from an offsite location to the main hospital. The home stop was against the CE’s internal policies and procedures and exposed the protected health information (PHI) of 402,647 patients, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered affected individuals one year of free credit monitoring. In response to the breach, the CE revised its new employee and upper management orientation materials to reflect updated HIPAA revisions. The CE encrypted all of the hard drives on its computers. It also updated policies and procedures regarding electronic data and use of company vehicles. Additionally, the CE began distributing an information security newsletter to employees. The CE sanctioned the involved employee for violating the CE’s handling of computer equipment policy. OCR obtained assurances that the CE implemented the corrective actions listed above. | Spartanburg Regional Healthcare System SC Healthcare Provider 4e+05 | Friday | 2011 |
Triple-S Salud, Inc. - Breach Case#2 | PR | Health Plan | 398000 | 2014-01-24 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” | Triple-S Salud, Inc. - Breach Case#2 PR Health Plan 398000 | Friday | 2014 |
Triple-S Salud, Inc. | PR | Health Plan | 398000 | 2010-11-18 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” | Triple-S Salud, Inc. PR Health Plan 398000 | Thursday | 2010 |
Community Health Plan of Washington | WA | Health Plan | 381504 | 2016-12-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | No | Transactions Application Group, Inc., a business associate (BA) for the covered entity (CE), Community Health Plan of Washington, failed to properly secure a port on a computer network server used for transferring electronic files (a File Transfer Protocol (FTP) server), resulting in an incident of unauthorized access to electronic protected health information (ePHI) maintained at the BA. The breach affected 381,504 individuals and included individuals’ names, addresses, dates of birth, social security numbers, and certain coding information related to health care claims. The CE provided breach notification to the affected parties, the media, and HHS, and offered one year of free credit and identity theft monitoring. The CE also implemented additional technical safeguards. OCR obtained assurances that the CE implemented the corrective actions listed above. | Community Health Plan of Washington WA Health Plan 381504 | Wednesday | 2016 |
Georgia Department of Community Health | GA | Health Plan | 355127 | 2015-03-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Georgia Department of Community Health GA Health Plan 355127 | Monday | 2015 |
Affinity Health Plan, Inc. | NY | Health Plan | 344579 | 2010-04-14 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.” In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI. | Affinity Health Plan, Inc. NY Health Plan 344579 | Wednesday | 2010 |
Sutherland Healthcare Solutions, Inc. | NJ | Business Associate | 342197 | 2014-05-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes |  | Sutherland Healthcare Solutions, Inc. NJ Business Associate 342197 | Thursday | 2014 |
Emory Healthcare | GA | Healthcare Provider | 315000 | 2012-04-18 | Other | Unknown | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On February 20, 2012, the covered entity (CE), Emory Healthcare, discovered that ten unencrypted back-up compact disks (CDs) containing electronic protected health information (ePHI) were missing. The types of ePHI involved in the breach included clinical and demographic data for 315,000 surgical patients treated at three locations between September 1990 and April 2007. The information on the CDs could only easily be read using decommissioned software. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE required every department to inventory and properly store or destroy PHI. It also distributed educational material to all staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Emory Healthcare GA Healthcare Provider 315000 | Wednesday | 2012 |
Touchstone Medical Imaging, LLC | TN | Healthcare Provider | 307528 | 2014-10-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No |  | Touchstone Medical Imaging, LLC TN Healthcare Provider 307528 | Friday | 2014 |
Beacon Health System | IN | Healthcare Provider | 306789 | 2015-05-22 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Beacon Health System IN Healthcare Provider 306789 | Friday | 2015 |
SSM Health St. Mary’s Hospital - Jefferson City | MO | Healthcare Provider | 301000 | 2018-07-30 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | SSM Health St. Mary’s Hospital - Jefferson City MO Healthcare Provider 301000 | Monday | 2018 |
Central Ohio Urology Group, Inc. | OH | Healthcare Provider | 300000 | 2016-09-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Electronic protected health information (ePHI) contained on the covered entity’s (CE) computer server was compromised by an unauthorized third-party from July 18 to August 2, 2016. The PHI involved in the compromised server included full names, Social Security numbers, dates of birth, home addresses, drivers’ licenses, claims information, credit/bank account numbers, and treatment notes pertaining to 300,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. Following the breach, the CE retained a forensic firm, conducted a new risk assessment, installed an enhanced firewall system, updated its anti-virus software, and implemented safeguards related to access. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Central Ohio Urology Group, Inc. OH Healthcare Provider 3e+05 | Friday | 2016 |
Women’s Health Care Group of PA, LLC | PA | Healthcare Provider | 300000 | 2017-07-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Women’s Health Care Group of PA, LLC PA Healthcare Provider 3e+05 | Saturday | 2017 |
Oklahoma State University Center for Health Sciences | OK | Healthcare Provider | 279865 | 2018-01-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Oklahoma State University Center for Health Sciences OK Healthcare Provider 279865 | Friday | 2018 |
Urology Austin, PLLC | TX | Healthcare Provider | 279663 | 2017-03-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Urology Austin, PLLC TX Healthcare Provider 279663 | Wednesday | 2017 |
Shred-it International Inc. | TX | Business Associate | 277014 | 2013-07-11 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Shred-it International Inc. TX Business Associate 277014 | Thursday | 2013 |
Med Associates, Inc. | NY | Business Associate | 276057 | 2018-06-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Med Associates, Inc. NY Business Associate 276057 | Thursday | 2018 |
Pacific Alliance Medical Center | CA | Healthcare Provider | 266123 | 2017-08-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Pacific Alliance Medical Center CA Healthcare Provider 266123 | Thursday | 2017 |
Seacoast Radiology, PA | NH | Healthcare Provider | 231400 | 2011-01-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No |  | Seacoast Radiology, PA NH Healthcare Provider 231400 | Monday | 2011 |
South Carolina Department of Health and Human Services | SC | Health Plan | 228435 | 2012-04-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), South Carolina Department of Health and Human Services, discovered that an employee sent Medicaid reports to her personal email from January 31, 2012, through April 4, 2012. The breach affected 228,435 individuals and the types of protected health information (PHI) involved in the breach included names, addresses, phone numbers, social security numbers and, for 22,648 individuals, their Medicaid identification numbers. The CE provided timely breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach on its website. In response to the breach, the CE suspended access to most of its ad hoc electronic reporting, initiated a comprehensive review of its privacy and security safeguards, contacted local and federal law enforcement, and sanctioned the responsible employee. The CE also revised its security policies to restrict employee access to PHI to only that necessary for the individual’s job function and implemented an automated monitoring system to track user activity in its computer system. The CE also implemented annual privacy and security training. OCR obtained assurances that the CE implemented the corrective actions listed above. | South Carolina Department of Health and Human Services SC Health Plan 228435 | Tuesday | 2012 |
Indian Health Service | MD | Health Plan | 214000 | 2014-04-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Indian Health Service MD Health Plan 214000 | Tuesday | 2014 |
Premier Healthcare, LLC | IN | Healthcare Provider | 205748 | 2016-03-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On January 4, 2016, the covered entity (CE), Premier Healthcare, LLC, discovered that an unencrypted laptop computer had been stolen from its administrative office in Bloomington, Indiana. The breach affected 205,748 individuals and included addresses, zip codes, dates of birth, names, social security numbers, claims information, credit card and bank account information, and medical information. In March 2016, the missing laptop was returned to the CE in the mail anonymously. The CE consulted with a forensics firm which extricated the hard drive, conducted an analysis, and determined that the laptop had not been turned on and no one had accessed its contents during the time it was missing. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE also established a toll-free telephone number for individuals to call to obtain additional information about the breach. Following the breach, the CE encrypted all of its computers, improved physical safeguards, and implemented new security procedures. OCR obtained documentation from the CE substantiating its implementation of the corrective actions listed above. Indiana University Health Southern Indiana Physicians, Inc. (IUH) acquired the CE, effective May 1, 2017. As part of that transaction, IUH acquired all of the assets of the CE and the CE has ceased operations except for some final activities in winding down its affairs. | Premier Healthcare, LLC IN Healthcare Provider 205748 | Friday | 2016 |
MedEvolve | AR | Business Associate | 205434 | 2018-07-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | MedEvolve AR Business Associate 205434 | Tuesday | 2018 |
Athens Orthopedic Clinic, P.A. | GA | Healthcare Provider | 201000 | 2016-07-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Athens Orthopedic Clinic, P.A. GA Healthcare Provider 201000 | Friday | 2016 |
Digital Archive Management | TX | Business Associate | 189489 | 2013-05-07 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | Digital Archive Management TX Business Associate 189489 | Tuesday | 2013 |
RCR Technology Corporation | IN | Business Associate | 187533 | 2013-07-01 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | RCR Technology Corporation IN Business Associate 187533 | Monday | 2013 |
Millennium Medical Management Resources, Inc. | IL | Business Associate | 180111 | 2010-04-29 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes |  | Millennium Medical Management Resources, Inc. IL Business Associate 180111 | Thursday | 2010 |
Peachtree Neurological Clinic, P.C. | GA | Healthcare Provider | 176295 | 2017-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Peachtree Neurological Clinic, P.C. GA Healthcare Provider 176295 | Friday | 2017 |
Empi Inc and DJO, LLC | MN | Healthcare Provider | 160000 | 2015-08-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Empi Inc and DJO, LLC MN Healthcare Provider 160000 | Thursday | 2015 |
Walgreen Co. | IL | Healthcare Provider | 160000 | 2014-12-15 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Walgreens, mailed patient notification letters to incorrect third parties. The letters included first and last names, addresses, dates of birth, phone numbers, provider names, and details of the vaccines administered and affected approximately 160,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and placed notice on its website. Following the breach, the CE resolved issues in its use of the electronic health record (EHR) that were factors in the breach, updated data in the prescriber database and trained its staff on the new requirements. As a result of OCR’s investigation, Walgreens improved safeguards by resolving two issues in its use of the EHR. | Walgreen Co. IL Healthcare Provider 160000 | Monday | 2014 |
Ankle + Foot Center of Tampa Bay, Inc. | FL | Healthcare Provider | 156000 | 2011-01-03 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE’s internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR’s investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals’ medical records. | Ankle + Foot Center of Tampa Bay, Inc. FL Healthcare Provider 156000 | Monday | 2011 |
Advantage Consolidated LLC | OR | Healthcare Provider | 151626 | 2015-03-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | In February 2015, the covered entity (CE), Advantage Consolidated, LLC, reported that the access credentials of one of its users were wrongfully acquired through the use of malicious software that had been installed on the user’s computer. The intrusion was detected by the CE’s intrusion detection system. The breach affected the e-PHI (names, addresses, DOBs, and SSNs) of 151,626 individuals. The CE provided breach notification to HHS, the affected individuals, and to the media. Following the breach, the CE updated its risk analysis and risk management plan and enhanced its electronic and technical security. OCR obtained assurances that the CE implemented the corrective actions noted above. | Advantage Consolidated LLC OR Healthcare Provider 151626 | Wednesday | 2015 |
St. Peter’s Ambulatory Surgery Center LLC - d/b/a St. Peter’s Surgery & Endoscopy Center | NY | Healthcare Provider | 134512 | 2018-02-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Peter’s Ambulatory Surgery Center LLC - d/b/a St. Peter’s Surgery & Endoscopy Center NY Healthcare Provider 134512 | Wednesday | 2018 |
Oklahoma State Dept. of Health | OK | Healthcare Provider | 132940 | 2011-04-11 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No |  | Oklahoma State Dept. of Health OK Healthcare Provider 132940 | Monday | 2011 |
Siemens Medical Solutions, USA, Inc | PA | Business Associate | 130495 | 2010-06-04 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CDs, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver’s license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR’s investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Siemens Medical Solutions, USA, Inc PA Business Associate 130495 | Friday | 2010 |
Arkansas Oral & Facial Surgery Center | AR | Healthcare Provider | 128000 | 2017-09-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Arkansas Oral & Facial Surgery Center AR Healthcare Provider 128000 | Sunday | 2017 |
Alere Home Monitoring, Inc | CA | Healthcare Provider | 116506 | 2012-10-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Alere Home Monitoring, Inc CA Healthcare Provider 116506 | Thursday | 2012 |
Medical Card System/MCS-HMO/MCS Advantage/MCS Life | PR | Business Associate | 115000 | 2010-11-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes |  | Medical Card System/MCS-HMO/MCS Advantage/MCS Life PR Business Associate 115000 | Tuesday | 2010 |
Community Mercy Health Partners | OH | Healthcare Provider | 113528 | 2016-01-25 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Community Mercy Health Partners, the covered entity (CE), reported that law enforcement officials found paper records belonging to the CE in a dumpster. The breach affected 113,528 individuals. The information consisted of records related to lab studies performed at the CE and included demographic and clinical information such as patient names, addresses, dates of birth, driver’s license information, social security numbers, diagnosis and condition information, lab results, medications and other treatment information. The CE responded to the breach by conducting an investigation to determine the cause of the breach; providing notice to those affected by the breach and providing substitute notice on its website; and offering free credit monitoring to individuals whose social security numbers or financial information may have been compromised by the breach. The CE took voluntary action to dismiss the subcontractor involved in the breach from all of its projects; re-educate the Property Contractor involved in the breach about business associate agreements and reiterate that training on the handling, storage, and disposal of PHI is required before each project begins; re-educate laboratory leaders and staff on records retention; immediately reduce the number of remaining records slated for long-term storage in accordance with its records retention and disposal policies; and implement new internal controls to aid in the mitigation of risk. OCR obtained assurances that the CE implemented the corrective actions noted above. | Community Mercy Health Partners OH Healthcare Provider 113528 | Monday | 2016 |
Crescent Health Inc. - a Walgreens Company | CA | Healthcare Provider | 109000 | 2013-02-22 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Crescent Health Inc. - a Walgreens Company CA Healthcare Provider 109000 | Friday | 2013 |
McLaren Medical Group, Mid-Michigan Physicians Imaging Center | MI | Healthcare Provider | 106008 | 2017-08-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | McLaren Medical Group, Mid-Michigan Physicians Imaging Center MI Healthcare Provider 106008 | Thursday | 2017 |
Memorial Healthcare System | FL | Healthcare Provider | 105646 | 2012-08-16 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No |  | Memorial Healthcare System FL Healthcare Provider 105646 | Thursday | 2012 |
Governor’s Office of Information Technology | CO | Business Associate | 105470 | 2010-07-09 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes |  | Governor’s Office of Information Technology CO Business Associate 105470 | Friday | 2010 |
Boys Town National Research Hospital | NE | Healthcare Provider | 105309 | 2018-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Boys Town National Research Hospital NE Healthcare Provider 105309 | Friday | 2018 |
NRAD Medical Associates, P.C. | NY | Healthcare Provider | 97000 | 2014-06-20 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No |  | NRAD Medical Associates, P.C. NY Healthcare Provider 97000 | Friday | 2014 |
Hartford Hospital | CT | Business Associate | 93500 | 2011-04-05 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A workforce member of the covered entity’s (CE) business associate (BA) saved the electronic protected health information (ePHI) of approximately 93,500 patients on an unsecured computer drive in order to do work from home, and subsequently lost the hard drive. The PHI included names, addresses, dates of birth, marital status, social security numbers and medical record numbers. Following the breach, the workforce member involved was sanctioned for violating the CE’s policies. The CE provided breach notification to the media, HHS, and all affected individuals. It also offered all affected individuals 2 years of free identity protection services. In addition, the CE disabled the ability for all of its computing devices to download ePHI via USB connection ports. Further, it began implementing malicious software prevention utilities as well as data encryption controls to supplement its portable computing devices. OCR obtained assurances that the CE implemented the corrective action listed above. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Hartford Hospital CT Business Associate 93500 | Tuesday | 2011 |
Harrisburg Gastroenterology Ltd | PA | Healthcare Provider | 93323 | 2017-04-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Harrisburg Gastroenterology Ltd PA Healthcare Provider 93323 | Friday | 2017 |
Washington State Health Care Authority (HCA) | WA | Health Plan | 91187 | 2016-02-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A workforce member impermissibly emailed the protected health information (PHI) of 141,288 individuals to an unauthorized personal email account that belonged to another state employee related to the workforce member. The types of PHI involved in the breach included addresses, dates of birth, names, other identifiers, social security numbers, diagnoses, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the covered entity (CE), Washington State Health Care Authority, updated all relevant policies and procedures, implemented additional security measures, and retrained employees. The CE updated its access management program and hired new staff to focus solely on managing access to electronic systems. It also sanctioned the employee involved in the breach. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Washington State Health Care Authority (HCA) WA Health Plan 91187 | Tuesday | 2016 |
Jacobi Medical Center | NY | Healthcare Provider | 90060 | 2015-04-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Jacobi Medical Center NY Healthcare Provider 90060 | Tuesday | 2015 |
Southeast Eye Institute, P.A. dba eye Associates of Pinellas | FL | Healthcare Provider | 87314 | 2016-05-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Southeast Eye Institute, P.A., the covered entity (CE), discovered that its business associate (BA), Bizmatics Inc., suffered a breach after a hacker accessed its servers. The breach affected 87,000 individuals and included patients’ names, addresses, social security numbers, and health visit information. The CE timely sent breach notification to HHS, to affected individuals, to the media, and posted notification on the main page of its website. The CE did not have a BA agreement with Bizmatics at the time of the breach, but following the breach, the CE decided to terminate its relationship with the BA. After terminating its relationship with the BA, the CE received a certificate of records destruction from the, which confirmed that all of the CE’s patient records stored by the BA were destroyed. OCR obtained assurances that the CE implemented the corrective actions listed above. | Southeast Eye Institute, P.A. dba eye Associates of Pinellas FL Healthcare Provider 87314 | Thursday | 2016 |
SCAN Health Plan | CA | Health Plan | 87069 | 2016-08-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Person(s) with electronic account access impermissibly used a sales database containing the protected health information of the covered entity’s (CE) prospective and enrolled members. Approximately 87,069 individuals were affected. The electronic PHI (ePHI) involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers (of 498 individuals), and sales call notes related to diagnoses/health conditions, medications, and physicians’ names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented procedures to increase the monitoring of the database and enhanced its technical security procedures regarding authentication for database access. OCR’s investigation resulted in the CE enhancing its practices for safeguarding ePHI. | SCAN Health Plan CA Health Plan 87069 | Monday | 2016 |
VisionQuest Eyecare | IN | Healthcare Provider | 85995 | 2017-03-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | VisionQuest Eyecare IN Healthcare Provider 85995 | Thursday | 2017 |
OH Muhlenberg, LLC | KY | Healthcare Provider | 84681 | 2015-11-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | Other Portable Electronic Device | NA | NA | NA | NA | No | The FBI notified the covered entity (CE), OH Muhlenberg, LLC, on September 16, 2015, that its information system had been infected with malware known as “QuakBot.” Based on the CE’s internal investigation, it determined that the malware may have been present on its system as early as January 1, 2012 and may have affected its entire patient database of 84,506 patients. The types of protected health information (PHI) involved included names, dates of birth, addresses, phone numbers, driver’s licenses/state identification information, social security numbers, credit card/bank account numbers, health insurance information, and clinical information. In response to the breach, the CE decommissioned affected computers, replaced older computer hardware, implemented revised policies and procedures, improved antivirus protection and provided security awareness training to its workforce. The CE provided breach notification to HHS, to affected individuals, to the media and on its website. OCR obtained assurances that the CE implemented the corrective actions listed above. | OH Muhlenberg, LLC KY Healthcare Provider 84681 | Friday | 2015 |
Patient Care Services at Saint Francis, Inc. | OK | Healthcare Provider | 84000 | 2011-04-06 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Patient Care Services at Saint Francis, Inc. OK Healthcare Provider 84000 | Wednesday | 2011 |
Providence Hospital | MI | Healthcare Provider | 83945 | 2010-04-05 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Providence Hospital MI Healthcare Provider 83945 | Monday | 2010 |
Democracy Data & Communications, LLC ( | VA | Business Associate | 83000 | 2009-12-08 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | In its breach report and during the course of OCR’s investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled ‘Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form’ that centralized all data requests through a ‘Team Track’ which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. | Democracy Data & Communications, LLC ( VA Business Associate 83000 | Tuesday | 2009 |
Aventura Hospital and Medical Center | FL | Healthcare Provider | 82601 | 2014-09-11 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On or around May 28, 2014, the covered entity (CE), Aventura Hospital and Medical Center, discovered that an employee of Valesco Ventures, a contractor that provides staffing and ancillary services, had inappropriately accessed the protected health information (PHI) of about 82,601 patients that included demographic information. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE offered credit monitoring and identity theft protection to all affected individuals. Following the breach, the CE re-trained its workforce on its HIPAA Privacy and Security policies and procedures. Additionally, the CE updated its audit functions to capture similar unauthorized activities in the future. The CE reviewed all access of the system’s users and made changes as needed; it also increased the approval level before anyone can have access to the system. The CE revised its business associate contracts with its business partners. The CE also improved technical safeguards by performing a new risk analysis and creating an updated risk management plan. OCR obtained assurances that the CE implemented the corrective actions listed above. | Aventura Hospital and Medical Center FL Healthcare Provider 82601 | Thursday | 2014 |
Valesco Ventures | FL | Business Associate | 82601 | 2014-09-09 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Valesco Ventures FL Business Associate 82601 | Tuesday | 2014 |
Center for Orthopaedic Specialists - Providence Medical Institute (PMI) | CA | Healthcare Provider | 81550 | 2018-04-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Center for Orthopaedic Specialists - Providence Medical Institute (PMI) CA Healthcare Provider 81550 | Wednesday | 2018 |
City of Philadelphia Fire Department Emergency Medical Services Unit | PA | Healthcare Provider | 81463 | 2015-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | Yes | In 2012 a rogue employee of the covered entity’s (CE) business associate (BA), Intermedix (dba Advanced Data Processing, Inc.), improperly accessed and disclosed the account information of individuals served by 27 ambulance agencies in 17 states. The CE was initially notified that none of its data was involved; however, on February 3, 2015, the CE was notified by law enforcement in Opa-Locka, Florida that a sheet of paper containing account information regarding the CE’s services was found on a person arrested on that date. Following the 2015 notification, the BA’s investigation confirmed 34 known disclosures, 746 likely disclosures and 80,684 individuals’ protected health information (PHI) that was at risk of disclosure. The types of PHI involved in the breach included demographic information, social security numbers, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. The BA offered 36 months of free credit monitoring and fraud resolution services. Following the breach, the BA created an information security team within its Compliance Department, integrated new security measures into its billing system, and developed a new user interface placing further restrictions on employees based on specific job roles. The CE revised the BA agreement. OCR also obtained assurances that the BA implemented the corrective measures listed above. | City of Philadelphia Fire Department Emergency Medical Services Unit PA Healthcare Provider 81463 | Thursday | 2015 |
Emblem Health - GHI | NY | Health Plan | 81122 | 2016-11-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other | Paper/Films | NA | NA | NA | NA | NA | No | NA | Emblem Health - GHI NY Health Plan 81122 | Tuesday | 2016 |
Washington University School of Medicine | MO | Healthcare Provider | 80270 | 2017-03-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Washington University School of Medicine MO Healthcare Provider 80270 | Saturday | 2017 |
Emory Healthcare | GA | Healthcare Provider | 79930 | 2017-02-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Emory Healthcare GA Healthcare Provider 79930 | Tuesday | 2017 |
Tennessee Rural Health Improvement Association | TN | Health Plan | 79000 | 2015-01-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A business associate (BA), BlueCross BlueShield, created a mailing list of its members for the purpose of selling Medicare Advantage marketing products, an activity that was outside of that permitted by the BA agreement. This breach affected 79,000 individuals and included their demographic information. The covered entity (CE), Tennessee Rural Health Improvement Association, provided breach notification to its members that were enrolled in the Medicare supplement insurance plans and non-Medicare insurance plans, as well as to HHS and the media. Following the breach, the CE revised its policies, implemented new technical safeguards, and improved physical security. In addition, it retrained its workforce on the appropriate usage of protected health information (PHI), and minimum necessary determinations for the use and disclosure of PHI. OCR reviewed the BA agreement in place between the CE and BA and determined that it met the requirements of the HIPAA Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. | Tennessee Rural Health Improvement Association TN Health Plan 79000 | Tuesday | 2015 |
Area Agency on Aging, Ohio District 5 | OH | Business Associate | 78042 | 2011-06-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Area Agency on Aging, Ohio District 5 OH Business Associate 78042 | Monday | 2011 |
Salina Family Healthcare Center | KS | Healthcare Provider | 77337 | 2017-08-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | NA | Salina Family Healthcare Center KS Healthcare Provider 77337 | Wednesday | 2017 |
Central Dermatology Center, P.A. | NC | Healthcare Provider | 76258 | 2014-11-07 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Central Dermatology Center, P.A. NC Healthcare Provider 76258 | Friday | 2014 |
UW Medicine, Privacy Manager - Breach | WA | Healthcare Provider | 76183 | 2013-11-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization’s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers. OCR’s investigation indicated UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment | UW Medicine, Privacy Manager - Breach WA Healthcare Provider 76183 | Wednesday | 2013 |
Amerigroup Texas, Inc. | VA | Business Associate | 75026 | 2014-04-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Amerigroup Texas, Inc. VA Business Associate 75026 | Thursday | 2014 |
Stephenville Medical & Surgical Clinic | TX | Healthcare Provider | 75000 | 2017-01-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Stephenville Medical & Surgical Clinic, reported that an employee accidentally emailed a master list of patients whose charts had been purged and/or destroyed to an unauthorized recipient, resulting in the impermissible disclosure of the protected health information (PHI) of approximately 61,701 individuals. The PHI included demographic information. Following discovery of the breach, the CE sanctioned the employee responsible for the breach, implemented additional safeguards, and revised and updated its policies and procedures. OCR provided technical assistance regarding individual and media notification requirements and confirmed that the CE completed the required breach notifications. The CE also offered the affected individuals free credit monitoring services. | Stephenville Medical & Surgical Clinic TX Healthcare Provider 75000 | Monday | 2017 |
Visionworks Inc. | TX | Health Plan | 74944 | 2014-11-10 | Loss | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Visionworks Inc., mislaid a partially encrypted, decommissioned computer server from its in-store lab in Annapolis, Maryland which was not recovered. The server’s hard drive contained the unencrypted protected health information (PHI) of approximately 74,000 individuals. The PHI on the server contained demographic, financial, and clinical information. Following the breach, the CE fully encrypted all servers at all of their locations and replaced servers. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring. The CE also sent letters to each State Attorney General and posted information on the CE’s website regarding the server incident. In addition, the CE re-trained workforce members, instituted new training requirements on privacy and security awareness, and provided refresher training on incident management. Following OCR’s investigation, the CE secured servers with cable locks and tested and installed a maximum security system that encrypts all hard drives on each server. Additionally, the CE completed a company-wide server inventory and hard drive destruction and performed a physical audit of all servers’ boxes. In addition, the CE created a comprehensive system disposal plan. | Visionworks Inc. TX Health Plan 74944 | Monday | 2014 |
Tufts Associated Health Maintenance Organization, Inc. | MA | Health Plan | 70320 | 2018-02-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Tufts Associated Health Maintenance Organization, Inc. MA Health Plan 70320 | Friday | 2018 |
North East Medical Services (NEMS) | CA | Healthcare Provider | 69246 | 2015-07-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), North East Medical Services, reported that on July 11, 2015, an unencrypted laptop computer used to store electronic protected health information (ePHI) was stolen from the trunk of a workforce member’s car. At the time of the breach, the laptop stored ePHI associated with 69,246 individuals. The ePHI included patients’ names, dates of birth, genders, contact information, payers/insurers, diagnoses, medications, treatment information, test results, appointment information, and, in some cases, social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE implemented encryption technology. It also updated relevant policies and procedures, including its policy on the use of encryption technology and strengthened password requirements for access to ePHI. Additionally, the CE sanctioned the workforce member responsible for the breach and provided additional training to all workforce members on its policies and procedures on uses and disclosures of PHI and encryption technology. In response to OCR’s investigation, the CE performed an updated Risk Analysis. | North East Medical Services (NEMS) CA Healthcare Provider 69246 | Friday | 2015 |
Medical Colleagues of Texas, LLP | TX | Healthcare Provider | 68631 | 2016-05-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user obtained remote access to the computer network located at the covered entity (CE), Medical Colleagues of Texas. The types of protected health information (PHI) involved in the breach included the names, addresses, social security numbers, driver’s license numbers, health insurance information, and medical treatment information of approximately 68,631 individuals. As a result of the breach, the CE improved safeguards, and updated policies and procedures. Further, the CE provided breach notification to HHS, affected individuals, and the media and provided free credit monitoring to affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. | Medical Colleagues of Texas, LLP TX Healthcare Provider 68631 | Wednesday | 2016 |
Siemens Medical Solutions, USA | PA | Business Associate | 66601 | 2012-08-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Siemens Medical Solutions, USA PA Business Associate 66601 | Friday | 2012 |
Morehead Memorial Hospital | NC | Healthcare Provider | 66000 | 2017-09-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | In late June 2017, employees at Morehead Memorial Hospital, the covered entity (CE), began reporting suspicious phishing emails to the information technology department. Through its contracted forensic investigator, Navigant Consulting, the CE found that two employee email accounts were compromised and protected health information (PHI) for about 66,000 individuals was exposed. The exposed PHI included treatment information, payment information, names, business reports, diagnostic information and for 1,200 individuals, their social security numbers as well. In response to the breach, the CE reset passwords for all employee accounts. The CE also added phishing information to employee training materials and created an internal website to improve reporting and notification of security incidents. The CE also verbally reminded employees directly involved with the compromised accounts about being vigilant and careful when opening email attachments. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. OCR obtained assurances that the CE implemented the corrective actions noted above. In response to the breach, Morehead initiated a master password reset for all employee accounts. Supplementary information on phishing was added to employee training materials and an internal website was created for better reporting and notification of security incidents. No employees were sanctioned; however, those directly involved with the compromised accounts were verbally reminded about being vigilant and careful in opening email attachments. Morehead provided timely and compliant breach notification to HHS, the affected individuals, and prominent media outlets in the affected jurisdictions. Substitute notice was posted on Morehead’s website in a timely and compliant manner as well. | Morehead Memorial Hospital NC Healthcare Provider 66000 | Friday | 2017 |
Apria Healthcare, Inc. | CA | Healthcare Provider | 65700 | 2012-10-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Apria Healthcare, Inc. CA Healthcare Provider 65700 | Wednesday | 2012 |
East Valley Community Health Center, Inc. | CA | Healthcare Provider | 65000 | 2016-12-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | East Valley Community Health Center, Inc. CA Healthcare Provider 65000 | Thursday | 2016 |
Primary Care Specialists, Inc. | TN | Healthcare Provider | 65000 | 2017-03-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Primary Care Specialists, Inc. TN Healthcare Provider 65000 | Thursday | 2017 |
University of Miami | FL | Healthcare Provider | 64846 | 2012-09-07 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Two employees of the covered entity (CE), University of Miami Hospital, printed patients’ face sheets in excess of their job duties and sold them over a period of 19 months before the activity was discovered by police while on an unrelated house raid. Following notification by the police, the CE conducted an internal investigation and determined that the breach potentially involved the protected health information (PHI) of 64,846 individuals. The PHI involved in the breach included demographic and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also applied sanctions to the involved employees. Following the breach, the CE disseminated educational material to the workforce and reviewed its HIPAA policies and procedures. It also deployed a program which monitors its electronic systems to safeguard against inappropriate use. OCR obtained assurance that the CE took the corrective actions listed above. The CE also confirmed its plan to continue to perform frequent access reviews, periodic audit trail reviews, and to create and retain audit logs for routine analysis. | University of Miami FL Healthcare Provider 64846 | Friday | 2012 |
The Oregon Clinic, P.C. (“The Oregon Clinic”) | OR | Healthcare Provider | 64487 | 2018-05-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | The Oregon Clinic, P.C. (“The Oregon Clinic”) OR Healthcare Provider 64487 | Tuesday | 2018 |
Urgent Care Clinic of Oxford | MS | Healthcare Provider | 64000 | 2016-09-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On August 2, 2016, the covered entity (CE), Urgent Care Clinic of Oxford, discovered that its server was hacked by an unauthorized third party. The CE investigated and determined that the hackers gained access to the server through an administrative account set up by the CE’s technology contractor. The types of protected health information (PHI) involved in the breach included patient names, addresses, dates of birth, driver’s licenses, social security numbers, claims information, diagnoses and conditions, lab results, and medications, affecting approximately 64,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE immediately shut down its server’s remote access, contacted law enforcement, hired forensic investigators and installed a new network sonic wall to protect its entire system. OCR provided technical assistance to the CE regarding risk analysis and risk management. Consequently, the CE altered its policies and procedures to include full monthly testing of its server and a new risk assessment in accordance with OCR’s Security Risk Assessment Tool. Moreover, the CE retrained its workforce on its updated policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | Urgent Care Clinic of Oxford MS Healthcare Provider 64000 | Friday | 2016 |
Florida Agency Persons for Disabilities | FL | Health Plan | 63627 | 2018-03-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Florida Agency Persons for Disabilities FL Health Plan 63627 | Thursday | 2018 |
Middletown Medical P.C. | NY | Healthcare Provider | 63551 | 2018-03-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Middletown Medical P.C. NY Healthcare Provider 63551 | Thursday | 2018 |
The Neurological Institute of Savannah & Center for Spine | GA | Healthcare Provider | 63425 | 2011-08-15 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | The Neurological Institute of Savannah & Center for Spine GA Healthcare Provider 63425 | Monday | 2011 |
St.Vincent Hospital and Health Care Center, Inc. | IN | Healthcare Provider | 63325 | 2015-02-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), St. Vincent Health, mismailed letters about a closed practice, affecting approximately 63,325 individuals. The types of protected health information (PHI) involved in the breach included patients’ names, addresses and, in some cases, information regarding upcoming appointments. Following the breach, the CE executed a business associate agreement with a new vendor for its marketing and mailing initiatives and utilized new software for its marketing initiatives to provide additional accountability and controls. Additionally, the CE added more verification steps to its mailing process. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above. | St.Vincent Hospital and Health Care Center, Inc. IN Healthcare Provider 63325 | Friday | 2015 |
St. Vincent Hospital and Health Care Center, Inc. | IN | Business Associate | 63325 | 2014-07-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | St. Vincent Hospital and Health Care Center, Inc. IN Business Associate 63325 | Wednesday | 2014 |
Children’s Mercy Hospital | MO | Healthcare Provider | 63049 | 2018-01-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s Mercy Hospital MO Healthcare Provider 63049 | Wednesday | 2018 |
Cincinnati Childrens Hospital Medical Center | OH | Healthcare Provider | 60998 | 2010-06-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce member’s car. The ePHI stored on the laptop included names, medical record numbers, and services received. The covered entity (CE) provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees. OCR obtained assurances that the CE implemented the corrective action listed above. | Cincinnati Childrens Hospital Medical Center OH Healthcare Provider 60998 | Tuesday | 2010 |
State of Tennessee State Insurance Plan | TN | Health Plan | 60582 | 2014-08-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), State of Tennessee State Insurance Plan, discovered on June 10, 2014, that Onsite Health Diagnostics, a subcontractor of its business associate (BA) American Healthways Services, experienced a security incident in which an unknown source gained unauthorized access to its online scheduler during the period from January 4, 2014 to April 11, 2014. The incident resulted in unauthorized access to an information table containing names, dates of birth, addresses, email addresses, phone numbers, and genders of 60,582 individuals. The CE had a BA agreement in place with the BA. The CE provided breach notification to HHS and demanded that the BA submit a corrective action plan to make sure the problem that led to the breach had been remediated. The subcontractor provided breach notification to HHS, sent individual notification, and provided media notice. The subcontractor offered identity protection to the affected individuals and transitioned customers to an improved scheduling system. OCR obtained assurances from the CE that the CE, BA, and subcontractor implemented the corrective actions noted above. | State of Tennessee State Insurance Plan TN Health Plan 60582 | Friday | 2014 |
Onsite Health Diagnostics (OHD) | TX | Business Associate | 60582 | 2014-08-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Onsite Health Diagnostics (OHD) TX Business Associate 60582 | Friday | 2014 |
Ohio Department of Mental Health and Addiction Services | OH | Healthcare Provider | 59000 | 2016-04-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Ohio Department of Mental Health and Addiction Services OH Healthcare Provider 59000 | Friday | 2016 |
L.A. Gay & Lesbian Center | CA | Healthcare Provider | 59000 | 2013-12-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | L.A. Gay & Lesbian Center CA Healthcare Provider 59000 | Tuesday | 2013 |
Triple-S Salud | PR | Health Plan | 56853 | 2014-05-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” | Triple-S Salud PR Health Plan 56853 | Thursday | 2014 |
Omnicell, Inc. | CA | Business Associate | 56820 | 2012-12-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An electronic medication dispensing device was stolen from the locked car of an Omnicell employee. Omnicell is a business associate (BA) of the covered entity (CE), Sentara. The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CE’s patients. Breach notification was provided to HHS, the media and affected individuals. The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards. The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members. As a result of OCR’s investigation, OCR obtained an executive summary of the BA’s risk analysis and a copy of the CE’s most recent risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Omnicell, Inc. CA Business Associate 56820 | Monday | 2012 |
Boston Baskin Cancer Foundation | TN | Healthcare Provider | 56694 | 2015-02-02 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On December 2, 2014, a Boston Baskin Cancer Foundation employee’s laptop computer and external hard drive were stolen. The external hard drive contained the electronic protected health information (ePHI) of 56,000 individuals and included patients’ names, dates of birth, social security numbers, addresses, phone numbers, clinic medical record numbers, and the first and last dates seen by the clinic. The investigation concluded that the ePHI was copied and stored on an unencrypted external hard drive. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and offered affected individuals complimentary credit monitoring. In response to the breach, the CE deployed software to prevent the downloading of unencrypted documents from computers to portable media. The CE implemented a policy requiring employees to create a passcode for their mobile devices. The CE also revised its risk management policy and established procedures for the removal of hardware and electronic media containing ePHI. After the breach the CE retrained staff and physicians on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | Boston Baskin Cancer Foundation TN Healthcare Provider 56694 | Monday | 2015 |
Stanford School of Medicine & LP Children Hosp, Privacy Manager Breach | CA | Healthcare Provider | 56500 | 2013-01-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Stanford School of Medicine (SOM) and Stanford Children’s Hospital (SCH)(formerly Lucile Packard Children’s Hospital), reported that on January 9, 2013, a SOM workforce member’s password-protected laptop was stolen from the workforce member’s vehicle. The CE reported that the electronic protected health information (ePHI) stored on the laptop was unencrypted. The ePHI of approximately 56,500 individuals may have been affected by this incident. The ePHI included demographic and clinical information related to SCH patient care and SOM research. Following this incident, the CE contacted law enforcement, notified the affected individuals, offered identity protection services to the affected individuals, established a call center to assist affected individuals with questions or concerns, and submitted notification to the media and HHS. The CE reported that there was no evidence of unauthorized access to the ePHI stored on the laptop. As a result of the breach and OCR’s corresponding investigation, the CE sanctioned the workforce member for violating HIPAA policies, and retrained workforce members on data security policies. SCH implemented enhanced administrative and technical safeguards to ensure secure email communications, and the CE initiated plans to implement an improved risk management process. | Stanford School of Medicine & LP Children Hosp, Privacy Manager Breach CA Healthcare Provider 56500 | Wednesday | 2013 |
Enterprise Services LLC | IN | Business Associate | 56075 | 2017-06-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | Yes | NA | Enterprise Services LLC IN Business Associate 56075 | Tuesday | 2017 |
Dignity Health | CA | Healthcare Provider | 55947 | 2018-05-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Dignity Health CA Healthcare Provider 55947 | Thursday | 2018 |
Sutherland Healthcare Solutions | CA | Business Associate | 55900 | 2014-03-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | On March 21, 2014, the covered entity (CE), San Francisco General Hospital & Trauma Center reported that eight desktop computers were stolen from Sutherland Healthcare Solutions, Inc., the CE’s business associate (BA). The computers contained the electronic protected health information (ePHI) of 27,676 individuals. The ePHI involved in the breach included names, addresses, birth dates, social security numbers, admission and discharge information, treatment location, diagnosis and billing information. The CE provided breach notification to HHS, affected individuals and the media. The CE trained its workforce members on the policies and procedures for responding and reporting security incidents. OCR obtained assurances that the CE implemented the corrective actions noted above. | Sutherland Healthcare Solutions CA Business Associate 55900 | Friday | 2014 |
Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates | NJ | Health Plan | 55700 | 2016-12-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates NJ Health Plan 55700 | Friday | 2016 |
ABCD Pediatrics, P.A. | TX | Healthcare Provider | 55447 | 2017-03-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | ABCD Pediatrics, P.A., the covered entity (CE) reported that its electronic health records system was hacked and ransomware began encrypting protected health information (PHI) stored on its servers. The PHI included patient names, addresses, dates of birth, Social Security numbers, drivers’ license information, diagnoses, medical conditions, lab results, medications, other treatments, and claims information. Approximately 55,447 individuals were affected by the breach. The CE took several corrective action steps to resolve the issue raised in the breach report. The corrective action taken included closing down remote access to terminal services and requiring workforce members to use a Virtual Private Network for remote access. The CE also conducted audits and disabled inactive user accounts, strengthened password requirements, and implemented account lockout policies. During the investigation, OCR verified that the CE implemented encryption on laptops and mobile devices. OCR provided technical assistance concerning the breach notification policies of the CE and received revised versions of those policies. The CE also revised policies regarding periodic risk analyses to update its Security Rule requirements in accordance with OCR’s technical assistance. | ABCD Pediatrics, P.A. TX Healthcare Provider 55447 | Sunday | 2017 |
Banner Health | AZ | Healthcare Provider | 55207 | 2014-03-05 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Banner Health AZ Healthcare Provider 55207 | Wednesday | 2014 |
Cancer Care Group, P.C. | IN | Healthcare Provider | 55000 | 2012-08-28 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies. Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana. On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients. OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility. “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.” Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office. | Cancer Care Group, P.C. IN Healthcare Provider 55000 | Tuesday | 2012 |
Lebanon Internal Medicine Associates | PA | Healthcare Provider | 55000 | 2011-11-02 | Improper Disposal | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Lebanon Internal Medicine Associates PA Healthcare Provider 55000 | Wednesday | 2011 |
Molina Healthcare | CA | Health Plan | 54203 | 2015-09-18 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | A former employee of the covered entity’s (CE) business associate (BA), CVS Health, impermissibly exfiltrated the CE’s member information from its systems and saved the protected health information (PHI) onto his personal computer. The PHI involved in the breach included full names, member identification numbers, health card numbers, plan codes and states, and start and end dates. The breach affected approximately 54,203 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notification. The CE also offered individuals one year of free identity theft protection membership. As a result of this incident, the CE required the BA to improve safeguards by enhancing security for the BA’s fraud management tool and databases containing PHI, and updating its security procedures. OCR reviewed the CE’s policies, procedures, and/or documentation related to impermissible disclosures, safeguards, business associates, and breach notification and obtained assurances that the BA implemented the corrective actions listed above. | Molina Healthcare CA Health Plan 54203 | Friday | 2015 |
Praxair Healthcare Services, Inc. (Home Care Supply in NY) | CT | Healthcare Provider | 54165 | 2010-04-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen from the covered entity’s office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR’s investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. | Praxair Healthcare Services, Inc. (Home Care Supply in NY) CT Healthcare Provider 54165 | Monday | 2010 |
Onco360 and CareMed Specialty Pharmacy | KY | Healthcare Provider | 53173 | 2018-01-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Onco360 and CareMed Specialty Pharmacy KY Healthcare Provider 53173 | Friday | 2018 |
Valley Hope Association | KS | Healthcare Provider | 52076 | 2016-02-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On December 30, 2015, a Valley Hope Association employee’s work-issued laptop computer was stolen from her vehicle. The incident affected approximately 52,076 individuals. The protected health information (PHI) stored on the laptop included names, addresses, dates of birth, phone numbers, social security numbers, medical record numbers, treatment types and locations, as well as health insurance, financial, and medication information. The employee immediately reported the incident to the local police and the covered entity (CE). The CE conducted a forensic analysis and concluded that the system had not been accessed following the theft. Following the breach, the CE terminated the computer’s access to its computer network, reset the user’s password, and verified the laptop had no open connections to other electronic systems. The CE encrypted all devices containing PHI and implemented the use of software to mask social security numbers. The CE also developed an information security and privacy committee, updated its policies and procedures manual, and trained staff on its updated policies and procedures relating to password use and development, automatic time outs on electronic devices, malware, and network access rights. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on the home page of its website. OCR obtained assurances that the CE implemented the corrective actions listed above. | Valley Hope Association KS Healthcare Provider 52076 | Friday | 2016 |
Network Health | WI | Health Plan | 51232 | 2017-09-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Network Health WI Health Plan 51232 | Friday | 2017 |
InSync Computer Solutions, Inc. | AL | Business Associate | 50918 | 2014-07-11 | Other | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | InSync Computer Solutions, Inc. AL Business Associate 50918 | Friday | 2014 |
Lancaster County EMS | SC | Healthcare Provider | 50000 | 2015-06-04 | Improper Disposal | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A safe containing two unencrypted computer flash drives and two unencrypted hard drives went missing from the administration building of covered entity (CE), Lancaster County EMS. The protected health information (PHI) stored on the missing hard drives and flash drives included patients’ names, addresses, dates of birth, social security numbers, medications, medical histories, medical treatment, and healthcare insurance information for 55,000 individuals. The CE provided breach notification to HHS, the 55,000 affected individuals, and the media. In response to the breach, the CE implemented universal controls to ensure that only the CE’s devices can connect to its network. The CE also implemented security controls and physical safeguards to further restrict access to its server room. In addition, the CE implemented video security system monitoring of its server room. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lancaster County EMS SC Healthcare Provider 50000 | Thursday | 2015 |
AT&T Group Health Plan | TX | Health Plan | 50000 | 2015-03-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | AT&T Group Health Plan TX Health Plan 50000 | Monday | 2015 |
Alamance Caswell Local Management Entity | NC | Business Associate | 50000 | 2012-01-10 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Alamance Caswell Local Management Entity NC Business Associate 50000 | Tuesday | 2012 |
Iron Mountain | CA | Business Associate | 49714 | 2014-08-15 | Improper Disposal | Loss | Theft | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Iron Mountain CA Business Associate 49714 | Friday | 2014 |
Kaiser Foundation Hospital- Orange County | CA | Healthcare Provider | 49000 | 2013-11-22 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kaiser Foundation Hospital - Orange County, misplaced a portable computer drive containing the protected health information (PHI) of 49,000 individuals. The types of PHI involved in the breach included names, dates of birth, and medications. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE began phasing out the use of flash drives or similar devices and initiated a plan to replace computers, and store PHI on secured servers behind the CE’s firewall. OCR provided technical assistance on conducting a security risk analysis, and as a result of its investigation OCR informed the CE that it is required to conduct an enterprise-wide security risk analysis. | Kaiser Foundation Hospital- Orange County CA Healthcare Provider 49000 | Friday | 2013 |
North Carolina Department of Health and Human Services | NC | Health Plan | 48752 | 2014-01-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | North Carolina Department of Health and Human Services NC Health Plan 48752 | Tuesday | 2014 |
Visionworks Inc. | TX | Health Plan | 47683 | 2014-11-21 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Visionworks Inc. TX Health Plan 47683 | Friday | 2014 |
Oklahoma Department of Human Services | OK | Health Plan | 47000 | 2017-12-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An unauthorized source accessed a state assessment computer server, located at and maintained by an outside vendor. The server contained state assessment information that included names and social security numbers of 47,000 current and former clients of the covered entity (CE), Oklahoma Department of Human Services. As a result of OCR’s technical assistance, the CE provided breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. Due to OCR’s investigation, the CE entered into a business associate agreement with the outside vendor. OCR obtained assurances that the CE implemented the corrective actions noted above. The CE also began researching the possibility of creating a HIPAA “hybrid entity.” | Oklahoma Department of Human Services OK Health Plan 47000 | Tuesday | 2017 |
Torrance Memorial Medical Center | CA | Healthcare Provider | 46632 | 2017-06-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Torrance Memorial Medical Center CA Healthcare Provider 46632 | Monday | 2017 |
Administracion de Seguros de Salud - Triple S Salud Inc (BA) | PR | Business Associate | 46473 | 2014-04-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | On March 27, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, reported that on January 14, 2014, it became aware that sometime before October 9, 2013, a former employee of Triple-S Salud’s business associate (BA), Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unspecified period of time and which he subsequently downloaded onto a computer at his new employer. The ePHI included beneficiary enrollment information, including names, dates of birth, contract numbers, health insurance claim number, home addresses, and social security numbers of 54,384 of the CE’s beneficiaries. The CE provided breach notification to HHS, affected individuals, and the media. Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff within a specified period. | Administracion de Seguros de Salud - Triple S Salud Inc (BA) PR Business Associate 46473 | Tuesday | 2014 |
Blue Springs Family Care, P.C. | MO | Healthcare Provider | 44979 | 2018-07-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Blue Springs Family Care, P.C. MO Healthcare Provider 44979 | Tuesday | 2018 |
GOLDEN HEART ADMINISTRATIVE PROFESSIONALS | AK | Business Associate | 44600 | 2018-07-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | GOLDEN HEART ADMINISTRATIVE PROFESSIONALS AK Business Associate 44600 | Monday | 2018 |
Methodist Dallas Medical Center | TX | Healthcare Provider | 44000 | 2013-12-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Methodist Dallas Medical Center TX Healthcare Provider 44000 | Friday | 2013 |
Eye Institute of Corpus Christi | TX | Healthcare Provider | 43961 | 2016-02-26 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | After review of the response from the entity, OCR determined that a breach of protected health information did not occur. | Eye Institute of Corpus Christi TX Healthcare Provider 43961 | Friday | 2016 |
Aspire Indiana, Inc. | IN | Healthcare Provider | 43890 | 2015-01-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Aspire Indiana, Inc. IN Healthcare Provider 43890 | Wednesday | 2015 |
Henry Ford Health System | MI | Healthcare Provider | 43563 | 2017-12-01 | Theft | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Henry Ford Health System MI Healthcare Provider 43563 | Friday | 2017 |
Froedtert Health | WI | Healthcare Provider | 43549 | 2013-02-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Froedtert Health WI Healthcare Provider 43549 | Tuesday | 2013 |
Freelancers Insurance Company | NY | Health Plan | 43068 | 2015-03-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Freelancers Insurance Company NY Health Plan 43068 | Tuesday | 2015 |
Coplin Health Systems | WV | Healthcare Provider | 43000 | 2017-12-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On December 29, 2017, the covered entity (CE), Coplin Health System, reported that a password-protected, unencrypted laptop computer issued to a part-time employee was stolen from his automobile. The employee notified law enforcement and the CE immediately notified its information technology (IT) department of the theft. Further inquiry determined that the employee did not store protected health information (PHI) on the laptop, but used it to access and use the CE’s online Electronic Health Record (EHR) system and email system. The CE could not eliminate the risk that the laptop could have contained some PHI saved by prior users. At the time of the theft, the CE had an encryption policy in place requiring all laptops issued to employees to be encrypted. The CE immediately cancelled the credentials issued to the employee that enabled him to access its IT systems, including the EHR system. The CE’s IT department monitored its IT systems for any signs of unauthorized access and is expected to do so indefinitely. The CE counseled the employee on policies and procedures with regard to security for laptops. Following the breach, the CE ensured that every laptop in its inventory was either encrypted or removed from active service. The CE also began implementing a mobile device management solution that will allow it to remotely wipe any CHS-owned devices that might be lost or stolen in the future. OCR obtained a copy of the CE’s current risk assessment, its breach notification to affected individuals, and copies of HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Coplin Health Systems WV Healthcare Provider 43000 | Friday | 2017 |
The Union Labor Life Insurance Company | MD | Healthcare Provider | 42713 | 2014-06-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | The Union Labor Life Insurance Company MD Healthcare Provider 42713 | Friday | 2014 |
Aultman Hospital | OH | Healthcare Provider | 42625 | 2018-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Aultman Hospital OH Healthcare Provider 42625 | Friday | 2018 |
Alliance Health Networks, LLC | UT | Healthcare Provider | 42372 | 2016-02-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 17, 2015, the covered entity (CE), Alliance Health Networks, LLC., discovered that a test database containing protected health information (PHI) was accessible to the public via the Internet. The breach affected approximately 42,372 individuals, and their unsecured PHI included names, addresses, telephone numbers, email addresses, medications, and some clinical information. The CE provided breach notification to affected individuals, the media, and HHS. The CE also mitigated the effects of the breach by immediately securing the database, implementing monitoring of its test databases, performing weekly vulnerability scans of its systems, and updating its policies to ensure that production data is not used in test databases. In resolving the breach, OCR provided the CE with technical assistance regarding necessary changes to its policies and procedures, as well its risk management process. | Alliance Health Networks, LLC UT Healthcare Provider 42372 | Monday | 2016 |
Holland Eye Surgery and Laser Center | MI | Healthcare Provider | 42200 | 2018-05-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Holland Eye Surgery and Laser Center MI Healthcare Provider 42200 | Friday | 2018 |
Safe Ride Services, Inc | AZ | Healthcare Provider | 42000 | 2012-05-01 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Safe Ride Services, Inc AZ Healthcare Provider 42000 | Tuesday | 2012 |
University of Wisconsin-Madison School of Pharmacy | WI | Business Associate | 41437 | 2014-01-30 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | | University of Wisconsin-Madison School of Pharmacy WI Business Associate 41437 | Thursday | 2014 |
The Corvallis Clinic, P.C. | OR | Healthcare Provider | 41000 | 2014-12-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A personal laptop computer belonging to an employee of the covered entity (CE), The Corvallis Clinic, P.C., was stolen from the employee’s locked automobile. The stolen laptop contained the electronic protected health information (ePHI) of 41,000 individuals and included patients’ names, addresses, dates of birth, phone numbers, appointment dates, and the names of treating providers. The CE provided the required notifications under the Breach Notification Rule. Following the breach, the CE sanctioned the involved employee and implemented network access control software that restricts employees from gaining access to internal network resources using personally owned equipment. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. | The Corvallis Clinic, P.C. OR Healthcare Provider 41000 | Friday | 2014 |
Greigh I. Hirata M.D. Inc, dba. Fetal Diagnostic Institute of the Pacific | HI | Healthcare Provider | 40800 | 2018-08-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Greigh I. Hirata M.D. Inc, dba. Fetal Diagnostic Institute of the Pacific HI Healthcare Provider 40800 | Thursday | 2018 |
MedWatch LLC | FL | Business Associate | 40621 | 2018-04-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | MedWatch LLC FL Business Associate 40621 | Friday | 2018 |
Stamford Podiatry Group .P.C | CT | Healthcare Provider | 40491 | 2016-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Stamford Podiatry Group .P.C CT Healthcare Provider 40491 | Wednesday | 2016 |
Silicon Valley Eyecare Optometry and Contact Lenses | CA | Healthcare Provider | 40000 | 2010-05-13 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A computer network server and a television were stolen from the covered entity (CE), Silicon Valley Eyecare. The CE’s network server contained the electronic protected health information (ePHI) of approximately 40,000 individuals and included demographic information, social security numbers, diagnoses, and insurance information. The CE investigated the incident and provided breach notification to HHS, affected individuals, and media. As a result of OCR’s investigation, the CE provided its most recent risk analysis, risk management plan, security training program, and policies and procedures regarding administrative, physical and technical safeguards. | Silicon Valley Eyecare Optometry and Contact Lenses CA Healthcare Provider 40000 | Thursday | 2010 |
Seton Family of Hospitals | TX | Healthcare Provider | 39000 | 2015-04-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Seton Family of Hospitals, the covered entity (CE), experienced two email phishing attacks. The attacks involved protected health information (PHI) including the names, dates of birth, social security numbers, and treatment information of approximately 39,160 individuals. Upon discovering the breach, the CE took steps to immediately disable affected email accounts. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved technical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Seton Family of Hospitals TX Healthcare Provider 39000 | Friday | 2015 |
Self Regional Healthcare | SC | Healthcare Provider | 38906 | 2014-07-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On May 25, 2014, a password-protected, unencrypted laptop computer containing the protected health information (PHI) of 38,906 patients was stolen from the covered entity’s (CE) administrative offices during a break-in. The PHI involved in the breach included patients’ names, social security numbers, driver license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly addresses. The CE provided breach notification to HHS, the media, and affected individuals, and offered credit monitoring. The CE also contacted the local police department and conducted an internal investigation. Following the breach, the CE revised its HIPAA policies and procedures and retrained its entire workforce on its policies and procedures. The CE also improved facility access safeguards and encrypted computers. OCR obtained assurances that the CE implemented the corrective actions listed above. | Self Regional Healthcare SC Healthcare Provider 38906 | Friday | 2014 |
Indiana State Medical Association | IN | Health Plan | 38351 | 2015-03-06 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Indiana State Medical Association IN Health Plan 38351 | Friday | 2015 |
Legacy Health | OR | Healthcare Provider | 38000 | 2018-08-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Legacy Health OR Healthcare Provider 38000 | Monday | 2018 |
Martin Luther King Jr. Health Center, Inc. | NY | Business Associate | 37000 | 2013-10-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses. Martin Luther King Jr. Health Center, the covered entity (CE) who had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the PHI from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by the most commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed. | Martin Luther King Jr. Health Center, Inc. NY Business Associate 37000 | Friday | 2013 |
Ortho Montana, PSC | MT | Healthcare Provider | 37000 | 2011-02-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop containing the electronic protected health information (ePHI) of approximately 37,000 patients was lost or stolen when the laptop was taken to an event by a workforce member. Following the breach, the covered entity (CE) sanctioned the workforce member who was responsible for handling the laptop. As a result of OCR’s investigation, the CE conducted a risk analysis and developed a risk management plan. The CE also removed ePHI from laptops and encrypted laptops, tablets, and cellular smart phones. Additionally, the CE developed new procedures and revised existing procedures in order to safeguard ePHI. | Ortho Montana, PSC MT Healthcare Provider 37000 | Tuesday | 2011 |
Vascular Surgical Associates | GA | Healthcare Provider | 36496 | 2016-11-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Vascular Surgical Associates GA Healthcare Provider 36496 | Thursday | 2016 |
Jersey City Medical Center | NJ | Healthcare Provider | 36400 | 2014-08-07 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Jersey City Medical Center NJ Healthcare Provider 36400 | Thursday | 2014 |
Triple-S Advantage, Inc. | NA | Health Plan | 36305 | 2018-02-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Triple-S Advantage, Inc. NA Health Plan 36305 | Friday | 2018 |
Center for Orthopedic Research and Education, Inc. | AZ | Healthcare Provider | 35488 | 2012-12-21 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Center for Orthopedic Research and Education, Inc. AZ Healthcare Provider 35488 | Friday | 2012 |
MD Manage (Vcarve LLC) | NJ | Business Associate | 35357 | 2014-10-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | MD Manage (Vcarve LLC) NJ Business Associate 35357 | Wednesday | 2014 |
ATI Holdings, LLC and its subsidiaries | IL | Healthcare Provider | 35136 | 2018-03-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | ATI Holdings, LLC and its subsidiaries IL Healthcare Provider 35136 | Monday | 2018 |
City of Houston Medical Plan | TX | Health Plan | 34637 | 2018-03-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Houston Medical Plan TX Health Plan 34637 | Thursday | 2018 |
Quest Diagnostics | NJ | Healthcare Provider | 34055 | 2016-12-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Quest Diagnostics NJ Healthcare Provider 34055 | Monday | 2016 |
St. Mark’s Surgical Center, LLC | FL | Healthcare Provider | 33877 | 2017-08-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Mark’s Surgical Center, LLC FL Healthcare Provider 33877 | Wednesday | 2017 |
Confluence Health | WA | Healthcare Provider | 33821 | 2018-07-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Confluence Health WA Healthcare Provider 33821 | Friday | 2018 |
Santa Rosa Memorial Hospital, Privacy Manager Breach | CA | Healthcare Provider | 33702 | 2014-06-13 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A thumb drive containing data pertaining to X-rays provided between February 2, 2009 and May 13, 2014, was believed to have been stolen from a staff member’s locker during a burglary that occurred on June 2, 2014, at the Santa Rosa Memorial Imaging Center. The thumb drive contained information pertaining to X-rays provided by the Redwood Regional Medical Group and Santa Rosa Memorial Hospital. The types of electronic protected health information (ePHI) included in the breach included names, medical record numbers, dates of birth, genders, dates and times of service, body part(s) examined, names of technologists, and data related to the amount of radiation to produce the X-ray. The breach affected approximately 33,702 individuals. This breach was resolved as part of the Resolution Agreement and Corrective Action Plan for St. Joseph Health which may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh. | Santa Rosa Memorial Hospital, Privacy Manager Breach CA Healthcare Provider 33702 | Friday | 2014 |
Rainbow Children’s Clinic | TX | Healthcare Provider | 33698 | 2016-10-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On August 3, 2016, a hacker accessed the covered entity’s (CE) computer system and subsequently launched a ransomware attack, which began encrypting data stored on the CE’s computer servers. The CE immediately shut down its computer system to prevent loss of patient information, and promptly launched an investigation. The CE retained an independent computer forensic expert to assist with the investigation and discovered that some patient records were irretrievably deleted. The CE provided breach notification to HHS, affected individuals, and the media. The CE did not receive any indication that any personal data was misused. However, out of an abundance of caution, the CE offered affected patients identity protection services. Following the breach, the CE installed new anti-virus protection software on all machines operating on its network. It also implemented a policy that specifies staff will be trained on the following topics: how to identify/handle potential scams/hoaxes; how protection software operates; good security practices for web browsing, sharing files, email attachments; risks of installing unsupported software, and; what to do when anti-virus and mal-ware protection software detects a computer virus or worm. OCR obtained assurances that the CE implemented the corrective actions noted above. | Rainbow Children’s Clinic TX Healthcare Provider 33698 | Monday | 2016 |
Cedars-Sinai Health System | CA | Healthcare Provider | 33136 | 2014-09-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Cedars-Sinai Health System, reported that an employee’s unencrypted laptop computer was stolen during a residential burglary. Although the computer was used primarily for troubleshooting pathology software, some electronic protected health information (ePHI) of approximately 33,136 individuals was potentially stored in temporary files on the laptop’s hard drive. The CE terminated the laptop’s remote access capabilities and conducted an internal investigation. Although the CE’s laptops are encrypted as per its policy, the encryption for this laptop was disabled by a helpdesk service provider when providing assistance. The CE provided breach notification to HHS, affected individuals, and the media, and posted notice of the incident on its website. The CE has not learned of any identity theft or other misuse of the potentially affected information resulting from this incident. Following OCR’s investigation, the CE updated its policies and procedures related to the storage, transmission and encryption of ePHI, as well as the enforcement of its employees’ adherence to these policies and procedures. | Cedars-Sinai Health System CA Healthcare Provider 33136 | Wednesday | 2014 |
County of Los Angeles | CA | Healthcare Provider | 33000 | 2010-09-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | County of Los Angeles CA Healthcare Provider 33000 | Friday | 2010 |
MMM Healthcare, Inc. | PR | Healthcare Provider | 32390 | 2011-05-09 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Thieves broke into the MMM Healthcare, Inc. facility located in Humacao, Puerto Rico and stole four unencrypted desktop computers containing 32,390 health plan members’ electronic protected health information (ePHI). The ePHI stored in the stolen computers included names, addresses, phone numbers, Medicare numbers, diagnosis and treatment information, health plan names, health plan member identification numbers, health plan enrollment information, health care claim information, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired a damaged wall and improved physical security for the facility and the surrounding premises. As a result of OCR’s investigation, the CE encrypted all computers located at its regional offices. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, OCR stated its expectation that the CE will perform a thorough and accurate risk analysis and establish a risk management plan. In addition, OCR stated its expectation that the CE will implement contingency operations procedures, implement its security policies and procedures, and regularly patch and update its IT infrastructure. OCR stated an expectation for the CE to encrypt ePHI where appropriate, and document the technical safeguards implemented to prohibit the unauthorized copying and removal of PHI and ePHI from the premises. | MMM Healthcare, Inc. PR Healthcare Provider 32390 | Monday | 2011 |
M2ComSys Inc. | NV | Business Associate | 32151 | 2013-08-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | M2ComSys Inc. NV Business Associate 32151 | Thursday | 2013 |
MedAssets | NJ | Business Associate | 32008 | 2011-08-18 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | | MedAssets NJ Business Associate 32008 | Thursday | 2011 |
Cogent Healthcare, Inc. | TN | Business Associate | 32000 | 2013-08-30 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Cogent Healthcare, Inc., a business associate (BA) providing management services for 24 providers of hospitalist services, submitted a breach report to HHS on behalf of these covered entities. The BA’s privacy officer found that protected health information (PHI) for which the BA was responsible was accessible on a File Transfer Protocol (FTP) Internet site. The PHI involved in the breach affected approximately 32,151 individuals and included patients’ names, physicians’ names, dates of birth, diagnoses, treatment summaries, medical histories, medical record numbers and related information. OCR determined that the reporting entity is a BA and the incident occurred prior to the September 23, 2013, enforcement date. OCR provided the BA with technical assistance regarding current HIPAA Privacy and Security Rule BA requirements. | Cogent Healthcare, Inc. TN Business Associate 32000 | Friday | 2013 |
Pulmonary Specialists of Louisville, PSC | KY | Healthcare Provider | 32000 | 2017-11-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Pulmonary Specialists of Louisville, PSC KY Healthcare Provider 32000 | Monday | 2017 |
MetroPlus Health Plan, Inc. | NY | Health Plan | 31980 | 2014-11-20 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | An employee of Metro Plus Health Plan, Inc., emailed two unencrypted files to her personal and work email addresses containing the electronic protected health information (ePHI) of 31,980 members of the health plan, which included members’ names, addresses, dates of birth and social security numbers. Metro Plus Health Plan, the covered entity (CE), provided breach notification to HHS, the media, and affected individuals, including the offer of one year of credit monitoring services. The CE also documented the unauthorized disclosure of its members’ ePHI for accounting of disclosure purposes. Following the breach, the CE conducted an internal investigation, sanctioned the employee, ensured the ePHI was deleted from the employee’s personal email account, and reminded its employees regarding prohibitions against emailing members’ ePHI to personal email accounts. Additionally, the CE is expected to conduct a risk analysis and implement a corresponding risk management plan as required by the Security Rule. | MetroPlus Health Plan, Inc. NY Health Plan 31980 | Thursday | 2014 |
WellPoint, Inc. | IN | Health Plan | 31700 | 2010-07-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | WellPoint, Inc. IN Health Plan 31700 | Friday | 2010 |
Central Utah Clinic | UT | Healthcare Provider | 31677 | 2014-08-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Central Utah Clinic UT Healthcare Provider 31677 | Thursday | 2014 |
Acadiana Computer Systems, Inc. | LA | Business Associate | 31151 | 2018-08-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Acadiana Computer Systems, Inc. LA Business Associate 31151 | Friday | 2018 |
Sport and Spine Rehab | MD | Healthcare Provider | 31120 | 2017-08-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | Sport and Spine Rehabilitation, the covered entity (CE), reported that on June 3, 2017, through remote access, a cyber attacker successfully executed a ransomware attack that encrypted the data stored on its computer servers, potentially affecting 34,000 individuals. The types of protected health information (PHI) that were involved included patients’ names, addresses, dates of birth, social security numbers, and medical information. The CE immediately shut down the computer network and contracted with Lore Systems, Inc. to perform a full security sweep of the server infrastructure and perform a number of corrective actions. Lore Systems, Inc. informed the CE that the attack infected the “cloud” server, at which point files were encrypted on the CE’s virtual office server (VOS) through the mapped network drive. The CE confirmed that all encrypted files were limited to just the data folder on the VOS server. The CE provided breach notification to HHS, affected individuals, and the media. The CE hired Provendatarecovery.com to restore the files to their original locations and ensure the computer server environment was clean. The CE indicated that manual scans across all devices are performed once per week and that all devices are protected by on-access or on-demand scanning. OCR reviewed a copy of the CE’s policies and procedures on uses and disclosures of PHI and safeguards, the CE’s risk analysis, its training program, and the security measures implemented to address risks and vulnerabilities. OCR obtained assurances that the CE implemented the corrective actions listed. | Sport and Spine Rehab MD Healthcare Provider 31120 | Tuesday | 2017 |
Laser &amp; Dermatologic Surgery Center | MO | Healthcare Provider | 31000 | 2016-06-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user accessed the covered entity’s (CE) computer server several times between March 1, 2016, and March 21, 2016. The server contained patients’ names, addresses, dates of birth, and social security numbers affecting approximately 31,000 individuals. The CE, Laser &amp; Dermatologic Surgery Center, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented firewall lockdowns that prevented external access into its computer network and decommissioned all of its breached electronic systems. The CE also completed additional network segmentation by creating a new domain and network, then wiped and rebuilt computer workstations and moved them to a secure network. The CE also trained staff on its Security Awareness policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | Laser &amp; Dermatologic Surgery Center MO Healthcare Provider 31000 | Tuesday | 2016 |
SEIM JOHNSON, LLP | NE | Business Associate | 30972 | 2016-02-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Seim Johnson, LLP, reported on behalf of 10 health care provider clients that its health care auditor took his firm-issued laptop computer on a non-business weekend trip. When the employee arrived home from this trip, he discovered the backpack containing the laptop was missing. The laptop contained the protected health information (PHI) of 30,972 individuals and included demographic, clinical, and financial information. The BA provided breach notification to HHS, affected individuals, and the media. After investigating this incident, the BA determined that the laptop may not have been effectively encrypted. Following the breach, the BA sanctioned the involved employee and its security officer, retrained employees on security risks involving portable devices, and implemented new policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. | SEIM JOHNSON, LLP NE Business Associate 30972 | Monday | 2016 |
Mississippi State Department of Health | MS | Healthcare Provider | 30799 | 2018-03-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Mississippi State Department of Health MS Healthcare Provider 30799 | Monday | 2018 |
Agency for Health Care Administration | FL | Health Plan | 30000 | 2018-01-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Agency for Health Care Administration FL Health Plan 30000 | Friday | 2018 |
Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan) | CA | Health Plan | 30000 | 2014-12-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | OCR determined that no breach occurred in this case. | Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan) CA Health Plan 30000 | Friday | 2014 |
REEVE-WOODS EYE CENTER | CA | Healthcare Provider | 30000 | 2014-11-15 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | OCR investigated the covered entity (CE), Reeve-Woods Eye Center, after the CE reported a breach of 43,000 individuals’ electronic protected health information (ePHI) regarding malware that infiltrated its electronic network on, or around, August 1 through September 17, 2014. The malware caused, among other things, the system to disclose screenshots and keystrokes outside the CE’s network. The types of ePHI involved in the breach included patients’ names, social security numbers, dates of birth, addresses, telephone numbers, dates of service, insurance information, diagnosis codes, treatment information, and medical histories. The CE informed and cooperated with the FBI regarding the incident. In response to OCR’s contact in this matter, the CE ensured the proper breach notifications were provided, cleared the system of the malware, and took steps to increase its safeguards and technical security measures. | REEVE-WOODS EYE CENTER CA Healthcare Provider 30000 | Saturday | 2014 |
Seguin Dermatology, Office of Robert J. Magnon, MD | TX | Healthcare Provider | 29969 | 2016-11-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user obtained remote access to the computer system of the covered entity (CE), Seguin Dermatology. The protected health information (PHI) potentially affected included the names, addresses, dates of birth, and social security numbers of approximately 29,969 individuals. As a result of the breach, the CE improved safeguards, updated its policies and procedures, and trained its workforce members on better practices to protect PHI. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed. | Seguin Dermatology, Office of Robert J. Magnon, MD TX Healthcare Provider 29969 | Wednesday | 2016 |
SSM Health | MO | Healthcare Provider | 29579 | 2017-12-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | SSM Health MO Healthcare Provider 29579 | Thursday | 2017 |
Inogen, Inc. | CA | Healthcare Provider | 29528 | 2018-04-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Inogen, Inc. CA Healthcare Provider 29528 | Tuesday | 2018 |
Integrity Transitional Hospital | TX | Healthcare Provider | 29514 | 2016-10-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On February 7, 2018, OCR received notification from Integrity Transitional Hospital’s Chief Operating Officer that Integrity ceased all healthcare business activities, effective September 1, 2017. OCR verified this information. Under these circumstances Integrity is no longer a covered entity and is not subject to the requirements of HIPAA. | Integrity Transitional Hospital TX Healthcare Provider 29514 | Friday | 2016 |
St. Luke’s Cornwall Hospital | NY | Healthcare Provider | 29156 | 2015-12-30 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Luke’s Cornwall Hospital NY Healthcare Provider 29156 | Wednesday | 2015 |
Midwest Orthopedic Pain and Spine | MO | Healthcare Provider | 29153 | 2016-07-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Midwest Orthopedic Pain and Spine MO Healthcare Provider 29153 | Tuesday | 2016 |
The University of Texas MD Anderson Cancer Center | TX | Healthcare Provider | 29021 | 2013-01-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | The University of Texas MD Anderson Cancer Center TX Healthcare Provider 29021 | Thursday | 2013 |
Care 1st Health Plan | CA | Business Associate | 29000 | 2010-07-06 | Loss | Other | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | | Care 1st Health Plan CA Business Associate 29000 | Tuesday | 2010 |
Gibson General Hospital | IN | Healthcare Provider | 28893 | 2012-12-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer containing the electronic protected health information (ePHI) of 28,893 individuals was stolen from the home of one of the covered entity’s (CE) employees during a burglary. The ePHI included names, addresses, telephone numbers, social security numbers, medical record numbers, plan beneficiary numbers, and clinical information. The CE, Gibson General Hospital, provided breach notification to HHS, affected individuals, and the media, as well as substitute notice. Following the breach, the CE offered one year of free credit monitoring services to affected individuals. The CE also improved safeguards by encrypting all its laptop computers. As a result of OCR’s investigation, the CE implemented new security policies and procedures related to safeguarding ePHI. | Gibson General Hospital IN Healthcare Provider 28893 | Wednesday | 2012 |
CareAll Management, LLC | TN | Healthcare Provider | 28300 | 2014-08-12 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | CareAll Management, LLC TN Healthcare Provider 28300 | Tuesday | 2014 |
New West Health Services d/b/a New West Medicare | MT | Health Plan | 28209 | 2016-01-15 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), New West Health Services, dba New West Medicare, after it reported that an employee’s unencrypted laptop computer was stolen from a hotel meeting room. The types of electronic protected health information (ePHI) involved in the breach included demographic information, social security numbers, Medicare claim numbers, financial information, diagnoses, medical histories, and prescription information, and affected 28,209 individuals. The CE provided breach notification to HHS, affected individuals, and the media and provided individuals with free credit monitoring and identity theft protection services. Following the breach, the CE improved safeguards by recalling all of its laptops to ensure they were encrypted, installing geo-location capabilities on all of its laptops, and installing remote wiping software on all of its company-issued BlackBerry devices. The CE also sanctioned the employee whose laptop was stolen, retrained its staff on HIPAA privacy and security requirements, and created a new data incident response plan. OCR obtained assurances that the CE implemented the corrective actions noted above. Due to financial considerations, the CE announced that it will cease all operations in 2017 after it fulfills its 2016 insurance plan requirements. | New West Health Services d/b/a New West Medicare MT Health Plan 28209 | Friday | 2016 |
Health Plus Amerigroup | NY | Business Associate | 28187 | 2013-03-01 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues. | Health Plus Amerigroup NY Business Associate 28187 | Friday | 2013 |
OHP PHSP, Inc. | NY | Business Associate | 28187 | 2012-12-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | During the course of investigating this incident OCR learned that the reporting entity is not a covered entity. | OHP PHSP, Inc. NY Business Associate 28187 | Friday | 2012 |
ABB, Inc. | NC | Healthcare Provider | 28012 | 2017-09-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On August 25, 2017, four employees of the covered entity (CE), ABB, Inc.’s health plan, were the victims of an email phishing scheme, potentially exposing the names, dates of birth, addresses, social security numbers, and insurance member identification numbers of 28,017 individuals. The CE provided breach notification to HHS, affected individuals and the media. At the time of the breach and currently, the CE trained its employees on its HIPAA policies and procedures and had a policy in place concerning suspicious emails. In response to the breach, the CE strengthened its technical security policies and procedures, and implemented additional security measures for its email system to protect against email cyberattacks. OCR obtained assurances that the CE implemented the corrective actions listed above. | ABB, Inc. NC Healthcare Provider 28012 | Monday | 2017 |
New Jersey Spine Center | NJ | Healthcare Provider | 28000 | 2016-09-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | New Jersey Spine Center NJ Healthcare Provider 28000 | Thursday | 2016 |
HealthPartners Inc | MN | Health Plan | 27839 | 2014-03-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | No | | HealthPartners Inc MN Health Plan 27839 | Friday | 2014 |
Sovereign Medical Group, LLC | NJ | Healthcare Provider | 27800 | 2012-12-27 | Hacking/IT Incident | Theft | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Sovereign Medical Group, LLC, after it reported that its data files were corrupted and were inaccessible on its network server. The CE received a ransom note from a hacker advising that if it paid the specified amount the CE could regain access to its files. The breach affected 27,800 individuals and the types of electronic protected health information (ePHI) included demographic information, social security numbers, driver’s license numbers, insurance information, dates of services, claims information, diagnoses, and procedure codes. Upon discovering the breach, the CE filed reports with the police department, the county prosecutor’s office, and the Federal Bureau of Investigations. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring services to the affected individuals. As a result of the breach, the CE closed inbound communication ports to the contaminated server, deployed a web-filtering mechanism to scan and monitor all outbound traffic, and disabled all wireless networks. OCR provided the CE with technical assistance regarding the HIPAA Security Rule. | Sovereign Medical Group, LLC NJ Healthcare Provider 27800 | Thursday | 2012 |
Blount Memorial Hospital, Inc | TN | Healthcare Provider | 27799 | 2012-10-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Blount Memorial Hospital, reported that a laptop computer containing the electronic protected health information (ePHI) of 27,799 individuals was stolen from a workforce member’s home. The ePHI involved in the breach included demographic and other financial information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE reviewed its privacy and security policies and procedures, encrypted all of its laptops, and improved its HIPAA training. As a result of OCR’s investigation, OCR provided technical assistance regarding the CE’s security incident procedures and risk management plan. OCR also reviewed the CE’s HIPAA policies and procedures that were created or revised in response to the breach. | Blount Memorial Hospital, Inc TN Healthcare Provider 27799 | Wednesday | 2012 |
Wal-Mart Stores, Inc. | AR | Healthcare Provider | 27393 | 2016-06-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Wal-Mart Stores, after it discovered an erroneous mailing of refund checks by its business associate (BA), Harte-Hanks Direct Marketing/Kansas City, LLC. This breach resulted in unauthorized disclosure of 27,379 individuals’ protected health information, which included names, store locations, refund amounts, prescription or order numbers, and order dates. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above. | Wal-Mart Stores, Inc. AR Healthcare Provider 27393 | Wednesday | 2016 |
UNC Health Care System | NC | Healthcare Provider | 27113 | 2017-12-08 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | UNC Health Care System NC Healthcare Provider 27113 | Friday | 2017 |
T&P Consulting, INC. d/b/a Quantum Health Consulting | PR | Business Associate | 27098 | 2012-03-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE’s business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. Lastly, the CE also provided media notification and notification to all individuals affected by the breach. | T&P Consulting, INC. d/b/a Quantum Health Consulting PR Business Associate 27098 | Monday | 2012 |
The University of Texas at Arlington | TX | Healthcare Provider | 27000 | 2010-07-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. | The University of Texas at Arlington TX Healthcare Provider 27000 | Friday | 2010 |
WellCare Health Plans, Inc. | FL | Health Plan | 26942 | 2018-09-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | WellCare Health Plans, Inc. FL Health Plan 26942 | Friday | 2018 |
Brandywine Pediatrics, P.A. | DE | Healthcare Provider | 26873 | 2016-12-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Brandywine Pediatrics, P.A. DE Healthcare Provider 26873 | Friday | 2016 |
Illinois Valley Podiatry Group | IL | Healthcare Provider | 26588 | 2016-03-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | Bizmatics, Inc., a business associate (BA) that provided online storage and management of patient health records for the covered entity (CE), Illinois Valley Podiatry Group, discovered an unauthorized access to the servers on which the CE’s patient files were stored. The breach affected 26,588 individuals’ electronic protected health information (ePHI). The types of ePHI involved in the breach included diagnoses and conditions, medications, and other treatment information. The CE provided breach notification to HHS and the media and posted substitute notice on its website. The BA provided breach notification to affected individuals at the direction of the CE. As a result of OCR’s investigation, the CE executed a new BA agreement with Bizmatics with provisions regarding the use, disclosure, and safeguarding of protected health information (PHI). OCR obtained documented assurances that the BA and CE implemented the corrective actions noted above. | Illinois Valley Podiatry Group IL Healthcare Provider 26588 | Tuesday | 2016 |
Jamaica Hospital Medical Center | NY | Healthcare Provider | 26162 | 2014-05-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Jamaica Hospital Medical Center, the covered entity (CE), reported a breach occurring from August 1, 2011 through March 27, 2014, resulting from five employees impermissibly accessing the protected health information (PHI) of 26,162 patients who had been seen in the CE’s Emergency Department. The PHI included patient names, addresses, dates of birth, Social Security Numbers, diagnoses, insurance information, age, sex, telephone number and dates of admission. The five employees disclosed the PHI to third parties for solicitation purposes. The CE provided breach notification to HHS, the media, and the affected individuals, and posted notice to its website. Following the breach, the CE terminated the five employees and redesigned work flows to allow for greater oversight of employees. OCR provided technical assistance to the CE on corrective action needed to demonstrate the CE’s compliance. OCR obtained assurances that the CE implemented the corrective actions listed. Additionally, the CE is expected to conduct a comprehensive and thorough risk analysis, implement a corresponding remediation plan, and implement improvements to its processes regarding information system activity review and information access management. | Jamaica Hospital Medical Center NY Healthcare Provider 26162 | Friday | 2014 |
Highlands Cashier Hospital | NC | Healthcare Provider | 26115 | 2014-12-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A business associate (BA), Computer Programs and Systems, Inc., adjusted the covered entity’s (CE) firewall in a manner that potentially exposed the protected health information (PHI) of 26,115 individuals on the internet. The types of PHI included patients’ names, addresses, dates of birth, treatment information, and social security numbers (for 21,072 individuals). The CE sent timely breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach on its website. In response to the breach, the CE implemented additional firewall safeguard procedures, began monitoring traffic to and from its website, and began conducting external vulnerability scans. OCR obtained assurances that the CE implemented the corrective actions listed above. | Highlands Cashier Hospital NC Healthcare Provider 26115 | Thursday | 2014 |
Arkansas Department of Human Services | AR | Health Plan | 26000 | 2017-09-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Arkansas Department of Human Services AR Health Plan 26000 | Friday | 2017 |
Tampa Bay Surgery Center | FL | Healthcare Provider | 25848 | 2017-06-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Tampa Bay Surgery Center, was notified by the FBI that on May 4, 2017, patient information had been posted online. Based on the CE’s internal investigation, it was determined that a cyber-attacker known as “The Dark Overlord” had compromised remote access to its information system and stole a spreadsheet containing the names, dates of birth, addresses, and social security numbers of 25,848 individuals. The CE provided breach notification to HHS, to affected individuals, to the media and posted notice on its website. In response to the breach, the CE substantially revised its technical security safeguards, including access controls. OCR obtained assurances that the CE implemented the corrective actions listed above. | Tampa Bay Surgery Center FL Healthcare Provider 25848 | Tuesday | 2017 |
Computer Programs and Systems, Inc. | AL | Business Associate | 25764 | 2014-11-26 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Computer Programs and Systems, Inc. AL Business Associate 25764 | Wednesday | 2014 |
Virginia Premier Health Plan (VPHP) | VA | Business Associate | 25513 | 2014-01-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Virginia Premier Health Plan, a business associate (BA) of the covered entity (CE), Virginia Department of Medical Assistance Services (VA-DMAS), mailed incorrect postcards to Virginia Medicaid members. The breach included 13,357 postcards that were mailed to the wrong address and 12,156 postcards that contained incorrect services information. The information did not include social security numbers or financial information. The BA provided breach notification to HHS, the media, and to affected individuals in English and Spanish. Following this breach, the BA improved safeguards by retraining employees on safeguards for protected health information, updating procedures for mailings, and implementing additional quality control checks. OCR obtained assurances that the BA implemented the corrective action listed above. | Virginia Premier Health Plan (VPHP) VA Business Associate 25513 | Friday | 2014 |
InfoCrossing, Inc. | MO | Business Associate | 25461 | 2013-09-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | InfoCrossing, Inc. MO Business Associate 25461 | Friday | 2013 |
Assurecare Risk Management, Inc. | IL | Business Associate | 25330 | 2011-07-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Gypsum Management & Supply, Inc. Medical and Dental Plan, is a management company for a network of drywall supply yards that offers group health plans for its employees. On May 9, 2011, the computer server of the CE’s former business associate (BA), Assurecare Risk Management, Inc., was hacked, exposing the demographic, clinical, and health insurance information for 25,330 of the CE’s employees, many of whom no longer worked with the CE at the time of the breach. The CE provided breach notification to HHS, to affected individuals, and to the media. Because the breach incident involved a BA and occurred prior to the September 23, 2013, compliance date, OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. The CE’s internal investigation revealed little activity on the server as a result of the hack. In addition, no reports of misuse of information have been reported. OCR obtained assurances that the CE took the corrective actions listed above. | Assurecare Risk Management, Inc. IL Business Associate 25330 | Thursday | 2011 |
Santa Cruz County Health Services Agency | CA | Healthcare Provider | 25000 | 2016-09-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Santa Cruz County Health Services Agency, reported a breach of unsecured PHI when a break-in occurred at the CE’s storage area. The CE initially reported that the breach affected approximately 25,000 individuals. However, an internal investigation, conducted with law enforcement assistance, revealed later that no breach had occurred because the break-in did not affect the paper records. OCR provided technical assistance to the CE. The CE implemented additional physical safeguards, updated its HIPAA policies and procedures and trained its staff on privacy and security awareness. | Santa Cruz County Health Services Agency CA Healthcare Provider 25000 | Friday | 2016 |
Fort Worth Allergy and Asthma Associates | TX | Healthcare Provider | 25000 | 2010-08-05 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Several computers, including a server, were stolen during a burglary at the covered entity’s (CE) premises. The breach affected approximately 25,000 individuals and included names, addresses, dates of birth, social security numbers, driver license numbers, diagnoses, and conditions. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS. It also improved physical security and began using a new model for its management practices with an off-site encrypted database. After the initiation of OCR’s investigation, the CE amended its business associate agreement. | Fort Worth Allergy and Asthma Associates TX Healthcare Provider 25000 | Thursday | 2010 |
Saint Agnes Health Care, Inc. | MD | Healthcare Provider | 24967 | 2015-04-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Saint Agnes Health Care, Inc. MD Healthcare Provider 24967 | Friday | 2015 |
WellCare Health Plans, Inc. | FL | Health Plan | 24809 | 2017-01-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On January 27, 2017, WellCare Health Plans, Inc., the covered entity (CE), submitted a Breach Report stating that Summit Reinsurance, a reinsurer for the CE, had experienced a data security event. OCR has reviewed the matter, and based on our review, OCR has determined that no violation of the HIPAA laws occurred. | WellCare Health Plans, Inc. FL Health Plan 24809 | Friday | 2017 |
Pioneer Valley Pathology | MA | Business Associate | 24750 | 2010-08-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A Boston Globe employee discovered the unsecured paper medical records of Pioneer Valley Pathology, a group practice with offices inside Holyoke Medical Center (HMC), at a trash transfer station. The breach affected approximately 24,750 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, and medical information. HMC is not the covered entity (CE) responsible for this breach and it filed the breach report in error. OCR provided HMC with technical assistance related to breach notification. OCR opened a compliance review against the CE responsible for this breach. | Pioneer Valley Pathology MA Business Associate 24750 | Wednesday | 2010 |
Our Lady of Peace Hospital | KY | Healthcare Provider | 24600 | 2010-12-29 | Loss | Theft | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | | Our Lady of Peace Hospital KY Healthcare Provider 24600 | Wednesday | 2010 |
PMC Medicare Choice | PR | Health Plan | 24361 | 2011-05-09 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Thieves broke into the PMC Medicare Choice facility located in Humacao, Puerto Rico and stole four unencrypted desktop computers containing 24,361 health plan members’ electronic protected health information (ePHI). The ePHI included names, addresses, phone numbers, Medicare HIC numbers, diagnosis and treatment information, health plan names, health plan member identification numbers, health plan enrollment information, health care claim information, and social security numbers. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired a damaged wall and improved security at the facility and the surrounding premises. OCR obtained assurances that the CE implemented the corrective actions noted above. As a result of OCR’s investigation, the CE encrypted all computers located at its regional offices. OCR stated its expectation that the CE will perform a thorough and accurate risk analysis and establish a risk management plan. In addition, OCR stated an expectation that the CE will implement contingency operations procedures, implement its facility security plan’s policies and procedures, and regularly patch and update its IT infrastructure. OCR also stated an expectation that the CE will encrypt and decrypt ePHI where appropriate and document the technical safeguards implemented to prohibit the unauthorized copying and removal of PHI and ePHI. | PMC Medicare Choice PR Health Plan 24361 | Monday | 2011 |
Public Health Trust of Miami-Dade County, Florida | FL | Healthcare Provider | 24188 | 2016-02-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Public Health Trust of Miami-Dade County, Florida FL Healthcare Provider 24188 | Friday | 2016 |
Decatur County General Hospital | TN | Healthcare Provider | 24000 | 2018-01-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Decatur County General Hospital TN Healthcare Provider 24000 | Friday | 2018 |
Emory Healthcare | GA | Healthcare Provider | 24000 | 2017-12-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Emory Healthcare GA Healthcare Provider 24000 | Friday | 2017 |
Montefiore Medical Center | NY | Healthcare Provider | 23753 | 2010-07-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals. The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras. Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy. | Montefiore Medical Center NY Healthcare Provider 23753 | Friday | 2010 |
Mayfield Clinic Inc | OH | Healthcare Provider | 23341 | 2016-04-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized person sent a fraudulent email with an attachment that triggered a download of a ransomware virus to 23,341 email addresses held by the covered entity’s (CE’s) business associate (BA) on its behalf. The protected health information (PHI) involved in the breach included email addresses. The CE sent an email notification to affected individuals on the day of the incident and sent another email notification two days later. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its web site. Following the breach, the CE assessed system controls, provided anti-scanning updates to its employees’ email, deleted the email addresses it maintained on its BA’s systems, and put a hold on the future electronic distribution of newsletters. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Mayfield Clinic Inc OH Healthcare Provider 23341 | Saturday | 2016 |
Prosthetic & Orthotic Care, Inc. | MO | Healthcare Provider | 23015 | 2016-08-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Prosthetic & Orthotic Care, Inc. MO Healthcare Provider 23015 | Sunday | 2016 |
National Counseling Group | VA | Healthcare Provider | 23000 | 2016-03-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | National Counseling Group VA Healthcare Provider 23000 | Monday | 2016 |
Aon Consulting | PA | Business Associate | 22642 | 2010-09-07 | Other | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The business associate prepared a document as part of a request for proposal for the covered entity’s vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. | Aon Consulting PA Business Associate 22642 | Tuesday | 2010 |
Cook County Health & Hospitals System | IL | Healthcare Provider | 22511 | 2014-01-11 | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Cook County Health and Hospital Systems, reported that on November 12, 2013, as part of a public health project between the CE and another academic medical center, a physician at the CE sent an unencrypted email with an excel attachment to a collaborator outside the CE’s firewall. The attachment contained the protected health information (PHI) of 22,511 individuals. The attachment was not encrypted as required by organizational policy. The types of PHI involved in the breach included demographic information and lab results. The CE provided breach notification to HHS, affected individuals, and the media. The CE disciplined the employee with a 14 day suspension, implemented a new email security program, and retrained its employees and staff on the program. OCR obtained documentation from the CE that it implemented the corrective actions listed above. | Cook County Health & Hospitals System IL Healthcare Provider 22511 | Saturday | 2014 |
St. Joseph Heritage Healthcare | CA | Healthcare Provider | 22012 | 2010-04-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | 22 computers were stolen from Clinical Management Service office. Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCR’s investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. | St. Joseph Heritage Healthcare CA Healthcare Provider 22012 | Friday | 2010 |
Reid Hospital & Health Care Services | IN | Healthcare Provider | 22001 | 2011-05-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted, password protected laptop computer was stolen from an employee’s home on April 2, 2011. The covered entity (CE), Reid Hospital & Health Care Services, reported that this breach affected 22,001 individuals and that the laptop contained names, social security numbers, Medicare numbers, and some reports entitled “psychiatric services.” The CE investigated the breach and provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE completed encryption of its laptop and desktop computers, implemented safeguards for its email system and smartphones, and updated its mobile media policy. It also completed a new risk analysis and implemented action steps in its risk management plan. OCR obtained assurances that the CE implemented the corrective actions listed above. | Reid Hospital & Health Care Services IN Healthcare Provider 22001 | Friday | 2011 |
Cleveland Medical Associates, PLLC | TN | Healthcare Provider | 22000 | 2017-06-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Cleveland Medical Associates, PLLC TN Healthcare Provider 22000 | Tuesday | 2017 |
North Ottawa Medical Group | MI | Healthcare Provider | 22000 | 2016-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | North Ottawa Medical Group MI Healthcare Provider 22000 | Thursday | 2016 |
AssuranceMD f/k/a Harbor Group | PA | Business Associate | 22000 | 2013-05-07 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brooker’s business associate, AssuranceMD, and a subcontracted electronic medical records storage company. The ePHI involved in the breach included patients’ names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers. Dr. Brooker provided breach notification to HHS and affected individuals. Following the breach he updated his HIPAA policies and procedures. OCR obtained assurances that the corrective action steps listed above were completed. Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice. | AssuranceMD f/k/a Harbor Group PA Business Associate 22000 | Tuesday | 2013 |
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) | IL | Healthcare Provider | 22000 | 2017-12-09 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) IL Healthcare Provider 22000 | Saturday | 2017 |
Elderplan, Inc. | NY | Health Plan | 22000 | 2017-08-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Elderplan, Inc. NY Health Plan 22000 | Saturday | 2017 |
New York State Office of Mental Health | NY | Healthcare Provider | 21880 | 2016-08-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | New York State Office of Mental Health NY Healthcare Provider 21880 | Monday | 2016 |
CBS Consolidated, Inc. | NE | Business Associate | 21856 | 2017-09-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CBS Consolidated, Inc. NE Business Associate 21856 | Tuesday | 2017 |
Denton Heart Group - Affiliate of HealthTexas Provider Network | TX | Healthcare Provider | 21665 | 2017-03-10 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized individual stole the external computer hard drive of the covered entity (CE), Denton Heart Group. The protected health information (PHI) potentially affected included the names, addresses, dates of birth, and social security numbers of approximately 21,556 individuals. As a result of the breach, the CE improved safeguards and trained its workforce members on better practices to protect PHI. Further, the CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed. | Denton Heart Group - Affiliate of HealthTexas Provider Network TX Healthcare Provider 21665 | Friday | 2017 |
Reliable Respiratory | MA | Healthcare Provider | 21311 | 2018-09-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Reliable Respiratory MA Healthcare Provider 21311 | Saturday | 2018 |
Harris County | TX | Health Plan | 21000 | 2013-07-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Harris County TX Health Plan 21000 | Tuesday | 2013 |
Thomas Jefferson University Hospitals, Inc. | PA | Healthcare Provider | 21000 | 2010-08-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Thomas Jefferson University Hospitals, Inc. PA Healthcare Provider 21000 | Monday | 2010 |
Ernest T. Bice, Jr. DDS, P.A. | TX | Healthcare Provider | 21000 | 2010-03-10 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Three unencrypted external back-up drives were stolen from a safe in the covered entity’s locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR’s investigation resulted in the covered entity improving their physical safeguards and in retraining employees. | Ernest T. Bice, Jr. DDS, P.A. TX Healthcare Provider 21000 | Wednesday | 2010 |
Blue Shield of California | CA | Health Plan | 20764 | 2016-01-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 7, 2015, Blue Shield of California, the covered entity (CE), discovered that its servers were breached via social engineering at its call centers in Costa Rica. The breach affected 20,764 patients’ protected health information (PHI). The types of PHI involved included patients’ names, addresses, dates of births, and social security numbers. The CE provided breach notification to HHS, affected individuals, the media. In response to the breach, the CE disabled all existing login credentials and manually distributed new passwords. It trained all call center workforce members about the risks of social engineering and implemented two-factor authentication for external access to its network via its virtual private network (VPN). The CE also provided OCR with additional documentation as relevant to the breach investigation, including its HIPAA Notice of Privacy Practices Policy. OCR obtained assurances that the CE implemented the corrective actions listed above. | Blue Shield of California CA Health Plan 20764 | Thursday | 2016 |
Rape & Brooks Orthodontics, P.C. | AL | Healthcare Provider | 20744 | 2011-03-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | Other | Other Portable Electronic Device | NA | NA | NA | NA | No | On February 4, 2011, covered entity’s (CE) facility was broken into and a computer server, three desktop computers, and an external hard drive were stolen, affecting the demographic, clinical and financial information of approximately 20,744 individuals. The CE, Rape & Brooks Orthodontics, P.C., provided breach notification to HHS, affected individuals, and the media. As a result of this incident, the CE increased physical security by upgrading its alarm system, changing and installing additional locks, and storing its server in a locked data closet. The CE also improved technical safeguards by implementing double-layered password protection on its computers and encrypting data on external hard drives. OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures. | Rape & Brooks Orthodontics, P.C. AL Healthcare Provider 20744 | Monday | 2011 |
Medical Management, LLC (MML) | NC | Business Associate | 20512 | 2015-05-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Medical Management LLC provides billing services as a business associate (BA) for more than 30 medical facilities in various states, with BA agreements in place for each covered entity (CE). On March 16, 2015, the IRS notified the BA that one of its employees was involved in an identity theft ring. The employee confessed to the activity and was terminated. The BA determined that, during her employment, the employee had access to 30,556 patient’s records containing protected health information (PHI), including demographic information (names, dates of birth and social security numbers). The BA notified each CE of the breach, established a call center, sent letters to the potentially affected individuals on behalf of its CEs, offered credit monitoring and ID theft protection, sent media notice to 12 newspapers, and notified HHS. In response to the breach, the BA upgraded to an improved billing system with more security controls, masked social security numbers where appropriate, and retrained its staff. In addition, the BA implemented software for tracking and monitoring access and user activity, which is monitored by IT staff, in order to identify any abnormal access. OCR obtained assurances that the BA implemented the corrective actions listed above. | Medical Management, LLC (MML) NC Business Associate 20512 | Friday | 2015 |
Lifespan Corporation | RI | Healthcare Provider | 20431 | 2017-04-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Lifespan Corporation RI Healthcare Provider 20431 | Friday | 2017 |
Carpenters Benefit Funds of Philadelphia | PA | Health Plan | 20015 | 2018-08-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Carpenters Benefit Funds of Philadelphia PA Health Plan 20015 | Friday | 2018 |
Quraishi, Nisar A | NY | Healthcare Provider | 20000 | 2014-10-22 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Tribeca Medical Center, reported that on October 21, 2014, patients’ medical records stored in the CE’s storage shed were stolen. The breach affected potentially 20,000 patients and the protected health information (PHI) included names, addresses, zip codes, telephone numbers, dates of birth, social security numbers, health plan information, diagnoses, medical and clinical histories. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE has ceased storing PHI in the storage unit. | Quraishi, Nisar A NY Healthcare Provider 20000 | Wednesday | 2014 |
Indiana Internal Medicine Consultants | IN | Healthcare Provider | 20000 | 2012-03-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity’s (CE) laboratory manager’s office. The ePHI involved in the breach included patients’ names, dates of birth, clinic identification numbers, and laboratory results. Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without propriety software and specialized assistance. As a result of OCR’s investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. | Indiana Internal Medicine Consultants IN Healthcare Provider 20000 | Friday | 2012 |
Northstar Healthcare Acquisitions LLC | TX | Healthcare Provider | 19898 | 2016-04-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A laptop computer containing the electronic protected health information (ePHI) of 19,898 individuals was stolen from vehicle of an employee of Equalize Revenue Cycle Management (ERCM). ERCM is a business associate (BA) of Northstar Healthcare Acquisitions, LLC, the covered entity (CE). The ePHI included insurance and treatment information and other demographic information. Upon discovering the breach, the BA informed law enforcement. The BA notified the affected individuals, provided substitute notice via its website, and media notification. The BA offered one year of free credit monitoring services to affected individuals. Following the breach, the BA adopted encryption technologies, revised policies and procedures, and conducted an updated risk analysis. The BA also sanctioned the workforce members involved and retrained employees. OCR obtained assurances that the BA implemented the corrective action listed above. OCR also verified that the CE had a proper BA agreement in place, which restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Northstar Healthcare Acquisitions LLC TX Healthcare Provider 19898 | Thursday | 2016 |
NorthStar Anesthesia | TX | Healthcare Provider | 19807 | 2018-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | NorthStar Anesthesia TX Healthcare Provider 19807 | Friday | 2018 |
Integrated Health Solutions PC | PA | Healthcare Provider | 19776 | 2016-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Integrated Health Solutions (IHS), notified HHS of a potential breach of unsecured electronic protected health information (ePHI) through its business associate (BA), Bizmatics. Specifically, the BA experienced a hacking or information technology incident which may have exposed up to 19,776 of the CE’s patient records. OCR obtained a copy of the signed BA agreement between the CE and BA. OCR obtained assurances from the CE that all Security Rule policies and procedures are in place. This review has been consolidated into another review of this BA. | Integrated Health Solutions PC PA Healthcare Provider 19776 | Wednesday | 2016 |
Ashland Women’s Health | KY | Healthcare Provider | 19727 | 2017-04-04 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Ashland Women’s Health KY Healthcare Provider 19727 | Tuesday | 2017 |
Multi-Speciality Collection Services, LLC | CA | Business Associate | 19651 | 2011-08-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Multi-Speciality Collection Services, LLC CA Business Associate 19651 | Monday | 2011 |
Leo Edwards, Jr., M.D. | TX | Healthcare Provider | 19564 | 2017-02-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user obtained remote access to the computer system of Leo Edwards, Jr. M.D., the covered entity (CE). The protected health information (PHI) potentially affected included the names, addresses, dates of birth, social security numbers, and medical information for approximately 19,564 individuals. As a result of the breach, the CE improved its security posture, updated its policies and procedures, and trained its workforce members on better practices to protect patient information. Further, the CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed. | Leo Edwards, Jr., M.D. TX Healthcare Provider 19564 | Tuesday | 2017 |
Pain Treatment Centers of America | AR | Healthcare Provider | 19397 | 2016-04-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | Yes | PIMS TN: 16-235969 Covered Entity: Pain Treatment Centers of America OCR opened an investigation of the covered entity (CE), Pain Treatment Centers of America, after it reported a hacking attacking on its business associate’s (BA), Bizmatics, data servers. This breach resulted in unauthorized access to the BA’s customer records including those of the CE. The breach encompassed 17,339 individuals’ information, which included individuals’ names, addresses, dates of birth, driver’s license numbers, social security numbers, claims information, diagnoses/conditions, lab results, medications and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media and also provided and identity theft and credit monitoring service to affected individuals. As a result of OCR’s investigation, the CE updated its BA agreement with the BA to reflect all requirements of 45 C.F.R. §§ 164.314 (a) and 164.504(a). | Pain Treatment Centers of America AR Healthcare Provider 19397 | Monday | 2016 |
Pediatric and Adult Allergy, PC | IA | Healthcare Provider | 19222 | 2010-09-11 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Pediatric and Adult Allergy, PC IA Healthcare Provider 19222 | Saturday | 2010 |
Medical Oncology Hematology Consultants,PA | DE | Healthcare Provider | 19203 | 2017-08-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Medical Oncology Hematology Consultants,PA DE Healthcare Provider 19203 | Tuesday | 2017 |
University of Oklahoma - Tulsa, Neurology Clinic | OK | Healthcare Provider | 19200 | 2010-09-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Oklahoma - Tulsa, Neurology Clinic OK Healthcare Provider 19200 | Monday | 2010 |
Lee D. Pollan, DMD, PC | NY | Healthcare Provider | 19178 | 2013-01-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices. | Lee D. Pollan, DMD, PC NY Healthcare Provider 19178 | Friday | 2013 |
Oncology Consultants, P.A. | TX | Healthcare Provider | 19114 | 2017-08-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | NA | Oncology Consultants, P.A. TX Healthcare Provider 19114 | Tuesday | 2017 |
Orlando Orthopaedic Center | FL | Healthcare Provider | 19101 | 2018-07-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Orlando Orthopaedic Center FL Healthcare Provider 19101 | Friday | 2018 |
UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 19100 | 2012-05-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | UnitedHealth Group health plan single affiliated covered entity MN Health Plan 19100 | Friday | 2012 |
South Sunflower County Hospital | MS | Healthcare Provider | 19000 | 2015-02-04 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A local merchant sent a package with shredded documents containing protected health information (PHI) from the covered entity (CE), South Sunflower County Hospital, used as packing material. The PHI included the dates of service, providers’ names, diagnoses, patients’ names, social security numbers, and dates of birth of 19,345 individuals. The CE retrieved the remaining shredded documents and stored them in a locked room with limited access. The CE provided breach notification to HHS, affected individuals, and the media. The CE investigated and modified its policies and procedures. It contracted with a document shredding company to destroy all hospital paper waste containing PHI and initiated a process to convert health records to an electronic format. As a result of the investigation, OCR reviewed the CE’s HIPAA policies and procedures. | South Sunflower County Hospital MS Healthcare Provider 19000 | Wednesday | 2015 |
Advanced Fertility Center of Chicago | IL | Healthcare Provider | 19000 | 2016-12-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | NA | Advanced Fertility Center of Chicago IL Healthcare Provider 19000 | Thursday | 2016 |
Integranetics | KY | Business Associate | 18871 | 2011-02-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Integranetics KY Business Associate 18871 | Monday | 2011 |
Aetna Inc. | CT | Business Associate | 18854 | 2016-11-28 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Aetna Inc. CT Business Associate 18854 | Monday | 2016 |
Durango Family Medicine, P.C. | CO | Healthcare Provider | 18790 | 2017-06-06 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | During the course of its review of the subject breach report, OCR decided to consolidate the matter into its review of a separate breach report, filed by Mercy Family Medicine, and arising from the same incident. | Durango Family Medicine, P.C. CO Healthcare Provider 18790 | Tuesday | 2017 |
Pacific Ocean Pediatrics | CA | Healthcare Provider | 18637 | 2017-05-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Pacific Ocean Pediatrics, reported a breach when three computers and two external hard drives were stolen from the CE’s office after a cleaning crew member left an exterior door unlocked. The breach affected approximately 18,637 individuals, who were the CE’s patients and parents of patients. The protected health information (PHI) included names, addresses, dates of birth, phone numbers, sex, insurance information, and entire charted medical history of patients including symptoms, tests, diagnosis, and prescriptions. The CE immediately reported the theft to law enforcement. The CE provided timely breach notification to HHS, affected individuals, and the media. Substitute notice was also provided. The CE consulted with an IT professional to implement additional protective measures to prevent a similar breach occurring in the future. Following the incident, the CE improved physical security at its facility, installed a firewall, encrypted electronic devices that store PHI, and adopted new and revised policies and procedures to safeguard PHI. The CE has trained workforce members on the new and revised policies. OCR obtained assurances that the CE implemented the corrective actions noted above. OCR also provided the CE technical assistance regarding the risk analysis and risk management provisions of the Security Rule. | Pacific Ocean Pediatrics CA Healthcare Provider 18637 | Monday | 2017 |
Anthem, Inc. | IN | Health Plan | 18580 | 2017-07-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Anthem, Inc. IN Health Plan 18580 | Monday | 2017 |
University Medical Center Physicians | TX | Healthcare Provider | 18500 | 2018-08-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | University Medical Center Physicians TX Healthcare Provider 18500 | Thursday | 2018 |
Barnes-Jewish Hospital | MO | Healthcare Provider | 18436 | 2018-03-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Barnes-Jewish Hospital MO Healthcare Provider 18436 | Monday | 2018 |
Franciscan Health, Highline Medical Center | WA | Healthcare Provider | 18399 | 2016-09-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA) inadvertently left files containing the covered entity’s (CE) patient information accessible via the internet from mid-April 2016 to June 13, 2016. The BA assured the CE, CHI Franciscan Health, Highline Medical Center, that it secured the files on June 13, 2016. The types of ePHI involved included patients names, dates of service, health insurance information, and social security numbers and affected approximately 18,399 individuals. OCR reviewed the applicable BA agreement that was in place at the time of the breach. Following the breach, the CE discontinued its BA relationship with the BA. In addition, the BA provided validation that it deleted all of the files in its computer systems that contained information about the CE’s patients. OCR obtained assurances that the CE notified all affected individuals, submitted notification to the media offered free credit monitoring services to all living affected individuals, and created a 24/7 call center for patients and other concerned individuals, so that such individuals could get up-to-date information on the breach and receive assistance as needed. | Franciscan Health, Highline Medical Center WA Healthcare Provider 18399 | Thursday | 2016 |
Global Care Delivery, Inc. | TX | Business Associate | 18213 | 2015-06-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | Five password-protected, but unencrypted laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System in September 2014. The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained social security numbers), and diagnoses and/or treatment codes related to claims. The BA notified police at the time of the incident, but did not notify the CE until May 11, 2015. The BA retained Knoll, Inc. to assist with individual notification and provide call center services to answer questions from individuals impacted by the breach. Breach notification was provided to HHS and affected individuals, and the BA offered complimentary one-year identity theft protection services. The business relationship between the CE and BA ended effective May 11, 2015. The BA has closed its business. | Global Care Delivery, Inc. TX Business Associate 18213 | Friday | 2015 |
North Los Angeles County Regional Center | CA | Business Associate | 18162 | 2013-03-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | North Los Angeles County Regional Center CA Business Associate 18162 | Monday | 2013 |
Children’s National Medical Center | DC | Healthcare Provider | 18000 | 2015-02-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | Employees of the covered entity (CE), Children’s National Medical Center (CNMS), responded to phishing emails they believed were legitimate emails. Over 20,000 individuals were affected by the breach which involved demographic, clinical and health insurance information, including a limited number of social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and offered 12 months of free identity monitoring for those whose social security number was compromised. Following the breach, the CE identified source attacks, remediated accounts, removed exfiltration software, and implemented safeguards to increase firewall protections and inspection of e-mails (monitoring, scanning, and rewriting of embedded Internet addresses). In addition, the CE updated its security policy and retrained employees. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Children’s National Medical Center DC Healthcare Provider 18000 | Tuesday | 2015 |
Terrell County Health Department | GA | Healthcare Provider | 18000 | 2013-02-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 6, 2012, the Dawson Police Department notified the covered entity (CE), Terrell County Health Department, that an employee was suspected of the identity theft of at least two of the CE’s patients. All patients that the employee had access to records for during her employment were potentially affected, totaling 18,000 individuals. The protected health information (PHI) involved in the breach included demographic, clinical, financial, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media. The CE terminated the offending employee and re-educated the workforce on its HIPAA policies. The CE also improved its HIPAA training materials, risk analysis procedure, operation software, and auditing methods. OCR obtained assurances that the corrective actions were taken. | Terrell County Health Department GA Healthcare Provider 18000 | Monday | 2013 |
L.A. Care Health Plan | CA | Health Plan | 18000 | 2012-11-17 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | L.A. Care Health Plan CA Health Plan 18000 | Saturday | 2012 |
Central City Concern | OR | Healthcare Provider | 17914 | 2014-05-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Law enforcement investigated a former employee of the covered entity (CE), Central City Concern, for identity theft and notified the CE that the former employee admitted to misusing approximately 15 Employment Access Center (EAC) clients’ information. The personal information involved in the breach included names, social security numbers, addresses, dates of birth and other identifiers, but no data from the CE’s health care component. The CE provided breach notification to HHS, the media, and all 17,914 clients whose information was accessible by the former employee, as well as posting substitute notice on its website. It also provided a year of free credit monitoring for affected individuals. As a result of the incident, the CE improved safeguards for the EAC database. The CE also contracted with a third party to complete a security risk assessment of all its locations and updated its privacy and security policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. | Central City Concern OR Healthcare Provider 17914 | Monday | 2014 |
American Health Inc. | PR | Health Plan | 17776 | 2014-04-03 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” | American Health Inc. PR Health Plan 17776 | Thursday | 2014 |
Capital Digestive Care, Inc. | MD | Healthcare Provider | 17639 | 2018-04-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Capital Digestive Care, Inc. MD Healthcare Provider 17639 | Monday | 2018 |
Metropolitan Urology Group | WI | Business Associate | 17634 | 2017-03-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Metropolitan Urology Group WI Business Associate 17634 | Friday | 2017 |
Walgreen Co. | IL | Healthcare Provider | 17350 | 2013-12-06 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Walgreen Co. IL Healthcare Provider 17350 | Friday | 2013 |
TRUEbenefits LLC | WA | Business Associate | 17309 | 2017-08-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | TRUEbenefits LLC WA Business Associate 17309 | Monday | 2017 |
Raleigh Orthopaedic Clinic | NC | Healthcare Provider | 17300 | 2013-04-30 | Improper Disposal | Theft | Unauthorized Access/Disclosure | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure. Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI). “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired. | Raleigh Orthopaedic Clinic NC Healthcare Provider 17300 | Tuesday | 2013 |
Dr. Q Pain and Spine d/b/a Arkansas Spine and Pain | AR | Healthcare Provider | 17100 | 2016-07-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A virus or malware was potentially installed on the information systems of Bizmatics, Inc., a business associate (BA) of the covered entity, Arkansas Spine and Pain (CE). Approximately 17,100 individuals’ electronic medical records were compromised, but the BA and CE were unable to determine whose records or what information, if any, was accessed. OCR obtained a copy of the BA agreement in place between the CE and this BA. This review has been addressed by a separate review of the BA. | Dr. Q Pain and Spine d/b/a Arkansas Spine and Pain AR Healthcare Provider 17100 | Monday | 2016 |
Neeley-Nemeth, LLP d/b/a Barton Oaks Dental Group | TX | Healthcare Provider | 17090 | 2017-05-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Neeley-Nemeth, LLP d/b/a Barton Oaks Dental Group TX Healthcare Provider 17090 | Thursday | 2017 |
Family Service Rochester | MN | Healthcare Provider | 17037 | 2017-02-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On January 26, 2017, the covered entity (CE), Family Service Rochester, discovered that an unauthorized user had accessed its computer server, which contained the names, addresses, dates of birth, and social security numbers of approximately 17,037 patients. On the day the CE discovered the breach, it terminated all access to both its remote desktop and the compromised “programs” account. The CE also reviewed all accounts with access to the computer drive to ensure compliance with its password policy. The CE ensured that all accounts that had not been used in the past 90 days were disabled. The CE provided breach notification to HHS, affected individuals, and the media. As part of its risk analysis and risk management process, the CE also reviewed and revised its HIPAA policies and procedures. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Family Service Rochester MN Healthcare Provider 17037 | Friday | 2017 |
Our Lady of the Lake Regional Medical Center | LA | Healthcare Provider | 17000 | 2012-05-18 | Loss | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A physician’s personally owned laptop computer, which was used to conduct business on behalf of the covered entity (CE), Our Lady of the Lake Regional Medical Center, was either misplaced or stolen. The laptop contained the electronic protected health information (ePHI) of 17,339 individuals and included patients’ names, ages, dates and times of admission/discharge, race, health coverage, medical history, and results of ICU treatments. The CE provided breach notification to HHS, affected individuals, established a call center, and employed a service to provide identity protection services. As a result of OCR’s investigation, the CE established and finalized controls and policies on personally owned devices used on behalf of the CE. | Our Lady of the Lake Regional Medical Center LA Healthcare Provider 17000 | Friday | 2012 |
Roberts S. Smith M.D. Inc. | GA | Healthcare Provider | 17000 | 2011-12-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Roberts S. Smith M.D. Inc. GA Healthcare Provider 17000 | Tuesday | 2011 |
Lower Umpqua Hospital | OR | Business Associate | 17000 | 2011-06-08 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | NA | Lower Umpqua Hospital OR Business Associate 17000 | Wednesday | 2011 |
Kmart Pharmacy #7623 | LA | Business Associate | 16988 | 2013-01-31 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Kmart Pharmacy #7623 LA Business Associate 16988 | Thursday | 2013 |
Montefiore Medical Center | NY | Healthcare Provider | 16820 | 2010-07-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). The ePHI included medical record numbers, dates of birth, admission/discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provided substitute notification by posting on its website. As a result of OCR’s investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy. | Montefiore Medical Center NY Healthcare Provider 16820 | Friday | 2010 |
Independence Blue Cross, LLC | PA | Business Associate | 16762 | 2018-09-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Independence Blue Cross, LLC PA Business Associate 16762 | Monday | 2018 |
Chase Brexton Health Care | MD | Healthcare Provider | 16562 | 2017-10-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user gained access to four employees’ email accounts after a phishing attack. The breach included the protected health information of 16,562 individuals and included names, addresses, dates of birth, financial information, and diagnostic information. Following the breach, the covered entity implemented two-factor authentication for its email system and trained employees on cybersecurity. OCR reviewed the covered entity’s risk analysis to ensure compliance with the Security Rule. | Chase Brexton Health Care MD Healthcare Provider 16562 | Tuesday | 2017 |
Hackensack Sleep and Pulmonary Center | NJ | Healthcare Provider | 16474 | 2017-11-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Hackensack Sleep and Pulmonary Center NJ Healthcare Provider 16474 | Tuesday | 2017 |
Kmart Corporation | IL | Healthcare Provider | 16446 | 2014-02-10 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | NA | Kmart Corporation IL Healthcare Provider 16446 | Monday | 2014 |
Iowa Health System d/b/a UnityPoint Health | IA | Business Associate | 16429 | 2018-04-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Iowa Health System d/b/a UnityPoint Health IA Business Associate 16429 | Monday | 2018 |
UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 16291 | 2010-06-04 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Paper correspondence to certain members in UnitedHealth’s prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. The information involved included the UnitedHealth member’s name, plan number and, in some instances, date of birth and/or limited medical information. UnitedHealth reported that it stopped using PDI’s proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. UnitedHealth reported that it revised its address update process. | UnitedHealth Group health plan single affiliated covered entity MN Health Plan 16291 | Friday | 2010 |
Longs Peak Family Practice, P.C. | CO | Healthcare Provider | 16238 | 2017-12-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Longs Peak Family Practice, P.C. CO Healthcare Provider 16238 | Wednesday | 2017 |
King of Prussia Dental Associates | PA | Healthcare Provider | 16228 | 2016-09-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | King of Prussia Dental Associates’ network server was hacked. The breach affected the electronic protected health information (ePHI) of 16,768 individuals and included names, dates of birth, social security numbers, and addresses, as well as clinical information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE strengthened its technical safeguards, including its firewalls and anti-virus protection. OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. The CE provided OCR with assurances it would continue to strengthen its technical safeguards. | King of Prussia Dental Associates PA Healthcare Provider 16228 | Tuesday | 2016 |
ENT and Allergy Center | AR | Healthcare Provider | 16200 | 2016-05-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | One or more hackers attacked the data servers of Bizmatics, a business associate (BA) for the covered entity (CE), ENT & Allergy Center, which resulted in unauthorized access to Bizmatics’ customer records including those of the CE. Approximately 16,200 patients’ electronic medical records were compromised. The types of protected health information involved in the breach included demographic and clinical information. OCR opened an investigation of the CE to determine if the CE complied with the HIPAA Privacy and Security Rules with respect to business associate contracts. OCR reviewed the business associate agreement between the CE and BA and determined that it appears to be consistent with the requirements of the Privacy and Security Rules. OCR initiated a separate investigation of Bizmatics. | ENT and Allergy Center AR Healthcare Provider 16200 | Tuesday | 2016 |
Travis Software Corp. | TX | Business Associate | 16200 | 2011-01-18 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | NA | Travis Software Corp. TX Business Associate 16200 | Tuesday | 2011 |
New England Dermatology, P.C. | MA | Healthcare Provider | 16154 | 2018-07-13 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | New England Dermatology, P.C. MA Healthcare Provider 16154 | Friday | 2018 |
Oakland Family Services | MI | Healthcare Provider | 16107 | 2015-09-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Oakland Family Services MI Healthcare Provider 16107 | Wednesday | 2015 |
USC Keck and Norris Hospitals | CA | Healthcare Provider | 16000 | 2016-09-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On August 1, 2016, after being notified that certain files were inaccessible, the covered entity (CE) detected ransomware which had encrypted files on two of its computer servers. The servers stored hospital operational manuals as well as records containing the electronic protected health information (ePHI) of potentially 16,000 individuals. The types of ePHI involved in the breach included names, demographic information, dates of birth, treatment information, diagnoses, and in some cases social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. The CE quickly identified the malware and shut down the impacted servers. The CE fully restored the data on the encrypted files from backup data without paying ransom. The CE implemented additional technical measures to improve malware prevention and detection. OCR’s investigation resulted in the CE improving its safeguards. OCR obtained assurances that the CE implemented the corrective actions noted above. | USC Keck and Norris Hospitals CA Healthcare Provider 16000 | Wednesday | 2016 |
Children’s Medical Clinics of East Texas | TX | Healthcare Provider | 16000 | 2015-10-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of Children’s Medical Clinics of East Texas, the covered entity (CE), took pictures of protected health information (PHI) displayed on a workstation computer and disclosed the pictures to a former workforce member. The PHI potentially included names, dates of birth, and the diagnoses and treatment information of 15,916 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE also improved physical security, administrative and technical safeguards and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Children’s Medical Clinics of East Texas TX Healthcare Provider 16000 | Wednesday | 2015 |
HealthEquity, Inc. | UT | Business Associate | 16000 | 2018-06-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | HealthEquity, Inc. UT Business Associate 16000 | Tuesday | 2018 |
Singh and Arora Oncology Hematology, P.C. | MI | Healthcare Provider | 16000 | 2016-10-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Singh and Arora Oncology Hematology, P.C. MI Healthcare Provider 16000 | Friday | 2016 |
HeartCare Consultants | FL | Healthcare Provider | 16000 | 2016-05-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | HeartCare Consultants FL Healthcare Provider 16000 | Wednesday | 2016 |
Knoxville Heart Group, Inc. | TN | Healthcare Provider | 15995 | 2018-04-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Knoxville Heart Group, Inc. TN Healthcare Provider 15995 | Friday | 2018 |
Institute for Women’s Health | TX | Healthcare Provider | 15761 | 2017-08-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Institute for Women’s Health, the covered entity (CE), reported that a keylogger virus on its computer network captured information keyed into the CE’s system for more than a month. The protected health information (PHI) of 15,761 individuals was involved in the breach. The types of PHI included demographic, financial, and clinical information. The CE notified the affected individuals and the media. During the investigation, OCR provided technical assistance concerning a risk analysis which the CE subsequently provided. Based on further technical assistance from OCR, the CE updated and implemented technical and procedural changes to prevent a similar event from occurring in the future and retrained its staff. | Institute for Women’s Health TX Healthcare Provider 15761 | Friday | 2017 |
HealthCare Partners | CA | Healthcare Provider | 15677 | 2011-06-16 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | HealthCare Partners CA Healthcare Provider 15677 | Thursday | 2011 |
Mercy Iowa City | IA | Healthcare Provider | 15625 | 2016-03-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Mercy Iowa City IA Healthcare Provider 15625 | Friday | 2016 |
USACS Management Group, Ltd. | OH | Business Associate | 15552 | 2018-05-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | USACS Management Group, Ltd. OH Business Associate 15552 | Tuesday | 2018 |
Kaiser Permanente Medical Care Program | CA | Healthcare Provider | 15500 | 2010-01-12 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entity’s (CE) employee. The ePHI involved in the breach included names, medical record numbers, and treatment information. A subset of records may also have included dates of birth, age, gender, and phone numbers. Following the breach, the responsible employee was terminated for violating the CE’s policies. OCR obtained assurances of the CE’s policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS. In addition, the CE deployed encryption software for removable media. | Kaiser Permanente Medical Care Program CA Healthcare Provider 15500 | Tuesday | 2010 |
University Gastroenterology, Inc. | RI | Healthcare Provider | 15478 | 2016-09-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | University Gastroenterology, Inc. RI Healthcare Provider 15478 | Thursday | 2016 |
2020 On-Site Optometry | MA | Business Associate | 15400 | 2017-02-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | 2020 On-Site Optometry MA Business Associate 15400 | Monday | 2017 |
Colorado Department of Health Care Policy & Financing | CO | Health Plan | 15380 | 2014-10-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | On July 30 and September 3, 2014, a business associate (BA) mistakenly sent postcards to the covered entity’s (CE) clients that contained viewable protected health information (PHI). The breached PHI included names, addresses, and referred to each client’s status as a public assistance client receiving behavioral health care services. The resulting breach affected approximately 15,380 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE and its BA ceased using postcards to conduct client satisfaction operations and implemented new policies and procedures to address the circumstances that led to the breach. The CE and BA also counseled and trained the employee responsible for approving the postcard and provided additional privacy training to all workforce members of the departments responsible for approving such mailings. OCR obtained assurances that the CE and BA implemented the corrective actions noted above. | Colorado Department of Health Care Policy & Financing CO Health Plan 15380 | Friday | 2014 |
Western Health Screening | MT | Business Associate | 15326 | 2017-04-14 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | Western Health Screening contracts with hospitals to provide onsite blood screenings at hospital-sponsored health fairs. On February 7, 2017, while one of its employees was en route to a health fair, a portable electronic storage device (a “jump drive”) containing unsecured electronic protected health information (ePHI) and five laptop computers were stolen from the employee’s car. The laptops were encrypted, but the jump drive was not. The types of ePHI involved in the breach included the names, addresses, zip codes and social security numbers of 15,326 patients. Western Health provided breach notification to HHS, affected individuals and the media. Following the breach, Western Health sanctioned the employee who was involved, retrained employees, and encrypted all of its jump drives. OCR obtained assurances that Western Health implemented the corrective actions noted above. | Western Health Screening MT Business Associate 15326 | Friday | 2017 |
Boston Medical Center | MA | NA | 15265 | 2014-04-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Boston Medical Center MA NA 15265 | Tuesday | 2014 |
MetroPlus Health Plan, Inc. | NY | Health Plan | 15212 | 2017-09-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | MetroPlus Health Plan, Inc., the covered entity (CE), reported a breach of PHI when an employee emailed Excel spreadsheets to her own and a family member’s personal email addresses. The PHI contained the electronic protected health information (ePHI) of 15,212 members which included demographic information, limited medical information, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the employee, ensured that the ePHI was deleted from the personal email addresses and the device used by the employee’s family member, and reminded all workforce members not to use personal email accounts to conduct the CE’s business. The CE also documented the impermissible disclosure of its members’ ePHI for accounting of disclosure purposes. As a result of OCR’s investigation, extensive technical assistance was provided, and the CE is expected to perform a thorough and accurate enterprise-wide risk analysis and establish a risk management plan, to regularly review records of information system activity and implement security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network. OCR stated the expectation that the CE will provide periodic security training to workforce members on safeguarding ePHI in transmission, and on its policies and procedures regarding breach notification. | MetroPlus Health Plan, Inc. NY Health Plan 15212 | Friday | 2017 |
David G. Simon, DMD, PA, d/b/a Simon Orthodontics | FL | Healthcare Provider | 15129 | 2018-08-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | David G. Simon, DMD, PA, d/b/a Simon Orthodontics FL Healthcare Provider 15129 | Friday | 2018 |
Barnes-Jewish St. Peters Hospital | MO | Healthcare Provider | 15046 | 2018-03-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Barnes-Jewish St. Peters Hospital MO Healthcare Provider 15046 | Monday | 2018 |
Advanced ENT Head & Neck Surgery | CA | Healthcare Provider | 15000 | 2017-05-31 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Other | Other Portable Electronic Device | Paper/Films | NA | No | A workforce member of the covered entity (CE), Advanced ENT Head and Neck Surgery, surreptitiously took pictures of patients, recorded conversations with patients, and made paper copies of patients’ legal identification, payment information, and paper medical records. The workforce member also stole several mobile devices containing electronic protected health information (ePHI) and in some cases, posted the breached information to a social media account. The breach affected approximately 15,000 individuals, and the types of PHI and ePHI involved included clinical, demographic and financial information. The CE provided breach notification to HHS and also notified other enforcement agencies with jurisdiction over the breach incident. In response to the breach, which the CE discovered around May 1, 2017, the CE adopted encryption technologies, improved password requirements, updated its Security Rule Risk Management Plan, implemented new technical safeguards, improved physical security, and revised its HIPAA policies and procedures. The CE also sanctioned the involved workforce member, which in this case included terminated of employment. OCR has closed its investigation because this case has been accepted for investigation by the Department of Justice. | Advanced ENT Head & Neck Surgery CA Healthcare Provider 15000 | Wednesday | 2017 | |
Data Image, Inc. | OH | Business Associate | 15000 | 2012-05-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Data Image, Inc. OH Business Associate 15000 | Tuesday | 2012 | |
Community Action partnership of Natrona County | WY | Healthcare Provider | 15000 | 2011-04-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR’s compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures. | Community Action partnership of Natrona County WY Healthcare Provider 15000 | Wednesday | 2011 |
Merkle Direct Marketing | MD | Business Associate | 15000 | 2010-01-11 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR’s investigation, the CE was able to recover all or nearly all of the misdirected envelopes. | Merkle Direct Marketing MD Business Associate 15000 | Monday | 2010 |
State of New Hampshire, Department of Health and Human Services | NH | Healthcare Provider | 15000 | 2016-12-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | State of New Hampshire, Department of Health and Human Services NH Healthcare Provider 15000 | Friday | 2016 |
Mary Ruth Buchness, MD, Dermatologist, P.C. | NY | Healthcare Provider | 14910 | 2015-12-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Mary Ruth Buchness, MD, Dermatologist, P.C. NY Healthcare Provider 14910 | Friday | 2015 | |
University of California Davis Health | CA | Healthcare Provider | 14900 | 2017-07-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | University of California Davis Health CA Healthcare Provider 14900 | Thursday | 2017 | |
ZDI | CA | Business Associate | 14829 | 2013-04-29 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | This case, along with two companion cases, involved data lost due to damage and/or opening of priority mail during processing and transit through the United States Post Office. In this case, potentially 15,000 individuals may have been affected. The types of protected health information (PHI) involved in the breach included names, social security numbers, group names, and group numbers. The data was not recovered. The covered entity (CE), Delta Dental, provided breach notification to HHS, affected individuals, and the media. It also took immediate and appropriate steps to mitigate potential damages to individuals and to reduce the likelihood of recurrence. From December 2013 to case closure in September 2015, no further incidents occurred, and OCR determined that the CE’s corrective actions were effective. | ZDI CA Business Associate 14829 | Monday | 2013 |
Spectrum Health Ssytems, Inc. | MA | Healthcare Provider | 14750 | 2011-10-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Spectrum Health Ssytems, Inc. MA Healthcare Provider 14750 | Thursday | 2011 | |
Southcentral Foundation | AK | Healthcare Provider | 14719 | 2016-12-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Southcentral Foundation AK Healthcare Provider 14719 | Friday | 2016 | |
Diamond Institute for Fertility and Menopause, LLC | NJ | Healthcare Provider | 14633 | 2017-04-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Diamond Institute for Fertility and Menopause, LLC NJ Healthcare Provider 14633 | Friday | 2017 |
Fairview Health Services | MN | Healthcare Provider | 14623 | 2011-09-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer storing the electronic protected health information (ePHI) of approximately 14,623 individuals was stolen from the locked vehicle of a workforce member of Accretive Health, a business associate (BA) of the covered entity (CE), Fairview Health Services. The ePHI included individuals’ names, addresses, dates of birth, social security numbers, financial information, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also provided complimentary credit monitoring services to affected individuals. Following the breach, the CE investigated the root cause of the breach, developed a new policy which addresses the risks associated with sharing sensitive data with third parties, and obtained assurances from the BA that it would undertake appropriate corrective actions. OCR obtained a copy of the BA agreement between the CE and the BA at the time of the breach. OCR also obtained evidence and assurances that the CE implemented the corrective actions listed. | Fairview Health Services MN Healthcare Provider 14623 | Tuesday | 2011 |
University of Florida | FL | Healthcare Provider | 14519 | 2013-04-03 | Other | Theft | Unauthorized Access/Disclosure | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | University of Florida FL Healthcare Provider 14519 | Wednesday | 2013 | |
Soundental Associates, PC | CT | Healthcare Provider | 14511 | 2012-11-21 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Soundental Associates, PC CT Healthcare Provider 14511 | Wednesday | 2012 | |
Louisiana State University Health Sciences Center-New Orleans | LA | Healthcare Provider | 14500 | 2015-09-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Louisiana State University Health Sciences Center - New Orleans, the covered entity (CE), reported that an unencrypted laptop was stolen from a physician’s personal vehicle resulting in the theft of protected health information (PHI) of approximately 14,500 individuals. The types of PHI involved in the breach included clinical and demographic information. Following the breach, the CE notified HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE began to identify all unencrypted electronic devices and encrypt them, and implemented a method to address data backup. OCR obtained assurances that the CE implemented the corrective actions listed above. | Louisiana State University Health Sciences Center-New Orleans LA Healthcare Provider 14500 | Tuesday | 2015 |
Ransom Memorial Hospital | KS | Healthcare Provider | 14329 | 2018-09-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Ransom Memorial Hospital KS Healthcare Provider 14329 | Tuesday | 2018 | |
Francisco Jaume, D.O. | AZ | Healthcare Provider | 14236 | 2016-10-04 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Francisco Jaume, D.O. the covered entity (CE), reported a breach of 14,246 patients’ protected health information (PHI) when it suffered a ransomware (malware) attack starting on August 22, 2016. The types of PHI involved included patients’ names, addresses, medical information, and social security numbers. The CE provided breach notification to affected individuals, the media, and HHS. Immediately after discovering the breach, the CE worked to regain control of its data and investigated the incident using forensic analysis. As a result of the incident and OCR’s investigation, the CE implemented additional safeguards, such as regular remote monitoring and monthly reporting of intrusion activity, anti-virus management, changed/strengthened system passwords, and revised backup processes. In addition, the CE trained staff and revised its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions above. | Francisco Jaume, D.O. AZ Healthcare Provider 14236 | Tuesday | 2016 |
Sacred Heart Health System, Inc. | FL | Healthcare Provider | 14177 | 2015-03-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | Sacred Heart Health System, Inc.’s business associate (BA), St. Vincent Health, Inc., a third party billing vendor, was subject to an email phishing attack resulting in the exposure of protected health information for 14,177 individuals. This case has been consolidated with an investigation of the BA. | Sacred Heart Health System, Inc. FL Healthcare Provider 14177 | Monday | 2015 | |
Rady Children’s Hospital - San Diego | CA | Healthcare Provider | 14121 | 2014-06-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | Rady Children’s Hospital - San Diego CA Healthcare Provider 14121 | Tuesday | 2014 | ||
UMass Memorial Medical Group, Inc. | MA | Healthcare Provider | 14100 | 2015-01-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | UMass Memorial Medical Group, Inc. MA Healthcare Provider 14100 | Friday | 2015 |
Universal Care, Inc. DBA Brand New Day | CA | Health Plan | 14005 | 2017-02-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On February 10, 2017, Universal Care, Inc., DBA Brand New Day, the covered entity, reported to OCR that an unauthorized individual had downloaded electronic protected health information (ePHI) related to the CE’s members. The ePHI was on a computer system maintained by a third-party vendor, a business associate (BA). The breach affected the clinical and demographic information of approximately 14,005 individuals. Following the breach incident, the CE obtained assurances from the BA that it had implemented additional administrative and technical safeguards to prevent unauthorized access to ePHI in the future. The CE provided breach notification to HHS, affected individuals, and the media. It also offered 12 months of free credit monitoring services to the affected individuals. OCR obtained assurances that the CE implemented the corrective action measures described. | Universal Care, Inc. DBA Brand New Day CA Health Plan 14005 | Friday | 2017 |
Women and Infant’s Hospital | RI | Healthcare Provider | 14004 | 2012-11-05 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a monetary payment of $400,000 and a comprehensive corrective action plan. CNE provides centralized corporate support for its subsidiary affiliated covered entities, which include a number of hospitals and health care providers in Massachusetts and Rhode Island. These functions include, but are not limited to, finance, human resources, information services and technical support, insurance, compliance and administrative functions. On November 5, 2012, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) received notification from Woman & Infants Hospital of Rhode Island (WIH), a covered entity member of CNE, of the loss of unencrypted backup tapes containing the ultrasound studies of approximately 14,000 individuals, including patient name, data of birth, date of exam, physician names, and, in some instances Social Security Numbers. As WIH’s business associate, CNE provides centralized corporate support including technical support and information security for WIH’s information systems. WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until August 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule. OCR’s investigation found the following: • From September 23, 2014 until August 28, 2015, WIH disclosed protected health information (PHI) and allowed its business associate, CNE, to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA. WIH failed to renew or modify its existing written business associate agreement with CNE to include the applicable implementation specifications required by the HIPAA Privacy and Security Rules. • From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. “This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.” With respect to the underlying breach, on July 17, 2014, WIH entered into a consent judgment with the Massachusetts Attorney General’s Office (AGO), and reached a settlement of $150,000. OCR found the consent judgment to sufficiently cover most of the conduct in this breach, including the failure to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and the failure to provide timely notification to the affected individuals. While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih | Women and Infant’s Hospital RI Healthcare Provider 14004 | Monday | 2012 |
Oregon’s Health CO-OP | OR | Health Plan | 14000 | 2015-06-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A personal laptop belonging to an Oregon Health CO-OP’s employee was stolen from his unattended, locked car. The laptop was unencrypted and contained the electronic protected health information (ePHI) of approximately 14,000 individuals. The e-PHI involved in the breach was demographic information and included names, addresses, social security numbers, dates of birth, health plan identification numbers, and health plan numbers. Following the breach, the covered entity (CE) sanctioned the employee, implemented additional technical safeguards to prevent the downloading of e-PHI onto a personal electronic device, and trained its employees on these technical safeguards. OCR provided the CE with technical assistance regarding risk analysis and risk management implementation. | Oregon’s Health CO-OP OR Health Plan 14000 | Monday | 2015 |
Accretive Health | IL | Business Associate | 14000 | 2012-02-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | Accretive Health IL Business Associate 14000 | Monday | 2012 | |
Augusta Data Storage, Inc | GA | Business Associate | 14000 | 2010-06-21 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Augusta Data Storage, Inc GA Business Associate 14000 | Monday | 2010 | |
Surgical Dermatology Group | AL | Healthcare Provider | 14000 | 2017-08-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Surgical Dermatology Group AL Healthcare Provider 14000 | Saturday | 2017 |
Special Agents Mutual Benefit Association | MD | Health Plan | 13942 | 2018-03-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Special Agents Mutual Benefit Association MD Health Plan 13942 | Tuesday | 2018 |
Coordinated Health | PA | Healthcare Provider | 13907 | 2014-10-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Coordinated Health PA Healthcare Provider 13907 | Friday | 2014 | |
PRN Medical Services, LLC dba Symbius Medical, LLC | AZ | Healthcare Provider | 13877 | 2014-07-29 | Other | Theft | Unauthorized Access/Disclosure | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | No | PRN Medical Services, LLC dba Symbius Medical, LLC AZ Healthcare Provider 13877 | Tuesday | 2014 | ||
Aultman Hospital | OH | Healthcare Provider | 13867 | 2010-08-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A password-protected laptop, which was maintained by the covered entity (CE), Aultman Hospital, was stolen from an employee’s car, which contained the electronic protected health information (ePHI) of approximately 13,867 individuals, including patients’ names, dates of birth, telephone numbers, social security numbers, insurance identification, and health information related to home health services. The CE provided breach notification to HHS, affected individuals, and the media, posted notification of the breach on its website, and reported the theft to the local police department. The CE also offered one year of free credit monitoring services to affected individuals. Following the breach, the CE revised its HIPAA policies and procedures, enhanced encryption and updated software on its laptops, sanctioned employee(s) involved in the breach incident, and retrained its workforce on the revised policies and procedures. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Aultman Hospital OH Healthcare Provider 13867 | Thursday | 2010 |
American Home Patient | TN | Healthcare Provider | 13861 | 2017-03-06 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | American Home Patient TN Healthcare Provider 13861 | Monday | 2017 |
Uncommon Care, P.A. | NC | Healthcare Provider | 13674 | 2016-06-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Uncommon Care, P.A., the covered entity (CE), discovered that its business associate (BA), Bizmatics, Inc., was the victim of a computer hacking incident. The incident resulted in potential unauthorized access to the CE’s electronic medical records stored on Bizmatics’ servers. The breach affected 13,674 individuals and included patients’ addresses, dates of birth, names, social security numbers, diagnoses, test results, medications, and other treatment information. The CE sent timely breach notification to HHS, to affected individuals, and to the media. The CE also posted notification about the breach on its website. In response to the breach, the CE offered one year of free credit monitoring to the affected individuals. Prior to OCR’s investigation, the CE determined that its BA agreement with the BA was not fully executed and entered into an effective BA agreement on June 7, 2016. The CE decided to continue its services contract with the BA and obtained assurances from the BA that improvements have been and will be made to its computer network, servers, and network monitoring activities. OCR obtained assurances that the CE implemented the corrective actions listed above. | Uncommon Care, P.A. NC Healthcare Provider 13674 | Tuesday | 2016 |
Dennis Flynn MD | IL | Healthcare Provider | 13646 | 2014-08-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Dennis Flynn MD IL Healthcare Provider 13646 | Tuesday | 2014 | |
Esther V. Rettig, M.D., P.A. | KS | Healthcare Provider | 13500 | 2018-03-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | NA | Esther V. Rettig, M.D., P.A. KS Healthcare Provider 13500 | Thursday | 2018 |
Black River Medical Center | MO | Healthcare Provider | 13443 | 2018-06-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Black River Medical Center MO Healthcare Provider 13443 | Wednesday | 2018 | |
Cahaba Government Benefit Administrators, LLC | AL | Business Associate | 13412 | 2011-05-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Cahaba Government Benefit Administrators, LLC AL Business Associate 13412 | Wednesday | 2011 | |
Family Tree Health Clinic | TX | Healthcare Provider | 13402 | 2017-06-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Family Tree Health Clinic, the covered entity (CE), reported that a ransomware attack on its computer system resulted in the system being encrypted and data held for ransom. The CE determined that the demographic, financial, and clinical information of 13,402 individuals was involved in the breach. The CE provided breach notification to HHS, affected individuals and the media. The CE also implemented technical safeguards, updated procedures, and retrained its staff. OCR obtained assurances that the CE implemented the corrective actions noted above. | Family Tree Health Clinic TX Healthcare Provider 13402 | Monday | 2017 |
Triple S Salud Inc. | PR | Business Associate | 13336 | 2013-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On November 8, 2013, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico reported to HHS that on September 23, 2013, they became aware that a vendor doing business with its business associate (BA), Triple-S Salud, disclosed protected health information (PHI) on the outside of a pamphlet mailed to beneficiaries on September 20, 2013. The PHI disclosed in the breach included the names, mailing addresses, and the health insurance claim numbers of 13,336 of the CE’s members. The CE and BA each provided breach notification to affected individuals and the CE provided breach notification to the media. As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified time. | Triple S Salud Inc. PR Business Associate 13336 | Friday | 2013 |
Professional Dermatology Care, P.C. | VA | Healthcare Provider | 13237 | 2016-08-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Professional Dermatology Care, P.C. VA Healthcare Provider 13237 | Tuesday | 2016 |
Loi Luu | CA | Healthcare Provider | 13177 | 2014-11-14 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | OCR investigated the covered entity (CE), Loi Luu, M.D., after the CE reported a breach of 13,177 individuals’ protected health information (PHI) and electronic PHI due to lost or stolen computer equipment and compromised lab results on, or around September 17, 2014. The breach affected patients’ names, addresses, phone numbers, dates of birth, social security numbers, medical insurance information and/or blood test results. The CE reported the incident to local law enforcement. In response to OCR’s contact in this matter, the CE ensured the proper breach notifications were provided, took steps to prevent the risk of future physical theft incidents at its office (such as by adding locks, cameras, and alarms), increased its technical controls of ePHI (such as utilizing encrypted software and conducting risk assessments), adopted HIPAA policies and procedures, and engaged in HIPAA training. The CE provided documentation of these corrective steps to OCR. | Loi Luu CA Healthcare Provider 13177 | Friday | 2014 |
Bryan Myers, MD PC, Ashley DeWitt, DO PC, Michael Nobles, MD PC | TN | Healthcare Provider | 13150 | 2016-12-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Premier Women’s Health Center, discovered on November 2, 2016, that its EHR server had been infected with malware, affecting the electronic protected health information (ePHI) of 13,150 individuals. Information stored on the affected server included names, addresses, dates of birth, social security numbers, diagnoses/conditions, lab results, medications and other treatment information. The CE was able to disconnect the server from the network before any data was exfiltrated. The CE provided breach notification to HHS, to affected individuals, and to the media. OCR provided technical assistance to the CE regarding media notice and the performance of risk analyses. In response to the breach, the CE improved technical safeguards on its information system including upgrading firmware and software. The CE also implemented all new HIPAA policies and re-trained its workforce in May 2017. It initiated an enterprise-wide risk analysis through the aid of legal counsel. OCR obtained assurances that the CE implemented the corrective actions listed above. | Bryan Myers, MD PC, Ashley DeWitt, DO PC, Michael Nobles, MD PC TN Healthcare Provider 13150 | Friday | 2016 |
Baystate Health, Inc. | MA | Healthcare Provider | 13112 | 2016-10-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On July 27, 2016, a phishing e-mail was sent to 155 employees of the covered entity (CE), Baystate Health, Inc. Five employees responded to the phishing e-mail, which allowed the hackers to gain access to their e-mail accounts, potentially affecting the protected health information (PHI) of 13,112 individuals. The types of PHI that was potentially exposed may have included patients’ names, demographic information, dates of birth, diagnoses, treatments, medical record numbers, and in some instances, health insurance identification numbers. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE retrained employees, issued additional phishing reminders to all employees, and incorporated additional information about phishing into various trainings. Additionally, the CE improved technical safeguards. OCR reviewed the CE’s HIPAA policies and procedures as related to this breach for compliance with the Privacy and Security Rule and obtained assurances that the CE implemented the corrective actions listed above. | Baystate Health, Inc. MA Healthcare Provider 13112 | Friday | 2016 | |
Louisiana Healthcare Connections | LA | Health Plan | 13086 | 2016-02-02 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Louisiana Healthcare Connections, the covered entity (CE), reported that a former workforce member downloaded the electronic protected health information (ePHI) of 13,086 individuals. The types of ePHI included full names, Medicaid identification numbers and effective dates, dates of birth, phone numbers, and address information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified law enforcement. Additionally, the CE implemented improved administrative and technical safeguards, disabled the involved workforce member’s account access, revised policies and procedures, and retrained staff. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Louisiana Healthcare Connections LA Health Plan 13086 | Tuesday | 2016 |
University of Miami | FL | Healthcare Provider | 13074 | 2014-02-12 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), University of Miami Health System, reported that on or around June 27, 2013, it learned from Iron Mountain, its business associate (BA), that 15 boxes containing patients’ protected health information (PHI) were lost during the transfer between its new and old storage/shredding vendors. The boxes contained a mix of billing and research records of 13,074 patients that included financial and clinical information. Following the breach, the CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE offered credit monitoring and identity theft protection to all affected individuals. The CE and BA reviewed the BA’s processes for the transfer, pick up, and storage of records and worked together to revise procedures for safeguarding archived PHI. The CE required the BA to re-train all of its personnel who handle the CE’s data and re-trained its workforce on its HIPAA Privacy and Security policies and procedures. Additionally, the CE hired a new HIPAA Privacy Officer, revised procedures for retaining records in order to avoid sending records containing billing information to off-site storage, and developed a new sanctions policy specific to privacy violations. The CE also improved technical safeguards by implementing the Fair Warning System, a cloud-based security solution. OCR obtained assurances that the CE implemented the corrective actions listed above. | University of Miami FL Healthcare Provider 13074 | Wednesday | 2014 |
PST Services, Inc | GA | Business Associate | 13074 | 2012-10-08 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | PST Services, Inc GA Business Associate 13074 | Monday | 2012 |
MedSpring of Texas, PA | TX | Healthcare Provider | 13034 | 2018-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | MedSpring of Texas, PA TX Healthcare Provider 13034 | Friday | 2018 |
Mercy Health Love County Hospital and Clinic | OK | Healthcare Provider | 13004 | 2017-09-20 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Mercy Health Love County Hospital and Clinic OK Healthcare Provider 13004 | Wednesday | 2017 |
The Ambulatory Surgery Center at St. Mary | PA | Healthcare Provider | 13000 | 2016-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | The Ambulatory Surgery Center at St. Mary PA Healthcare Provider 13000 | Thursday | 2016 |
Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A. | FL | Healthcare Provider | 13000 | 2015-08-24 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On June 25, 2015, the Tampa Police Department notified the covered entity (CE), Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A., that paper printouts from their facility were found during a criminal investigation. An employee of the CE removed appointment sheets containing the names, social security numbers, dates of birth, and account numbers of 13,000 patients from the premises without authorization. The CE provided breach notification to HHS and affected individuals and set up a toll free number to answer questions. Following the breach the CE reviewed its policies and retrained staff on its HIPAA privacy and security policies. The CE also implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic PHI. The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. OCR obtained assurances that the CE implemented the corrective actions noted. The CE also terminated the involved employee’s employment. The employee was criminally investigated for actions related to this breach. | Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A. FL Healthcare Provider 13000 | Monday | 2015 |
Siouxland Anesthesiology, Ltd. | SD | Healthcare Provider | 13000 | 2015-07-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Siouxland Anesthesiology, the covered entity (CE), reported it was the subject of a criminal malware attack. The CE reported that hackers infiltrated one of its computer servers and installed malware that left patients’ electronic protected health information (ePHI) vulnerable to unauthorized access. The exposed ePHI included patients’ names, addresses, dates of birth, and, in some cases, Social Security numbers. The breach affected approximately 13,000 individuals. Following the breach report to the individuals, media and HHS, the CE investigated the incident and provided affected individuals with credit monitoring information and contact information should they have questions regarding the breach. In response to the breach and OCR’s review, the CE took a number of actions to address and mitigate the effects of the breach including: disabling the compromised server and replacing it with a new server; examining all work stations to ensure they were secure; and, establishing user controls and updating its password management procedures. In the course of its review, OCR provided the CE with technical assistance regarding necessary changes to its policies and procedures, and the requirements to conduct periodic thorough enterprise wide risk analyses and to review and update its risk management process. | Siouxland Anesthesiology, Ltd. SD Healthcare Provider 13000 | Friday | 2015 |
Gulf Coast Health Care Services Inc | FL | Healthcare Provider | 13000 | 2012-10-15 | Hacking/IT Incident | Theft | Unauthorized Access/Disclosure | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Two former employees of the covered entity (CE) took a list of patient information to a competitor’s office. The list contained the names, dates of birth, addresses and phone numbers of 13,000 patients, every active and inactive patient treated by the CE. The CE ceased operations on October 31, 2013, and eventually filed for voluntary dissolution with the Florida Secretary of State effective July 27, 2015. OCR obtained assurances that the CE is no longer in business. | Gulf Coast Health Care Services Inc FL Healthcare Provider 13000 | Monday | 2012 |
The Feinstein Institute for Medical Reserch | NY | Healthcare Provider | 13000 | 2012-09-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Feinstein Institute for Medical Research (Feinstein) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Feinstein will pay $3.9 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program; an effort it has already begun. “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.” Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices. After receiving a breach notification from Feinstein involving unsecured electronic protected health information (ePHI), OCR initiated an investigation to ascertain the entity’s compliance with HIPAA Rules. OCR’s investigation indicated that the following occurred: • Feinstein impermissibly disclosed the ePHI of 13,000 individuals when a Feinstein-owned laptop computer containing ePHI was left unsecured in the back seat of an employee’s car; • Feinstein failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by Feinstein, including the ePHI on the aforementioned laptop computer; • Feinstein failed to implement policies and procedures for granting access to ePHI by its workforce members; • Feinstein failed to implement physical safeguards for a laptop that contained ePHI to restrict access to unauthorized users; • Feinstein failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and, • Feinstein failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI. The settlement requires Feinstein to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of ePHI that includes: • A risk analysis and a risk management plan; • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce. | The Feinstein Institute for Medical Reserch NY Healthcare Provider 13000 | Friday | 2012 |
Fairbanks Hospital | IN | Healthcare Provider | 12994 | 2016-12-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Fairbanks Hospital IN Healthcare Provider 12994 | Friday | 2016 |
Phoebe Putney Memorial Hospital | GA | Healthcare Provider | 12937 | 2014-01-07 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | On April 9, 2012, Phoebe Putney Memorial Hospital, Inc., the covered entity (CE), learned from law enforcement that an employee of Phoebe Home Care (PHC), a department of the CE, improperly accessed patients’ protected health information (PHI) with the intent to process fraudulent tax returns. An internal investigation and audit concluded that the employee accessed the medical records in a combination of paper and electronic form. The PHI affected 2,354 individuals and contained patients’ names, dates of birth and social security numbers. In response to the breach, the CE sanctioned the responsible employee. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE improved safeguards by locking cabinets containing patient files, creating a security access hierarchy to assure role-based access to PHI, and encrypting laptop computers. Additionally, the CE removed social security numbers from its referral form and removed employee social security numbers from its software system. The CE implemented monthly audits on its electronic medical records system and established an annual HIPAA in-service training program for management and staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Phoebe Putney Memorial Hospital GA Healthcare Provider 12937 | Tuesday | 2014 |
Phoebe Putney Memorial Hospital, Inc. | GA | Healthcare Provider | 12937 | 2012-05-24 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Phoebe Putney Memorial Hospital, Inc. GA Healthcare Provider 12937 | Thursday | 2012 |
CVS Health | RI | Healthcare Provider | 12914 | 2015-06-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | CVS Health Store 3976, the covered entity (CE), was looted and burned during rioting activity that occurred in the city of Baltimore, Maryland, and some computers containing electronic protected health information (ePHI) were stolen. 12,914 individuals were affected by the incident. The specific type of PHI on the stolen computers included patients’ first and last names, partial dates of birth, addresses, medication names, medication dosage, and prescription number. CVS Health provided OCR with assurances that individuals affected by this breach and the media were notified in accordance with the Breach Notification Rule. All individuals affected by the breach were given 1 year of free credit monitoring by the CE. | CVS Health RI Healthcare Provider 12914 | Friday | 2015 |
Lucile Packard Childrens Hospital, Privacy Manager Breach | CA | Healthcare Provider | 12900 | 2013-06-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Stanford School of Medicine (SOM) and Stanford Children’s Hospital (SCH)(formerly Lucile Packard Children’s Hospital), reported that on May 8, 2013, a workforce member’s laptop was stolen from a badge-access controlled area of the hospital. SCH employed the workforce member; however, SOM owned and managed the laptop. The laptop was password-protected, but not encrypted. The electronic protected health information (ePHI) of approximately 12,900 individuals may have been affected by this breach. The type of ePHI involved included clinical and demographic information. The CE reported the theft to law enforcement, notified the affected individuals, offered identity protection services at no cost to the affected individuals, established a toll-free call center to assist affected individuals with questions or concerns, and submitted notification to the media and HHS. Following the breach and OCR’s corresponding investigation, the CE sanctioned the workforce member for violating its HIPAA policies, ensured that SOM’s devices were encrypted and compliant with data security policies, and restricted SCH users’ ability to download attachments to unencrypted devices. The CE also initiated plans to implement an improved risk management process. | Lucile Packard Childrens Hospital, Privacy Manager Breach CA Healthcare Provider 12900 | Thursday | 2013 |
The Neurology Foundation, Inc. | RI | Healthcare Provider | 12861 | 2017-09-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | Other Portable Electronic Device | Paper/Films | NA | NA | NA | No | NA | The Neurology Foundation, Inc. RI Healthcare Provider 12861 | Friday | 2017 |
Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists | CA | Healthcare Provider | 12806 | 2017-09-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On July 5, 2017, the covered entity (CE), Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists, was informed that the hacker group, the Dark Overlord, may have breached their computer network. The CE reported the notice to the Ventura County Sheriff’s High Tech Task Force, who began a forensic information technology investigation in consultation with the Federal Bureau of Investigation. This investigation is ongoing. To date, law enforcement has found no evidence of any information leaving the CE’s system. However, unauthorized access has not been ruled out, and out of an abundance of caution, the CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE changed passwords, updated access control logs, updated its email policy and procedures, and added technical and administrative security improvements. OCR obtained assurances that the CE implemented the voluntary corrective actions noted above. | Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists CA Healthcare Provider 12806 | Friday | 2017 |
Briggs & Stratton Corporation | WI | Health Plan | 12789 | 2017-09-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | NA | Briggs & Stratton Corporation WI Health Plan 12789 | Friday | 2017 |
Florida Hospital | FL | Healthcare Provider | 12784 | 2011-10-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Florida Hospital FL Healthcare Provider 12784 | Thursday | 2011 |
North Carolina Department of Health and Human Services | NC | Health Plan | 12731 | 2017-02-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | North Carolina Department of Health and Human Services NC Health Plan 12731 | Thursday | 2017 |
Florida Hospital | FL | Healthcare Provider | 12724 | 2018-05-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Florida Hospital FL Healthcare Provider 12724 | Thursday | 2018 |
The McLean Hospital Corporation | MA | Healthcare Provider | 12673 | 2015-07-28 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | The McLean Hospital Corporation MA Healthcare Provider 12673 | Tuesday | 2015 |
Clay County Hospital | IL | Healthcare Provider | 12621 | 2014-12-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On November 2, 2014, the covered entity’s (CE) president received an anonymous email threatening to release the protected health information (PHI) of hospital clinic patients to the public unless he or she received a substantial payment from the CE. This threat could have affected patients who visited the hospital on or before February 2012, approximately 12,621 individuals. The CE determined that the CE’s servers were not hacked nor were its information systems compromised. OCR determined that the voluntary corrective actions of the CE resolved this matter. Nonetheless, the CE provided breach notification to HHS, potentially affected individuals, and the media, and offered identity theft protection to the notified individuals. Additionally, the CE developed an encryption program and network auditing program. It re-trained staff on its newly implemented programs and its privacy and security policies. OCR obtained documented assurances that the CE implemented the corrective action steps noted above. | Clay County Hospital IL Healthcare Provider 12621 | Friday | 2014 |
Shands at UF | FL | Healthcare Provider | 12580 | 2010-03-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF’s most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR’s investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. | Shands at UF FL Healthcare Provider 12580 | Monday | 2010 |
Logan County Emergeny Ambulance Service Authority | WV | Healthcare Provider | 12563 | 2011-11-08 | Loss | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Logan County Emergeny Ambulance Service Authority WV Healthcare Provider 12563 | Tuesday | 2011 |
Kmart Corporation | IL | Healthcare Provider | 12542 | 2013-04-03 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Kmart Corporation IL Healthcare Provider 12542 | Wednesday | 2013 |
Montefiore Medical Center | NY | Healthcare Provider | 12517 | 2015-07-22 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Montefiore Medical Center NY Healthcare Provider 12517 | Wednesday | 2015 |
San Juan County New Mexico | NM | Healthcare Provider | 12500 | 2016-05-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user obtained remote access to a workstation located at the covered entity (CE), San Juan County New Mexico. The protected health information (PHI) potentially affected included the names, addresses, health assessments, and clinical information of approximately 12,500 individuals. As a result of the breach, the CE improved safeguards, updated policies and procedures, and provided affected individuals with free credit monitoring. Further, the CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed. | San Juan County New Mexico NM Healthcare Provider 12500 | Tuesday | 2016 |
Concordia Plan Services on behalf of the Concordia Health Plan | MO | Health Plan | 12500 | 2015-04-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Concordia Plan Services on behalf of the Concordia Health Plan MO Health Plan 12500 | Thursday | 2015 |
Independence Blue Cross and AmeriHealth New Jersey | PA | Health Plan | 12450 | 2014-12-26 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Members of the covered entity’s (CE) maintenance team improperly disposed of four boxes of paper records containing the protected health information (PHI) of approximately 12,450 individuals in error during the course of an office move within the building. The trash was collected by the CE’s trash removal vendor the next day and transported to a recycling plant. The PHI involved in the breach included names, addresses, identification numbers (including social security numbers), home phone numbers, physician information, health care plans, and group numbers. The CE was not able to determine whether or not someone at the recycling center may have acquired or viewed the PHI. The CE, Independence Blue Cross, provided breach notification to HHS, the media, and affected individuals. The CE offered all members who had their member identification number compromised one year of free credit monitoring. As a result of OCR’s investigation, the CE revised its policies and procedures for trash disposal, as well as maintenance and disposal of provider reports. The CE also sent a reminder to all associates regarding its policies and procedures for proper handling of paper documents and proper disposal of trash and documents containing PHI. Furthermore, the CE sanctioned the employees responsible for the incident. The CE initiated plans to provide additional staff training on its HIPAA policies and procedures for trash disposal. | Independence Blue Cross and AmeriHealth New Jersey PA Health Plan 12450 | Friday | 2014 |
CHI Franciscan Health Hospice-Tacoma | WA | Healthcare Provider | 12413 | 2016-11-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | CHI Franciscan Health Hospice-Tacoma WA Healthcare Provider 12413 | Monday | 2016 |
New Mexico Oncology Hematology Consultants, LTD | NM | Healthcare Provider | 12354 | 2013-12-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), New Mexico Oncology Hematology Consultants, reported the November 13, 2013, theft of a laptop computer from its Albuquerque office. The unencrypted laptop contained the protected health information (PHI) of 12,354 individuals including patients’ names, medical record numbers, dates of birth, addresses, telephone numbers, clinical testing results, diagnoses, treatment information, and insurance information. Following discovery of the breach, the CE strengthened its security program by conducting a new risk analysis, implementing additional physical safeguards, and encrypting mobile devices. It also revised administrative policies and retrained staff. The CE provided breach notification to HHS, the media, and affected individuals. OCR obtained assurances that the CE implemented the corrective actions noted above. | New Mexico Oncology Hematology Consultants, LTD NM Healthcare Provider 12354 | Tuesday | 2013 |
United HomeCare Services, Inc. | FL | Healthcare Provider | 12299 | 2013-03-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On January 8, 2013, an employee’s unencrypted laptop (owned by the covered entity (CE), United HomeCare Services, Inc.,) was stolen from her locked vehicle. The laptop contained demographic data, including names, dates of birth, addresses, and social security numbers, as well as clinical and health insurance information affecting 12,299 patients of the CE and 1,318 clients of its subsidiary, United Home Care Services of Southwest Florida, LLC. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE encrypted its portable devices and provided specialized training to its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. The employee at fault was suspended without pay for 5 days and resigned shortly thereafter. | United HomeCare Services, Inc. FL Healthcare Provider 12299 | Saturday | 2013 |
Centura Health | CO | Healthcare Provider | 12286 | 2014-04-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | OCR initiated an investigation after the covered entity (CE), Centura Health, reported that it experienced a phishing attack. Because a few of its employees inadvertently responded to the fraudulent email by clicking on a link and providing their usernames and passwords, these employees’ email accounts may have been accessible to the attacker(s). The CE detected and contained the incident because less than 5% of its employees received the phishing email. The compromised email accounts resulted in a breach of 12,286 individuals’ electronic protected health information (ePHI) in the form of demographic (names, addresses, dates of birth, telephone numbers, social security numbers, other identifiers), clinical (diagnoses, lab results, medications, other treatment) and/or financial (claims) information. The CE provided breach notification to HHS, affected individuals, and the media. The CE also notified the Federal Bureau of Investigation and offered free credit monitoring services to the individuals who had their social security number or financial information potentially compromised. Following the breach, the CE updated its risk management plan which included escalating in priority its implementation of certain previously identified security measures; retrained all its employees, and enhanced its annual compliance education training to provide additional content regarding phishing scams. OCR obtained assurance that the CE implemented the corrective actions noted above. | Centura Health CO Healthcare Provider 12286 | Tuesday | 2014 |
St. Joseph Health System | CA | Healthcare Provider | 12234 | 2012-02-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | St. Joseph Health (SJH) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following the report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. SJH’s range of services includes 14 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations throughout California and in parts of Texas and New Mexico. On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information. OCR’s investigation indicated the following potential violations of the HIPAA Rules: • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals; • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI; • Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule. In addition to the $2,140,500 settlement, SJH has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh. | St. Joseph Health System CA Healthcare Provider 12234 | Wednesday | 2012 |
Shop-Rite Supermarkets, Incorporated | NY | Healthcare Provider | 12172 | 2017-11-03 | Improper Disposal | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Shop-Rite Supermarkets, Incorporated NY Healthcare Provider 12172 | Friday | 2017 |
Athens Heart Center, P.C. | GA | Healthcare Provider | 12158 | 2018-04-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Athens Heart Center, P.C. GA Healthcare Provider 12158 | Monday | 2018 |
Memorial Hermann Health System, reporting on behalf of Memorial Hermann Health System Employee Group Health Plan | TX | Health Plan | 12061 | 2016-07-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Memorial Hermann Health System, reported that between December 12, 2015, and May 23, 2016, Memorial Hermann Health Solutions, the plan administrator for the Memorial Hermann Health System Employee Group Health Plan, impermissibly disclosed the protected health information (PHI) of 12,061 plan members to the CE’s primary care physicians (PCP). The disclosure included plan members’ names, addresses, dates of birth, telephone numbers and member identification. The plan members did not have an existing relationship with the PCP at the time of the disclosure, and therefore the disclosure was not for treatment purposes. The error occurred while implementing a new process in 2014, which was not effectively communicated to the leadership of the Health Plan. The CE met with the new leadership of the Health Plan to ensure the plan complies with its obligations to control data flow and to ensure the plan’s appropriate use of shared data. Following the incident, the CE provided evidence it notified affected individuals, the media, and posted substitute notification on its website. | Memorial Hermann Health System, reporting on behalf of Memorial Hermann Health System Employee Group Health Plan TX Health Plan 12061 | Wednesday | 2016 |
Grays Harbor Pediatrics, PLLC | WA | Healthcare Provider | 12009 | 2011-01-21 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Grays Harbor Pediatrics, PLLC WA Healthcare Provider 12009 | Friday | 2011 |
Implants, Dentures & Dental | NV | Healthcare Provider | 12000 | 2015-06-10 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | Network Server | Other | Other Portable Electronic Device | NA | NA | NA | No | Implants, Dentures and Dental, Inc., the covered entity (CE), reported that on June 8, 2015, its computer server was removed from its facility without its consent. The CE reported that it worked with law enforcement to investigate the incident. The server contained the electronic protected health information (ePHI) of approximately 12,000 individuals. The types of ePHI involved in this incident included digital x-rays, demographic, financial, and clinical information. Following the removal of the server, the CE’s employees were unable to access practice management software. In response to the incident, the CE reported that it adopted encryption technologies, changed passwords, and strengthened password requirements. Additionally, the CE revised its business associate (BA) contracts, as the removal of the server was related to a complicated BA arrangement. The CE also reported that it implemented new technical safeguards, improved physical security, performed risk assessments, and provided workforce members and business associates with additional HIPAA training. Following OCR’s investigation of the incident, the CE reported that it had closed its business. OCR independently confirmed that the CE is no longer open for business. | Implants, Dentures & Dental NV Healthcare Provider 12000 | Wednesday | 2015 |
Western Regional Center for Brain and Spine Surgery | NV | Healthcare Provider | 12000 | 2014-07-12 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Western Regional Center for Brain and Spine Surgery NV Healthcare Provider 12000 | Saturday | 2014 |
VNA of Southeastern Ct. | CT | Healthcare Provider | 12000 | 2010-11-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | VNA of Southeastern Ct. CT Healthcare Provider 12000 | Thursday | 2010 |
Blue Cross & Blue Shield of Rhode Island | RI | Health Plan | 12000 | 2010-04-21 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members’ names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. | Blue Cross & Blue Shield of Rhode Island RI Health Plan 12000 | Wednesday | 2010 |
Centra | VA | Healthcare Provider | 11982 | 2011-01-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Centra VA Healthcare Provider 11982 | Wednesday | 2011 |
Wyoming Department of Health | WY | Health Plan | 11935 | 2013-12-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Wyoming Department of Health, transferred a copy of the Women Infants and Children benefit program backup database via the internet to a business associate using an unsecured method. Approximately 11,935 individuals were affected by the breach, potentially disclosing demographic information, dates of birth, gender, and identification numbers. The CE notified affected individuals, the media, and the Secretary. Following OCR’s investigation, the CE conducted an enterprise-wide risk analysis, developed a risk management plan, and revised its organizational structure in order to hybridize into covered and non-covered functions. OCR obtained assurances that the CE implemented these corrective action steps. | Wyoming Department of Health WY Health Plan 11935 | Thursday | 2013 |
Aetna Inc. | CT | Health Plan | 11887 | 2017-08-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Aetna Inc. CT Health Plan 11887 | Tuesday | 2017 |
Adult Internal Medicine of North Scottsdale | AZ | Healthcare Provider | 11798 | 2017-09-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Adult Internal Medicine of North Scottsdale AZ Healthcare Provider 11798 | Friday | 2017 |
Medical Information Management Systems, LLC | FL | Business Associate | 11707 | 2017-02-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Medical Information Management Systems, LLC (MIMS), a Sheridan Healthcorp, Inc. subsidiary, was part of the electronic network at Valley Anesthesiology and Pain Consultants (VAPC), which suffered a cyberattack when a third party may have gained unauthorized access to the network, including the BA’s computer server(s) on March 30, 2016. VAPC discovered the incident on June 13, 2016, and identified the MIMS server that may have been compromised on July 22, 2016. MIMS was a BA of First Assistant Associates (FAA) at the time, providing billing and collection services. The incident compromised not only electronic protected health information (ePHI) at VAPC, but also ePHI regarding 11,707 individuals in the MIMS server who were FAA patients. OCR opened a separate review of the VAPC breach. The types of ePHI that were potentially accessed in the MIMS server included patient names, dates of birth, addresses, health insurance information, clinical information, and some social security numbers. In response to the breach, MIMS/VAPC installed a virtual private network (VPN) device to improve the security of remote access to the network and disabled the compromised network accounts. MIMS/VAPC “blacklisted” the internet addresses identified in the incident to block any additional attempts from those actors to access the electronic health record program (EHR) through the remote desktop protocol. After the breach, MIMS/VAPC rebuilt the compromised server, implemented centralized logging for key systems, whitelisted service provider internet addresses, and switched their antivirus and EHR programs. The BA provided breach notification to FAA as well as to HHS, affected individuals, and the media; however, notice to HHS was not timely. OCR provided technical assistance regarding the BA’s obligations to conduct a comprehensive and current security risk analysis and implement a corresponding risk management/mitigation plan to address any findings. | Medical Information Management Systems, LLC FL Business Associate 11707 | Thursday | 2017 |
Delta Dental of California | CA | Health Plan | 11646 | 2012-01-19 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Delta Dental of California CA Health Plan 11646 | Thursday | 2012 |
Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 11552 | 2018-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Fondren Orthopedic Group L.L.P. TX Healthcare Provider 11552 | Monday | 2018 |
Kaiser Foundation Health Plan of Colorado | CO | Health Plan | 11551 | 2014-08-12 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kaiser Foundation Health Plan of Colorado, reported that on July 24, 2014, it erroneously mailed letters containing protected health information (PHI) to incorrect recipients, affecting 11,551 individuals. Each letter contained the name of another program member in a chronic condition management program. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE sanctioned and retrained the responsible employee. | Kaiser Foundation Health Plan of Colorado CO Health Plan 11551 | Tuesday | 2014 |
American Health Inc. | PR | Health Plan | 11531 | 2014-05-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” | American Health Inc. PR Health Plan 11531 | Sunday | 2014 |
Guardian Pharmacy of Jacksonville | FL | Healthcare Provider | 11521 | 2018-03-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Guardian Pharmacy of Jacksonville FL Healthcare Provider 11521 | Friday | 2018 |
DaVita | CA | Healthcare Provider | 11500 | 2013-11-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | DaVita CA Healthcare Provider 11500 | Tuesday | 2013 |
McKesson Pharmacy Systems LLC | GA | Business Associate | 11440 | 2010-08-05 | Other | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | | McKesson Pharmacy Systems LLC GA Business Associate 11440 | Thursday | 2010 |
Susan M Hughes Center | NJ | Healthcare Provider | 11400 | 2016-12-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Susan M Hughes Center NJ Healthcare Provider 11400 | Tuesday | 2016 |
Agent Benefits Corporation | MI | Business Associate | 11387 | 2011-05-26 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | Agent Benefits Corporation MI Business Associate 11387 | Thursday | 2011 |
Carson Valley Medical Center | NV | Healthcare Provider | 11368 | 2017-04-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On April 4, 2017, the covered entity (CE), Carson Valley Medical Center in Gardnerville, Nevada, reported that a spreadsheet containing protected health information (PHI) may have been compromised by an unauthorized user as a result of an email scam. The electronic PHI included the names, discharge dates, billing account numbers, and locations of services for 11,368 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented technical safeguards, updated its security risk analysis, and trained staff. OCR provided technical assistance regarding the HIPAA Security Rule. | Carson Valley Medical Center NV Healthcare Provider 11368 | Tuesday | 2017 |
Sinai Health System | IL | Healthcare Provider | 11347 | 2017-12-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Sinai Health System IL Healthcare Provider 11347 | Friday | 2017 |
CarePlus Health Plan [case #HU1800066] | KY | Health Plan | 11248 | 2018-02-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | CarePlus Health Plan [case #HU1800066] KY Health Plan 11248 | Monday | 2018 |
Robert Witham, MD, FACP | OR | Healthcare Provider | 11136 | 2012-06-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Robert Witham, MD, FACP OR Healthcare Provider 11136 | Wednesday | 2012 |
Emergence Health Network | TX | Healthcare Provider | 11100 | 2015-10-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Texas Health & Human Services Commission, detected unauthorized remote login activity from Asia to a computer server belonging to a business associate (BA), Emergence Health Network, which had been compromised by a brute force attack. The attack potentially affected the names, addresses, dates of birth, demographic, financial, clinical, and treatment information of approximately 11,000 individuals being discharged from El Paso County Jail. Following the breach, the BA retired outdated software, implemented new policies and procedures to require regular patching of software, installed a new intrusion protection detection system, updated firewalls, strengthened configurations on servers, and implemented internet protocol filtering. It also implemented a new training program for workforce members. Following OCR’s investigation, the BA updated its Breach Notification Policy. | Emergence Health Network TX Healthcare Provider 11100 | Friday | 2015 |
Molina Healthcare of California | CA | Health Plan | 11081 | 2011-12-17 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Molina Healthcare of California CA Health Plan 11081 | Saturday | 2011 |
Cottage Health | CA | Healthcare Provider | 11000 | 2015-12-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Cottage Health CA Healthcare Provider 11000 | Tuesday | 2015 |
David DiGiallorenzo, D.M.D. | PA | Healthcare Provider | 11000 | 2014-06-19 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | An individual hacked into the Dentrix software of the covered entity (CE), Lanap & Implant Center of Pennsylvania (David DiGiallorenzo), and posted patients’ protected health information (PHI) on a “BitTorrent” website (which distributes files over the Internet), piratebay.com. The breach involved the PHI of 11,000 individuals and included names, as well as dates of birth and social security numbers for some of the individuals. The CE provided breach notification to HHS, affected individuals whose PHI was compromised, and the media, as well as substitute notification. Following the breach, the CE received security updates from Dentrix. As a result of OCR’s investigation, the CE increased safeguards by implementing security measures on its electronic systems. | David DiGiallorenzo, D.M.D. PA Healthcare Provider 11000 | Thursday | 2014 |
Apria Healthcare, Inc., Privacy Manager Breach | CA | Healthcare Provider | 11000 | 2012-08-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On August 13, 2012, the covered entity (CE), Apria Healthcare, Inc., reported that an unencrypted laptop computer was stolen from a workforce member’s locked vehicle. The laptop contained the electronic protected health information (ePHI) of 65,700 individuals. The PHI involved in the breach included names, addresses, birth dates, social security numbers, and isolated instances of driver’s licenses, financial and medical information. The CE provided breach notification to HHS, the affected individuals and the media. The CE sanctioned the workforce member, encrypted all laptop and desktop computers, and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. | Apria Healthcare, Inc., Privacy Manager Breach CA Healthcare Provider 11000 | Wednesday | 2012 |
Joseph A. Gagnon d/b/a Goldthwait Associates | MA | Business Associate | 11000 | 2010-10-01 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Joseph A. Gagnon d/b/a Goldthwait Associates MA Business Associate 11000 | Friday | 2010 |
Kansas Department for Aging and Disability Services | KS | Healthcare Provider | 11000 | 2018-04-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Kansas Department for Aging and Disability Services KS Healthcare Provider 11000 | Tuesday | 2018 |
Bluetail Medical Group | MO | Healthcare Provider | 11000 | 2017-08-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Bluetail Medical Group MO Healthcare Provider 11000 | Wednesday | 2017 |
Appalachian Gastroenterology, P.A. | NC | Healthcare Provider | 11000 | 2016-12-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Appalachian Gastroenterology, P.A. NC Healthcare Provider 11000 | Saturday | 2016 |
Duke University Health System | NC | Healthcare Provider | 10993 | 2014-08-29 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Duke University Health System NC Healthcare Provider 10993 | Friday | 2014 |
Carolina Digestive Health Associates, PA | NC | Healthcare Provider | 10988 | 2018-04-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Carolina Digestive Health Associates, PA NC Healthcare Provider 10988 | Thursday | 2018 |
SUPERVALU Group Health Plan | MN | Health Plan | 10946 | 2015-04-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | SUPERVALU Group Health Plan MN Health Plan 10946 | Friday | 2015 |
Bronx Lebanon Hospital Center | NY | Business Associate | 10930 | 2013-10-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses for patients of the covered entity (CE), Bronx Lebanon Hospital Center. The CE that had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the protected health information (PHI) from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed. | Bronx Lebanon Hospital Center NY Business Associate 10930 | Friday | 2013 |
Thomasville Eye Center | GA | Healthcare Provider | 10891 | 2016-09-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Thomasville Eye Center, discovered that one of its employees opened a credit account for a patient without authorization. The employee was able to access patient names, addresses, dates of birth, Social Security numbers, and billing information. Although the CE only knows of one patient being impacted, the employee accessed records of 11,137 individuals during her employment, all of whom may have been affected. The CE provided breach notification to HHS, the individuals who may have been affected, the media, and on its website. Following the breach, the CE retrained employees and revised policies and procedures to limit employee access to protected information. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employee involved, notified local law enforcement, and the FBI. | Thomasville Eye Center GA Healthcare Provider 10891 | Wednesday | 2016 |
Mount Sinai Beth Israel | NY | Healthcare Provider | 10793 | 2014-10-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Mount Sinai Beth Israel NY Healthcare Provider 10793 | Friday | 2014 |
Service Coordination, Inc. | MD | Business Associate | 10766 | 2014-04-17 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | Service Coordination, Inc. MD Business Associate 10766 | Thursday | 2014 |
Jay C. Platt, DDS | IN | Healthcare Provider | 10705 | 2011-12-05 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Jay C. Platt, DDS IN Healthcare Provider 10705 | Monday | 2011 |
Planned Parenthood of Greater Washington and North Idaho | WA | Healthcare Provider | 10700 | 2016-08-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | In August 2016, the covered entity (CE), Planned Parenthood of Greater Washington and North Idaho (PPGWNI), reported that its business associate (BA), athenahealth, inc., inadvertently sent some e-mails, inviting individuals to the CE’s online portal, to the wrong addresses. The e-mails included the first and last names of 10,700 individuals. Upon discovery of the breach, the CE and BA shut down the portal to determine the root cause of the breach and to implement additional safeguards. The CE provided breach notification to HHS, affected individuals, and the media. The BA and CE reestablished the online portal after re-confirming permissions and processes related to the business associate contract/relationship. OCR obtained documented assurances that the CE and BA implemented the corrective actions noted above. | Planned Parenthood of Greater Washington and North Idaho WA Healthcare Provider 10700 | Friday | 2016 |
Rotech Healthcare Inc. | FL | Healthcare Provider | 10680 | 2013-10-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A former employee of the covered entity (CE), Rotech, removed and retained electronic files from a company computer, some of which contained the protected health information (PHI) of employees in relation to the CE’s group health plan. The demographic, clinical and financial information of 10,680 individuals was affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE updated its policies and procedures regarding downloading of information from company-issued computers to external devices, retrieval of company-issued removable media from departing employees, and destruction of PHI and ePHI. The CE improved safeguards by disabling USB ports on most computers and encrypting all company laptops. Additionally, the CE conducted a HIPAA gap analysis, implemented a process for periodic analysis, and updated and secured the methods used to back up data. Finally, the CE obtained outside experts to assist in reviewing and enhancing HIPAA training and retrained employees. OCR obtained assurances that the corrective actions listed above were completed. | Rotech Healthcare Inc. FL Healthcare Provider 10680 | Tuesday | 2013 |
Memorial Hermann Health System | TX | Healthcare Provider | 10604 | 2014-08-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On July 7, 2014, Memorial Hermann Health System’s audit program identified that a workforce member had inappropriately accessed the protected health information (PHI) of approximately 10,600 individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. It also promptly terminated the involved workforce member. OCR reviewed copies of the CE’s policies and procedures related to the incident and information related to its HIPAA training program and audit protocols in place at the time of the incident. Following the incident, the CE took corrective actions including expanding its IT audit program and hiring additional audit staff. | Memorial Hermann Health System TX Healthcare Provider 10604 | Friday | 2014 |
DentaQuest | MA | Business Associate | 10515 | 2010-06-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity’s (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE’s members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | DentaQuest MA Business Associate 10515 | Wednesday | 2010 |
Riaz Baber, M.D., S.C. | IL | Healthcare Provider | 10500 | 2017-09-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Riaz Baber, M.D., S.C. IL Healthcare Provider 10500 | Thursday | 2017 |
Lee Miller Rehabilitation Associates | MD | Healthcare Provider | 10480 | 2012-02-29 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Lee Miller Rehabilitation Associates MD Healthcare Provider 10480 | Wednesday | 2012 |
Jefferson Medical Associates, P.A. | MS | Healthcare Provider | 10401 | 2016-07-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Jefferson Medical Associates, P.A. MS Healthcare Provider 10401 | Friday | 2016 |
Aflac | GA | Health Plan | 10396 | 2018-05-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Aflac GA Health Plan 10396 | Tuesday | 2018 |
Indiana University Health Arnett | IN | Healthcare Provider | 10350 | 2013-05-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Indiana University Health Arnett IN Healthcare Provider 10350 | Monday | 2013 |
Texas Health Partners | TX | Business Associate | 10345 | 2011-08-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | | Texas Health Partners TX Business Associate 10345 | Wednesday | 2011 |
Primary Health Care, Inc. | IA | Healthcare Provider | 10313 | 2018-03-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Primary Health Care, Inc. IA Healthcare Provider 10313 | Friday | 2018 |
WYATT DENTAL GROUP, LLC | LA | Healthcare Provider | 10271 | 2012-11-05 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The Louisiana State Police and the FBI notified the covered entity (CE) that a former employee was involved in identity theft affecting the protected health information (PHI) of the CE’s patients. Approximately 10,271 patients’ PHI was involved in the breach; however, the CE’s investigation concluded that after the Dept. of Public Safety and Corrections investigation, only 10 patients were affected. The PHI involved in the breach included names, addresses, and social security numbers. The CE provided breach notification to HHS, the media, and all patients whose names were included in their business associate’s (BA) information system. To prevent a similar breach from happening in the future, the BA reviewed its system and assured the CE and OCR that its system was designed to comply with the regulations under HIPAA. As a result of OCR’s investigation, the CE provided OCR with a copy of its HIPAA policies and procedures. | WYATT DENTAL GROUP, LLC LA Healthcare Provider 10271 | Monday | 2012 |
Plastic Surgery Associates of South Dakota | SD | Healthcare Provider | 10229 | 2017-07-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Plastic Surgery Associates of South Dakota SD Healthcare Provider 10229 | Thursday | 2017 |
Region Ten Community Services Board | VA | Healthcare Provider | 10228 | 2013-09-26 | Theft | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Region Ten Community Services Board, reported that multiple employees had responded to an email, appearing to come from an internal sender, informing them that their mailboxes had exceeded limits and instructing them to follow a link to enter username and password. A forensic investigation was conducted which did not show that any sensitive client information was compromised. However, in an effort to mitigate any potential harm the CE sent notification to over 10,000 individuals, sent a press release to a local news station and also posted information about the occurrence on its website. The CE engaged the services of a technology consulting firm and has provided OCR written assurance that it has implemented updates to its computer network including an additional firewall | Region Ten Community Services Board VA Healthcare Provider 10228 | Thursday | 2013 | |
Northeast OB/GYN Associates | TX | Healthcare Provider | 10198 | 2017-08-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | Northeast OB/GYN Associates, the Covered Entity, (âCEâ) reported that a keylogger virus on its computer network captured information keyed into the CEâs system for more than a month. The CE reported that the protected health information (PHI) of 10,198 individuals was involved in the breach. The types of PHI included demographic, financial, and clinical information. The CE notified the affected individuals and the media. During the course of the investigation, OCR determined that the CE retrained its staff and implemented technical and procedural changes to prevent a similar event from occurring in the future. | Northeast OB/GYN Associates TX Healthcare Provider 10198 | Friday | 2017 |
Yanez Dental Corporation | CA | Healthcare Provider | 10190 | 2011-07-04 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Yanez Dental Corporation CA Healthcare Provider 10190 | Monday | 2011 |
Hawai’i Medical Service Association | HI | Health Plan | 10179 | 2016-01-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Between April and November 2015, the covered entity (CE), Hawai’i Medical Service Association, mistakenly sent care management letters to incorrect addresses, affecting approximately 10,179 patients’ protected health information (PHI). The types of PHI involved in the breach included names and the implied suggestion that individuals may have certain medical conditions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE updated its risk analysis and risk management plan and enhanced physical security. OCR obtained assurances that the CE implemented the corrective actions noted above. | Hawai’i Medical Service Association HI Health Plan 10179 | Friday | 2016 |
Verity Medical Foundation | CA | Healthcare Provider | 10164 | 2017-01-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Verity Medical Foundation, the covered entity (CE), reported a breach that occurred when one of its websites, www.sanjosemed.com, was compromised and was being used to distribute malware to website visitors. The breach affected approximately 9,353 individuals who were patients of the San Jose Medical Group, which joined the CE in 2012. The types of protected health information (PHI) involved included names, addresses, dates of birth, medical record numbers, and the last 4 digits of credit card numbers. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Upon discovery of the breach, the CE immediately disabled the website to prevent incidents such as this occurring in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. | Verity Medical Foundation CA Healthcare Provider 10164 | Wednesday | 2017 |
PVHS-ICM Employee Health and Wellness, LLC as covered entity and business associate | CO | Healthcare Provider | 10143 | 2017-07-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | PVHS-ICM Employee Health and Wellness, LLC as covered entity and business associate CO Healthcare Provider 10143 | Monday | 2017 |
24 ON Physicians PC | GA | Business Associate | 10104 | 2014-08-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On June 10, 2014, 24 ON Physicians, the covered entity (CE), discovered that its business associate (BA), PST Services, hired an off-shore subcontractor, GeBBS, which repurposed a computer server containing the protected health information (PHI) of 10,104 of the CE’s patients. The re-use of the server made the PHI potentially available over the Internet from December 1, 2013, to April 17, 2014. The PHI included patients’ names, invoice numbers, procedure codes, charge amounts, balances due, policy numbers, billing-related status comments, and dates of service. In response to this breach, the CE ensured that the server was taken off-line and the PHI was destroyed. The subcontractor submitted documentation stating that all of the breached PHI was destroyed. The CE informed OCR that it no longer works with the subcontractor. The CE provided breach notification to HHS, affected individuals and the media. It also provided affected individuals with one year of free credit monitoring. The CE initiated a plan to work with its BAs to strengthen security protocols to prevent this type of breach from occurring in the future. OCR obtained assurances that the CE and BA implemented the corrective actions listed above. | 24 ON Physicians PC GA Business Associate 10104 | Friday | 2014 |
PST Services Inc, a McKesson Co. | GA | Business Associate | 10104 | 2014-08-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | PST Services Inc, a McKesson Co. GA Business Associate 10104 | Friday | 2014 |
Loma Linda University School of Dentistry | CA | Healthcare Provider | 10100 | 2010-08-11 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Three password protected desktop computers and an auxiliary hard drive containing electronic protected health information (ePHI) were stolen from the covered entity (CE), Redlands Periodontal Group, Loma Linda University School of Dentistry. The ePHI involved in the breach included the demographic information of 10,100 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE conducted an on-site audit of the periodontal clinic and conducted a risk assessment of the 16 clinics under the purview of the School of Dentistry. The CE improved safeguards by replacing the clinic’s computers with computers that do not contain local hard drive storage, issuing remote access credentials, relocating paper patient charts, and deactivating access to network resources from the periodontal facility. It also decommissioned associated equipment and networks, and disposed of computing equipment used in conjunction with daily operations at the periodontal facility. In addition, the CE retrained staff regarding its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Loma Linda University School of Dentistry CA Healthcare Provider 10100 | Wednesday | 2010 |
New York City Health & Hospitals Corporation | NY | Healthcare Provider | 10058 | 2014-10-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | New York City Health & Hospitals Corporation NY Healthcare Provider 10058 | Friday | 2014 |
StayWell Health Management, LLC | MN | Business Associate | 10024 | 2014-02-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On February 21, 2014, StayWell Health Management, LLC, a business associate (BA) of the covered entity (CE), Missouri Consolidated Health Care Plan, erroneously made a spreadsheet accessible via an electronic link on the internet. The spreadsheet included participants’ complete names, email addresses, unique internal identification numbers, current status in the wellness program, information regarding email notifications, and whether a participant had completed two program surveys. Approximately 10,024 individuals were affected by the breach. The BA provided breach notification to affected individuals and the media. The CE provided breach notification to HHS. Following the breach, the CE ensured that the BA removed the spreadsheet from public accessibility via the internet and implemented the use of a legacy system in order to safeguard electronic protected health information (ePHI) in transit. The CE also updated its Privacy and Security Policy, to include encryption standards for safeguarding data in process, in transit, and at rest. OCR obtained documented assurances that the CE and BA implemented the corrective actions listed above. | StayWell Health Management, LLC MN Business Associate 10024 | Friday | 2014 |
Elmcroft Senior Living, Inc. | TX | Healthcare Provider | 10000 | 2018-05-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Elmcroft Senior Living, Inc. TX Healthcare Provider 10000 | Monday | 2018 |
White Coats Wellness | FL | Business Associate | 10000 | 2017-07-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | White Coats Wellness FL Business Associate 10000 | Monday | 2017 |
Maryland Medical Center/Dr. Morrill | MD | Healthcare Provider | 10000 | 2016-12-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On November 3, 2016, a cyber-attacker accessed the covered entity’s (CE) practice computer system to deny access to certain portions of its computer system until a ransom was paid. The CE, Maryland Medical Center, shut down the system and utilized its backup to recover the lost information. The compromised information consisted of correspondence to patients regarding test results utilizing patient names, date of birth, social security number. The documents targeted by the virus affected approximately 10,000 individuals. After the compromise, the CE put the computer system in safe mode, conducted a virus scan, and quarantined and destroyed computer viruses. The CE confirmed that it closed the system network and password protected the Wi-Fi. The CE implemented a procedure requiring pre-approval of all electronic devices connected to its systems and requiring a firewall for remote access to the virtual private network (VPN). The CE sanctioned the employee responsible for the breach and retrained all employees. OCR reviewed the CE’s current risk assessment and obtained assurances that the CE implemented the corrective actions listed. | Maryland Medical Center/Dr. Morrill MD Healthcare Provider 10000 | Wednesday | 2016 |
Pediatric Group LLC | IL | Healthcare Provider | 10000 | 2015-08-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On August 21, 2015, an unknown entity hacked into the covered entity’s (CE) electronic database utilizing a Crypto Locker computer virus, and the virus attached to some of the CE’s Portable Document Format (PDF) files which contained patients’ names, dates of birth, clinical information, and other personal identifiers. The virus then blocked the CE’s access to the aforementioned PDF files and the CE received an email message demanding a $500.00 ransom in order to gain access to the locked PDF files. Approximately 10,000 individuals were affected by the breach. Upon discovering the breach, the CE conducted a breach risk assessment which indicated that there was a low overall probability that protected health information (PHI) was compromised, and therefore, breach notification to individuals and the media was not required. The CE reported the breach incident to the Internet Crime Complaint Center, a division of the Federal Bureau of Investigation. To prevent similar breaches from happening in the future, the CE retained a computer forensic firm to assist with the analysis of the ransomware incident, and installed anti-malware products on all its computers. The CE trained staff on its policies and procedures regarding Cyber Security Awareness. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | Pediatric Group LLC IL Healthcare Provider 10000 | Friday | 2015 |
Bulloch Pediatric Group, LLC | GA | Healthcare Provider | 10000 | 2014-09-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Bullock Pediatric Group, LLC, rented two locked storage units from a facility that was burglarized for its metal shelves. Boxes containing the protected health information (PHI) of approximately 10,000 individuals were strewn about on the floor along with the documents in the boxes. The documents contained demographic, financial, and clinical information, including Explanation of Benefits (EOB) forms from insurance companies, cleared checks, credit card information, balance sheets, end of day reports, some social security numbers, and possibly names and addresses. The CE provided breach notification to HHS, affected individuals, and the media, and posted notification on its website. It also offered one year of free credit monitoring. Following the breach, the CE moved its documents to another storage facility with improved safeguards. In addition, the CE destroyed documents pursuant to the state medical record retention laws. OCR obtained assurances that the CE implemented the corrective actions listed above. | Bulloch Pediatric Group, LLC GA Healthcare Provider 10000 | Thursday | 2014 |
Iron Mountain Incorporated | MA | Business Associate | 10000 | 2014-08-15 | Loss | Theft | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Iron Mountain Incorporated MA Business Associate 10000 | Friday | 2014 |
Olson & White Orthodontics | MO | Healthcare Provider | 10000 | 2013-09-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | On July 22, 2013, two desktop computers that contained protected health information (PHI) were stolen from the covered entity (CE), Olson & White Orthodontics, during a break-in. The names, addresses, dates of birth, social security numbers, claims information, diagnoses, and treatment information affecting 10,000 individuals were reportedly disclosed. The CE utilized a system for encryption to protect its PHI; however, a software oversight may have resulted in some PHI being stored in an unencrypted manner on the stolen computers. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. Following the breach, the CE reported the theft to the proper authorities, added offsite data backup storage, and improved physical safeguards. Additionally, it retrained staff and eliminated office procedures that resulted in the storage of unencrypted PHI. As a result of OCR’s investigation, the CE updated its uses and disclosures policy and provided training on the updated policy. The CE also provided OCR documentation of its corrective actions. | Olson & White Orthodontics MO Healthcare Provider 10000 | Tuesday | 2013 |
Elbowoods Memorial Health Center | ND | Health Plan | 10000 | 2013-08-21 | Improper Disposal | NA | NA | NA | NA | NA | Desktop Computer | Other | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | No | On or about October 1, 2011 contractors discovered abandoned protected health information (PHI) at the Mandan, Hidatsa, and Arikara Nations’ Minne-Tohe facility. Materials included cardboard boxes, file cabinets, and binders containing printed PHI; pharmaceutical bags containing printed PHI on medication containers in a caged area with a broken or open padlock; and twelve (12) computer towers, three (3) mini-sized computers, and a lap-top hard drive containing electronic PHI. The covered entity (CE) discovered an additional binder of PHI on May 15, 2013. The CE estimated that 10,000 individuals’ PHI was stored at Minne-Tohe prior to a move to the Elbowoods Memorial Health Center facility. OCR provided the CE with substantial technical assistance. As a result of OCR’s investigation, the CE relocated the stored materials to its new facility, conducted a risk analysis, developed a risk management plan, and developed policies and procedures to safeguard PHI. | Elbowoods Memorial Health Center ND Health Plan 10000 | Wednesday | 2013 |
Dent Neurologic Institute | NY | Healthcare Provider | 10000 | 2013-05-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Dent Neurologic Group, LLP erroneously sent an unencrypted email with a spreadsheet containing 10,202 patients’ protected health information (PHI) to the wrong patients. The types of PHI in the spreadsheet included patients’ names, addresses, active/former patient status, dates of last appointments, scheduling codes, and physicians’ names. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE implemented an email security appliance that encrypts emails and filters incoming messages for malware, viruses and spam as well as filters outgoing messages for identifiers. The CE also updated its email encryption policy and procedure, implemented its policy and procedure for encryption and password protection of electronic documents, and updated its training program for handling emails. Additionally, the CE sanctioned, counseled and retrained the workforce member. As a result of OCR’s investigation and technical assistance, the CE provided evidence of its remediation of Windows XP devices as well as an updated risk analysis to incorporate physical safeguards, penetration testing, and a corresponding Security Risk Assessment Report. The CE is expected to conduct a risk analysis that addresses all potential risks and vulnerabilities in the entire operation and to implement a risk management plan and corresponding risk mitigation activities. | Dent Neurologic Institute NY Healthcare Provider 10000 | Tuesday | 2013 |
Advanced Data Processing, Inc. | FL | Healthcare Clearing House | 10000 | 2012-11-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On or around June 15, 2012, an employee of the covered entity (CE), Advanced Data Processing, Inc. (ADP), dba Intermedix, who had access to patients’ protected health information (PHI) as part of her job, inappropriately accessed the PHI of approximately 10,000 individuals and sold the information to third parties. An addendum to the initial breach report, submitted on April 3, 2015, expanded the breach to an additional 2,360 individuals. The PHI involved in the breach included patient names, social security numbers, addresses, dates of birth, claims, and other financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice. Following the breach, the CE engaged a third party to review its network environment and make recommendations for security enhancements. It implemented data loss prevention technology to identify electronic PHI and block transmittal of sensitive information and a log management and analysis solution to automate collection, analysis, archival and recovery of log data. The CE implemented policies and procedures for disposal and reuse of mobile devices, as well as for the secure transport of sensitive information to, from, and between data centers. The CE also created an information security team and appointed a committee to address compliance. Additionally, the CE improved its employee training program and launched a vendor management program to ensure the safeguarding of ePHI by its business associates. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also initiated upgrades to its data center security and workstation antivirus technology. | Advanced Data Processing, Inc. FL Healthcare Clearing House 10000 | Thursday | 2012 |
T & P Consulting, Inc. d/b/a Quantum Health Consulting | PR | Business Associate | 10000 | 2012-03-12 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE’s Business Associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR’s investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA’s newly developed security policies and procedures. | T & P Consulting, Inc. d/b/a Quantum Health Consulting PR Business Associate 10000 | Monday | 2012 |
Brian J Daniels D.D.S.,Paul R Daniels D.D.S. | AZ | Healthcare Provider | 10000 | 2011-04-04 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Brian J Daniels D.D.S.,Paul R Daniels D.D.S. AZ Healthcare Provider 10000 | Monday | 2011 |
Goodwill Industries of Greater Grand Rapids, Inc. | MI | Healthcare Provider | 10000 | 2010-01-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On December 15, 2009, a safe was stolen from Goodwill’s off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCR’s formal investigation brought the covered entity into compliance. | Goodwill Industries of Greater Grand Rapids, Inc. MI Healthcare Provider 10000 | Friday | 2010 |
Detroit Department of Health and Wellness Promotion | MI | Healthcare Provider | 10000 | 2009-12-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Detroit Department of Health and Wellness Promotion MI Healthcare Provider 10000 | Tuesday | 2009 |
Wells Pharmacy Network | FL | Healthcare Provider | 10000 | 2018-08-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Wells Pharmacy Network FL Healthcare Provider 10000 | Friday | 2018 |
Longwood Orthopedic Associates, Inc. | MA | Healthcare Provider | 10000 | 2018-07-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Longwood Orthopedic Associates, Inc. MA Healthcare Provider 10000 | Friday | 2018 |
E-dreamz, Inc. | NC | Business Associate | 9988 | 2013-05-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The credit card information of 9,988 patients of the covered entity (CE), Presbyterian Anesthesia Associates, P.A. (now known as Providence Anesthesia Associates, P.A.), was compromised when an unauthorized person gained access to the servers of E-dreamz, the CE’s website hosting business associate (BA). The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information. The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. The CE also notified the FBI, North Carolina’s Attorney General, and all major credit card companies. In response to the breach, the CE hired an outside forensic computer specialist to investigate. Additionally, the CE terminated its service agreement with the BA and entered into a satisfactory BA agreement with a new website hosting vendor. The BA agreement prohibits storage of any PHI on the vendor’s servers. The CE also reviewed and updated its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | E-dreamz, Inc. NC Business Associate 9988 | Wednesday | 2013 |
Union Lake Supermarket, LLC | NJ | Healthcare Provider | 9956 | 2018-02-28 | Improper Disposal | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Union Lake Supermarket, LLC NJ Healthcare Provider 9956 | Wednesday | 2018 |
Bruce G. Peller, DMD, PA | NC | Healthcare Provider | 9953 | 2012-06-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Dr. Bruce Peller DMD, PA, discovered on April 27, 2012, that an unauthorized individual gained access to patients’ protected health information (PHI) and compiled a list of such information. The CE determined that 9,953 individuals may have been affected and the following information may have been accessed: patients’ names, legal guardians (if applicable), dates of birth, addresses, phone numbers, email addresses, treatment dates, internal identification numbers and account balances. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE obtained an injunction that required the destruction or return of PHI, implemented a stronger training program for its workforce, and improved its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | Bruce G. Peller, DMD, PA NC Healthcare Provider 9953 | Monday | 2012 |
Texas Health Harris Methodist Hospital Azle | TX | Healthcare Provider | 9922 | 2011-02-13 | Loss | Theft | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Texas Health Harris Methodist Hospital Azle TX Healthcare Provider 9922 | Sunday | 2011 |
Holy Cross Hospital, Inc. | FL | Healthcare Provider | 9900 | 2013-09-24 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | An employee accessed and used protected health information (PHI) outside of her job duties to file fraudulent tax returns. The PHI involved in the breach included the names, addresses and social security numbers of 9,900 individuals. The covered entity (CE), Holy Cross Hospital, provided breach notification to HHS, affected individuals, and the media. The CE retrained staff, disseminated educational material, and implemented an extensive risk management plan to bolster procedures for auditing and monitoring PHI use and access. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employment of the involved employee. | Holy Cross Hospital, Inc. FL Healthcare Provider 9900 | Tuesday | 2013 |
University of California San Francisco , Privacy Manager Breach | CA | Healthcare Provider | 9861 | 2014-03-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On or about January 11, 2014, unencrypted desktop computers and unencrypted portable computer drives were stolen from the covered entity (CE), University of California San Francisco Family Medicine Center. The types of protected health information (PHI) involved in the breach included names, dates of birth, mailing addresses, medical record numbers, social security numbers, and health insurance identification numbers, affecting 9,861 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE improved physical safeguards, changed or disabled usernames and passwords for accounts that were potentially at risk of compromise, and encrypted the remaining computers at the affected location as well as the replacement computers. OCR obtained assurances that the CE implemented the corrective actions noted above. | University of California San Francisco , Privacy Manager Breach CA Healthcare Provider 9861 | Wednesday | 2014 |
New Jersey Department of Human Services | NJ | Health Plan | 9825 | 2013-11-22 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity’s (CE) business associate (BA), Island Peer Review Organization, lost an unencrypted and not password-protected portable computer drive (a “USB” drive) that contained 9,825 patients’ names, addresses, dates of birth, social security numbers, clinical information, diagnoses, conditions, and identification numbers (including member identification, Medicaid identification, subscriber identification, patient account number and patient control number). The CE, New Jersey Department of Human Services, provided breach notification to HHS, and the BA notified affected individuals and the media. Following the breach, the BA recovered all of the USB drives used by employees and retrained these employees on the BA’s security policies and the appropriate use of encryption on portable electronic media. As a result of OCR’s investigation and technical assistance, the BA retrained certain staff and implemented a policy requiring staff to use only portable media purchased by the BA’s Information Systems Department. The BA installed technical safeguards on all computers so only approved portable devices are allowed access while any other types can be rendered as “read only” or unusable. Further, the CE indicated that the BA’s device access will be monitored and logged to guard against employees who attempt to copy data to unauthorized devices. OCR advised the CE of the requirements to perform a thorough and accurate risk analysis and establish a risk management plan. | New Jersey Department of Human Services NJ Health Plan 9825 | Friday | 2013 |
Sorenson Communications/CaptionCall Group Health Plan | UT | Health Plan | 9800 | 2014-04-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Sorenson Communications filed a breach report on behalf of its CaptionCall Group Health Plan indicating that, between February 20 and March 3, 2014, an unknown third party hacked into the CaptionCall account with Sorenson’s payroll vendor which compromised employment-related information gathered by Sorenson from and about its employees, their dependents, beneficiaries, and/or emergency contacts. The breach affected approximately 9,800 individuals. Sorenson provided notice to HHS, affected individuals, and the media. After verifying the circumstances of the breach and the character of the breached information, OCR closed the breach upon determining that the hacked data constituted employment records, which are excluded from the definition of PHI. | Sorenson Communications/CaptionCall Group Health Plan UT Health Plan 9800 | Thursday | 2014 |
Cardiology Center of Acadiana | LA | Healthcare Provider | 9681 | 2017-04-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Cardiology Center of Acadiana LA Healthcare Provider 9681 | Friday | 2017 |
Salina Health Education dba Salina Healthcare Center | KS | Healthcare Provider | 9640 | 2014-06-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Salina Family Healthcare Center, sent an email containing electronic protected health information (ePHI) to a third party as part of a research case study. The types of PHI involved in the breach included names, dates of birth, addresses, chart numbers, and procedure codes affecting approximately 9,640 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE responded to the breach by obtaining assurances that the email was destroyed by the third party, and sanctioning the responsible employee. As a result of OCR’s investigation, the CE updated and trained staff on its policies relating to the e-mailing of PHI and uses and disclosures of PHI. | Salina Health Education dba Salina Healthcare Center KS Healthcare Provider 9640 | Thursday | 2014 |
National Seating & Mobility, Inc. | TN | Healthcare Provider | 9627 | 2015-06-12 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | On April 14, 2015, two unencrypted tablet computers, a smartphone, and a backpack containing paper files were stolen from two company vehicles of the covered entity (CE), National Seating & Mobility, Inc. The breach involved the protected health information (PHI) of 9,627 individuals and included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE revised its policies and procedures, encrypted its desktop, laptop and tablet computers and employed remote wiping and tracking technology. OCR obtained assurances that the CE implemented the corrective actions listed above. | National Seating & Mobility, Inc. TN Healthcare Provider 9627 | Friday | 2015 |
Gulf Breeze Family Eyecare, Inc | FL | Healthcare Provider | 9626 | 2013-06-17 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | Paper/Films | NA | NA | NA | No | Gulf Breeze Family Eyecare, Inc FL Healthcare Provider 9626 | Monday | 2013 | ||
Fred’s Stores of Tennessee, Incorporated | TN | Healthcare Provider | 9624 | 2016-09-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Fred’s Stores of Tennessee, Incorporated TN Healthcare Provider 9624 | Thursday | 2016 |
Network Pharmacy Knoxville | TN | Healthcare Provider | 9602 | 2014-01-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Network Pharmacy Knoxville TN Healthcare Provider 9602 | Wednesday | 2014 | |
City of Norwood | OH | Healthcare Provider | 9577 | 2013-05-20 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | City of Norwood OH Healthcare Provider 9577 | Monday | 2013 | |
The Neighborhood Christian Clinic | AZ | Healthcare Provider | 9565 | 2012-04-09 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The Neighborhood Christian Clinic AZ Healthcare Provider 9565 | Monday | 2012 | |
Thrivent Financial for Lutherans | WI | Health Plan | 9500 | 2010-03-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On January 29, 2010, there was a break-in at one of the Thrivent’s offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance. | Thrivent Financial for Lutherans WI Health Plan 9500 | Wednesday | 2010 |
The Medical College of Wisconsin, Inc. | WI | Healthcare Provider | 9500 | 2017-11-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | The Medical College of Wisconsin, Inc. WI Healthcare Provider 9500 | Friday | 2017 | |
Memorial Healthcare System | FL | Health Plan | 9497 | 2012-04-13 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Memorial Healthcare System (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement a robust corrective action plan. MHS is a nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities throughout the South Florida area. MHS is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA). MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012. “Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.” | Memorial Healthcare System FL Health Plan 9497 | Friday | 2012 |
North Memorial Health Care | MN | Healthcare Provider | 9497 | 2011-09-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial. The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan. | North Memorial Health Care MN Healthcare Provider 9497 | Tuesday | 2011 |
SW Seattle Orthopaedic and Sports Medicine | WA | Healthcare Provider | 9493 | 2010-10-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR’s investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. | SW Seattle Orthopaedic and Sports Medicine WA Healthcare Provider 9493 | Friday | 2010 |
H.E.L.P. Financial Corporation | MI | Business Associate | 9475 | 2010-12-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A programming error in a business associate’s IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media. | H.E.L.P. Financial Corporation MI Business Associate 9475 | Friday | 2010 |
Phoenix Health Plan | AZ | Health Plan | 9393 | 2011-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | No | Phoenix Health Plan AZ Health Plan 9393 | Monday | 2011 | ||
Charles River Medical Associates, pc | MA | Healthcare Provider | 9387 | 2018-01-08 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Charles River Medical Associates, pc MA Healthcare Provider 9387 | Monday | 2018 |
United Dynacare, LLC dba Dynacare Laboratories | WI | Healthcare Provider | 9328 | 2013-11-18 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On October 22, 2013, the covered entity (CE) learned that one of its employee’s car was stolen with a mobile data drive (“flash drive”) that stored a database with protected health information (PHI). The unencrypted flash drive contained the electronic PHI of approximately 9,328 individuals. The types of ePHI involved in the breach included patients’ names, addresses, birth dates, social security numbers, and gender. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned employees, improved safeguards related to encryption and mobile devices, updated and implemented policies and procedures, and retrained its workforce. The flash drive was recovered after the breach notifications were mailed. The forensic analysis of the recovered flash drive indicated that there was no evidence of unauthorized access of information. OCR obtained assurances that the CE implemented the corrective actions listed above. | United Dynacare, LLC dba Dynacare Laboratories WI Healthcare Provider 9328 | Monday | 2013 |
Ashley and Gray DDS | MO | Healthcare Provider | 9309 | 2010-01-19 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Ashley and Gray DDS MO Healthcare Provider 9309 | Tuesday | 2010 | |
Golden Rule Insurance Company | IN | Health Plan | 9305 | 2017-12-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Golden Rule Insurance Company IN Health Plan 9305 | Monday | 2017 |
University of Oklahoma Department of Urology | OK | Healthcare Provider | 9300 | 2015-10-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 10, 2015, the covered entity (CE), University of Oklahoma Health Sciences Center, reported a breach affecting approximately 9,300 individuals. An unencrypted laptop computer used by a former physician in the Pediatric Urology program was stolen from his vehicle. The laptop contained protected health information (PHI) including patients’ first and last names, medical record numbers, and dates of birth, and in some cases, patients’ age, physicians’ names, and diagnosis, treatment, and/or billing codes. The CE provided the required breach notifications to HHS, affected individuals, and the media. Following discovery of the incident, the CE implemented additional technical safeguards for devices containing electronic PHI and retrained workforce members regarding safeguarding PHI. The CE also revised its physician exit interview to require physicians to attest that all PHI had been removed from personally owned devices at the time of departure. OCR obtained assurances the CE implemented the corrective actions listed above. | University of Oklahoma Department of Urology OK Healthcare Provider 9300 | Saturday | 2015 |
FastHealth Corporation | AL | Business Associate | 9289 | 2017-06-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | FastHealth Corporation AL Business Associate 9289 | Thursday | 2017 |
Doctors First Choice Billings, Inc | FL | Business Associate | 9255 | 2014-06-11 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Doctors First Choice Billings, Inc FL Business Associate 9255 | Wednesday | 2014 |
Madison Street Provider Network | CO | Business Associate | 9129 | 2017-04-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Madison Street Provider Network CO Business Associate 9129 | Wednesday | 2017 |
Harrisburg Endoscopy and Surgery Center | PA | Healthcare Provider | 9092 | 2017-04-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Harrisburg Endoscopy and Surgery Center PA Healthcare Provider 9092 | Friday | 2017 |
Wyoming Department of Health | WY | Health Plan | 9023 | 2010-03-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Wyoming Department of Health WY Health Plan 9023 | Tuesday | 2010 | |
Barry University | FL | Healthcare Provider | 9017 | 2013-12-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | Barry University, the covered entity (CE), discovered on May 13, 2013, that a laptop was infected with malware. The protected health information (PHI) for 8,741 individuals was potentially exposed, including names, dates of birth, social security numbers, driver’s license numbers, banking/credit card information, medical record numbers, health insurance information, diagnoses, and treatment information. Due to a lengthy investigation, the CE performed its breach notification obligations outside of the 60 day timeframe required by the Breach Notification Rule. OCR provided technical assistance to the CE on this topic. Although late, the CE provided breach notification to HHS, affected individuals, and the media, as well as on its website. In response to the breach, the CE retained a compliance consultant, performed a risk assessment, revised its policies and procedures, improved its training program and implemented additional technical safeguards. OCR obtained assurances that it has implemented the corrective actions listed above. | Barry University FL Healthcare Provider 9017 | Tuesday | 2013 |
Surgical Care Affiliates | AL | Business Associate | 9009 | 2016-05-16 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | Surgical Care Affiliates, the covered entity (“CE”), discovered that on March 17, 2016, a laptop computer had been stolen from an employee’s house. The laptop was password protected; however the employee’s username and password were with the laptop at the time of the theft. There was no patient information stored on the laptop, but Outlook emails were potentially cached on the hard drive. The CE opened an internal investigation and determined that 9,009 individuals may have had their names, addresses, dates of birth, social security numbers, treatment information, and health insurance information exposed as a result of this incident. The CE provided timely breach notification to HHS, to affected individuals, on its website, and to the media. In response to the breach, the CE retrained the employee involved to reinforce its existing HIPAA policies pertaining to the safeguarding of electronic devices and password management, and provided free credit monitoring to the affected individuals whose social security numbers may have been exposed. OCR obtained assurances that the CE implemented the corrective actions listed above. | Surgical Care Affiliates AL Business Associate 9009 | Monday | 2016 |
Orlantino Dyoco, M.D. | CA | Healthcare Provider | 9000 | 2015-08-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported to OCR that its office was burglarized, and a laptop and desktop computer, as well as its backup data were stolen. The computers contained the protected health information (PHI) of approximately 9,000 individuals. The PHI involved in the breach included names, addresses, dates of birth, some social security numbers, and claims information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE strengthened its physical safeguards, encrypted its computers, and began storing its backup data at an off-site encrypted server. OCR’s investigation resulted in the CE undertaking a new risk analysis and risk management plan and enhancing its practices for safeguarding PHI and ePHI. | Orlantino Dyoco, M.D. CA Healthcare Provider 9000 | Monday | 2015 |
Counseling and Psychotherapy of Throggs Neck | NY | Healthcare Provider | 9000 | 2010-09-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Counseling and Psychotherapy of Throggs Neck, after it reported that a password protected, unencrypted desktop computer was stolen which contained the protected health information (PHI) of 9,000 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnosis, patient notes and demographics. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE encrypted all of its patient databases and word processing programs on all computers. The CE improved physical safeguards by changing locks and fixing one of the entrance doors to the building to ensure that it automatically closes. The CE also placed security guards at all five entrances to the building and installed a video surveillance system. The CE also implemented internal safeguards and a policy to ensure that the last person in the office ensures rooms are vacant and the suite doors are locked upon leaving. As a result of OCR’s investigation the CE agreed to include effective dates and revision dates on its policies and to include documentation on the front page of its manual regarding annual reviews of the policies. | Counseling and Psychotherapy of Throggs Neck NY Healthcare Provider 9000 | Tuesday | 2010 |
D. Andrew Loomis MD, Paula Schulze MD, Tammara Stefanelli MD, Christen Vu DO, Anja Crider MD | WA | Healthcare Provider | 9000 | 2017-05-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | D. Andrew Loomis MD, Paula Schulze MD, Tammara Stefanelli MD, Christen Vu DO, Anja Crider MD WA Healthcare Provider 9000 | Wednesday | 2017 |
RR Donnelley (a sub-BA for UnitedHealth Group) | IL | Business Associate | 8911 | 2013-01-30 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | RR Donnelley (a sub-BA for UnitedHealth Group) IL Business Associate 8911 | Wednesday | 2013 | |
Silver Cross Hospital | IL | Healthcare Provider | 8862 | 2017-08-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Silver Cross Hospital IL Healthcare Provider 8862 | Friday | 2017 |
Pair Networks Inc. | PA | Business Associate | 8845 | 2014-02-26 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Pair Networks Inc. PA Business Associate 8845 | Wednesday | 2014 | |
Omnicare, Inc | KY | Healthcare Provider | 8845 | 2011-03-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Omnicare, Inc KY Healthcare Provider 8845 | Thursday | 2011 | |
Pittman Family Dental | OH | Healthcare Provider | 8830 | 2015-12-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized third-party accessed protected health information (PHI), according to the forensic firm that the covered entity (CE), Pittman Family Dental, retained to investigate abnormal activity on its computer server. Approximately 8,830 individuals were affected by the breach. The server included full names, social security numbers (of 5,007 individuals), driver’s license numbers, dates of birth, home addresses, treatment notes, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a similar breach from happening in the future, the CE scrubbed and reinstalled its server, installed an anti-virus/malware solution, and contracted with a company to provide an updated risk analysis and additional training. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Pittman Family Dental OH Healthcare Provider 8830 | Thursday | 2015 |
Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company | MA | Health Plan | 8830 | 2014-04-24 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company MA Health Plan 8830 | Thursday | 2014 | |
Med Assets | NJ | Business Associate | 8795 | 2011-08-08 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity’s (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR’s investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA’s computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Med Assets NJ Business Associate 8795 | Monday | 2011 |
Children’s Heart Center | NV | Healthcare Provider | 8791 | 2015-04-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee was arrested on-site for suspicion of identity theft after using electronic protected health information (ePHI) obtained while employed by the covered entity (CE) to open a credit card account in another individual’s name. The employee had a criminal history which was not identified during the CE’s hiring process. The CE provided breach notification to HHS, affected individuals, and the media. It also cooperated with the subsequent law enforcement investigation. Following the breach, the CE sanctioned the employee and terminated and replaced its vendor for background checks of potential employees. The CE also improved its physical security, enhanced technical safeguards for ePHI, formed a committee to formalize written policies for safeguarding ePHI, and enhanced staff training. OCR obtained assurances that the CE implemented the corrective actions noted above. | Children’s Heart Center NV Healthcare Provider 8791 | Friday | 2015 |
East Central Kansas Area Agency on Aging | KS | Business Associate | 8750 | 2017-10-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | East Central Kansas Area Agency on Aging KS Business Associate 8750 | Tuesday | 2017 |
HealthCare for Women, Inc. | MA | Healthcare Provider | 8727 | 2013-03-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | HealthCare for Women, Inc. MA Healthcare Provider 8727 | Wednesday | 2013 | |
Florida Hospital | FL | Healthcare Provider | 8700 | 2015-03-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Law enforcement discovered paper records belonging to the covered entity (CE), Florida Hospital, during the course of an investigation. An internal investigation revealed that two employees had been accessing and printing records in excess of their job duties. The protected health information (PHI) involved in the breach included demographic data (including social security numbers), clinical information, and health insurance information affecting 8,816 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and posted notice on its website. In response to the breach, the CE retrained its staff and began the process of masking social security numbers and eliminating the need to print facesheets. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employees involved in the breach. | Florida Hospital FL Healthcare Provider 8700 | Friday | 2015 |
Marketing Clique | TX | Health Plan | 8700 | 2015-02-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The business associate (BA) of Lone Star Circle of Care, the Covered Entity (CE) reported a breach of unsecured protected health information which affected 8,700 individuals. The breach was the result of a backup file inadvertently uploaded by the BA onto the CE’s website. The file contained the protected health information of patients who used the website to request appointments, prescription refills or other inquiries. The CE secured the data contained in the backup file, removed the pages that individuals use to make appointments and refill requests, and disabled the mobile application. The CE also terminated its business associate agreement with the BA, Marketing Clique. Further, during the investigation, OCR received confirmation that the BA was no longer doing business. The CE provided breach notification to HHS, the media, and the affected individuals. OCR examined CE’s policies concerning administrative, physical and technical safeguards implemented by the CE. As a result of the investigation, OCR provided technical assistance to the CE regarding the risk analysis and risk management plan and breach notification to individuals. The CE provided OCR with documentation of the corrective actions taken. | Marketing Clique TX Health Plan 8700 | Friday | 2015 |
Stronghold Counseling Services, Inc. | SD | Healthcare Provider | 8500 | 2013-02-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Stronghold Counseling Services, after it reported that a desktop computer was missing from its facility. The computer contained protected health information (PHI) on appointments, client insurance, payments, and demographics, including social security numbers, as well as some client letters and reports. The breach affected 8,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its procedures for encryption and implemented a risk analysis/risk management process. OCR provided technical assistance to the CE regarding the risk analysis and risk management requirements of the Security Rule and the requirements of the Breach Notification Rule. | Stronghold Counseling Services, Inc. SD Healthcare Provider 8500 | Thursday | 2013 |
NYU School of Medicine Faculty Group Practice | NY | Healthcare Provider | 8488 | 2012-07-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NYU School of Medicine Faculty Group Practice NY Healthcare Provider 8488 | Monday | 2012 | |
Valley Family Medicine | VA | Healthcare Provider | 8450 | 2017-11-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Valley Family Medicine VA Healthcare Provider 8450 | Friday | 2017 |
Hill Country Memorial Hospital | TX | Healthcare Provider | 8449 | 2017-04-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Hill Country Memorial Hospital TX Healthcare Provider 8449 | Friday | 2017 | |
Elizabeth L. Brown, MD, PLLC | WV | Healthcare Provider | 8436 | 2017-05-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reports that her single provider practice was the target of a ransomware attack that affected records in the CE’s billing and scheduling program on or about March 14, 2017, and affected records in its electronic medical record program on or about March 28, 2017. The types of protected health information (PHI) involved in the breach included the names, addresses, dates of birth, medical information, driver’s license numbers, social security numbers, and insurance claim information of 8,436 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE thoroughly investigated the incident with the assistance of third party experts to ensure that its systems were secure and that it recovered all affected data. The CE took a number of additional measures to safeguard its electronic PHI, such as using unique credentials for all levels of system access, password protecting all workstations, revising levels of access for staff, and changing its remote access system. The CE began selecting a cloud-based vendor to replace its present system with the intention of migrating all electronic medical records to the new platform. OCR reviewed the CE’s policies and procedures on uses and disclosures of PHI and safeguards, a copy of its risk analysis, and the security measures implemented to address risks and vulnerabilities. OCR obtained assurances that the CE implemented the corrective actions listed above. | Elizabeth L. Brown, MD, PLLC WV Healthcare Provider 8436 | Friday | 2017 |
Billings Clinic | MT | Healthcare Provider | 8435 | 2018-07-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Billings Clinic MT Healthcare Provider 8435 | Friday | 2018 | |
Advanced Spine & Pain Center | TX | Healthcare Provider | 8352 | 2017-09-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Advanced Spine & Pain Center TX Healthcare Provider 8352 | Wednesday | 2017 |
Walgreen Co. | IL | Healthcare Provider | 8345 | 2015-08-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On June 8, 2015, the covered entity (CE), Walgreens Pharmacy, reported that its vendor, Kurtzman Carson Consultants LLC, mailed lawsuit settlement postcards to individuals that included protected health information (PHI), in addition to addresses, which was viewable during the postal route. The PHI included the prescription information, insurance and other health information of approximately 8,345 individuals. The CE mitigated the breach by directing the vendor to remove information from the affected individuals’ contact information for future mailings related to the proposed class action settlement and revised applicable policies and procedures. The CE provided breach notification to HHS, affected individuals, and the media and established a call center to field consumer questions. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Walgreen Co. IL Healthcare Provider 8345 | Friday | 2015 |
Health Net, Inc. | CA | Health Plan | 8331 | 2013-07-02 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity, Health Net, Inc. (HN), erroneously mailed identification cards for 8,331 members to their former addresses due to a system error by its contractor, Cognizant Technology Services. HN also acts as a business associate for some other covered entities. The types of protected health information (PHI) included demographic information, such as members’ names. HN provided breach notification to HHS, affected individuals, and the media. Following the breach, HN uncovered and corrected the programming error and developed and implemented a new program to help ensure that the syncing of beneficiary addresses between specific enrollment files and HN’s master address file is accurate. OCR provided technical assistance regarding security risk analysis and determined that HN must conduct an enterprise-wide security risk analysis. | Health Net, Inc. CA Health Plan 8331 | Tuesday | 2013 |
Thomas H. Boyd Memorial Hospital | IL | Healthcare Provider | 8300 | 2015-05-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A facility where the covered entity (CE) had stored its medical records since 1994 was sold to a third party and possession of this property was given to the new owner for five days, unbeknownst to the CE. The protected health information (PHI) involved in the breach included the clinical, demographic and financial information of 8,300 individuals. Upon discovery of the breach, the CE immediately retrieved all records at the facility. There was no evidence that the records were otherwise compromised. The CE provided breach notification to HHS, affected individuals, and the media. The CE retrained employees on its revised policies and procedures, including the proper storage of PHI and distribution of its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Thomas H. Boyd Memorial Hospital IL Healthcare Provider 8300 | Thursday | 2015 |
Franciscan Medical Group | WA | Healthcare Provider | 8300 | 2014-03-28 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Numerous employees of the CE responded to an email phishing attack which requested the employee’s email username and password to authenticate their accounts. As a result, a number of employee direct deposit paychecks were diverted without notification and any electronic protected health information (ePHI) stored on the affected email accounts was made accessible. The affected email accounts contained the combined ePHI of 8,311 individuals. The ePHI involved in the breach included patients’ demographic, clinical and health insurance information and in some cases, social security numbers. In response to the incident, the affected users changed their passwords and the CE adjusted web filters. The CE improved technical safeguards to prevent future phishing attacks of this nature and accelerated the timetable for its existing phishing education campaign for all employees. The CE provided a year of free credit monitoring and identity theft protection services to affected individuals. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. | Franciscan Medical Group WA Healthcare Provider 8300 | Friday | 2014 |
Cerebral Palsy Research Foundation of Kansas, Inc. | KS | Healthcare Provider | 8300 | 2018-05-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Cerebral Palsy Research Foundation of Kansas, Inc. KS Healthcare Provider 8300 | Tuesday | 2018 |
University of California, San Francisco | CA | Healthcare Provider | 8294 | 2013-11-22 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | On September 25, 2013, a personal laptop computer containing electronic protected health information (ePHI), and paper documents containing PHI, were stolen out of a physician’s locked car, affecting 8,294 individuals. The stolen laptop contained unencrypted ePHI, including patients’ names, addresses, social security numbers, dates of birth, diagnoses, conditions, lab results, medications, and other treatment-related ePHI. The covered entity (CE), University of California San Francisco, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE updated its policy on safeguarding ePHI to specifically address personally owned electronic devices, including the requirement that they be encrypted, and that ePHI transported offsite must stay within the direct possession of the workforce member. OCR obtained written assurances that the CE implemented the corrective actions listed above. | University of California, San Francisco CA Healthcare Provider 8294 | Friday | 2013 |
Mid Continent Credit Services, Inc. | KS | Business Associate | 8275 | 2011-11-14 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CE’s website that potentially allowed the impermissible disclosure of 8,275 individuals’ electronic protected health information (ePHI). The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers. Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy. CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. It offered credit monitoring service to affected individuals. As a result of OCR’s investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification policies. | Mid Continent Credit Services, Inc. KS Business Associate 8275 | Monday | 2011 |
Bronson Healthcare Group | MI | Healthcare Provider | 8256 | 2017-12-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Bronson Healthcare Group MI Healthcare Provider 8256 | Tuesday | 2017 |
Baylor Heart and Vascular Center | TX | Healthcare Provider | 8241 | 2011-01-25 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity’s (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR’s investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards. | Baylor Heart and Vascular Center TX Healthcare Provider 8241 | Tuesday | 2011 |
Centene Management Corporation | MO | Health Plan | 8208 | 2015-10-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An employee of a business associate (BA), Centene Management Company, impermissibly downloaded several data files containing the protected health information (PHI) of 8,208 individuals to an unauthorized removable storage device and then resigned from the organization. The former employee returned his company issued laptop on March 23, 2015. However, in violation of standard procedures, the laptop was not connected to the network for processing/reimaging at the time it was returned, which allowed the impermissible downloads to go undetected. On October 8, 2015, a data loss prevention tool discovered the impermissible downloads when the former employee’s laptop was connected to the network for processing. The PHI involved in the breach included names, addresses, dates of birth, medical identification numbers, and in some cases social security numbers. The PHI downloaded belonged to members of the covered entities, Bridgeway Health Solutions and Superior Health Plan. The BA provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. In response to the breach, the BA implemented and communicated a policy to help ensure the timely processing of returned information technology equipment. It also implemented a policy and software solution prohibiting the downloading of data to unauthorized, external storage. OCR provided technical assistance regarding the risk analysis and risk management provisions of the Security Rule. | Centene Management Corporation MO Health Plan 8208 | Thursday | 2015 |
University of Tennessee Medical Center | TN | Healthcare Provider | 8200 | 2010-11-30 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | University of Tennessee Medical Center TN Healthcare Provider 8200 | Tuesday | 2010 |
Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, Silver Creek Physical Therapy | CA | Healthcare Provider | 8009 | 2016-10-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An electronic data storage account belonging to a business associate (BA), Rehab Billing Solutions, was accessible to persons outside its organization from May, 2016 to September 11, 2016. A third party security researcher from a software company accessed and downloaded protected health information (PHI) about the covered entity’s (CE) patients from this account. The types of PHI potentially involved in the breach included names, Medicare numbers, dates of birth, social security numbers, driver’s license numbers, prescriptions, treatment locations, treatment dates, and progress notes. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA took steps to secure the storage account and launched an investigation. The CE worked with the BA to confirm that the security researcher deleted all of the downloaded information. The CE offered one year of free credit monitoring and identity restoration services to all affected individuals. OCR reviewed the BA agreement between the CE and the BA and obtained assurances that the CE and BA implemented the corrective actions noted above. | Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, Silver Creek Physical Therapy CA Healthcare Provider 8009 | Monday | 2016 |
Louisiana Health Cooperative, Inc. in Rehabilitation | LA | Health Plan | 8000 | 2016-11-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Louisiana Health Cooperative, Inc., after it reported a breach involving its business associate (BA), Summit Reinsurance Services, Inc. The BA discovered ransomware on a server containing the unencrypted electronic protected health information (ePHI) of approximately 8,000 members of the CE. The ePHI included social security numbers, insurance and treatment information, and other demographic information. Upon discovery of the breach, the BA initiated an investigation to determine the nature and extent of the attack as well as to assess the system vulnerabilities. The CE provided breach notification to HHS and posted substitute notice on its website. The BA provided breach notification to the affected individuals and the media. OCR verified that CE had a proper BA agreement in place, which restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Louisiana Health Cooperative, Inc. in Rehabilitation LA Health Plan 8000 | Wednesday | 2016 |
Triple-C, Inc. | PR | Business Associate | 8000 | 2014-01-24 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | Triple-C, Inc. PR Business Associate 8000 | Friday | 2014 |
South Shore Physicians, PC | NY | Healthcare Provider | 8000 | 2013-09-16 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The protected health information (PHI) of approximately 8000 individuals was purposely taken by an employee for identity theft purposes. The employee took copies of patients’ names, dates of birth, mailing addresses, social security numbers, bank account numbers, credit card numbers and medical information. The covered entity (CE) had to wait in order to report the breach to OCR due to the criminal investigation by the New York City police and district attorney’s office. The CE hired a consultant to conduct an investigation, risk analysis, and risk management plan. Additionally, the CE’s consultant reviewed its Privacy and Security Rule policies and procedures and retrained staff. Lastly, the CE notified the patients regarding this incident as required by the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. | South Shore Physicians, PC NY Healthcare Provider 8000 | Monday | 2013 |
CENTER FOR ARTHRITIS & RHEUMATIC DISEASES | FL | Healthcare Provider | 8000 | 2011-05-11 | Theft | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | | CENTER FOR ARTHRITIS & RHEUMATIC DISEASES FL Healthcare Provider 8000 | Wednesday | 2011 |
University of Pittsburgh Student Health Center | PA | Healthcare Provider | 8000 | 2010-04-02 | Loss | Theft | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | University of Pittsburgh Student Health Center PA Healthcare Provider 8000 | Friday | 2010 |
Cardiology Consultants/Baptist Health Care Corporation | FL | Healthcare Provider | 8000 | 2010-02-18 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity’s (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR’s investigation the CE updated its risk analysis and carried out additional risk management activities. | Cardiology Consultants/Baptist Health Care Corporation FL Healthcare Provider 8000 | Thursday | 2010 |
Illinois Department of Healthcare and Family Services | IL | Health Plan | 8000 | 2018-04-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Illinois Department of Healthcare and Family Services IL Health Plan 8000 | Thursday | 2018 |
Brevard Physician Associates | FL | Healthcare Provider | 7976 | 2017-10-24 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Brevard Physician Associates, reported a breach when three computers were stolen from its facility. One of the computers contained protected health information (PHI) for 7,976 individuals. The PHI included names, clinical information, and insurance information. The CE provided breach notification to HHS, affected individuals, the media, and posted substitute notice on its website. During the course of the investigation, the CE initiated procedures to remotely wipe the contents of the stolen computer’s hard drives once they connect to the Internet. The CE pledged to begin encrypting data at rest on all of their computers. The CE also installed a number of additional physical safeguards such as surveillance cameras and locks to deter and prevent unauthorized access. OCR obtained the policies and procedures from the CE concerning its access controls, and other administrative, physical and technical safeguards. | Brevard Physician Associates FL Healthcare Provider 7976 | Tuesday | 2017 |
Riverside County Regional Medical Center | CA | Healthcare Provider | 7925 | 2015-01-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Riverside County Regional Medical Center CA Healthcare Provider 7925 | Thursday | 2015 |
Quantum Health Consulting | PR | Business Associate | 7923 | 2012-03-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE’s business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. | Quantum Health Consulting PR Business Associate 7923 | Tuesday | 2012 |
Administracion de Seguros de Salud - Triple S Salud Inc (BA) | PR | Health Plan | 7911 | 2014-07-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On April 15, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, reported to HHS that on January 14, 2014, they became aware that sometime before October 9, 2013, a former employee of American Health Medicare’s (AHM) business associate (BA), Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unknown period of time and which he subsequently downloaded onto a computer at his new employer. The ePHI included the enrollment information of 7,911 of the CE’s beneficiaries, including names, dates of birth, contract numbers, health insurance claim numbers, home addresses, and social security numbers. AHM, which was acting as both a CE and a BA, provided breach notification to affected individuals and the media. As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train staff within a specified period. | Administracion de Seguros de Salud - Triple S Salud Inc (BA) PR Health Plan 7911 | Friday | 2014 |
Triple S Salud Inc. | PR | Business Associate | 7911 | 2014-04-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Triple S Salud Inc. PR Business Associate 7911 | Tuesday | 2014 |
Jessie Trice Community Health Center, Inc. | FL | Healthcare Provider | 7888 | 2014-11-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | | Jessie Trice Community Health Center, Inc. FL Healthcare Provider 7888 | Monday | 2014 |
Lutheran Social Services of South Central Pennsylvania | PA | Healthcare Provider | 7803 | 2013-05-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | This case involved a hacking incident on the covered entity’s (CE) network server. A Trojan virus was discovered running under an administrative account on a remote access server. No data loss was actually discovered, but potentially 7,300 records may have been vulnerable. The types of protected health information (PHI) potentially breached included demographic, financial, and clinical information. The CE engaged a forensic consulting team to verify the scope and impact of the malware and to clean the system. The CE installed more effective virus detection software, trained and educated users regarding data security, and made adjustments to data storage policies. OCR confirmed that the CE took all appropriate corrective action. | Lutheran Social Services of South Central Pennsylvania PA Healthcare Provider 7803 | Monday | 2013 |
Mission City Community Network | CA | Healthcare Provider | 7800 | 2014-03-12 | Theft | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | In violation of the employer’s policies, a workforce member of the covered entity (CE), Mission City Community Network, Inc., sent an unsecured email to a business associate (BA) containing the protected health information (PHI) of 7,800 individuals. The PHI included names, addresses, dates of birth, and insurance information. During the investigation, OCR determined that the disclosure to the BA for payment purposes was permissible, as the email reached the intended BA, and there was no evidence that PHI was impermissibly disclosed to any other party. OCR provided technical assistance to the CE. As a result of OCR’s investigation, the CE initiated a review and improvements to its HIPAA practices. | Mission City Community Network CA Healthcare Provider 7800 | Wednesday | 2014 |
Sunbury Plaza Dental | OH | Business Associate | 7784 | 2016-07-21 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Sunbury Plaza Dental, after it reported that a secured storage unit containing paper protected health information (PHI) was burglarized. The storage unit contained PHI for 7,981 individuals. The medical records contained at this location included names, addresses, dates of birth, social security numbers, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. The CE offered one year of identity monitoring to all affected individuals. Following the breach, the CE revised its records retention policies to minimize the number of paper records in storage. OCR obtained assurances that the CE implemented the corrective actions noted above. | Sunbury Plaza Dental OH Business Associate 7784 | Thursday | 2016 |
Kansas Department on Aging | KS | Healthcare Provider | 7757 | 2012-01-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On January 13, 2012, a laptop computer was stolen from an employee’s vehicle. The laptop contained the electronic protected health information (ePHI) of approximately 7,757 Kansas Department on Aging customers. The ePHI included customers’ names, addresses, dates of birth, types of services, case managers and their telephone numbers, dates of quality reviews, and names of quality review staff. KDOA filed a police report, provided breach notification to HHS, affected individuals, and the media, and issued substitute notice. Following the breach, KDOA retrained its workforce and encrypted all its laptops and thumb/flash drives. OCR obtained assurances that KDOA implemented the corrective action listed above, and upon investigation, OCR determined that KDOA does not meet the definition of a covered entity. | Kansas Department on Aging KS Healthcare Provider 7757 | Thursday | 2012 |
Burrell Behavioral Health | MO | Healthcare Provider | 7748 | 2016-09-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Between July 6 and 7, 2016, an unauthorized individual(s) accessed the email account of an employee at the covered entity (CE), Burrell Behavioral Health, and sent thirteen (13) personal emails to an account believed to be the employee’s ex-boyfriend. The email account which was impermissibly accessed contained electronic protected health information (ePHI) for 7,748 patients. The ePHI included names, treatment, social security numbers, and financial information. The CE provided breach notification to HHS, affected individuals, and the media, and posted notice on its website. The CE directed a third-party forensic information technology investigator to determine the cause and severity of the breach. The investigation concluded that only the one employee’s email account was breached. The CE disabled email internet access globally for all employees. The CE also sent out educational documents and reminders to all employees about password security and best practices for HIPAA and network security. The CE also provided one year of identity and credit protection to affected individuals. OCR obtained assurances that the CE took the voluntary corrective actions listed above. | Burrell Behavioral Health MO Healthcare Provider 7748 | Friday | 2016 |
T&P CONSULTING, INC. D/B/A QUANTUM | PR | Business Associate | 7706 | 2012-02-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity’s (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures. | T&P CONSULTING, INC. D/B/A QUANTUM PR Business Associate 7706 | Tuesday | 2012 |
Project Vida Health Center | TX | Healthcare Provider | 7700 | 2015-03-27 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Encrypted servers containing the electronic protected health information (ePHI) of approximately 7,7A0 individuals were stolen from the covered entity’s (CE), Project Vida Health Center, facility. The thieves bypassed the locks and the sensors of the facility’s security system by entering through a window that was secured with steel bars. The ePHI included patients’ names, dates of birth, social security numbers, addresses, and zip codes. The CE provided breach notification to HHS, affected individuals and the media. Notices to the public were provided in English and Spanish. Following the breach incident, the CE transitioned from a server-based system to a cloud-hosted system. The CE demonstrated that it immediately acted to recover data for the purpose of business continuity. The CE provided documentation of the new security measures implemented to sufficiently reduce the risks and vulnerabilities to ePHI. In addition, the CE encrypted data and implemented access controls on its information systems. OCR obtained assurances that the CE implemented the corrective actions listed above. | Project Vida Health Center TX Healthcare Provider 7700 | Friday | 2015 |
University of Oklahoma, Department of Obstetrics and Gynecology | OK | Healthcare Provider | 7693 | 2015-07-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted, password-protected laptop computer was stolen from a resident physician’s car. The laptop contained the electronic protected health information (ePHI) of approximately 7,693 individuals and included patients’ names, dates of birth, medical procedure dates, medications, lab results, admission and discharge dates, treating physicians’ names, and treatment plans. The covered entity (CE), University of Oklahoma, provided breach notification to HHS, affected individuals, and the media. It also offered identity protection services to affected individuals and posted substitute notice on its website. Following the breach, the CE retrained the resident physicians on its encryption policies and procedures and counseled and sanctioned the involved resident. As a result of OCR’s investigation, the CE developed a policy on encryption of laptops for all first-year residents. It also instituted a requirement for all first-year residents to disclose all laptops, tablets, and smartphones to be used for the CE’s business and to ensure they are encrypted by the CE’s representatives. | University of Oklahoma, Department of Obstetrics and Gynecology OK Healthcare Provider 7693 | Friday | 2015 |
FireKeepers Casino Hotel | MI | Health Plan | 7666 | 2015-07-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | FireKeepers Casino Hotel MI Health Plan 7666 | Friday | 2015 |
Children’s Hospital Medical Center of Akron | OH | Healthcare Provider | 7664 | 2015-08-26 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported that a hard drive was missing that contained approximately 1,800 hours of voice recordings that were communications between dispatchers and medical staff prior to or during medical transport between September 18, 2014, and June 3, 2015. The hard drive was not searchable without a separate application and many of the recordings did not contain protected health information The hard drive was missing from the CE’s locked, secure area. The breach affected 7,664 individuals and included clinical and demographic information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovery of the breach, the CE installed a security camera in the area the hard drive was located, ceased storing back-up transport voice recordings on a mobile device, encrypted all mobile devices, and retrained staff. OCR obtained documentation that the CE implemented the compliance actions listed. | Children’s Hospital Medical Center of Akron OH Healthcare Provider 7664 | Wednesday | 2015 |
Hospice of the Chesapeake | MD | Healthcare Provider | 7606 | 2013-11-12 | Theft | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | Contrary to the covered entity’s (CE) established policy, an employee emailed spreadsheets containing the electronic protected health information (ePHI) of 7,035 patients to a personal email account, and a third party may have viewed the spreadsheets. The PHI included names, addresses, conditions, and diagnoses. Following the breach, the CE hired an independent computer forensics firm which conducted an independent investigation. The investigation uncovered another spreadsheet containing the PHI of 571 additional patients in the employee’s personal email account. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. The CE applied sanctions for violating its policy and terminated the responsible employee. As a result of OCR’s investigation, OCR obtained assurances that the CE has periodically conducted risk assessments to assess vulnerabilities to ePHI in its computer systems. | Hospice of the Chesapeake MD Healthcare Provider 7606 | Tuesday | 2013 |
T&P Consulting, INC DBA Quantum HC | PR | Business Associate | 7606 | 2012-03-15 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity’s (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls. | T&P Consulting, INC DBA Quantum HC PR Business Associate 7606 | Thursday | 2012 |
Sheldon M. Golden O.D., Optometric Corporation | CA | Healthcare Provider | 7583 | 2017-12-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Sheldon M. Golden O.D., Optometric Corporation CA Healthcare Provider 7583 | Tuesday | 2017 |
New England Baptist Health | MA | Healthcare Provider | 7582 | 2018-06-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | New England Baptist Health MA Healthcare Provider 7582 | Friday | 2018 |
Soundpath Health, Inc | WA | Health Plan | 7581 | 2011-12-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop containing the protected health information (PHI) of approximately 7,581 clients was stolen out of a workforce member’s vehicle and subsequently used to access the covered entity’s (CE) company server. The laptop contained clients’ demographic information. After the incident, the CE performed a risk analysis of the specific breach occurrence. The CE provided OCR with a copy of its risk analysis, as well as its privacy, breach notification, and security policies and procedures. Following OCR’s investigation, the CE performed a broader security risk assessment and encrypted all mobile media. The CE also developed and provided computer security training to its staff members. | Soundpath Health, Inc WA Health Plan 7581 | Friday | 2011 |
Integral Health Plan, Inc. | FL | Health Plan | 7549 | 2015-07-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Integral Health Plan, Inc., discovered on May 15, 2015, that its business associate (BA), Independent Living Solutions LLC, sent Explanation of Benefits (EOBs) information to incorrect network providers. The EOBs contained patients’ names, dates of birth, Medicaid identification numbers (if applicable), and diagnosis and procedure codes, affecting 7,549 individuals. The CE had a BA agreement in place with the BA since July 2013. The CE provided breach notification to HHS, affected individuals, and the media, and also posted notice on its website. In response to the breach, the CE provided additional training material to its BA. In addition, the CE and BA revised payment processes to implement a two-step verification process before material is mailed. OCR obtained assurances that the CE implemented the corrective actions listed above. | Integral Health Plan, Inc. FL Health Plan 7549 | Friday | 2015 |
University Health System | NV | Healthcare Provider | 7526 | 2010-06-22 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | University Health System NV Healthcare Provider 7526 | Tuesday | 2010 |
Vision Care Florida, LLC | FL | Healthcare Provider | 7500 | 2016-11-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Vision Care Florida, LLC, discovered that on September 21, 2016, its server was infected with a ransomware virus after an employee opened an email attachment. The CE’s server contained patients’ demographic information including the names, dates of birth, and addresses of 7,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. OCR provided technical assistance to the CE regarding the Breach Notification Rule and documentation of training. In response to the breach, the CE changed its policies and procedures regarding its information security and included security training concerning malicious software. The CE removed its computer server from the Internet immediately, upgraded to a business firewall, implemented a cloud based backup, and strengthened its passwords. Additionally, the CE retrained its workforce and disseminated security reminders. OCR obtained assurances that the CE implemented the corrective actions listed above. | Vision Care Florida, LLC FL Healthcare Provider 7500 | Wednesday | 2016 |
Lafayette Pain Care PC | IN | Healthcare Provider | 7500 | 2016-05-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Malware infected a business associate (BA), Bizmatics, Inc., and certain electronic systems containing protected health information (PHI) for the covered entity (CE), Lafayette Pain Care, were accessed in 2015. The breach affected 7,500 individuals’ PHI and included diagnoses/conditions, lab results, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice on its website, established a call center with a toll-free phone number, and provided free credit monitoring and reporting services for one year. The CE executed a new BA agreement with Bizmatics with provisions regarding the use, disclosure, and safeguarding of PHI and made its Notice of Privacy Practices available on its website. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | Lafayette Pain Care PC IN Healthcare Provider 7500 | Monday | 2016 |
Joseph Michael Benson M.D | TX | Healthcare Provider | 7500 | 2014-02-27 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Joseph Michael Benson M.D TX Healthcare Provider 7500 | Thursday | 2014 |
DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale | GA | Healthcare Provider | 7500 | 2011-07-15 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee working for the covered entity (CE) took protected health information (PHI) off premises for purposes of identity theft. Over a period of three months, the employee impermissibly accessed the PHI of 7,500 patients. The types of PHI involved in the breach included names, dates of birth, medical record and account numbers, admission or visit dates, primary diagnoses, treating physicians and in some cases social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of enhanced credit services to those affected. Upon full investigation of the breach, the CE terminated the employee. As a result of this incident, the CE initiated a corrective action plan that included revising or creating policies and procedures to prevent such incidents in the future as well as retraining of staff on its HIPAA policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. | DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale GA Healthcare Provider 7500 | Friday | 2011 |
University of Mississippi Medical Center | MS | Healthcare Provider | 7492 | 2017-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | University of Mississippi Medical Center MS Healthcare Provider 7492 | Friday | 2017 |
Northwest Rheumatology | AZ | Healthcare Provider | 7468 | 2017-07-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Northwest Rheumatology AZ Healthcare Provider 7468 | Monday | 2017 |
VNA Health Care Hartford Hospital | CT | Healthcare Provider | 7461 | 2012-07-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | VNA Health Care Hartford Hospital CT Healthcare Provider 7461 | Tuesday | 2012 |
EMC | CT | Business Associate | 7461 | 2012-07-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | EMC CT Business Associate 7461 | Monday | 2012 |
Dr. Anthony T. R. Green DDS | NY | Healthcare Provider | 7448 | 2015-03-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | A self-storage facility in Hollis, New York auctioned off the contents of a unit rented by the covered entity (CE) that contained medical records of 8,636 individuals. Ultimately, many of the records were left unattended in a Home Depot parking lot in Jamaica, New York. The protected health information (PHI) involved in the breach included names, dates of birth, addresses, social security numbers, diagnoses, conditions, lab results, and other treatment information. Following the breach, the CE provided breach notification to HHS, affected individuals, and the media, and provided credit and identity theft services to individuals at no cost. The CE also ended its practice of storing patient files outside of the office and implemented policies and procedures that prohibit business associates from having access to PHI before a business associate agreement is in place. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the New York Attorney General and the CE agreed to enter into an Assurance of Discontinuance that requires the CE to take additional corrective actions. | Dr. Anthony T. R. Green DDS NY Healthcare Provider 7448 | Wednesday | 2015 |
West Virginia University Hospitals-East, Inc. DBA University Healthcare | WV | Healthcare Provider | 7445 | 2017-02-24 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), West Virginia University Hospitals-East, Inc., reported that on February 24, 2017, a police officer contacted its compliance officer indicating that 113 individuals had reported identity theft and it was discovered they had all been treated at Berkley Medical Center which is part of the CE. The breach affected 7,445 individuals and included demographic and clinical information. The CE discovered that an employee who handled these individuals during admission was involved in the breach. The employee, along with other individuals allegedly involved in the incident, was charged with identity theft, aggravated identity theft, bank fraud and producing false identity documents, among other charges, in a 36-count indictment handed down by a federal grand jury on June 20, 2017. A forensic review conducted by the CE’s third-party Incident Response vendor and the FBI immediately following the event determined that no PHI was removed or viewed from the CE’s electronic network. The CE provided OCR with its Kroll Event Report from June 2017, which provided an update and confirmation that there have been no additional reports of identity theft made to Kroll since the incident was identified and the criminal charges initiated. OCR reviewed a copy of the CE’s current risk assessment. The CE provided breach notification to HHS, affected individuals, and the media, and also provided free credit monitoring. OCR obtained assurances that the CE implemented the corrective actions listed above. | West Virginia University Hospitals-East, Inc. DBA University Healthcare WV Healthcare Provider 7445 | Friday | 2017 |
Indian Health Service Northern Navajo Medical Center | NM | Health Plan | 7421 | 2016-04-07 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Indian Health Services, Northern Navajo Medical Center, the covered entity (CE), reported that an employee took protected health information (PHI) and stored it in a public storage unit without authorization. The breach affected 7,721 individuals, and the types of PHI involved in the breach included patients’ names, health record numbers, social security numbers, dates of birth, and health insurance policy numbers. The CE provided breach notification to HHS, affected individuals, and the media. It also notified law enforcement. OCR obtained documented assurances from the CE that it implemented improved administrative and technical safeguards, revised HIPAA policies and procedures, and retrained staff. | Indian Health Service Northern Navajo Medical Center NM Health Plan 7421 | Thursday | 2016 |
Wm. Jennings Bryan Dorn VAMC | SC | Healthcare Provider | 7405 | 2013-04-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On February 11, 2013, a laptop was stolen from the William Jennings Bryan Dorn VAMC’s Pulmonary Testing Unit. The laptop contained the protected health information (PHI) of approximately 7,405 individuals, including names, dates of birth, and clinical information. The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, and issued substitute notice by placing a notice on its website. It also offered credit monitoring, including identity theft protection for one year. The CE opened a report with the VA police and VA Office of Inspector General (OIG). To prevent future occurrences, the CE improved physical safeguards for all laptops attached to medical testing devices. Additionally, procedures were implemented for secure storage and removal of all personally identifiable information from such medical devices. OCR obtained assurances that the corrective actions listed above were completed. | Wm. Jennings Bryan Dorn VAMC SC Healthcare Provider 7405 | Wednesday | 2013 |
Blue Cross and Blue Shield of Florida | FL | Health Plan | 7366 | 2011-03-03 | Unknown | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Blue Cross and Blue Shield of Florida FL Health Plan 7366 | Thursday | 2011 |
Iowa Department of Human Services | IA | Healthcare Provider | 7335 | 2013-06-26 | Loss | Unknown | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Iowa Department of Human Services IA Healthcare Provider 7335 | Wednesday | 2013 |
Associated Urologists of North Carolina | NC | Healthcare Provider | 7300 | 2013-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On September 11, 2013, a patient of the covered entity (CE), Associated Urologists of North Carolina (AUNC), notified the CE that when he did an internet search for his name he was able to see a list identifying him as an AUNC patient. The CE investigated and discovered that protected health information (PHI) was accessible on the internet from September 17, 2012, to September 11, 2013, and that the breach was due to the way medical notes had been transcribed. An employee uploaded audio files and lists of patients’ names through a file transfer protocol (FTP) site to assist with transcription. The files included the names, dates of birth, phone numbers, referring physicians, chart numbers, and reasons for visits for 7,297 patients. In response to the incident, the CE immediately discontinued use of the FTP site, removed all of its files from the unsecure website, and contacted Google to have all cached copies of the files removed. The CE also provided breach notification to HHS, affected individuals, and the media and offered free credit monitoring and a toll free number to answer questions. The CE also reviewed its policies and retrained all staff on its data privacy and information security policies. Additionally, the CE partnered with a security contractor to develop and implement new policies and procedures to safeguard electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | Associated Urologists of North Carolina NC Healthcare Provider 7300 | Friday | 2013 |
University of California, San Francisco | CA | Healthcare Provider | 7300 | 2010-01-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | University of California, San Francisco CA Healthcare Provider 7300 | Wednesday | 2010 |
Med-Cert, Inc. | FL | Business Associate | 7253 | 2017-09-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | Yes | On July 7, 2017, Med-Cert, Inc., a business associate (BA) for multiple health plans, learned that protected health information (PHI) was publicly accessible through several online search engines including Bing and Google. The exposed PHI included the names, addresses, birthdates, employer information, and case management reports for 7,243 individuals, as well as some social security numbers. The BA provided breach notification to HHS and the affected individuals in a timely and compliant manner. No media or substitute notice was required. Following the breach, the BA discovered that the exposure was caused by a subcontractor, Alentus Hosting, which failed to reactivate a firewall after a software update. As a result, “web-crawlers” infiltrated the subcontractor’s computer network, stole electronic PHI, and posted it online. In response to the breach, the BA immediately contacted the subcontractor and had them close the vulnerability. The BA and the subcontractor did not have a BA agreement (BAA) in place. As a result of the breach, the subcontractor ceased responding to the BA’s request for information. The BA ended its business relationship with the subcontractor and acquired the services of another web hosting company, with which it has a HIPAA-compliant BA agreement. The BA contacted the search engines and was able to confirm that the PHI was removed from public access. OCR provided technical assistance to the BA regarding the BA agreement requirements of HIPAA and obtained written assurances that the BA implemented the corrective actions listed above. | Med-Cert, Inc. FL Business Associate 7253 | Saturday | 2017 |
Clearpoint Design, Inc. | MA | Business Associate | 7250 | 2013-01-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Clearpoint Design, Inc. MA Business Associate 7250 | Thursday | 2013 |
Gibson Insurance Agency, Inc. | IN | Business Associate | 7242 | 2016-10-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Gibson Insurance Agency, Inc. IN Business Associate 7242 | Friday | 2016 |
Blue Vantage Group | NY | Business Associate | 7226 | 2011-12-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Blue Vantage Group NY Business Associate 7226 | Friday | 2011 |
Columbus Surgery Center, LLC | NE | Healthcare Provider | 7221 | 2017-12-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Columbus Surgery Center, LLC NE Healthcare Provider 7221 | Thursday | 2017 |
American Family Care, Inc. | AL | Healthcare Provider | 7200 | 2016-07-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | American Family Care, Inc., the covered entity (CE), discovered that its software impermissibly disclosed the electronic protected health information (ePHI) of patients who received services at the clinic. The breach occurred from August 8, 2015 until June 14, 2016 and affected 7,200 individuals. The PHI involved in this breach included names, dates of birth, addresses, internal patient identification numbers, gender, and body parts being x-rayed. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. In response to the breach, the CE worked with its software vendor to modify the software to prevent users from including a copy of the entire database with any electronic patient files in the future. The CE also revised its policies, trained its staff on the new policies, and sanctioned an employee for failure to timely update the software licenses. OCR obtained assurances that the CE implemented the corrective actions listed above. | American Family Care, Inc. AL Healthcare Provider 7200 | Monday | 2016 |
University of Arkansas for Medical Sciences | AR | Healthcare Provider | 7121 | 2012-04-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Arkansas for Medical Sciences AR Healthcare Provider 7121 | Friday | 2012 |
BlackHawk | IL | Business Associate | 7120 | 2013-10-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), MUSC Physicians & MUHA, learned on August 22, 2013, that the payment portal of its business associate (BA), Blackhawk Statement Group, had been hacked on June 30, 2013. The breach exposed the names, addresses, email addresses, and credit card information for 7,120 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE changed its payment procedures to circumvent the BA and process credit card transactions directly with the processor. The BA patched the vulnerability in the software that was targeted by the hack and improved its network security. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | BlackHawk IL Business Associate 7120 | Wednesday | 2013 |
Cook County Health & Hospitals System | IL | Healthcare Provider | 7081 | 2010-08-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An employee’s laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. | Cook County Health & Hospitals System IL Healthcare Provider 7081 | Friday | 2010 |
The Surgeons of Lake County, LLC | IL | Healthcare Provider | 7067 | 2012-07-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | The Surgeons of Lake County, LLC IL Healthcare Provider 7067 | Wednesday | 2012 |
HITS Scanning Solutions, Inc. | MO | Business Associate | 7059 | 2011-10-22 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) shipped microfilm records containing protected health information (PHI) of 7,059 workforce members. The microfilm was lost in transit and not recovered. The PHI included clinical information, diagnoses, names, addresses, zip codes, dates of birth, social security numbers, driver’s license numbers, and other identifiers. Following the breach, the CE changed its procedures, requiring PHI to be shipped via a new mail carrier that requires a confirmation signature upon receipt and allows for the tracking of packages. As a result of OCR’s investigation the CE retrained its employees on its HIPAA policies and procedures. | HITS Scanning Solutions, Inc. MO Business Associate 7059 | Saturday | 2011 |
Western Montana Clinic | MT | Healthcare Provider | 7038 | 2015-04-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Western Montana Clinic MT Healthcare Provider 7038 | Thursday | 2015 |
VA Corporate Data Center Operations/Austin Information Technology Center | TX | Healthcare Provider | 7029 | 2015-01-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Veterans Health Administration, discovered that its public facing telehealth website administered by one of its business associates (BA), AuthentiDate Holding Corporation, potentially impermissibly disclosed the protected health information (PHI) of 7,054 individuals. The types of PHI potentially involved in the breach included names, addresses, birthdates, phone numbers, and VA patient identification numbers of veterans who used the telehealth system. The CE provided breach notification to individuals, HHS, and the media, and also provided credit monitoring to the affected individuals. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. Upon discovery of the breach, the CE took steps to enforce the requirements of its BA agreement and determined not to renew the agreement with the identified BA. The CE reported that they are no longer doing business with the identified BA. OCR opened a separate case to review the BA’s compliance with the HIPAA Security Rule. | VA Corporate Data Center Operations/Austin Information Technology Center TX Healthcare Provider 7029 | Wednesday | 2015 |
Diamond Computing Company | GA | Business Associate | 7016 | 2014-08-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | OCR notified the covered entity, Diatherix, that electronic protected health information (ePHI) of its patients was potentially accessible online. The CE conducted an internal investigation and determined that its business associate (BA), Diamond Computing Company, Inc., was maintaining an insecure file transfer protocol (FTP) site containing the ePHI of approximately 7,016 individuals. The ePHI involved in the breach included names, social security numbers, dates of birth, addresses, diagnoses, and billing information, as well as other data. In response to this incident, the CE engaged a data forensic firm to determine the scope and cause of the breach. The CE provided breach notification to HHS, the media, and affected individuals, and offered one year of identity theft protection. In addition, the CE performed a risk assessment, took steps to remove cached copies of ePHI from the Internet, and revised its existing policies to ensure its vendors enforce appropriate security measures to protect ePHI. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. | Diamond Computing Company GA Business Associate 7016 | Thursday | 2014 |
University of Houston for UH College of Optometry | TX | Healthcare Provider | 7000 | 2012-05-08 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Houston for UH College of Optometry TX Healthcare Provider 7000 | Tuesday | 2012 |
Beth Barrett Consulting, LLC | NM | Business Associate | 7000 | 2012-02-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Beth Barrett Consulting, LLC NM Business Associate 7000 | Tuesday | 2012 |
Sports Medicine & Rehabilitation Therapy, Inc. | MA | Healthcare Provider | 7000 | 2017-11-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Sports Medicine & Rehabilitation Therapy, Inc. MA Healthcare Provider 7000 | Tuesday | 2017 |
Louisiana State University Health Care Services Division | LA | Healthcare Provider | 6994 | 2013-07-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Louisiana State University Health Care Services Division LA Healthcare Provider 6994 | Monday | 2013 |
Phoebe Putney Memorial Hospital | GA | Healthcare Provider | 6989 | 2014-01-03 | Loss | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Phoebe Putney Memorial Hospital GA Healthcare Provider 6989 | Friday | 2014 |
Pediatric Healthcare Solutions, P.C. | NY | Healthcare Provider | 6932 | 2017-06-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Pediatric Healthcare Solutions, P.C. NY Healthcare Provider 6932 | Wednesday | 2017 |
HOPE Family Health | TN | Healthcare Provider | 6932 | 2013-09-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | HOPE Family Health TN Healthcare Provider 6932 | Monday | 2013 |
University of Wisconsin Hospitals and Clinics Authority | WI | Healthcare Provider | 6923 | 2016-09-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Wisconsin Hospitals and Clinics Authority WI Healthcare Provider 6923 | Friday | 2016 |
Amedisys | LA | Healthcare Provider | 6909 | 2015-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | NA | NA | NA | NA | NA | No | On February 23, 2015, the covered entity (CE), Amedisys, Inc. discovered that 142 encrypted computers and laptops were unaccounted for, that were accessible to former employees who had left or been terminated by the CE between January 1, 2011 and December 31, 2014. The devices contained the electronic protected health information (ePHI) of approximately 6,909 affected individuals. The types of ePHI involved in the incident included names, dates of birth, addresses, social security numbers, other demographic information, diagnosis, lab results, medications, other treatment information, and claim information. The CE provided breach notification to HHS, individuals, and the media. As a result of this incident, the CE implemented an enhanced termination policy and device recovery process. The CE also implemented software that provides an offline device freeze policy, which completely freezes any device that does not connect to the CE’s network for a period of time. OCR provided technical assistance to the CE regarding conducting a risk analysis and the requirements to identify and assess the potential risks and vulnerabilities of ePHI. The CE hired a third party vendor to do a complete enterprise-wide risk analysis that will be provided to OCR upon its completion. | Amedisys LA Healthcare Provider 6909 | Sunday | 2015 |
Larsen Dental Care LLC | ID | Healthcare Provider | 6900 | 2014-04-18 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted external hard drive containing the electronic protected health information (ePHI) of 6,900 individuals was stolen from a workforce member's vehicle. The ePHI involved in the breach included names, addresses, dates of birth, email addresses, telephone numbers, dental records, medical history, health insurance numbers, and social security numbers. The covered entity (CE), Larsen Dental Care LLC, provided breach notification to HHS, affected individuals and the media, and also posted notice online. Following the breach, the CE terminated the employment of the responsible workforce member. It also conducted a new risk assessment, implemented new security and privacy policies, including device and media control policies, and retrained staff. The CE improved safeguards by encrypting all computers and mobile devices containing ePHI and installing comprehensive security upgrades to its computer network. OCR obtained assurances that the CE implemented these corrective actions. | Larsen Dental Care LLC ID Healthcare Provider 6900 | Friday | 2014 |
Centers Plan for Healthy Living | NY | Health Plan | 6893 | 2016-03-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Centers Plan for Healthy Living NY Health Plan 6893 | Thursday | 2016 |
Orleans Medical Clinic | IN | Healthcare Provider | 6890 | 2016-08-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Orleans Medical Clinic IN Healthcare Provider 6890 | Friday | 2016 |
Charles Mitchell MD | TX | Healthcare Provider | 6873 | 2010-07-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A burglary occurred at the covered entity’s (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence. | Charles Mitchell MD TX Healthcare Provider 6873 | Wednesday | 2010 |
Fred Finch Youth Center | CA | Healthcare Provider | 6871 | 2015-06-05 | Theft | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | No | NA | Fred Finch Youth Center CA Healthcare Provider 6871 | Friday | 2015 |
Grace Primary Care, PC | TN | Healthcare Provider | 6853 | 2016-06-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Grace Primary Care, PC, the covered entity (CE), discovered that its business associate (BA), Bizmatics, suffered a malicious cyber-attack to its computer servers, potentially exposing the names, dates of birth, addresses, phone numbers, email addresses, social security numbers, health insurance numbers, diagnoses, and treatment information for 6,853 individuals. In addition, while the CE was completing breach notification requirements, some of the notification letters to the affected individuals were inadvertently mailed to invalid addresses due to a spreadsheet error. The CE recovered all but 135 letters, unopened, and conducted a breach risk assessment. The CE determined that the 135 letters had a low probability of impermissible disclosure, and OCR provided technical assistance to the CE concerning the elements which constitute PHI. The CE provided timely breach notification to the affected individuals, to HHS, and to the media. OCR determined that a BA agreement was in place at the time of the breach and the subsequent investigation. In response to the breach, the CE offered free identity protection services to the affected individuals, and initiated a process of terminating its business relationship with the BA, which is its electronic health records provider. OCR obtained assurances that the CE implemented the corrective actions listed above. | Grace Primary Care, PC TN Healthcare Provider 6853 | Tuesday | 2016 |
Allergy, Asthma & Immunology of the Rockies, PC | CO | Healthcare Provider | 6851 | 2016-06-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Allergy, Asthma & Immunology of the Rockies, PC CO Healthcare Provider 6851 | Friday | 2016 |
St. Elizabeth's Medical Center | MA | Healthcare Provider | 6831 | 2012-04-06 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Elizabeth's Medical Center MA Healthcare Provider 6831 | Friday | 2012 |
Preventice Services, LLC | TX | Healthcare Provider | 6800 | 2016-12-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA) of the covered entity (CE), Preventice Services, LLC, namely Zirmed, Inc., erroneously mailed notices that contained other patients' names and dates of service due to a programming error by its sub-contractor, Allison Payment Systems (APS). The breach affected approximately 6,800 individuals. The CE initially provided breach notification to HHS and affected individuals. Following the breach, the CE worked with the BA and its sub-contractor to correct the programming error and add an additional technical safeguard. OCR confirmed that appropriate BA agreements were in place prior to the breach, provided technical assistance regarding media notification requirements, and confirmed that the CE completed the required breach notifications, including the posting of substitute notice on its website. | Preventice Services, LLC TX Healthcare Provider 6800 | Wednesday | 2016 |
NewYork-Presbyterian Hospital and Columbia University Medical Center | NY | Healthcare Provider | 6800 | 2010-09-24 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Data breach results in $4.8 million HIPAA settlements. Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet. In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. 'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.' NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. | NewYork-Presbyterian Hospital and Columbia University Medical Center NY Healthcare Provider 6800 | Friday | 2010 |
VHS Genesis Lab Inc. | IL | Healthcare Provider | 6800 | 2010-04-05 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), VHS Genesis Lab, Inc., misplaced a month's worth of client invoices which were never located. The invoices contained the protected health information (PHI) of over 500 individuals and included names, dates of birth, and medical testing information. The CE provided breach notification to HHS, affected individuals and the media, and placed notice on its website. Following the breach, the CE arranged for a business associate to handle the mailing of invoices. OCR obtained assurances that the CE implemented the corrective actions listed above. | VHS Genesis Lab Inc. IL Healthcare Provider 6800 | Monday | 2010 |
Family Medicine East, Chartered | KS | Healthcare Provider | 6800 | 2017-02-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Medicine East, Chartered KS Healthcare Provider 6800 | Friday | 2017 |
Florida Hospital Medical Group | FL | Healthcare Provider | 6786 | 2016-10-21 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | In the process of transferring over 7,000 boxes of the covered entity's patient records from Access Record Storage Company to Iron Mountain, a total of 139 boxes of paper medical records went missing. The covered entity (CE), Florida Hospital Medical Group, discovered on August 17, 2016, that 80 boxes of patient records were missing from its Iron Mountain storage facility. Additionally, on October 6, 2016, the CE discovered that another 59 boxes were reported missing from its Access Record Storage Company facility. The boxes included patients' clinical health information, financial claims information, addresses, dates of birth, driver's license numbers, names, and social security numbers. Approximately 6,786 individuals were affected. In response to the breach, the CE commenced an investigation in coordination with both business associates (BAs). Moreover, the CE evaluated the record transfer process and implemented process improvements. The CE also improved its purchasing department processes for vendor management and implemented policies and procedures to train future storage vendors. Furthermore, the CE provided its leadership with additional education and awareness training regarding HIPAA privacy. OCR obtained assurances that the CE implemented the corrective actions listed above. | Florida Hospital Medical Group FL Healthcare Provider 6786 | Friday | 2016 |
Ron's Pharmacy Services | CA | Healthcare Provider | 6781 | 2018-02-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Ron's Pharmacy Services CA Healthcare Provider 6781 | Friday | 2018 |
Rhinebeck Health Center/Center for Progressive Medicine | NY | Healthcare Provider | 6745 | 2012-04-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | The CE’s network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR’s investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system. | Rhinebeck Health Center/Center for Progressive Medicine NY Healthcare Provider 6745 | Thursday | 2012 |
Sunspire Health | NJ | Healthcare Provider | 6737 | 2018-07-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Sunspire Health NJ Healthcare Provider 6737 | Monday | 2018 |
UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 6678 | 2012-02-01 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | UnitedHealth Group health plan single affiliated covered entity MN Health Plan 6678 | Wednesday | 2012 |
Stone Oak Urgent Care & Family Practice | TX | Business Associate | 6672 | 2011-10-24 | Loss | Theft | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Stone Oak Urgent Care & Family Practice TX Business Associate 6672 | Monday | 2011 |
Feinstein and Roe Mds Inc. | CA | Healthcare Provider | 6642 | 2017-08-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Feinstein and Roe Mds Inc. CA Healthcare Provider 6642 | Monday | 2017 |
CCS Medical, Inc. | TX | Healthcare Provider | 6601 | 2012-12-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | No | NA | CCS Medical, Inc. TX Healthcare Provider 6601 | Monday | 2012 |
The Department of Aging and Disability Services | TX | Health Plan | 6600 | 2015-06-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | The Department of Aging and Disability Services TX Health Plan 6600 | Thursday | 2015 |
Saliba's Extended Care Pharmacy | AZ | Healthcare Provider | 6599 | 2017-03-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On January 12, 2017, an employee inadvertently emailed an attachment containing patient invoices for December 2016 to six current patients or their personal representatives. These invoices contained patients' names, billing addresses, account balances, and some invoices included the names and dosage amounts of medications provided by the covered entity (CE), Saliba Extended Care Pharmacy, to the patient. Approximately 6,599 individuals were affected by the breach. The CE discovered the inadvertent emailing on January 16, 2017, recalled the email sent to all recipients, reached out to the three recipients who confirmed they had opened the email message, and requested that the recipients permanently delete the email. After the incident, the CE restricted workforce access to the folder containing patient invoices, retrained billing staff on proper methods for accessing and emailing patient invoices and on its HIPAA policies and procedures, and sanctioned the employee who sent the email. The CE also developed a secure online portal through which patients can directly retrieve their monthly invoices. The CE provided breach notification to HHS, affected individuals, and media, as well as substitute notification. OCR provided the CE with technical assistance regarding the risk analysis and risk management provisions of the HIPAA Security Rule. | Saliba's Extended Care Pharmacy AZ Healthcare Provider 6599 | Friday | 2017 |
Jemison Internal Medicine, PC | AL | Health Plan | 6550 | 2018-02-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Jemison Internal Medicine, PC AL Health Plan 6550 | Friday | 2018 |
Associates in Psychiatry and Psychology | MN | Healthcare Provider | 6546 | 2018-05-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Associates in Psychiatry and Psychology MN Healthcare Provider 6546 | Friday | 2018 |
Ohio Living | OH | Healthcare Provider | 6510 | 2018-09-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Ohio Living OH Healthcare Provider 6510 | Friday | 2018 |
Baptist Health and Arkansas Health Group | AR | Healthcare Provider | 6500 | 2015-10-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On October 1, 2015, Baptist Health and Arkansas Health Group (CE) reported a breach when a workforce member accessed and downloaded the electronic protected health information of 6,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The workforce member left the CE to provide health care services at another CE. OCR determined in its investigation that the incident was not a breach, but is considered a continuation or coordination of care. | Baptist Health and Arkansas Health Group AR Healthcare Provider 6500 | Thursday | 2015 |
Urology Associates, Professional Corporation | MT | Healthcare Provider | 6500 | 2015-07-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Urology Associates, reported that 6,500 individuals were affected by a breach that occurred when unknown individuals broke into a locked storage unit at a secure storage facility where it stored medical records. The boxes containing the medical records had clearly been rifled through, but there was no indication that records were removed. The CE provided breach notification to HHS, affected individuals, and the media. It also provided one year of free credit monitoring to affected individuals. Following the breach, the CE removed the medical records from the storage facility and shredded them after scanning them into a secure encrypted computer database. OCR obtained assurances that the CE implemented the corrective actions listed above. | Urology Associates, Professional Corporation MT Healthcare Provider 6500 | Friday | 2015 |
Lewis J. Sims, DPM, PC dba Sims and Associates Podiatry | NY | Healthcare Provider | 6475 | 2014-02-12 | Other | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Three laptop computers belonging to the covered entity (CE), Sims & Podiatry Associates, were stolen from its office. The laptops were unencrypted and contained electronic protected health information (ePHI) that included 6,474 patients' addresses, zip codes, dates of birth and vascular test results. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE installed new locks on all its doors and an alarm security system with central station monitoring. The CE also purchased replacement laptops and a new server. Additionally, the CE secured all laptops with cable locks and implemented full disk encryption along with antivirus and anti-malware software. Further, the CE implemented real-time offsite backup of all its ePHI. OCR specified its expectation that the CE conduct an on-going risk analysis, implement an on-going risk management plan, conduct periodic vulnerability scans and penetration tests, implement audit controls and perform information system activity review. Further, OCR expects the CE to upgrade encryption for the Poughkeepsie office and ensure that portable hard drives are stored in a secured location. The CE is also expected to provide on-going security awareness training to all staff. | Lewis J. Sims, DPM, PC dba Sims and Associates Podiatry NY Healthcare Provider 6475 | Wednesday | 2014 |
EDWARD G. MYERS D.O. INC | OH | Healthcare Provider | 6441 | 2016-06-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) filed a breach report and verified the information in the breach report. Later, the CE stated it filed the breach report prematurely and there was no breach. The CE then filed a breach report recanting that a breach had occurred. Based on the conflicting breach reports filed by the CE, OCR decided to initiate an investigation to determine the CE's compliance. The CE provided affidavits signed by its business associate (BA) for the software used to run the practice and where PHI is stored, and its information technology person at CORTCOMP-Cortland Computer. Both stated that PHI was not accessed or compromised. OCR obtained and reviewed a copy of the BA agreement with the software vendor, the CE's policies and procedures related to safeguarding PHI, a risk analysis, and an incident report. | EDWARD G. MYERS D.O. INC OH Healthcare Provider 6441 | Friday | 2016 |
Patterson Dental Supply/Patterson Companies | MN | Business Associate | 6400 | 2013-03-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An unknown individual hacked into the covered entity's (CE) server which contained the electronic protected health information (ePHI) of approximately 6,400 individuals. The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, payment information, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by installing a new firewall and filtering technology. Additionally, OCR's investigation resulted in the CE retraining its employees. | Patterson Dental Supply/Patterson Companies MN Business Associate 6400 | Tuesday | 2013 |
Catoctin Dental/Richard B. Love, D.D.S., P.A. | MD | Healthcare Provider | 6400 | 2013-02-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Catoctin Dental/Richard B. Love, D.D.S., P.A. MD Healthcare Provider 6400 | Wednesday | 2013 |
Cogent Healthcare, Inc. | TN | Business Associate | 6400 | 2009-11-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices. | Cogent Healthcare, Inc. TN Business Associate 6400 | Wednesday | 2009 |
Aetna | CT | Health Plan | 6372 | 2010-07-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Aetna CT Health Plan 6372 | Tuesday | 2010 |
Fairbanks North Star Borough | AK | Healthcare Provider | 6346 | 2018-07-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Fairbanks North Star Borough AK Healthcare Provider 6346 | Thursday | 2018 |
Goold Health System (Goold) | MA | Business Associate | 6332 | 2013-03-06 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of the covered entity's business associate (BA) lost a portable thumb drive containing the electronic protected health information (ePHI) of over 6,000 individuals. The ePHI included demographic information, Medicaid identification numbers, and prescription information. The covered entity (CE), Utah Department of Health, provided breach notification to HHS, affected individuals, and the media. The CE took corrective action to mitigate the situation and implemented a new agreement with its BA to include additional security measures. As a result of OCR's investigation, OCR obtained assurances that the corrective actions listed above were completed. OCR opened a separate investigation of the BA. | Goold Health System (Goold) MA Business Associate 6332 | Wednesday | 2013 |
Rady Children's Hospital - San Diego | CA | Healthcare Provider | 6307 | 2014-06-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Rady Children's Hospital - San Diego CA Healthcare Provider 6307 | Wednesday | 2014 |
U.S. Health Holdings, Ltd. o/b/o Macomb County, Michigan | MI | Health Plan | 6302 | 2014-10-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | U.S. Health Holdings, Ltd. o/b/o Macomb County, Michigan MI Health Plan 6302 | Wednesday | 2014 |
M&C Children's Clinic PA | TX | Healthcare Provider | 6300 | 2013-03-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On March 19, 2013, the covered entity (CE), M & C Children's Clinic, reported a breach when a hacker infected its network and encrypted patients' electronic medical records. The hacker contacted the CE and demanded money in return for allowing access to patients' records. The breach involved the clinical, financial, and demographic information of 3,667 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE improved safeguards by adding enhanced firewalls and antivirus software. It also closed all electronic access ports and revised its data backup and recovery/restoration plan. Additionally, the CE trained staff on privacy and security. OCR provided technical assistance to the CE on the requirements for conducting a thorough assessment of the potential risks and vulnerabilities to ePHI. | M&C Children's Clinic PA TX Healthcare Provider 6300 | Tuesday | 2013 |
Superior HealthPlan, Inc. | TX | Health Plan | 6284 | 2013-11-01 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Superior HealthPlan, Inc., mistakenly sent mail containing protected health information (PHI) to unrelated members. Approximately 6,284 individuals were affected. The PHI involved in the breach included names, addresses, and identification numbers. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. It also offered credit and identity theft protection to the affected parties. As a result of OCR's investigation, the CE implemented procedures to improve accuracy of mailings. In addition, the CE improved safeguards by implementing a periodic audit to assure that IDs are matched to mailing addresses. | Superior HealthPlan, Inc. TX Health Plan 6284 | Friday | 2013 |
Memorial Health System | CO | Healthcare Provider | 6262 | 2012-11-07 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Memorial Health System CO Healthcare Provider 6262 | Wednesday | 2012 |
Nintendo of America Inc. | WA | Health Plan | 6248 | 2016-02-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Nintendo of America, Inc., reported that on May 5, 2014, attackers impermissibly accessed and acquired data in possession of its business associate (BA), Premera. This data included the protected health information (PHI) of former and current participants in health plans of certain members of the Blue Cross Blue Shield Association dating back to 2002. The BA is a member of the Blue Cross Blue Shield Association and is the third-party administrator for the health plan. As a result, some former and current plan participants have been impacted. The CE reported that 6,248 individuals were affected and the PHI involved in the breach included demographic, clinical, and financial information. The BA provided breach notification to HHS, affected individuals, and the media. The CE had a BA agreement in place with Premera. OCR determined that Nintendo is in compliance with the Privacy, Security, and Breach Notification Rules. | Nintendo of America Inc. WA Health Plan 6248 | Friday | 2016 |
Amida Care | NY | Health Plan | 6231 | 2017-09-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Amida Care NY Health Plan 6231 | Friday | 2017 |
OptumRx, Inc. | CA | Healthcare Provider | 6229 | 2016-04-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | OptumRx, Inc. CA Healthcare Provider 6229 | Tuesday | 2016 |
CareFirst BlueCross BlueShield | MD | Health Plan | 6200 | 2018-04-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | CareFirst BlueCross BlueShield MD Health Plan 6200 | Thursday | 2018 |
Covenant Medical Center, Inc. | MI | Healthcare Provider | 6197 | 2017-01-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Covenant Medical Center, discovered that an employee accessed patients' electronic medical records from February 1, 2016 through November 21, 2016 without an appropriate business purpose. This breach affected the clinical, demographic, and financial information of approximately 6,197 individuals. The CE provided breach notification to HHS, affected individuals, and the media. It also offered affected individuals credit monitoring. Following the breach, the CE sanctioned the involved employee and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. In this case the sanctions included termination of employment. | Covenant Medical Center, Inc. MI Healthcare Provider 6197 | Friday | 2017 |
Allina Health | MN | Healthcare Provider | 6195 | 2015-12-23 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On October 27, 2015, the covered entity (CE), Allina Health, discovered that its janitorial vendor erroneously placed its patients' protected health information (PHI) in the trash dumpster. The breach affected 6,195 individuals and the types of PHI involved included financial, demographic, and clinical information. The CE provided notification of the breach to HHS, affected individuals, and the media and also posted substitute notice on its website. Following the breach, the CE investigated the breach, updated its physical safeguards policy, and educated its workforce on its updated policy. OCR obtained a copy of the CE's business associate agreement with Iron Mountain for PHI disposal services. OCR obtained documented assurances that the CE implemented the corrective actions taken in response to this breach incident. | Allina Health MN Healthcare Provider 6195 | Wednesday | 2015 |
Aflac | GA | Health Plan | 6166 | 2015-05-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Some of the covered entityâs (CE) policyholders erroneously received welcome packets in the mail that contained the protected health information (PHI) of other individuals on a summary page. The breach affected 6,166 individuals and the types of PHI involved in the incident included policyholdersâ names, coverage applied for, premium amounts, whether the applicant was a new employee, codes or names representing employeesâ departments, and denial or acceptance of insurance coverage. In response to the breach, the CE updated its privacy and security procedures, which included updating its mailing process. The CE installed new printer software on all IT quality assurance (QA) desktops and on additional machines located in the IT QA lab. The CE also purchased and installed new local printers that will allow IT testers and coders to confirm packet accuracy. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed above. | Aflac GA Health Plan 6166 | Friday | 2015 |
Michele Del Vicario, MD | CA | Healthcare Provider | 6145 | 2009-11-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. | Michele Del Vicario, MD CA Healthcare Provider 6145 | Friday | 2009 |
Steven A. Goldman, MD Inc. | OH | Healthcare Provider | 6141 | 2014-08-22 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Steven A. Goldman, MD Inc. OH Healthcare Provider 6141 | Friday | 2014 |
Medical Mutual of Ohio | OH | Health Plan | 6119 | 2017-09-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Medical Mutual of Ohio OH Health Plan 6119 | Friday | 2017 |
AU Medical Center, Inc. | GA | Healthcare Provider | 6109 | 2017-09-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | AU Medical Center, Inc. GA Healthcare Provider 6109 | Friday | 2017 |
University Health | LA | Healthcare Provider | 6073 | 2014-08-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On August 15, 2014, the covered entity (CE), University Health, reported a breach when a professor from City College of San Francisco notified them by email of security issues. Protected health information (PHI) from the E.A. Conway Medical Center was contained on an unsecured server that was accessible online. The types of PHI involved in the breach included financial and medical information and affected 6,075 individuals. The CE immediately took the server off-line, which discontinued any unauthorized access. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE hired a third-party company to conduct and assess a thorough external penetration test. OCR obtained assurances that the CE implemented the corrective actions listed above. | University Health LA Healthcare Provider 6073 | Friday | 2014 |
VA Caribbean Healthcare System | PR | Healthcare Provider | 6006 | 2011-05-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures. | VA Caribbean Healthcare System PR Healthcare Provider 6006 | Thursday | 2011 |
Hal Meadows, M.D. | CA | Healthcare Provider | 6000 | 2016-09-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Dr. Hal Meadows (HM), reported a breach that occurred when its electronic patient billing files were unlawfully accessed on a desktop computer in the CE's office. The breach affected approximately 6,000 individuals who were the CE's patients. The electronic protected health information (ePHI) involved included full names, addresses, dates of birth, telephone numbers, some social security numbers, claims information, diagnosis/conditions, lab results, medications, treatment codes, and billing information. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Following the breach, the CE also immediately reported the incident to the FBI. As a result of this incident, the CE updated its policies and procedures, and contracted with a company to provide an encrypted cloud-based billing system in order to safeguard ePHI. OCR obtained assurances that the CE implemented the corrective actions above. | Hal Meadows, M.D. CA Healthcare Provider 6000 | Friday | 2016 |
Oklahoma City Indian Clinic | OK | Healthcare Provider | 6000 | 2014-08-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A staff member of the covered entity (CE), Oklahoma City Indian Clinic, sent an email to 412 recipients that erroneously included an attachment that contained the electronic protected health information (ePHI) of 6,044 individuals. Following an attempted recall of the message, a corrected email without the attachment was sent, asking the recipients to delete the erroneous email and the attachment. The ePHI involved in the breach included patients' names, chart numbers, and email addresses. The CE provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. Following the breach, the CE re-trained staff on its encryption policy. In addition, the CE improved safeguards by developing a policy regarding electronic transmission of patient information. The policy limits identifying patient information contained in electronic communications within the CE's network, and requires password protection for electronic files including ePHI. As a result of OCR's investigation, OCR obtained assurances that the corrective actions listed above were completed. | Oklahoma City Indian Clinic OK Healthcare Provider 6000 | Friday | 2014 |
Haley Chiropractic Clinic | WA | Healthcare Provider | 6000 | 2014-07-08 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | One laptop and two desktop computers containing the electronic protected health information (ePHI) of about 6,000 patients were stolen during a break-in at the covered entity (CE), Haley Chiropractic Clinic. The machines and the clinic's electronic health record (EHR) application were password-protected, but the devices were not encrypted. One of the desktop computers provided access to the web-based EHR system that included names, treatment notes, addresses, phone numbers, dates of birth, insurance information, and social security numbers. The stolen laptop contained patients' names, social security numbers, height and weight, and range of motion data. The CE filed a police report, provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE improved safeguards by installing a new physical security alarm and video surveillance system, changing all computer passwords, and encrypting computers. OCR's review found that the media notice did not comply with the content requirements of the Breach Notification Rule. Based on OCR's technical assistance, the CE provided a compliant notice to regional media. | Haley Chiropractic Clinic WA Healthcare Provider 6000 | Tuesday | 2014 |
Keith & Fisher, DDS, PA | NC | Healthcare Provider | 6000 | 2011-04-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Keith & Fisher DDS PA, discovered on March 7, 2011, that its server had been hacked, potentially exposing the clinical and demographic data for 6,000 individuals. The CE provided breach notification to HHS, to affected individuals, and published notice on its website and to the media. In response to the breach, the CE increased its information systems security, improved its password policy, implemented logging procedures to track access failures and changed access to its servers so it is only accessible through an existing firewall and a virtual private network tunnel. OCR obtained assurances that the CE implemented the corrective actions listed above. | Keith & Fisher, DDS, PA NC Healthcare Provider 6000 | Thursday | 2011 |
MJHS Home Care | NY | Healthcare Provider | 6000 | 2017-08-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | MJHS Home Care NY Healthcare Provider 6000 | Friday | 2017 |
Southwest Community Health Center | CT | Healthcare Provider | 6000 | 2017-06-07 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Southwest Community Health Center CT Healthcare Provider 6000 | Wednesday | 2017 |
Providence Medical Group- Gateway Clinics | OR | Healthcare Provider | 5978 | 2016-07-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | In July 2016, the covered entity (CE), Providence Medical Group - Gateway Clinics, reported that its privacy monitoring program discovered inappropriate access to medical records by one of its financial coders. The audit revealed that the employee had impermissibly accessed the medical records of 5,977 individuals. The types of protected health information (PHI) involved in the breach varied by patient, but could have included demographic and medical treatment information, and may have included images of driver's licenses, insurance data and Social Security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered individuals two years of credit monitoring. Following the breach, the CE sanctioned the employee and disabled electronic and physical access to its systems. The CE also retrained coders on its privacy policies and reviewed its risk assessment and risk management plan. OCR obtained assurances that the CE implemented the corrective actions listed above. | Providence Medical Group- Gateway Clinics OR Healthcare Provider 5978 | Friday | 2016 |
Speare Memorial Hospital | NH | Healthcare Provider | 5960 | 2011-05-02 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Speare Memorial Hospital NH Healthcare Provider 5960 | Monday | 2011 |
City of Hope National Medical Center | CA | Healthcare Provider | 5900 | 2009-11-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen from a workforce member’s car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCR’s investigation resulted in the covered entity improving their physical safeguards and retraining employees. | City of Hope National Medical Center CA Healthcare Provider 5900 | Monday | 2009 |
Mary M. Desch,MD/PathHealer, LTD | AZ | Healthcare Provider | 5893 | 2010-06-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Mary M. Desch,MD/PathHealer, LTD AZ Healthcare Provider 5893 | Monday | 2010 |
Complete Family Foot Care | NE | Healthcare Provider | 5883 | 2016-03-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | Bizmatics, Inc., a business associate (BA) that the covered entity (CE), Complete Family Foot Care, employs for the online storage and management of its patient health records, discovered an unauthorized access to the computer servers on which the CE's patient files were stored. The breach affected 5,883 individuals and included clinical information. Upon request of the CE, the BA provided breach notification to affected individuals and complimentary identity recovery services for individuals victimized by identity theft. The CE also provided breach notification to HHS and the media and posted substitute notice on its website. Following the breach the BA comprehensively scanned for malware and any external vulnerabilities, upgraded all anti-virus and anti-malware programs as well as system hardware and operating systems, updated server and account passwords, and revised its firewall configurations. The BA also implemented stricter password policies and initiated the installation of an active traffic-monitoring solution for its network. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above. | Complete Family Foot Care NE Healthcare Provider 5883 | Monday | 2016 |
University of Florida | FL | Healthcare Provider | 5875 | 2013-05-30 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Florida FL Healthcare Provider 5875 | Thursday | 2013 |
Brodhead Dental Center | PA | Healthcare Provider | 5872 | 2016-12-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A dentist with the covered entity (CE), Brodhead Dental Center, encountered a suspicious pop-up window on his work computer while he was online making a personal transaction. There is no indication that any patients' protected health information (PHI) was accessed as a result of this incident. Following this incident, the CE adopted encryption technology, improved password security, updated its security plan, and implemented technical safeguards. It also sanctioned the involved workforce member and improved its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | Brodhead Dental Center PA Healthcare Provider 5872 | Monday | 2016 |
Accuprint | PR | Business Associate | 5848 | 2011-08-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers’ names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR’s investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use of PHI and required the BA to safeguard all PHI. | Accuprint PR Business Associate 5848 | Monday | 2011 |
Mark A. Gillispie | CA | Healthcare Provider | 5845 | 2014-06-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On June 5, 2014, the covered entity (CE), reported that a trusted physician who had worked in the office for four years left, and prior to leaving, copied patients' demographic information including names, social security numbers, addresses, dates of birth, phone numbers, emails, insurance information and recall dates. The protected health information (PHI) of 5,845 individuals was affected by the breach. Following the breach, the CE improved technical safeguards by installing a firewall, securing browser sessions, implementing strong authentication, antivirus software, and logical access control, and encrypting wireless connections. It also improved physical security and reported that it revised its HIPAA Privacy and Security policies and procedures. During the course of the investigation, OCR learned that the CE is no longer a CE. | Mark A. Gillispie CA Healthcare Provider 5845 | Friday | 2014 |
Greater Dallas Orthopaedics, PLLC | TX | Healthcare Provider | 5840 | 2013-10-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Two computers containing files with dictated letters were stolen from the covered entity (CE), Greater Dallas Orthopaedics, PLLC. The protected health information (PHI) on the audio files included the names and medical information of approximately 5,840 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Greater Dallas Orthopaedics, PLLC TX Healthcare Provider 5840 | Monday | 2013 |
BHcare, Inc | CT | Healthcare Provider | 5827 | 2012-09-14 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), BHcare, Inc. after it reported that a laptop computer and unencrypted back-up tape containing the electronic protected health information (ePHI) of 5,827 individuals were stolen from a workforce member's vehicle. The ePHI included names, date of birth, social security numbers, health insurance numbers, and some patients' assessments and diagnosis information. Upon discovering the breach, the CE filed a police report with the Connecticut State Police. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notice on its website. The CE offered one year of free credit monitoring services to affected individuals. As a result of OCR's investigation, the CE completed a risk analysis and risk management plan, retrained employees, and implemented new security policies and procedures to ensure adequate safeguards of ePHI. | BHcare, Inc CT Healthcare Provider 5827 | Friday | 2012 |
Center for Pain Management, LLC | MD | Healthcare Provider | 5822 | 2013-02-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management. The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals. The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches. Identity Force mailed notification letters to all affected individuals and provided identity theft insurance and credit monitoring services for one year. The CE also posted the breach notification on its website and notified the media. The CE engaged the services of an information technology firm to update its devices and computer network. OCR obtained assurances that the corrective action listed above was completed. | Center for Pain Management, LLC MD Healthcare Provider 5822 | Tuesday | 2013 |
Martinsville Henry County Coalition for Health and Wellness | VA | Healthcare Provider | 5806 | 2017-10-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Martinsville Henry County Coalition for Health and Wellness VA Healthcare Provider 5806 | Friday | 2017 |
Triple-S Salud | PR | Health Plan | 5795 | 2014-04-02 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation ("TRIPLE-S"), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. "OCR remains committed to strong enforcement of the HIPAA Rules," said OCR Director Jocelyn Samuels. "This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information." TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities' compliance with HIPAA Rules. OCR's investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries' PHI; Impermissible disclosure of its beneficiaries' PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. "Triple-S is committed to protecting the privacy and security of its beneficiaries' health information and implementing the Corrective Action Plan entered into with OCR," said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. "We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR's technical assistance to date, and look forward to our collaboration in the future." | Triple-S Salud PR Health Plan 5795 | Wednesday | 2014 |
Humana Inc | KY | Health Plan | 5764 | 2017-11-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Humana Inc KY Health Plan 5764 | Tuesday | 2017 |
Bon Secours Mary Immaculate Hospital | VA | Healthcare Provider | 5764 | 2013-05-29 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Bon Secours Health System, discovered that two Certified Nursing Assistants (CNAs) impermissibly electronically accessed the medical records of approximately 5,764 patients during the prior 12 months. The protected health information (PHI) contained in the breach included patients' names, social security numbers, dates of birth, addresses, clinical information, and other identifiers. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE conducted a full investigation, sanctioned the two CNAs, revoked their access to the electronic medical record system and subsequently terminated both employees for their actions. Following the CE's reports to law enforcement and the state department of health professions, the two former employees plead guilty to Federal misdemeanor charges and had their professional certifications revoked. OCR reviewed the CE's most recent risk assessment and confirmed that all identified risks are to be addressed by December 2014 according to the CE's Risk Management Plan. As a result of OCR's investigation, the CE pursued prosecution of the CNAs and provided credit monitoring services to the affected individuals. | Bon Secours Mary Immaculate Hospital VA Healthcare Provider 5764 | Wednesday | 2013 |
CHRISTUS St. John Hospital | TX | Healthcare Provider | 5748 | 2012-11-16 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On September 25, 2012, an employee lost an unsecured flash drive which contained the electronic protected health information (ePHI) of 5,748 individuals. The types of ePHI involved in the breach included financial, demographic, and clinical information. The hospital provided breach notification to HHS, affected individuals, and the media. Following the discovery of the incident, the hospital revised its HIPAA policy, implemented an encryption solution for media storage devices, and retrained the involved employee. OCR obtained assurances that the CE implemented the corrective actions listed above. | CHRISTUS St. John Hospital TX Healthcare Provider 5748 | Friday | 2012 |
Ecco Health, LLC | NV | Business Associate | 5713 | 2012-09-14 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Ecco Health, LLC NV Business Associate 5713 | Friday | 2012 |
Titus Regional Medical Center | TX | Healthcare Provider | 5700 | 2012-05-26 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Titus Regional Medical Center, after it reported that its EMS laptop computer that contained the protected health information (PHI) of 5,840 patients was missing upon returning from the EMS's last transport to Titus. It is thought that the laptop was left on the fender of the vehicle and fell off. Although the laptop was encrypted, the CE could not confirm if the laptop was opened or closed when it dropped from the vehicle. If the laptop was open when it dropped, then patients' PHI (names, social security numbers, addresses, and dates of birth) may have been accessible to others. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE conducted an internal audit and determined that there was a glitch in the software parameter that permitted the download and storage of all 5,840 patients' records on the laptops regardless of the parameter setting. As a result of OCR's investigation the settings on the laptops were changed, including a reduction in the time for automatic shut-off when laptops are not in use. The CE applied sanctions to the EMT personnel involved and re-trained them on its privacy policies. In November 2013, the CE conducted a system wide risk analysis that included all of its systems and revised and implemented its security policies. | Titus Regional Medical Center TX Healthcare Provider 5700 | Saturday | 2012 |
Health Behavior Innovations (HBI) | UT | Business Associate | 5700 | 2010-02-05 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entity’s (CE) locked medical office. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers. Following OCR’s investigation, the CE improved its physical safeguards and retrained employees. | Health Behavior Innovations (HBI) UT Business Associate 5700 | Friday | 2010 |
OptumRx | IL | Business Associate | 5696 | 2014-04-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of the covered entity’s (CE) business associate (BA) mistakenly mailed protected health information (PHI) to other individuals due to a human error in sorting the data contained in an Excel spreadsheet. The mailing affected 5,696 individuals and included names and prescription drug names. The BA provided breach notification to the affected individuals, HHS, and the media. As a result of OCR’s investigation, OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. OCR obtained assurances that the BA completed the corrective actions noted above. The BA also stated that it has developed a plan to improve safeguards by implementing additional quality checks and controls for mailings. | OptumRx IL Business Associate 5696 | Wednesday | 2014 |
Foundations Recovery Network | TN | Healthcare Provider | 5690 | 2013-08-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A password-protected, unencrypted laptop was stolen from the covered entity's (CE) employee's car in her neighborhood. The laptop contained the protected health information (PHI) of 5,690 individuals and included patient names, dates of birth, addresses, telephone numbers, social security numbers, diagnoses, level of care, dates of service, and health insurance identifiers. The CE conducted an investigation and filed a police report. The CE provided breach notifications to HHS and affected individuals. Following the breach, the CE disabled the laptop's access to its internal systems and changed the passwords. The employee was formally reprimanded and retrained. The CE hired experts to perform a risk assessment and gap analysis of its existing privacy and security practices, policies, and procedures and instituted a policy prohibiting workforce members from removing unencrypted company laptops from the premises. The CE retrained employees at all levels on its HIPAA policies and procedures and provided company-wide email reminders to all workforce members regarding privacy and security protections. The CE established roles to address compliance, including a compliance committee and a compliance director. OCR obtained assurances that the corrective actions listed above were taken. Two of the three individuals involved in the theft of the laptop were arrested. | Foundations Recovery Network TN Healthcare Provider 5690 | Thursday | 2013 |
Mo. Dept. of Mental Health | MO | Healthcare Provider | 5685 | 2017-02-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Mo. Dept. of Mental Health MO Healthcare Provider 5685 | Tuesday | 2017 |
Rhode Island Executive Office of Health and Human Services | RI | Health Plan | 5600 | 2018-02-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Rhode Island Executive Office of Health and Human Services RI Health Plan 5600 | Tuesday | 2018 |
AU Medical Center, Inc. | GA | Healthcare Provider | 5600 | 2017-05-26 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | On September 7, 2016, a cyber-attacker sent a phishing email to the covered entity (CE), Augusta University Medical Center, Inc. and obtained employees’ user names and passwords. The cyber-attacker then accessed the employees’ self-service portal with the purpose of redirecting their paychecks to the cyber-attacker’s bank account. The breach affected the protected health information (PHI) of 4,690 individuals and included one or more of the following: addresses, dates of birth, medical record numbers, insurance information, prescription information, treatment information, and for a few individuals, social security numbers. In response to this incident, the CE changed user passwords, closed affected email accounts, and issued a security alert for all staff members to immediately change their passwords. The CE provided breach notification to HHS, affected individuals, and the media. It also established a dedicated call center and one year of free credit monitoring for all affected individuals. The CE enhanced security by implementing two-factor authentication for remote connections, an e-mail subject tagging system, and a log collection and correlation tool. The CE provided additional training on spotting phishing emails, deployed a means to automatically quarantine suspicious email messages, and corrected its software to identify suspicious internet addresses more quickly. OCR confirmed that the CE implemented the corrective actions listed above. | AU Medical Center, Inc. GA Healthcare Provider 5600 | Friday | 2017 |
Charles Stamitoles | FL | Healthcare Provider | 5600 | 2016-12-11 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On October 12, 2016, Stamitoles Dental Center, the covered entity (CE), unintentionally disposed of boxes of paper medical records in a publicly accessible dumpster, potentially exposing the names, dates of birth, social security numbers, addresses, telephone numbers, clinical information and health insurance information of 4,678 individuals. The paper medical records were retrieved by the CE the following morning. The CE provided timely breach notification to HHS, to affected individuals, on its website and to the media. In response to the breach, the CE retrained its workforce and adopted a new written policy governing the proper destruction and disposal of paper records. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Charles Stamitoles FL Healthcare Provider 5600 | Sunday | 2016 |
Carolinas Medical Center - Randolph | NC | Healthcare Provider | 5600 | 2012-12-07 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Carolina’s Medical Center, discovered that a physician had responded to a phishing email and provided her password to a third party, causing all of the physician’s emails to be forwarded to a third party. The forwarded emails included protected health information (PHI) regarding 5,600 individuals. The PHI in the emails included names, dates of birth, medications, treatment information, social security numbers (for 5 patients), dates of service, addresses, names of providers, admission/discharge dispositions and dates, and internal medical record and account numbers. Following the breach, CE improved administrative and technical safeguards by terminating auto-forwarding capabilities and implementing an alert for remote system accesses that originate from a foreign country. The CE also trained employees on identifying social engineering schemes. OCR obtained assurances that the corrective actions were taken. | Carolinas Medical Center - Randolph NC Healthcare Provider 5600 | Friday | 2012 |
State of South Carolina Budget and Control Board Employee Insurance Program (EIP) | SC | Health Plan | 5596 | 2011-01-14 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A workstation in the covered entity’s (CE) finance department was infected with malware that recorded keystrokes and captured screenshots. The CE reported 5,596 individuals as being potentially affected by the malware. The types of PHI involved in the breach included names, addresses, dates of birth, benefits identification numbers, social security numbers, and in some cases, banking information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE disconnected the workstation from the network and provided the affected employee with new login credentials, a new hard drive, and additional training. The CE updated its Privacy and Security Rule policies and procedures and initiated mandatory annual supplemental training for all of its employees. The CE improved safeguards by implementing additional network security monitoring programs to actively protect workstation environments and limit the proliferation of malware infections on its network. OCR obtained assurances that the appropriate notifications were made and that the corrective actions listed above were completed. | State of South Carolina Budget and Control Board Employee Insurance Program (EIP) SC Health Plan 5596 | Friday | 2011 |
NOVA Chiropractic & Rehab Center | VA | Healthcare Provider | 5534 | 2014-03-27 | Loss | Other | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), NOVA Chiropractic and Rehabilitation Center, misplaced a mobile device within its office. The device contained the electronic protected health information (ePHI) of approximately 5,534 patients, including names, dates of birth, and addresses. The CE found no evidence that the ePHI was inappropriately used outside of the CE’s office. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. As a result of OCR’s investigation, the CE cleared and encrypted its thumb drives that contained ePHI. The CE improved physical safeguards by installing a new security alarm system, and updated its policy for removal of PHI from the office. OCR obtained assurances that the CE has executed business associate agreements for its email and cloud system providers. | NOVA Chiropractic & Rehab Center VA Healthcare Provider 5534 | Thursday | 2014 |
Community Link Inc | WI | Health Plan | 5524 | 2017-06-30 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Community Link Inc WI Health Plan 5524 | Friday | 2017 |
Children’s Mercy Hospital | MO | Healthcare Provider | 5511 | 2017-05-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | CMH physician stored protected health information on a personal website. Approximately 5,511 individuals were affected by this breach. The breach included names, dates of birth, diagnoses and conditions, and ICD codes. In order to prevent a similar breach from happening in the future, CMH reviewed and updated policies, created a new online course, retrained employees, physician received monetary sanctions, and conducted additional counseling. CMH sent out breach notices to affected individuals, sent a media notice to the Kansas City Star, and provided notice via CMH’s website. CMH provided documentation of the actions it took in this matter. | Children’s Mercy Hospital MO Healthcare Provider 5511 | Friday | 2017 |
Seton Healthcare Family | TX | Healthcare Provider | 5500 | 2013-10-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Seton Healthcare Family after it reported that on October 4, 2013, an unencrypted laptop computer that contained the electronic protected health information (ePHI) of 5,500 patients was stolen from a clinic. The ePHI included patients’ names, medical record numbers, account numbers, social security numbers, dates of birth, diagnoses, immunizations, and insurance information. The CE notified HHS, affected individuals, and the media in accordance with the Breach Notification Rule and provided free credit monitoring services for one year. The CE took a number of corrective actions to prevent future breaches. It implemented a full disk encryption policy to be applied prior to deployment of new computers, updated internal processes, and retrained staff on its updated processes. The CE also sanctioned and re-trained the workforce member involved in the breach, and confirmed the same was applied to the Dell IT technician involved with system upgrades, including encryption. OCR obtained assurances that the CE implemented the corrective actions listed. | Seton Healthcare Family TX Healthcare Provider 5500 | Wednesday | 2013 |
Mercer Health & Benefits | ID | Business Associate | 5500 | 2010-08-10 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Idaho Power Group Health Plan’s business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer’s Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. | Mercer Health & Benefits ID Business Associate 5500 | Tuesday | 2010 |
Managed Health Services | IN | Health Plan | 5500 | 2016-11-29 | Theft | NA | NA | NA | NA | NA | Laptop |  | NA | NA | NA | NA | NA | NA | No | NA | Managed Health Services IN Health Plan 5500 | Tuesday | 2016 |
Palomar Health, Privacy Manager Breach | CA | Healthcare Provider | 5499 | 2014-03-28 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A workforce member’s car was broken into resulting in the theft and loss of two unencrypted flash drives containing the protected health information (PHI) of 5,499 individuals. Types of PHI involved in the breach included names, dates of birth, diagnoses/treatment information, and insurance information, including some Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media, and provided credit monitoring and identity theft protection for the affected individuals. In response to the breach, the CE sanctioned and retrained the workforce member involved with the breach who was not following the CE’s policies and procedures and retrained other workforce members on its HIPAA security procedures. The CE also implemented a USB encryption lockdown project which enhanced the CE’s technical safeguards. OCR’s investigation resulted in improved HIPAA practices at the covered entity. | Palomar Health, Privacy Manager Breach CA Healthcare Provider 5499 | Friday | 2014 |
Anthem BCBS of GA | IN | Business Associate | 5497 | 2013-08-13 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CE’s business associate (BA). This breach affected approximately 5,497 individuals and included demographic information. Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals. The CE also sent a memorandum and its corrective action/sanction policy to the account manager’s staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative. OCR obtained assurances that the CE implemented the corrective action listed above. | Anthem BCBS of GA IN Business Associate 5497 | Tuesday | 2013 |
Muir Medical Group, IPA, Inc. | CA | Business Associate | 5485 | 2018-05-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Muir Medical Group, IPA, Inc. CA Business Associate 5485 | Tuesday | 2018 |
Abrham Tekola, M.D.,INC | CA | Healthcare Provider | 5471 | 2014-06-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Two unencrypted desktop computers and one unencrypted laptop computer were stolen during a burglary. The breach affected 5,471 individuals and the types of protected health information (PHI) involved included patients’ names, social security numbers, addresses, dates of birth, and medical information. Upon learning of the theft, the covered entity (CE) hired a legal firm to assist with responding and notifying all individuals affected. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE hired specialized data security personnel, conducted a Security Rule risk analysis, and implemented a risk mitigation plan that reflects the current work environment. Additionally, the CE improved safeguards by updating its policies and procedures on portable/mobile devices and encrypting its electronic equipment. The CE completed security awareness training of its workforce members. OCR obtained documentation that the CE implemented the corrective actions noted above and provided technical assistance regarding the HIPAA Security Rule. | Abrham Tekola, M.D.,INC CA Healthcare Provider 5471 | Friday | 2014 |
Sentara Healthcare | VA | Healthcare Provider | 5454 | 2017-01-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Sentara Healthcare VA Healthcare Provider 5454 | Monday | 2017 |
John Muir Physician Network | CA | Healthcare Provider | 5450 | 2010-04-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE installed encryption software and increased physical security. | John Muir Physician Network CA Healthcare Provider 5450 | Saturday | 2010 |
International Union of Operating Engineers Local Unions 181, 320 & TVA Health and Welfare Trust Fund | KY | Health Plan | 5440 | 2015-04-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | International Union of Operating Engineers Local Unions 181, 320 & TVA Health and Welfare Trust Fund KY Health Plan 5440 | Thursday | 2015 |
Valley View Hospital Association | CO | Healthcare Provider | 5415 | 2014-03-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | On January 25, 2014, Valley View Hospital Association, the covered entity (CE), discovered that malware infected 172 of its computer workstations. The CE determined that, on 90 of the 172 infected workstations, the malware took screen shots of the electronic protected health information (ePHI) belonging to 5,415 individuals, and the malware stored those screen shots as encrypted files “hidden” on the workstations’ hard drives. The screen shots contained names, social security numbers, and other demographic information as well as credit card information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE deployed anti-virus software and cleaned the malware from its systems. OCR’s investigation resulted in the CE revising its procedures for safeguarding ePHI and protecting against malicious software. OCR provided technical assistance to the CE regarding the Security Rule’s risk analysis and risk management requirements. OCR also obtained an assurance from the CE that it would update its risk analysis and risk management plan. | Valley View Hospital Association CO Healthcare Provider 5415 | Friday | 2014 |
Just the Connection Inc | IN | Business Associate | 5388 | 2013-05-20 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Just the Connection Inc IN Business Associate 5388 | Monday | 2013 |
Health Dimensions | MI | Healthcare Provider | 5370 | 2014-01-16 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On November 2, 2013, the covered entity (CE), Health Dimensions, was burglarized and a computer server containing the protected health information (PHI) of 5,370 individuals was stolen. The server contained faxed copies of patients’ prescription orders. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE repaired damage to its building, and trained staff on its HIPAA policies and procedures. OCR obtained documentation that the CE implemented the corrective actions listed above. | Health Dimensions MI Healthcare Provider 5370 | Thursday | 2014 |
Hospice and Palliative Care Center of Alamance Caswell | NC | Healthcare Provider | 5370 | 2013-04-04 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No |  | Hospice and Palliative Care Center of Alamance Caswell NC Healthcare Provider 5370 | Thursday | 2013 |
Healthfirst Affiliates that include Healthfirst PHSP, Inc., Managed Health, Inc., HF Management Services, LLC, and Senior Health Partners | NY | Health Plan | 5338 | 2015-07-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Healthfirst Affiliates that include Healthfirst PHSP, Inc., Managed Health, Inc., HF Management Services, LLC, and Senior Health Partners NY Health Plan 5338 | Friday | 2015 |
Estill County Chiropractic, PLLC | KY | Healthcare Provider | 5335 | 2017-03-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Estill County Chiropractic, PLLC KY Healthcare Provider 5335 | Thursday | 2017 |
UnitedHealth Group Single Affiliated Covered Entity (SACE) | MN | Health Plan | 5330 | 2016-05-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | UnitedHealth Group Single Affiliated Covered Entity (SACE) MN Health Plan 5330 | Wednesday | 2016 |
Northwest Primary Care Group | OR | Healthcare Provider | 5327 | 2015-12-11 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | On October 13, 2015, the covered entity (CE), Northwest Primary Care Group, discovered that a former employee, prior to being terminated, had impermissibly accessed and downloaded information from a desktop computer within the facility. Local law enforcement notified the CE that the former employee had accessed and printed a fifty-two (52) page document that contained the protected health information of 5,327 individuals. The types of PHI contained in the document included the names of 5,327 patients, and one or more of the following: social security numbers, dates of birth, credit card and/or bank account information. The CE notified HHS, affected individuals, and the media pursuant to the Breach Notification Rule. It also offered one year of free credit monitoring to all affected individuals. Following the breach, the CE implemented technical safeguards, revised its HIPAA policies and procedures, and retrained workforce members. OCR obtained satisfactory assurances that the CE implemented the corrective actions noted above. | Northwest Primary Care Group OR Healthcare Provider 5327 | Friday | 2015 |
University of Iowa Hospitals & Clinics | IA | Healthcare Provider | 5292 | 2017-06-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Iowa Hospitals & Clinics IA Healthcare Provider 5292 | Thursday | 2017 |
L. Douglas Carlson, M.D. | CA | Healthcare Provider | 5257 | 2009-11-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. | L. Douglas Carlson, M.D. CA Healthcare Provider 5257 | Friday | 2009 |
TSYS Employee Health Plan | GA | Health Plan | 5232 | 2013-10-02 | Theft | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | TSYS Employee Health Plan, the covered entity (CE), discovered that an employee of the CE’s business associate (BA), Paragon Benefits, Inc., misappropriated a digital file that contained protected health information (PHI) for 5,232 beneficiaries. The CE sent timely breach notification to HHS, to affected individuals, to the media and posted substitute notification on its website. In response to the breach, the CE provided affected individuals with identity theft protection, credit monitoring, tax forms, contact information for the Federal Trade Commission, and instructions on how to put a credit freeze on a credit account. OCR determined that the CE and BA had an effective BA agreement in place at the time of the breach. The CE terminated its contract with the BA as of December 31, 2012, but the BA continues to provide services for outstanding claims that it submitted on the CE’s behalf. The CE obtained assurances from the BA that additional security measures have been implemented. OCR obtained assurances that the CE implemented the corrective actions listed above. | TSYS Employee Health Plan GA Health Plan 5232 | Wednesday | 2013 |
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. | MD | Healthcare Provider | 5228 | 2018-01-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. MD Healthcare Provider 5228 | Friday | 2018 |
Mississippi Division of Medicaid | MS | Health Plan | 5220 | 2017-05-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | On April 7, 2017 the covered entity (CE), Mississippi Division of Medicaid, discovered that beginning on May 2, 2014, an employee had used WuFoo, an online service, to create and post online forms to the CE’s external website for public use. While these forms were secure on the CE’s and WuFoo’s websites, they were not encrypted when emailed between Wufoo and the CE’s employees. These forms requested protected health information (PHI) from beneficiaries. As the form information was transmitted via unencrypted email across the public internet, the CE was unable to determine whether a third party inappropriately accessed the form information contained in these emails. The CE did not have a Business Associate Agreement (BAA) with WuFoo. The PHI contained in the unsecured forms included: beneficiary or potential applicants’ names, addresses, emails, enrollment dates, Medicaid and/or Medicare identification numbers, social security numbers, phone numbers, clinical information, and health plans. Approximately 4,524 people were affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice on its website. Following the breach, the CE cancelled its WuFoo account and conducted an audit of all active contracts to ensure proper BAAs. It also revised its purchasing policy and Privacy and Security policies and trained staff on its new policies. Additionally, the CE structured the Privacy Officer position to report directly to the CE’s Executive Director and counseled the employee involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Mississippi Division of Medicaid MS Health Plan 5220 | Friday | 2017 |
City of Charlotte, NC (Health Plan) | NC | Health Plan | 5220 | 2010-05-24 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | City of Charlotte, NC (Health Plan) NC Health Plan 5220 | Monday | 2010 |
Serene Sedation, LLC | MD | Healthcare Provider | 5207 | 2018-03-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Serene Sedation, LLC MD Healthcare Provider 5207 | Wednesday | 2018 |
Jacksonville Spine Center | FL | Healthcare Provider | 5200 | 2013-06-24 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error. The mailing resulted in some individuals receiving correspondence with another patient’s name on the envelope. The only PHI involved in the breach was patients’ names. The CE provided breach notification to HHS, the media and affected individuals. The notice to individuals requested that patients either return the envelope to the CE or destroy the envelope. As a result of this incident, the CE issued a written warning to the responsible workforce member pursuant to the CE’s sanction policy. Moreover, the CE implemented additional safeguards including the checking of data file integrity prior to sending mailings. OCR obtained assurances that the CE implemented the corrective action listed above. | Jacksonville Spine Center FL Healthcare Provider 5200 | Monday | 2013 |
KP Northern CA Department of Research | CA | Healthcare Provider | 5178 | 2014-04-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kaiser Permanente Northern California Division of Research, reported a breach of 5,178 individuals’ electronic protected health information (e-PHI), as a result of a malware software infection on its computer server. The types of ePHI involved in the breach included names, dates of birth, genders, addresses, race/ethnicity information, medical record numbers, lab results, and responses patients provided to research-related questions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE conducted an updated security analysis, revised its policies and procedures, and provided training to its workforce members. OCR obtained written assurances that the CE implemented the corrective actions noted above and provided technical assistance regarding the HIPAA Security Rule. | KP Northern CA Department of Research CA Healthcare Provider 5178 | Wednesday | 2014 |
Mark D. Lurie, MD | CA | Healthcare Provider | 5166 | 2009-11-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. | Mark D. Lurie, MD CA Healthcare Provider 5166 | Friday | 2009 |
Valley Women’s Health, S.C. | IL | Healthcare Provider | 5155 | 2017-04-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Valley Women’s Health, S.C. IL Healthcare Provider 5155 | Wednesday | 2017 |
Medical Center At Bowling Green | KY | Healthcare Provider | 5148 | 2010-04-26 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No |  | Medical Center At Bowling Green KY Healthcare Provider 5148 | Monday | 2010 |
Flexible Benefit Service Corporation | IL | Business Associate | 5123 | 2018-02-16 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Flexible Benefit Service Corporation IL Business Associate 5123 | Friday | 2018 |
St. Peter’s Health Partners | NY | Healthcare Provider | 5117 | 2015-01-23 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Peter’s Health Partners NY Healthcare Provider 5117 | Friday | 2015 |
Laboratory Corporation of America/Dynacare Northwest, Inc. | WA | Healthcare Provider | 5080 | 2010-03-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen from a workforce member’s car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. | Laboratory Corporation of America/Dynacare Northwest, Inc. WA Healthcare Provider 5080 | Thursday | 2010 |
Aetna Inc. | CT | Health Plan | 5002 | 2017-06-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Aetna Inc. CT Health Plan 5002 | Tuesday | 2017 |
SAGE DENTAL MANAGEMENT, LLC | FL | Business Associate | 5000 | 2017-07-19 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | SAGE DENTAL MANAGEMENT, LLC FL Business Associate 5000 | Wednesday | 2017 |
Walnut Place | TX | Healthcare Provider | 5000 | 2017-07-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Walnut Place TX Healthcare Provider 5000 | Wednesday | 2017 |
Locust Fork Pharmacy | AL | Healthcare Provider | 5000 | 2016-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On February 15, 2016, the covered entity (CE), Locust Fork Pharmacy, discovered the lock on one of their storage units was broken. The storage unit contained boxes of records for approximately 5,000 individuals. Protected health Information (PHI) in the records included names, addresses, and birth dates. The CE determined that all the boxes were stacked in sequence, none was missing, and all remained sealed. The CE worked with local police in the investigation of the incident, and updated its policies and procedures related to breach response, breach mitigation, and physical security of the storage unit. The CE provided breach notification to HHS and posted media notice in its geographic area for two weeks in March 2016. OCR obtained assurances that the CE implemented the corrective actions listed above. | Locust Fork Pharmacy AL Healthcare Provider 5000 | Friday | 2016 |
Planned Parenthood Southwest Ohio | OH | Healthcare Provider | 5000 | 2015-02-05 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On October 1, 2014, the Covered Entity (CE) mistakenly disposed of binders containing protected health information (PHI). The CE’s archived prescription dispensing logs and waived lab test logs were left in an unlocked closet after business hours and a custodian mistakenly put them in a trash dumpster. The following morning, the dumpster was emptied by the trash collector who took it to be buried with other garbage at a landfill that same day. The PHI involved in the incident included the names, dates of birth, lab results, and medications of approximately 5,000 individuals. After the CE filed the breach report, it determined that the incident was a non-reportable breach based on a four-part breach assessment and a low probability that the PHI in the binders had been compromised. The CE stated that its breach filing to OCR was not untimely, but was made in error. The CE conducted an investigation, re-trained all staff regarding its HIPAA policies and procedures, completed on-site HIPAA compliance audits, and implemented a new policy to address bulk trash removal from the health centers. OCR obtained written assurances that the voluntary actions of the CE listed above were taken. | Planned Parenthood Southwest Ohio OH Healthcare Provider 5000 | Thursday | 2015 |
Pediatric Gastroenterology Consultants | CO | Healthcare Provider | 5000 | 2014-12-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 16, 2014, an employee of the covered entity (CE), Pediatric Gastroenterology Consultants, P.C., discovered that a laptop owned by the CE had been stolen from his vehicle. The laptop was password-protected but unencrypted, and it contained the electronic protected health information (ePHI) of approximately 5,000 individuals. Specifically, it contained patients’ first and last names, dates of birth, dates of service, and medical information including medical histories, lab test results, diagnoses, and medical treatment recommendations. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented corrective actions, such as encryption and employee security training, to prevent similar breaches from occurring in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pediatric Gastroenterology Consultants CO Healthcare Provider 5000 | Friday | 2014 |
IHS | MD | Health Plan | 5000 | 2014-04-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity’s (CE) network penetration testing team discovered protected health information (PHI) on open shares in a network attached storage device that could have affected 5,000 individuals if the IT department had not caught the problem in time. There was no indication of a breach and the CE immediately secured the website and notified the facility to delete all emails. The CE implemented a mandatory monthly training for all site managers to include a discussion of all site incidents. | IHS MD Health Plan 5000 | Tuesday | 2014 |
Partners In Nephrology & Endocrinology, P.C. | PA | Healthcare Provider | 5000 | 2014-03-14 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Partners In Nephrology & Endocrinology, P.C. PA Healthcare Provider 5000 | Friday | 2014 |
Todd M. Burton, M.D. | TX | Healthcare Provider | 5000 | 2014-03-13 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Todd M. Burton, M.D. TX Healthcare Provider 5000 | Thursday | 2014 |
The Good Samaritan Health Center | GA | Healthcare Provider | 5000 | 2013-12-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | One of the covered entity’s (CE) computers was infected with malware and as a result, data on the infected computer was encrypted and made inaccessible. The CE subsequently restored the infected data. The type of protected health information (PHI) involved in the breach was clinical information and included diagnoses/conditions, lab results, medications, and other treatment information for approximately 5,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff, implemented additional safeguards for secure file backup, and upgraded its antivirus software. In response to OCR’s investigation, the CE provided substitute notice of the breach. OCR provided the CE with technical assistance regarding the Security Rule including risk analysis and risk management. | The Good Samaritan Health Center GA Healthcare Provider 5000 | Friday | 2013 |
PHMHS | PR | Business Associate | 5000 | 2013-09-11 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Upon request, a subcontractor (PHM Software Solutions) of the covered entity’s (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing, which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR provided technical assistance to help the CE understand its obligations under the Privacy and Security Rules regarding BA agreements. | PHMHS PR Business Associate 5000 | Wednesday | 2013 |
St. Joseph Medical Center | MD | Healthcare Provider | 5000 | 2011-11-03 | Theft | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | St. Joseph Medical Center MD Healthcare Provider 5000 | Thursday | 2011 |
Lansing Community College | MI | Business Associate | 5000 | 2011-07-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An unknown assailant associated with a foreign IP address attempted to bypass the security mechanisms of a computer server of a former third party administrator and business associate (BA), AssureCare Risk Management, of the covered entity (CE), Lansing Community College Dental Care Plan. Approximately 5,000 individuals were affected by the breach. The server contained protected health information (PHI) regarding some of the CE’s participants such as names, addresses, social security numbers and clinical information, including information regarding healthcare providers and types of service. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA shut down the unsecured server and hired Kroll Background America, a forensic computer security service, to investigate the nature and extent of the unauthorized access. Kroll’s findings indicated that it was unlikely that any of the CE’s member data was taken. The BA also reviewed and reevaluated its security policies and related BA agreements. OCR obtained written documentation that the BA implemented the corrective actions listed above. | Lansing Community College MI Business Associate 5000 | Monday | 2011 |
Port City Operating Company doing business as St. Joseph’s Medical Center | CA | Healthcare Provider | 4984 | 2018-08-31 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Port City Operating Company doing business as St. Joseph’s Medical Center CA Healthcare Provider 4984 | Friday | 2018 |
Columbia University Medical Center and NewYork-Presbyterian Hospital | NY | Healthcare Provider | 4929 | 2012-12-14 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Columbia University Medical Center and NewYork-Presbyterian Hospital NY Healthcare Provider 4929 | Friday | 2012 |
Rainier Surgical, Incorporated | TX | Healthcare Provider | 4920 | 2015-01-16 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Rainier Surgical, Inc., after it reported that a file drawer with explanations of benefits containing the protected health information (PHI) of 4,290 individuals was stolen from a warehouse. The PHI included names, addresses, dates of birth, health insurance information, explanations of benefits, and in some cases, credit card numbers and social security numbers. Upon discovering the breach, the CE filed a police report. The CE provided substitute notice and media notification in the localities with greater than 500 individuals affected. The CE offered one year of free credit monitoring services to individuals whose social security numbers may have been compromised. Following this breach, the CE retrained employees, reviewed its policies and procedures, and began storing some PHI with an on-site third party secure storage vendor. OCR confirmed that the CE took the actions described above. | Rainier Surgical, Incorporated TX Healthcare Provider 4920 | Friday | 2015 |
Coastal Behavioral Healthcare, Inc. | FL | Healthcare Provider | 4907 | 2012-12-07 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop. The CE indicated the four pages were likely part of a larger report and may have contained the PHI of 4,907 individuals. The PHI involved in the breach included names, social security numbers, dates of birth, and other identifiers. The CE provided breach notification to the affected individuals, HHS, and the media. Following the breach, the CE hired a cybersecurity firm to perform a network audit and to conduct a security risk assessment. The CE also improved safeguards by restricting physical access to its information technology department, implementing a new electronic health record system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Coastal Behavioral Healthcare, Inc. FL Healthcare Provider 4907 | Friday | 2012 |
Consolidated Tribal Health Project, Inc. | CA | Healthcare Provider | 4885 | 2015-04-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | Other Portable Electronic Device | NA | NA | NA | No | NA | Consolidated Tribal Health Project, Inc. CA Healthcare Provider 4885 | Tuesday | 2015 |
Northside Hospital, Inc. | GA | Healthcare Provider | 4879 | 2013-12-10 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A password-protected, unencrypted laptop was lost or stolen when a Northside Hospital (NSH) workforce member inadvertently left it on the hood of her car while parked. The laptop contained the electronic protected health information (ePHI) of 4,879 individuals. The ePHI involved in the breach included patients’ names, account numbers, billing dates, diagnoses and/or diagnosis codes, and lab results. The covered entity (CE), NSH, provided breach notification to HHS, affected individuals, and the media and provided substitute notification. Following the breach, the CE encrypted all its ePHI. As a result of OCR’s investigation, the CE also revised its HIPAA policies regarding mobile devices and breach notification, and implemented other safeguards. | Northside Hospital, Inc. GA Healthcare Provider 4879 | Tuesday | 2013 |
Valley Plastic Surgery, P.C. | VA | Healthcare Provider | 4873 | 2012-09-13 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) backup hard drive was stolen from the physician’s car, along with a camera and prescription pads. All the items were thrown aside except for the hard drive. The PHI involved in the breach consisted mainly of names and clinic notes of 4,873 individuals, while dates of birth were involved in some instances. Some photos of patients’ hands were also involved. Following the breach, the CE filed a police report. As a result of OCR’s investigation, the CE updated HIPAA policies, re-trained staff at all levels, and contracted with a third party to provide record storage service and encryption. | Valley Plastic Surgery, P.C. VA Healthcare Provider 4873 | Thursday | 2012 |
University of California Irvine Medical Center | CA | Healthcare Provider | 4859 | 2015-06-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | University of California Irvine Medical Center CA Healthcare Provider 4859 | Wednesday | 2015 |
Health Fitness Corporation | IL | Business Associate | 4837 | 2013-11-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Health Fitness Corporation IL Business Associate 4837 | Thursday | 2013 |
Neurology Physicians LLC | MD | Healthcare Provider | 4831 | 2016-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Neurology Physicians LLC MD Healthcare Provider 4831 | Wednesday | 2016 |
Willis North America Inc. Medical Expense Benefit Plan | NY | Health Plan | 4830 | 2014-04-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A group health plan administrator emailed 1,889 plan participants a spreadsheet containing the protected health information (PHI) of 4,830 plan participants, including their names, dates of birth and social security numbers. The covered entity (CE), Willis North America Inc. Medical Expense Benefit Plan, provided breach notification to HHS, the media, and the affected individuals, including the offer of two years of identity theft protection at no cost to the affected individuals. Following the breach, the CE blocked recipients’ ability to forward the email, deleted the email from recipients’ inboxes, and instructed recipients to delete the email and not save or forward it. The CE also tracked all instances of recipients forwarding the email prior to the block and obtained assurances that the PHI had been deleted, no copies kept, and such PHI had not been and would not be used for any improper purpose. The CE also instructed its workforce members to follow new protocols for handling PHI, including encrypting and password-protecting attachments with sensitive information prior to transmission and, when possible, opening such information in a secure shared drive as opposed to emailing it. The CE also sanctioned the administrator. Additionally, the CE adopted HIPAA policies and procedures relating to the handling of PHI, updated its HIPAA training, and completed an assessment to examine what e-PHI it maintains and where, why and how the CE maintains and transmits that e-PHI. OCR obtained assurances that the CE implemented the corrective actions listed. Additionally, the CE is expected to conduct a risk analysis and implement a corresponding remediation plan as required by the Security Rule, and to make certain revisions to its plan documents to comply with the Privacy Rule. | Willis North America Inc. Medical Expense Benefit Plan NY Health Plan 4830 | Thursday | 2014 |
The Terteling Co., Inc., Group Benefit Plan | ID | Health Plan | 4824 | 2018-07-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | The Terteling Co., Inc., Group Benefit Plan ID Health Plan 4824 | Friday | 2018 |
SSM Dean Medical Group | WI | Healthcare Provider | 4800 | 2017-01-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | SSM Dean Medical Group WI Healthcare Provider 4800 | Tuesday | 2017 |
Walmart Stores, Inc. | AR | Healthcare Provider | 4800 | 2016-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Walmart Stores, Inc. AR Healthcare Provider 4800 | Tuesday | 2016 |
Jeffrey Paul Edelstein M.D. | AZ | Healthcare Provider | 4800 | 2012-07-27 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Jeffrey Paul Edelstein M.D. AZ Healthcare Provider 4800 | Friday | 2012 |
J. A. Still Corporation | MO | Business Associate | 4800 | 2011-01-18 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity’s (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR’s investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database. | J. A. Still Corporation MO Business Associate 4800 | Tuesday | 2011 |
StayWell Health Management, LLC | MN | Business Associate | 4786 | 2014-02-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | StayWell Health Management, a business associate (BA) for multiple covered entities (CE), reported that, from March 29, 2012, until January 21, 2014, spreadsheets containing the protected health information (PHI) of 19,474 individuals who participated in wellness programs were unintentionally available online when an internal administrative tool generated reports and placed those reports in a public facing folder. The types of PHI on the spreadsheets included the participants’ names, email addresses, unique BA identification numbers, and information about participation in the program. The BA provided breach notification to HHS, affected individuals, and the media on behalf of the CEs affected by the breach: Regents of the University of Minnesota, Missouri Consolidated Health Care Plan, Clorox Company Group Insurance Plan, Nissan North America, Inc., and QBE Holdings, Inc. Upon discovery of the breach, the BA upgraded its platform and revised and implemented its policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. Steps were also taken to restrict access to and to remove the data entirely from Google, Bing, Yahoo, and other search engines. Separate breach cases have been opened for each of the affected CEs. | StayWell Health Management, LLC MN Business Associate 4786 | Friday | 2014 |
Molina Healthcare of New Mexico, Inc. | NM | Business Associate | 4744 | 2014-05-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On behalf of the covered entity (CE), Molina Healthcare of California Partner Plan, Inc., a business associate (BA) subcontractor, printed and mailed postcards to the CE’s former members addressed generically to “Resident” and containing a tracking number, that in some cases, was the member’s social security number. Approximately 4,744 individuals were affected by this breach. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. It also offered affected individuals one year of free identity theft protection services. As a result of the incident, the CE revised and developed HIPAA policies and procedures to better safeguard protected health information (PHI) during mailing projects. It also counseled the workforce members involved in the incident pursuant to its policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | Molina Healthcare of New Mexico, Inc. NM Business Associate 4744 | Saturday | 2014 |
Associated Dentists | MN | Healthcare Provider | 4725 | 2015-05-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Associated Dentists MN Healthcare Provider 4725 | Monday | 2015 |
Daniel Drake Center for Post-Acute Care | OH | Healthcare Provider | 4721 | 2017-08-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Daniel Drake Center for Post-Acute Care OH Healthcare Provider 4721 | Tuesday | 2017 |
ZDI | CA | Business Associate | 4718 | 2013-07-10 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | ZDI CA Business Associate 4718 | Wednesday | 2013 |
Contra Costa Health Services | CA | Healthcare Provider | 4700 | 2011-12-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Contra Costa Health Services CA Healthcare Provider 4700 | Wednesday | 2011 |
Debra C. Duffy, DDS | TX | Healthcare Provider | 4700 | 2010-10-05 | Theft | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop and network server were stolen during a burglary of the office. The breach affected approximately 4700 individuals. The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver’s license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. | Debra C. Duffy, DDS TX Healthcare Provider 4700 | Tuesday | 2010 |
Paul C. Brown, MD, PS | WA | Healthcare Provider | 4693 | 2011-12-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Paul C. Brown, MD, PS WA Healthcare Provider 4693 | Thursday | 2011 |
VCU Health System | VA | Healthcare Provider | 4686 | 2018-07-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | VCU Health System VA Healthcare Provider 4686 | Friday | 2018 |
Min Yi, M.D. | CA | Healthcare Provider | 4676 | 2014-02-05 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A desktop computer hard drive and a backup external hard drive containing the electronic protected health information (ePHI) of 4,676 individuals were stolen from the office of the covered entity (CE), Dr. K. Min Yi. The ePHI on the external hard drive included names, addresses, phone numbers, insurance identification numbers, social security numbers, checking account information, medical and surgical information, diagnosis and procedure codes, and dates of birth. The CE provided breach notification to HHS, the media, and affected individuals, and provided credit monitoring to patients who contacted her with privacy concerns. In response to the breach the CE improved physical safeguards, implemented revised administrative policies and encrypted ePHI. OCR’s investigation resulted in the CE improving its HIPAA practices. | Min Yi, M.D. CA Healthcare Provider 4676 | Wednesday | 2014 |
Clinical Reference Laboratory, Inc. | KS | Healthcare Provider | 4668 | 2015-03-03 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Service (USPS). The protected health information (PHI) involved in the breach included the names, dates of service, partial social security numbers, and lab test types of approximately 4,668 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation. | Clinical Reference Laboratory, Inc. KS Healthcare Provider 4668 | Tuesday | 2015 |
Princeton Pain Management | NJ | Healthcare Provider | 4668 | 2017-01-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | NA | Princeton Pain Management NJ Healthcare Provider 4668 | Friday | 2017 |
Quantum Health Consulting | PR | Business Associate | 4645 | 2012-03-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE’s business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. | Quantum Health Consulting PR Business Associate 4645 | Monday | 2012 |
Michael Gruber DMD PA | NJ | Healthcare Provider | 4624 | 2018-04-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Michael Gruber DMD PA NJ Healthcare Provider 4624 | Friday | 2018 |
Catholic Charities of the Diocese of Albany | NY | Healthcare Provider | 4624 | 2017-10-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Catholic Charities of the Diocese of Albany NY Healthcare Provider 4624 | Friday | 2017 |
Chilton Medical Center | NJ | Healthcare Provider | 4600 | 2017-12-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Chilton Medical Center NJ Healthcare Provider 4600 | Friday | 2017 |
RGH Enterprises, Inc. | OH | Healthcare Provider | 4586 | 2018-01-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | RGH Enterprises, Inc. OH Healthcare Provider 4586 | Monday | 2018 |
RxAmerica, a subsidiary of CVS Caremark | TX | Business Associate | 4573 | 2011-07-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | RxAmerica, a subsidiary of CVS Caremark TX Business Associate 4573 | Friday | 2011 |
Sheet Metal Local 36 Welfare Fund | MO | Business Associate | 4560 | 2013-07-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Sheet Metal Local 36 Welfare Fund, reported that an employee of its business associate (BA), People Resources Corporation, inadvertently uploaded Excel spreadsheets containing the CE’s Member Assistance Program (MAP) eligibility data onto an unsecure website maintained by the BA. An unknown individual or entity believed to be in China uploaded the data to two additional websites. In addition, two other websites contained links to the BA’s unsecure website. The spreadsheets contained the names, addresses, dates of birth, and social security numbers of 4,560 members (but not dependents). The BA was purchased by E4 Health, Inc. in September 2013. The CE provided breach notification to HHS, affected individuals, and the media. The BA immediately removed the protected health information (PHI) from the unsecure website, confirmed that the PHI was no longer available on its websites or through internet search engines, and confirmed that only one spreadsheet was accessed by unauthorized parties and the other spreadsheets had not been viewed or compromised. The BA adopted additional protections to prevent future unauthorized disclosures (including management level review of any documents posted to its websites). Additionally, the CE met with each of its vendors to review the vendors’ security procedures and protocols and instituted a review program, as well as reviewed its own internal procedures. OCR obtained assurances that the CE and BA implemented the corrective actions listed. | Sheet Metal Local 36 Welfare Fund MO Business Associate 4560 | Monday | 2013 |
QuadMed, LLC (Whirlpool) | WI | Healthcare Provider | 4549 | 2018-01-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | QuadMed, LLC (Whirlpool) WI Healthcare Provider 4549 | Monday | 2018 |
Arkansas Children’s Hospital | AR | Healthcare Provider | 4521 | 2018-06-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Arkansas Children’s Hospital AR Healthcare Provider 4521 | Friday | 2018 |
Walgreen Co. | IL | Healthcare Provider | 4500 | 2017-02-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Walgreens, sent an improperly formatted survey letter to individuals so that protected health information (PHI) was visible in the addressee window of the envelope. The visible PHI included recent prescription histories, clinical, and demographic data affecting 4,500 individuals in 49 states. Following the breach, the CE conducted an investigation to determine the root cause of the breach, revised quality control steps for mailings that contain PHI, and retrained department staff on its revised procedures. The CE provided breach notification to HHS, affected individuals, and the media and posted a substitute notice on the home page of its website. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | Walgreen Co. IL Healthcare Provider 4500 | Friday | 2017 |
Indian Territory Home Health and Hospice | OK | Healthcare Provider | 4500 | 2015-10-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | This review has been consolidated with a review of Aspire Home Care and Hospice. | Indian Territory Home Health and Hospice OK Healthcare Provider 4500 | Thursday | 2015 |
ReachOut Home Care [Case #16687] | KY | Healthcare Provider | 4500 | 2014-12-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | ReachOut Home Care [Case #16687] KY Healthcare Provider 4500 | Tuesday | 2014 |
M&M Computer Services | TX | Business Associate | 4500 | 2014-10-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An unknown third party intruder hacked into a server of a business associate (BA) which maintained electronic health records for the covered entity (CE), Penn Highlands Brookville. The breach potentially affected the protected health information (PHI) of 4,500 individuals and included names, dates of birth, social security numbers, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media, and offered affected individuals one year of credit monitoring. Following the breach, the CE terminated its relationship with the BA. OCR initiated a compliance review of the BA in July of 2015, but learned that it was no longer doing business or acting as a BA. As a result of OCR’s investigation, the CE developed a checklist to use to ensure that electronic health record systems used by medical practices acquired by the CE comply with the HIPAA Privacy and Security Rules and to ensure that proper BA agreements are in place. | M&M Computer Services TX Business Associate 4500 | Friday | 2014 |
PruittHealth Corporation | GA | Healthcare Provider | 4500 | 2013-12-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | PruittHealth Corporation GA Healthcare Provider 4500 | Friday | 2013 |
TriWest Healthcare Alliance Corp. | AZ | Business Associate | 4500 | 2011-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | TriWest Healthcare Alliance Corp. AZ Business Associate 4500 | Tuesday | 2011 |
University of Kentucky HealthCare | KY | Healthcare Provider | 4490 | 2012-06-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On May 1, 2012, an unencrypted laptop of a University of Kentucky Health Care employee with the protected health information (PHI) of approximately 4,488 individuals was stolen from a workforce member’s son, who borrowed the laptop without permission and knew the computer’s password. The PHI involved in the breach included medical record numbers, dates of visits, and chief complaints. The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, set up a toll-free number for questions, and posted substitute notice on its website. The responsible workforce member was suspended pending an investigation and ultimately resigned. The CE created and revised its HIPAA policies and procedures, including its mobile device policy, and implemented additional security measures to address high and moderate risks identified in its risk analysis. Finally, the CE provided evidence of employee training and security reminders. OCR obtained assurances that the corrective actions listed above were completed. | University of Kentucky HealthCare KY Healthcare Provider 4490 | Tuesday | 2012 |
StayWell Health Management, LLC | MN | Business Associate | 4487 | 2014-07-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | StayWell Health Management, LLC MN Business Associate 4487 | Thursday | 2014 |
Hanger Prosthetics & Orthotics, Inc. | TX | Healthcare Provider | 4486 | 2011-01-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use. | Hanger Prosthetics & Orthotics, Inc. TX Healthcare Provider 4486 | Monday | 2011 |
Sutter Health East Bay Region | CA | Healthcare Provider | 4479 | 2013-07-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | The Alameda County Sheriff’s office found a list of protected health information (PHI) belonging to 4,491 individuals during an unrelated investigation and provided it to the covered entity (CE), Sutter Health East Bay Region. The list contained demographic information such as names, addresses, dates of birth, social security numbers, and other identifiers. The CE determined that the PHI was stolen by a workforce member of its business associate (BA). The PHI belonged to patients of the following CE hospitals: Alta Bates Summit Medical Center, Sutter Delta Medical Center, and Eden Medical Center. The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring. Following the breach, the CE conducted an internal forensics investigation, hired an external forensics firm, and fully implemented data loss prevention technology. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the workforce member responsible for the breach is no longer employed by the BA. | Sutter Health East Bay Region CA Healthcare Provider 4479 | Friday | 2013 |
Gillette Medical Imaging | WY | Healthcare Provider | 4476 | 2018-01-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Gillette Medical Imaging WY Healthcare Provider 4476 | Thursday | 2018 |
AdminisTEP | TX | Business Associate | 4469 | 2014-11-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) print and mail sorting vendor, Administep, improperly stuffed and mailed letters which contained other enrollees’ names, addresses, subscriber identifications, claims amounts, and service descriptions. The breach affected approximately 4,469 of the CE’s enrollees. The CE provided breach notification to HHS, the media, and affected individuals, and offered individuals free one-year identity theft protection services. In response to the incident, the CE provided evidence that it placed the business associate (BA) responsible for the breach on a corrective action plan which required the BA to complete a documented quality assurance check for each new implementation or modification of a mailing project. This includes administrative sign-offs and ongoing, random audits on a sample of envelopes for each project. OCR obtained assurances that the CE implemented the corrective actions listed. | AdminisTEP TX Business Associate 4469 | Tuesday | 2014 |
Kaiser Permanente Health Plan, Inc of Northern California | CA | Health Plan | 4432 | 2016-11-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On October 12, 2016, Kaiser Permanente upgraded its website, kp.org, which resulted in an incorrect configuration setting for caching data. This website upgrade affected several covered entities (CEs), including Kaiser Permanente Health Plan of Northern California. As a result of the error, some users who logged into the website may have had some of the protected health information (PHI) they viewed online saved into the cache where it could be seen by other visitors to the webpage. Kaiser Permanente was alerted to the incident and took action to repair the error. The breach affected approximately 4,432 individuals participating with this CE. The types of PHI involved in the breach included financial, clinical and demographical information. The CE provided breach notification to HHS, affected individuals, and the media. It also provided substitute notice. In response to the breach, the CE created a corrective action plan to help mitigate the chances of a misconfiguration error by educating the relevant IT staff, creating new processes, ensuring sign offs and approvals at appropriate points in the process, testing an outcome before going live, and engaged a subject matter expert. OCR provided the CE with technical assistance regarding the HIPAA Security Rule including risk analysis and risk management. | Kaiser Permanente Health Plan, Inc of Northern California CA Health Plan 4432 | Monday | 2016 |
Florida Digestive Health Specialists | FL | Healthcare Provider | 4400 | 2013-12-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A patient scheduler at one of the covered entity’s (CE) small subsidiary offices impermissibly accessed the electronic health record (EHR) system via a virtual private network (VPN) and took photographic images of patient data, which she tried to download for printing at Wal-Mart. She accessed the records of about 4,400 patients and photographed those of 430. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, social security numbers, and telephone numbers. The suspect behavior at Wal-Mart was investigated by the County Sheriff, who informed the CE of the breach. The CE provided partial breach notification to affected individuals, HHS, the media, and provided substitute notice on its website. Following the breach, the CE discharged the workforce member and terminated her access to the EHR. The CE updated its privacy and security plan and employee handbook. In addition, the CE improved safeguards by limiting access to its VPN to providers and administrators, and instituted routine weekly audits of EHR system use. After OCR began its review, the covered entity retrained the office manager and the provider who had been at the office where the breach occurred. As a result of OCR’s investigation the CE received technical assistance on the complete requirements for breach notifications. | Florida Digestive Health Specialists FL Healthcare Provider 4400 | Monday | 2013 |
Desert AIDS Project | CA | Healthcare Provider | 4400 | 2012-04-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Desert AIDS Project CA Healthcare Provider 4400 | Friday | 2012 |
LC&Z General and Cosmetic Dentistry | FL | Healthcare Provider | 4391 | 2017-07-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | LC&Z General and Cosmetic Dentistry FL Healthcare Provider 4391 | Tuesday | 2017 |
Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 4389 | 2017-12-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaiser Foundation Health Plan, Inc. CA Health Plan 4389 | Thursday | 2017 |
California Health & Longevity Institute | CA | Healthcare Provider | 4386 | 2016-05-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | This case has been consolidated into an existing review. | California Health & Longevity Institute CA Healthcare Provider 4386 | Wednesday | 2016 |
Molalla Family Dental | OR | Healthcare Provider | 4354 | 2012-07-16 | Hacking/IT Incident | Other | Unauthorized Access/Disclosure | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The CE did not control access to the electronic protected health information (ePHI) of 4,354 individuals which was contained in the CE’s network-attached storage. Specifically, the CE’s firewall was set to allow access to a port that permitted anyone outside of CE’s firewall to access patient information. The ePHI involved in the breach included names, addresses, email addresses, dates of birth, patient intake sheets, invoices, dental charts, photos, x-rays, insurance information, credit card numbers, dates of birth, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE closed access to the unsecured port, encrypted ePHI, upgraded operating system software on all workstations, implemented new firewall rules, installed a new server, set up automatic software patching and spyware removal, and deployed new virus and spam filters. The CE also retrained employees and implemented extensive policies and procedures, including new backup procedures for ePHI. OCR obtained assurances that the corrective actions were taken. | Molalla Family Dental OR Healthcare Provider 4354 | Monday | 2012 |
Clearpoint Design, Inc. | MA | Business Associate | 4343 | 2012-12-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Clearpoint Design, Inc. MA Business Associate 4343 | Friday | 2012 |
Healthcare Management System | TN | Business Associate | 4330 | 2013-10-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Healthcare Management System TN Business Associate 4330 | Friday | 2013 |
Eastmoreland Surgical Clinic, William Graham, DO | OR | Healthcare Provider | 4328 | 2010-08-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Other | Other Portable Electronic Device | NA | NA | NA | NA | No | Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR’s investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. | Eastmoreland Surgical Clinic, William Graham, DO OR Healthcare Provider 4328 | Friday | 2010 |
CVS Caremark | AZ | Business Associate | 4305 | 2013-07-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Business associate (BA) employees erroneously sent 4,305 health plan members’ protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media. Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above. | CVS Caremark AZ Business Associate 4305 | Tuesday | 2013 |
Krichev Family Medicine, P.C. | AL | Healthcare Provider | 4300 | 2017-06-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Krichev Family Medicine, P.C. reported that a ransomware virus attacked its electronic medical records system on April 14, 2017, possibly affecting 4,299 individuals. The virus was removed and patient records were restored from a backup copy. The types of PHI involved included names, Social Security numbers, addresses, patient identification numbers, prescription information, diagnoses, medical procedure histories, and times and dates of treatment. Krichev Family Medicine, working with Amy E. Carter, MD, and Cove Family and Sports Medicine, LLC, provided breach notification to HHS, affected individuals and the media and also provided substitute notification on its website. The breach reports filed by Krichev Family Medicine, P.C., and Amy E. Carter, MD, have been consolidated into a review of Cove Family and Sports Medicine, LLC, which will include an investigation of the related entities and the ransomware incident. | Krichev Family Medicine, P.C. AL Healthcare Provider 4300 | Tuesday | 2017 |
Amy E. Carter, MD d/b/a Cove Family and Sports Medicine | AL | Healthcare Provider | 4300 | 2017-06-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Amy E. Carter, MD reported that a ransomware virus attacked her electronic medical records system on April 14, 2017, possibly affecting 4,299 individuals. The virus was removed and patient records were restored from a backup copy. The types of protected health information (PHI) involved included names, Social Security numbers, addresses, patient identification numbers, prescription information, diagnoses, medical procedure histories, and times and dates of treatment. Amy E. Carter, MD, working with Krichev Family Medicine, P.C., and Cove Family and Sports Medicine, LLC, provided breach notification to HHS, affected individuals, and the media, and also posted notice on their website. The breach reports filed by Amy E. Carter, MD, and Krichev Family Medicine, P.C., have been consolidated into a review of Cove Family and Sports Medicine, LLC, which will include an investigation of the related entities and the ransomware incident. | Amy E. Carter, MD d/b/a Cove Family and Sports Medicine AL Healthcare Provider 4300 | Tuesday | 2017 |
Huntington Medical Research Institutes | CA | Healthcare Provider | 4300 | 2015-10-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A workforce member took 4,300 patients’ protected health information (PHI) with her on several external computer hard drives when her employment with the covered entity (CE), Huntington Medical Research Institutes was terminated. The types of PHI involved in the breach included, variously, financial, demographic and financial information. The CE provided substitute notice, notice to the media, and notice to OCR pursuant to the requirements of the Breach Notification Rule. Following the breach, the CE worked with the workforce member’s counsel to recover the PHI in a secure manner and engaged a forensic expert to confirm that all PHI was recovered. The CE also reassigned privacy and security responsibilities and began considering the need to augment its privacy and security staff. The CE improved safeguards by encrypting all computer workstations, as well as phones that access PHI. In response to OCR’s investigation, the CE developed a comprehensive enterprise-wide risk analysis report and corresponding risk management plan. | Huntington Medical Research Institutes CA Healthcare Provider 4300 | Tuesday | 2015 |
Cove Family and Sports Medicine, LLC | AL | Healthcare Provider | 4300 | 2017-06-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Cove Family and Sports Medicine, LLC AL Healthcare Provider 4300 | Monday | 2017 |
Massachusetts General Hospital | MA | Healthcare Provider | 4293 | 2016-06-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Hackers caused a breach of protected health information (PHI) at Patterson Dental Supply, Inc., a business associate (BA) of the covered entity (CE), Massachusetts General Hospital. The breach affected the PHI of approximately 4,293 individuals, and included demographic and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. OCR’s investigation revealed that the CE and BA had a business associate agreement in place at the time of the breach. OCR reviewed the BA agreement and determined that it appeared to comply with the requirements of the HIPAA Rules. OCR has opened a separate review of the BA concerning the underlying breach. | Massachusetts General Hospital MA Healthcare Provider 4293 | Wednesday | 2016 |
Integrated Rehab Consultants | IL | Healthcare Provider | 4292 | 2018-04-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Integrated Rehab Consultants IL Healthcare Provider 4292 | Monday | 2018 |
Aspire Home Care and Hospice | OK | Healthcare Provider | 4278 | 2015-10-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On October 9 and 22, 2015, Aspire Home Care and Hospice, the covered entity (CE), experienced two similar breach incidents. The breach incidents involved phishing scams on the Google email accounts of two CE employees. The type of protected health information (PHI) involved in the breaches included demographic information, social security numbers, and treatment information. One breach report estimated that 4,278 individuals were affected, and in the second the estimate was 4,500 individuals. Later that number was amended since the CE determined that 1,889 persons had already been accounted for in the initial breach report. In response to the breach incidents, the CE took certain corrective action, including, but not limited to, implementing additional technical safeguards to prevent future security incidents of this nature. As a result of extensive technical assistance provided by OCR, the CE took corrective action, launching a phishing campaign to better train and educate workforce members regarding potential phishing incidents, and implementing additional Privacy and Security policies and procedures to ensure full compliance with the Privacy and Security Rules. Further, the CE conducted an updated risk analysis and implemented a corresponding risk management plan. The CE also offered affected individuals identity theft monitoring services for one year at no cost. | Aspire Home Care and Hospice OK Healthcare Provider 4278 | Friday | 2015 |
Dr. Melissa D. Selke | NJ | Healthcare Provider | 4277 | 2016-12-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | NA | Dr. Melissa D. Selke NJ Healthcare Provider 4277 | Monday | 2016 |
NHC HealthCare, Oak Ridge | TN | Healthcare Provider | 4268 | 2013-09-13 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | NHC HealthCare, Oak Ridge TN Healthcare Provider 4268 | Friday | 2013 |
Napa Valley Dentistry | CA | Healthcare Provider | 4262 | 2016-10-05 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Napa Valley Dentistry CA Healthcare Provider 4262 | Wednesday | 2016 |
RGH Enterprises, Inc. | OH | Health Plan | 4230 | 2014-01-13 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity’s (CE’s) website. The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised | RGH Enterprises, Inc. OH Health Plan 4230 | Monday | 2014 |
Behavioral Health Center | ME | Healthcare Provider | 4229 | 2017-04-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Behavioral Health Center ME Healthcare Provider 4229 | Friday | 2017 |
Central Brooklyn Medical Group, PC | NY | Healthcare Provider | 4223 | 2015-06-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Between January 1, 2015 and April 18, 2015, a physician employed by the covered entity (CE), Central Brooklyn Medical Group, PC, impermissibly disclosed the protected health information (PHI) of approximately 500 patients to his former medical assistants via facsimile on multiple occasions. On one occasion, the physician accidentally transposed digits in the intended facsimile number and disclosed the PHI of 88 patients to an unrelated third party. The types of PHI involved in the breach included patients’ names, ages, sex, appointment dates, times and reasons for visits, treating physician’s names, and medical conditions. The CE sent breach notification letters to 4,135 patients who had been scheduled to see the physician in the year prior to the breach because the CE could not identify which specific patients were affected; however, they were most likely within this group. The CE also provided breach notification to HHS and the media. Upon discovery of the breach, the CE confirmed the destruction of any PHI possessed by the unrelated third party and the medical assistant and sanctioned the physician. The CE also retrained its workforce members regarding HIPAA compliance, including the CE’s policy regarding communications via facsimile. OCR obtained assurances that the CE implemented the corrective actions listed above. In addition, the CE reported the physician to the State Office for Professional Medical Conduct. | Central Brooklyn Medical Group, PC NY Healthcare Provider 4223 | Friday | 2015 |
Metropolitan Life Insurance Company | NY | Health Plan | 4220 | 2017-07-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Metropolitan Life Insurance Company NY Health Plan 4220 | Wednesday | 2017 |
Northwestern Memorial Hospital | IL | Healthcare Provider | 4211 | 2012-07-27 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Northwestern Memorial Hospital IL Healthcare Provider 4211 | Friday | 2012 |
North Texas Heart Center, P.A. | TX | Healthcare Provider | 4210 | 2016-11-21 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), North Texas Heart Center, after it reported, on behalf of its business associate (BA), Ambucor, that law enforcement discovered mobile computer drives containing the electronic protected health information (ePHI) of 4,210 individuals in connection with the activities of a former employee. The ePHI included patients’ names, dates of birth, addresses, social security numbers, laboratory results, and other treatment information. Upon discovering the breach, the BA worked with federal law enforcement to recover the mobile devices. OCR obtained a draft copy of the BA’s breach notification to individuals and the media. The BA offered one year of free credit monitoring services to affected individuals. OCR initiated a separate investigation of the BA. | North Texas Heart Center, P.A. TX Healthcare Provider 4210 | Monday | 2016 |
NHC HealthCare, Mauldin | SC | Healthcare Clearing House | 4204 | 2013-09-13 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | NHC HealthCare, Mauldin SC Healthcare Clearing House 4204 | Friday | 2013 |
Heriberto Rodriguez-Ayala, M.D. | TX | Healthcare Provider | 4200 | 2010-05-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle. The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers. The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media. As a result of OCR’s investigation the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations. | Heriberto Rodriguez-Ayala, M.D. TX Healthcare Provider 4200 | Tuesday | 2010 |
New Mexico Heart Institute | NM | Healthcare Provider | 4185 | 2016-11-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | Ambucor Health Solutions, the business associate (BA) of the covered entity (CE), New Mexico Heart Institute, recovered a portable electronic device (a “thumb” drive) from a former employee that contained the protected health information (PHI) for 4,185 of the CE’s patients. The BA informed the CE that there was no indication that the PHI had been misused. The CE provided breach notification to affected individuals, the media, and HHS. Out of an abundance of caution, the BA offered affected individuals one year of identity protection services and, if necessary, related recovery services and $1 million of identity theft insurance at no cost. Following the breach, the CE initiated a review and update of its HIPAA security processes. OCR obtained assurances that the CE implemented the corrective actions noted above. The CE also confirmed that the employee who was responsible for this incident no longer works for or has access to its facility. | New Mexico Heart Institute NM Healthcare Provider 4185 | Wednesday | 2016 |
Washington Health System Greene | PA | Healthcare Provider | 4145 | 2017-12-01 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Washington Health System Greene PA Healthcare Provider 4145 | Friday | 2017 |
Clearpoint Design, Inc. | MA | Business Associate | 4125 | 2013-01-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Clearpoint Design, Inc. MA Business Associate 4125 | Monday | 2013 | |
Children’s National Medical Center | DC | Healthcare Provider | 4107 | 2016-04-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A former business associate (BA) of the covered entity (CE), Childrenâs Medical Center, Ascend Health System, misconfigured a File Transfer Protocol site (FTP), which may have allowed access from the internet to transcription documents from a number of healthcare entities, including the CE. The breach was discovered in December 2015; however, the CE had ceased doing business with the BA on June 23, 2014. The transcriptions may have contained protected health information including children’s names, dates of birth, medications, and attending physicians’ names. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained copies of the notification letters and BA agreement, as well as assurances that the CE implemented the corrective actions listed above. | Children’s National Medical Center DC Healthcare Provider 4107 | Monday | 2016 |
Clearpoint Design, Inc. | MA | Business Associate | 4100 | 2013-01-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes |  | Clearpoint Design, Inc. MA Business Associate 4100 | Thursday | 2013 |
Richard Switzer MD PC | MI | Healthcare Provider | 4100 | 2012-12-23 | Other | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Richard Switzer MD PC MI Healthcare Provider 4100 | Sunday | 2012 |
VA North Texas Health Care System | TX | Healthcare Provider | 4083 | 2010-05-25 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | VA North Texas Health Care System TX Healthcare Provider 4083 | Tuesday | 2010 |
Complete Chiropractic & Bodywork Therapies | MI | Healthcare Provider | 4082 | 2016-05-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | On March 7, 2016, the covered entity (CE) discovered a malfunction on certain of its computer workstations. The CE hired a forensic expert who concluded that the CE's server was left vulnerable to access by unauthorized users from November 19, 2015 to March 10, 2016. The types of protected health information (PHI) on the server included patients' full names, social security numbers, dates of birth, home addresses, and treatment notes. Approximately 4,082 individuals were affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media and offered free identity protection for 1 year to the affected individuals. To prevent a similar breach from happening in the future, the CE installed a new firewall to monitor all incoming and outgoing traffic to and from the server. It also hired a new IT vendor and Security Rule experts to enhance safeguards. OCR obtained assurances that the CE implemented the corrective actions listed above. | Complete Chiropractic & Bodywork Therapies MI Healthcare Provider 4082 | Tuesday | 2016 |
Owensboro Medical Practice, PLLC | KY | Business Associate | 4077 | 2014-09-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Owensboro Medical Practice, PLLC KY Business Associate 4077 | Thursday | 2014 |
Research Integrity, LLC | KY | Business Associate | 4077 | 2014-09-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes |  | Research Integrity, LLC KY Business Associate 4077 | Monday | 2014 |
Children’s Mercy Hospital | MO | Business Associate | 4067 | 2014-08-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Children’s Mercy Hospital, reported that the protected health information (PHI) of 4,067 individuals stored in an online registration system by the subcontractor, Onsite Health Diagnostics, of its business associate (BA), StayWell Health Management, was hacked. The hacked information included names, encrypted passwords, email addresses, physical addresses, phone numbers, genders, and dates of birth. Because the subcontractor-generated passwords were encrypted/hashed, they were rendered unusable. The CE provided breach notification to HHS, affected individuals, and the media. The CE reported that the subcontractor moved all data from the affected scheduling application, moved all of its clients to a new scheduling platform, and completely decommissioned the vulnerable platform. The subcontractor also conducted a comprehensive security audit and found no other improper uses of protected health information or vulnerabilities. As a result of OCR’s investigation, the CE provided documentation substantiating all actions taken. | Children’s Mercy Hospital MO Business Associate 4067 | Friday | 2014 |
Central Colorado Dermatology, PC | CO | Healthcare Provider | 4065 | 2018-08-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Central Colorado Dermatology, PC CO Healthcare Provider 4065 | Friday | 2018 |
BioIQ Inc. | CA | Business Associate | 4059 | 2018-05-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | Yes | NA | BioIQ Inc. CA Business Associate 4059 | Friday | 2018 |
HomeCare of Mid-Missouri, Inc. | MO | Healthcare Provider | 4027 | 2013-02-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | HomeCare of Mid-Missouri, Inc. MO Healthcare Provider 4027 | Thursday | 2013 |
Capital Nephrology | MD | Healthcare Provider | 4000 | 2017-05-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Capital Nephrology MD Healthcare Provider 4000 | Tuesday | 2017 |
EyeCare of Bartlesville | OK | Healthcare Provider | 4000 | 2015-03-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | The covered entity's (CE) database was hacked and held by an outside malware virus. The computer server's hard drive contained the unencrypted, password protected health information (PHI) of approximately 4,000 individuals. The electronic PHI (ePHI) contained names, addresses, telephone numbers, dates of birth, insurance identification numbers, and diagnosis codes. Since the malware virus was discovered, the CE confirmed that nothing had been copied or removed from the computer, just locked. The CE destroyed the hard drive so that no further access to the hard drive was possible. The CE provided breach notification to HHS, affected individuals, and posted notice on its website. In addition, the CE retrained workforce members, and instituted a requirement of quarterly employee privacy and security awareness training. The CE improved safeguards by changing all passwords. Following OCR's investigation, the CE further improved safeguards by changing anti-virus software, encrypting all information saved to its hard drive, and moving ePHI to a cloud based system. It revised procedures to require weekly computer virus scans and monthly audit reports. It also changed vendors to those that require HIPAA training. Finally, OCR reviewed the CE's comprehensive risk analysis plan. | EyeCare of Bartlesville OK Healthcare Provider 4000 | Friday | 2015 |
Saint Louis County Department of Health | MO | Healthcare Provider | 4000 | 2015-01-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA |  | No | On November 18, 2014, an employee of the covered entity (CE), Saint Louis County Department of Health, resigned her position and then impermissibly emailed her personal email account a spreadsheet that was used to reconcile bills for medical services provided to the CE's patients. The types of protected health information (PHI) contained in the spreadsheet included the names, social security numbers, and dates of service of approximately 4,000 patients, along with the names of the medical providers. The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report. The CE terminated the former employee's access to its patient database and retrained employees on its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Saint Louis County Department of Health MO Healthcare Provider 4000 | Wednesday | 2015 |
South Texas Veterans Health Care System | TX | Healthcare Provider | 4000 | 2014-10-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), South Texas Veterans Health Care System, incorrectly mailed 2,000 letters with another veteran's protected health information (PHI) printed on the other side. The types of PHI involved in the breach included patients' names, addresses, and medication information. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE updated its procedures for fulfilling mailing requests and issued a memorandum to the print shop staff with the revised procedures and forms. | South Texas Veterans Health Care System TX Healthcare Provider 4000 | Thursday | 2014 |
Dr. Veronica Joann Barber | CA | Business Associate | 4000 | 2014-07-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Another provider, Veronica Joann Barber, O.D., (VB) copied the covered entity's (CE) entire database and used the electronic protected health information (ePHI) to solicit patients for her own practice. VB worked at the CE's office under a space-sharing agreement until the CE terminated the agreement. The CE requested that VB cease and desist using the PHI, but she did not agree. The theft occurred on December 15, 2013, and affected 4,000 individuals. The ePHI involved in the breach included individuals' names, social security numbers, addresses, driver's licenses, dates of birth, other identifiers, credit card and bank account numbers, claims information, other financial information, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach the CE installed computer firewalls. Based on OCR's provision of technical assistance, the CE notified the media and completed a risk assessment. It also improved safeguards by denying access by unlicensed persons to its computer systems and updating its policies and procedures regarding computer user names and passwords. The CE improved physical safeguards by moving the computer with the ePHI behind a 5-foot tall counter. | Dr. Veronica Joann Barber CA Business Associate 4000 | Monday | 2014 |
Tricounty Behavioral Health Clinic | GA | Healthcare Provider | 4000 | 2012-08-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Tricounty Behavioral Health Clinic GA Healthcare Provider 4000 | Friday | 2012 |
Family Health Services Minnesota PA | MN | Healthcare Provider | 4000 | 2012-05-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Family Health Services Minnesota PA MN Healthcare Provider 4000 | Monday | 2012 |
Benefits Administration Services, Inc. | VA | Business Associate | 4000 | 2011-09-22 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes |  | Benefits Administration Services, Inc. VA Business Associate 4000 | Thursday | 2011 |
Futurity First Insurance Group | CT | Business Associate | 3994 | 2011-10-11 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Futurity First Insurance Group CT Business Associate 3994 | Tuesday | 2011 |
Metropolitan Hospital Center | NY | Healthcare Provider | 3957 | 2015-06-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | NA | Metropolitan Hospital Center NY Healthcare Provider 3957 | Monday | 2015 |
St. Mary’s Health | IN | Healthcare Provider | 3952 | 2015-03-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | On December 3, 2014, the covered entity (CE), St. Mary's Health, discovered that a phishing email attack compromised several employees' user names and passwords. The breach affected approximately 3,952 individuals. The types of protected health information (PHI) involved in the breach included patients' names, addresses, date of birth, clinical information, and in some instances, social security numbers. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE deployed a program to assist users in identifying phishing and malware attacks. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | St. Mary’s Health IN Healthcare Provider 3952 | Thursday | 2015 |
Washington State Department of Social and Health Services | WA | Health Plan | 3950 | 2011-08-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Washington State Department of Social and Health Services WA Health Plan 3950 | Tuesday | 2011 |
Ferris State University MI College of Optometry | MI | Healthcare Provider | 3947 | 2013-10-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized person evaded the network security of Ferris State University Michigan College of Optometry on December 1, 2011, and placed a malware program on the computer Ferris uses to operate its website, which had the technical ability to access its electronic files on certain network servers. The breach of electronic protected health information (ePHI) affected approximately 3,947 individuals and included patients' names, dates of birth, Social Security numbers, addresses, diagnoses/conditions, financial claims information, clinical information, and other treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and posted substitute notification of the breach incident on its website. The CE created a dedicated call center regarding the breach and also offered one year of free credit monitoring to individuals whose social security number was involved in the breach. Following the breach, the CE engaged an outside forensic security firm to conduct an internal investigation, installed the latest operating systems and patches to its network asset and web server, and applied the latest version of antivirus and anti-malware software on its servers. The CE verified the removal of ePHI from the application and archive files, worked with its customers to remove sensitive data, and blocked specific internet addresses from its networks. The CE also revised its policies and procedures addressing how it administratively, technically, and physically safeguards patients' PHI. Additionally, the CE trained employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Ferris State University MI College of Optometry MI Healthcare Provider 3947 | Wednesday | 2013 |
Ferris State University - MI College of Optometry | MI | Healthcare Provider | 3947 | 2013-10-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No |  | Ferris State University - MI College of Optometry MI Healthcare Provider 3947 | Friday | 2013 |
Weill Cornell Medical College | NY | Healthcare Provider | 3936 | 2014-11-07 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Weill Cornell Medical College NY Healthcare Provider 3936 | Friday | 2014 |
Tarleton Medical | CA | Healthcare Provider | 3929 | 2017-03-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) was the victim of a malware/ransom attack. The electronic protected health information (ePHI) involved in the breach included the names, dates of birth, addresses, social security numbers, and health care claims information of 3,929 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE strengthened its administrative and technical safeguards by implementing a stronger password policy, encrypting all its computers, and enhancing firewall and antivirus protection for its electronic systems. OCR's investigation resulted in the CE enhancing its safeguards for ePHI. | Tarleton Medical CA Healthcare Provider 3929 | Monday | 2017 |
Institute on Aging | CA | Healthcare Provider | 3907 | 2018-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | NA | Institute on Aging CA Healthcare Provider 3907 | Friday | 2018 |
RMA Medical Centers of Florida | FL | Healthcare Provider | 3906 | 2016-04-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | RMA Medical Centers of Florida, the covered entity (CE), discovered that on February 6, 2016, a password protected company laptop computer was stolen from an employee's hotel room. The laptop was not encrypted. It contained 3,906 individuals' protected health information (PHI) and included patients' names, dates of birth, health plan identification numbers, diagnoses, and primary care physicians' names. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. It also offered complimentary one-year identity theft protection to affected individuals. Following the breach, the CE encrypted all laptops containing PHI and revised certain HIPAA policies to improve safeguards. The CE educated and retrained its employees on its policies. Finally, the CE sanctioned the employee responsible for the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | RMA Medical Centers of Florida FL Healthcare Provider 3906 | Thursday | 2016 |
Blue Cross Blue Shield of Michigan | MI | Health Plan | 3903 | 2015-03-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Blue Cross Blue Shield of Michigan, after it reported that the protected health information (PHI) of 3,903 of its patients had been stolen for the purposes of identity fraud. The types of PHI disclosed included names, ages, genders, dates of birth, contract numbers, group names and numbers, and social security numbers. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, the CE improved safeguards by masking social security numbers, removing members' dates of birth, limiting search results to 25 records, and installing new printing devices that require employees to scan their coded badges when printing. OCR obtained assurances that the CE implemented the corrective actions listed above. | Blue Cross Blue Shield of Michigan MI Health Plan 3903 | Tuesday | 2015 |
Midlands Orthopaedics, P.A. | SC | Healthcare Provider | 3902 | 2015-11-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On September 15, 2015, the covered entity (CE), Arcis Healthcare, LLC d/b/a Midlands Orthopaedics, discovered that an unknown party identified as "Slyhacker" accessed a patient database. The database contained the names, addresses, and phone numbers of 3,902 individuals. The database was housed on a third party internet site by the CE's business associate, PlanetHosting.com. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE removed the database from the internet-based computer server, hired a digital forensics firm to investigate, and implemented a plan for securing this and other databases containing protected health information. OCR obtained assurances that the CE implemented the corrective actions listed above. | Midlands Orthopaedics, P.A. SC Healthcare Provider 3902 | Friday | 2015 |
Beth Israel Deaconess Medical Center | MA | Healthcare Provider | 3900 | 2012-07-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A physician's unencrypted personal laptop computer, which he used for business purposes, was stolen from his office on the campus of the covered entity (CE), Beth Israel Deaconess Medical Center. The laptop contained the PHI of approximately 3,900 individuals, including short summaries of medical information and the names and social security numbers of two individuals. After discovering the breach, the CE notified the police and hired an independent forensic firm. The CE provided breach notification to HHS, affected individuals, and the media. The CE also offered affected individuals one year of free credit monitoring and access to a dedicated call center to contact with questions regarding the incident. As a result of this incident, the CE retrained staff, enhanced its data security policy, and initiated an awareness campaign to educate and alert its workforce of security and privacy issues. The CE improved technical safeguards by encrypting or disabling all of its laptops. The CE counseled the physician whose laptop was stolen and assured that his replacement laptop was secured to the desk and encrypted. OCR's investigation occurred simultaneously with the Massachusetts Attorney General's Office (AGO) investigation into the same incident. Pursuant to an information sharing agreement, OCR and the AGO worked in collaboration to ensure the corrective action and future compliance of this CE. | Beth Israel Deaconess Medical Center MA Healthcare Provider 3900 | Friday | 2012 |
St. Mary Medical Center | CA | Healthcare Provider | 3900 | 2012-05-14 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No |  | St. Mary Medical Center CA Healthcare Provider 3900 | Monday | 2012 |
State of TN, Bureau of TennCare | TN | Health Plan | 3900 | 2010-02-19 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. | State of TN, Bureau of TennCare TN Health Plan 3900 | Friday | 2010 |
BEE Reno Dental, LLC | NV | Healthcare Provider | 3898 | 2017-12-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | BEE Reno Dental, LLC NV Healthcare Provider 3898 | Wednesday | 2017 |
Maryville Academy | IL | Healthcare Provider | 3897 | 2012-11-08 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Three secondary back-up portable hard drives, which were maintained by the covered entity (CE), Maryville Academy, were removed from a locked room used as a secure area to maintain a secondary back-up copy of some electronic records for the CE's services programs. The drives contained the electronic protected health information (ePHI) of approximately 3,897 individuals, including patients' names, dates of birth, telephone numbers, social security numbers, addresses, diagnosis/conditions, financial claims information, medications, lab results, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and posted notification of the breach on its website. The CE also offered one year of free credit monitoring services to affected individuals. Following the breach, the CE revised its HIPAA policies and procedures and encrypted its back-up portable hard drives and other portable electronic devices. It also updated its practices regarding the physical storage of its back-up portable hard drives to include the use of a third party, off-site vendor and contracted with a third party vendor for long term offsite archive storage, and trained its workforce on any revised or newly implemented policies and procedures. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Maryville Academy IL Healthcare Provider 3897 | Thursday | 2012 |
InfuSystem, Inc. | MI | Healthcare Provider | 3882 | 2018-06-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | NA | InfuSystem, Inc. MI Healthcare Provider 3882 | Friday | 2018 |
Sentara Healthcare | VA | Healthcare Provider | 3861 | 2014-01-16 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Two former employees of the covered entity (CE), Sentara Healthcare, accessed protected health information (PHI) outside of their normal job duties and used this information to process fraudulent tax returns. The US Attorney's office investigated the matter and both individuals received prison sentences. The breach report indicated that the PHI of approximately 3,645 individuals was involved in the breach; however, the CE verified that the final count of affected individuals was 3,891. The CE provided breach notification to HHS, affected individuals, and the media. The CE also offered complimentary credit monitoring and identity theft protection services to all eligible individuals. Following this incident, the CE increased safeguards by installing a new software system to help monitor and detect inappropriate access to its electronic medical records system, updated its security policies and procedures, re-trained employees, and initiated steps to address and mitigate the issues identified in its 2014 risk analysis. OCR obtained assurances that the corrective actions listed above were completed and/or initiated as described. | Sentara Healthcare VA Healthcare Provider 3861 | Thursday | 2014 |
Mosaic | NE | Healthcare Provider | 3857 | 2013-12-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | The covered entity (CE), Mosaic, discovered multiple employee email accounts that had fallen victim to a phishing attack. The affected e-mail accounts contained the following types of protected health information (PHI): clients' names, dates of birth, addresses, telephone numbers, government-issued identification numbers, medical record numbers, insurance identification numbers, payment information, Medicaid and Medicare numbers, and in some instances social security numbers. This breach affected approximately 3,857 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE responded to the breach by blocking the IP address which was the source of the phishing scam, contacting the proper authorities to investigate possible criminal infractions, providing phishing scam awareness training, and changing its email practices. As a result of OCR's investigation, the CE updated its HIPAA policies, created additional training material, and changed its training practices. | Mosaic NE Healthcare Provider 3857 | Wednesday | 2013 |
Codman Square Health Center | MA | Healthcare Provider | 3840 | 2016-09-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A workforce member provided an unauthorized individual with the workforce member's credentials so as to allow the individual access to the New England Health Exchange Network (NEHEN) via computer. The unauthorized individual was thus able to access the protected health information (PHI) of 102 patients of the covered entity (CE), Codman Square Health Center. The types of PHI involved in the breach included patients' names, addresses, birthdates, medical insurance information, and for patients receiving Medicaid, social security numbers. The CE provided breach notification to the affected individuals, the media and HHS. The CE also provided individuals fraud resolution and credit monitoring services at no cost. Following discovery of the breach, the CE sanctioned the involved employees and re-trained all employees. As a result of OCR's investigation, the CE revised its Breach Notification policy and implemented related procedures. | Codman Square Health Center MA Healthcare Provider 3840 | Monday | 2016 |
Good Samaritan Hospital | CA | Healthcare Provider | 3833 | 2013-10-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above. | Good Samaritan Hospital CA Healthcare Provider 3833 | Friday | 2013 |
Humana Inc [case # HU17001CC] | KY | Health Plan | 3831 | 2017-04-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Humana Inc [case # HU17001CC] KY Health Plan 3831 | Tuesday | 2017 |
SunBridge Healthcare Corporation | NM | Healthcare Provider | 3830 | 2010-07-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer containing the electronic protected health information (ePHI) of 3,830 individuals was stolen out of a workforce member's vehicle. The types of ePHI included names, birthdates, social security numbers, claims information, financial information, diagnoses/conditions, medications, lab results, and other treatment information. The covered entity (CE), SunBridge Healthcare Corporation, provided breach notification to HHS, affected individuals, and the media, and provided individuals with identity theft protection services. As a result of OCR's investigation the CE updated its risk analysis, re-educated its workforce members on proper laptop security protocols, and installed encryption software to protect ePHI. | SunBridge Healthcare Corporation NM Healthcare Provider 3830 | Thursday | 2010 |
NFP Maschino, Hudelson & Associates | OK | Business Associate | 3814 | 2014-05-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An unencrypted laptop was stolen from the vehicle of an employee of Maschino, Hudelson & Associates, a broker and business associate (BA) of the covered entity (CE), Aetna. The laptop contained the protected health information (PHI) of 3,814 of the CE’s customers. The types of PHI involved in the breach included names, dates of birth, addresses, social security numbers and account information. The BA provided breach notification to affected individuals and the media. OCR provided technical assistance to the CE regarding the requirements for notification to HHS. OCR verified that the CE had a proper BA agreement in place at the time of this breach. | NFP Maschino, Hudelson & Associates OK Business Associate 3814 | Friday | 2014 |
Texas Health Physicians Group | TX | Healthcare Provider | 3808 | 2018-04-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA |  | No | NA | Texas Health Physicians Group TX Healthcare Provider 3808 | Friday | 2018 |
Allina Health | MN | Healthcare Provider | 3807 | 2013-11-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Allina Health MN Healthcare Provider 3807 | Monday | 2013 |
Health Fitness Corporation | IL | Business Associate | 3804 | 2013-11-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An unencrypted company laptop was stolen from the car of the business associate’s (BA) employee. The laptop contained the protected health information (PHI) of 3,804 individuals and included employees and/or spouses names, birthdates, health plan election, and social security numbers. The covered entity (CE) provided breach notification to HHS and the BA provided breach notification to affected individuals and the media. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE trained employees and provided refresher training regarding mobile device encryption. The BA implemented a new certification process to ensure client owned mobile devices are encrypted. OCR obtained assurances that the corrective actions listed above were taken. | Health Fitness Corporation IL Business Associate 3804 | Thursday | 2013 |
Arizona Counseling & Treatment Services, LLC | AZ | Healthcare Provider | 3800 | 2013-05-01 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Arizona Counseling & Treatment Services, LLC AZ Healthcare Provider 3800 | Wednesday | 2013 | |
Lee Memorial Health System | FL | Healthcare Provider | 3800 | 2010-03-17 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity sent postcards to approximately 3,800 patients, which listed the patients’ demographic information, and a statement that read, ‘Your Physician Has Moved,’ with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR’s investigation include the issuance of sanctions and review of policies and procedures. | Lee Memorial Health System FL Healthcare Provider 3800 | Wednesday | 2010 |
Children’s Medical Center of Dallas | TX | Healthcare Provider | 3800 | 2010-01-18 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Children’s Medical Center of Dallas TX Healthcare Provider 3800 | Monday | 2010 | |
Health Services for Children with Special Needs, Inc. | DC | Health Plan | 3800 | 2009-11-17 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated its risk assessment. In addition, all employees received additional security training. | Health Services for Children with Special Needs, Inc. DC Health Plan 3800 | Tuesday | 2009 |
TMG Health | PA | Business Associate | 3794 | 2013-04-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | TMG Health PA Business Associate 3794 | Friday | 2013 | |
Temple University Physicians | PA | Healthcare Provider | 3780 | 2014-09-05 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Temple University Physicians PA Healthcare Provider 3780 | Friday | 2014 | |
Ruben U. Carvajal, MD | NY | Healthcare Provider | 3775 | 2018-07-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | NA | Ruben U. Carvajal, MD NY Healthcare Provider 3775 | Tuesday | 2018 |
Cambridge Dental Consulting Group | NV | Business Associate | 3758 | 2018-05-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Cambridge Dental Consulting Group NV Business Associate 3758 | Wednesday | 2018 |
The Arc of Erie County | NY | Healthcare Provider | 3751 | 2018-03-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | The Arc of Erie County NY Healthcare Provider 3751 | Friday | 2018 |
Greenwood Leflore Hospital | MS | Healthcare Provider | 3750 | 2014-04-16 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Greenwood Leflore Hospital, discovered that an ex-employee of a business associate (BA) the CE used to recycle and destroy old x-ray films, stole x-ray films which contained the names, dates of birth and x-ray images of 3,750 patients. This individual’s employment had been terminated by the BA prior to the breach, and therefore he was not authorized to take possession of these x-ray films. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. In response to the breach, the CE filed a police report, attempted to recover the x-ray films, and sanctioned and re-trained the employees involved. The CE also filed a civil lawsuit against the individual who took the films. The individual was later arrested and found guilty of petit larceny and was ordered to pay restitution to the CE. The CE provided additional training to its entire workforce regarding its BA access and breach policies, and terminated its business relationship with the BA. OCR obtained the CE’s policies and procedures related to the cited Privacy Rule provisions, as well as documentation related to employee training on the Privacy and Security Rules. | Greenwood Leflore Hospital MS Healthcare Provider 3750 | Wednesday | 2014 |
RISE Wisconsin, Inc. | WI | Healthcare Provider | 3731 | 2018-06-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | RISE Wisconsin, Inc. WI Healthcare Provider 3731 | Thursday | 2018 |
Henry Ford Hospital | MI | Healthcare Provider | 3700 | 2010-11-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Henry Ford Health System, the covered entity (CE), reported that a breach occurred on September 24, 2010, that affected 3,700 individuals and occurred when a laptop computer was stolen from an office left unlocked by an employee for approximately four hours while the employee was attending a meeting. The PHI involved in the breach included clinical and demographic information. The CE provided breach notification to the affected individuals, the media, and HHS. To resolve the issues raised by the breach, the CE sanctioned the employee involved in the breach based on the severity of the employee’s noncompliance, implemented an encryption process to purchase 2,000 additional encryption licenses, and implemented a program for receiving and using encrypted flash drives on March 14, 2011. OCR obtained documented assurances that the CE implemented these corrective action steps. After OCR provided substantial technical assistance to the CE on the Security Rule’s Risk Analysis requirements, the CE provided written assurances to OCR that it will: create a more robust asset management program over the next 6-8 months and provide documentation to OCR; complete an enterprise data mapping and asset; and submit a fully executed copy of the business associate agreement (BAA) to OCR upon signature of a Master Service Agreement (MSA) and Statement of Work (SOW) for data mapping services once its vendor is chosen. This case was consolidated into an existing investigation of the CE. | Henry Ford Hospital MI Healthcare Provider 3700 | Monday | 2010 |
Zachary E. Adkins, DDS | NM | Healthcare Provider | 3677 | 2018-01-25 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Zachary E. Adkins, DDS NM Healthcare Provider 3677 | Thursday | 2018 |
Humana Inc. [case #HU16004F3] | KY | Health Plan | 3674 | 2016-12-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Humana Inc. [case #HU16004F3] KY Health Plan 3674 | Monday | 2016 |
Florida Healthy Kids Corporation | FL | Business Associate | 3667 | 2013-02-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A vendor, OneTouchPoint CCI, incorrectly printed and mailed 3,667 identification cards for the business associate (BA), DentaQuest of Florida. The types of protected health information (PHI) involved in the breach included names, identification numbers, and dates of coverage. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE re-programmed the software to compare names and addresses, and conducted quality assurance tests to ensure accuracy. The BA re-issued identification cards and provided self-addressed, stamped envelopes and requested that the members return the previously sent cards. OCR reviewed copies of the CE’s policies and procedures related to the incident. | Florida Healthy Kids Corporation FL Business Associate 3667 | Tuesday | 2013 |
Xforia Web Services | WV | Business Associate | 3655 | 2011-02-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Xforia Web Services WV Business Associate 3655 | Wednesday | 2011 | |
Heartland Health Clinic | VA | Healthcare Provider | 3650 | 2015-09-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | Heartland Clinic is not a covered entity as defined by the Privacy Rule. All patients are self pay. | Heartland Health Clinic VA Healthcare Provider 3650 | Monday | 2015 |
Wm. Jennings Bryan Dorn VA Medical Center | SC | Healthcare Provider | 3637 | 2014-09-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Wm. Jennings Bryan Dorn VA Medical Center SC Healthcare Provider 3637 | Wednesday | 2014 | |
KPMG LLP | NY | Business Associate | 3630 | 2010-08-26 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. | KPMG LLP NY Business Associate 3630 | Thursday | 2010 |
University of Michigan/Michigan Medicine | MI | Healthcare Provider | 3624 | 2018-09-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | University of Michigan/Michigan Medicine MI Healthcare Provider 3624 | Friday | 2018 |
University of Kentucky - UK HealthCare | KY | Healthcare Provider | 3604 | 2011-07-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted company laptop computer was stolen from the car of an employee of the covered entity (CE). The laptop contained the protected health information (PHI) of 3,604 individuals and included names, dates of birth, social security numbers, medical record numbers, and diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE also provided employee training regarding mobile device encryption and refresher training on HIPAA. OCR obtained assurances that the CE implemented the corrective actions listed. | University of Kentucky - UK HealthCare KY Healthcare Provider 3604 | Thursday | 2011 |
The University of Texas MD Anderson Cancer Center | TX | Healthcare Provider | 3598 | 2014-01-31 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The University of Texas MD Anderson Cancer Center TX Healthcare Provider 3598 | Friday | 2014 | |
Childrens Hospital of Los Angeles | CA | Healthcare Provider | 3594 | 2017-01-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Children’s Hospital of Los Angeles, reported a breach of 3,594 individuals’ electronic protected health information (ePHI) resulting from theft of an unencrypted laptop stored in a workforce member’s vehicle while parked in a public parking lot. The breach affected patients’ demographic information (name, date of birth, medical record number, address) and/or clinical information. Following the breach and in response to OCR’s contact in this matter, the CE took corrective actions, including blocking the laptop from accessing the CE’s internal computer network, reminding staff not to store laptops or other mobile devices in vehicles, ensuring encryption on each Apple operated laptop, and implementing new policies. The CE provided breach notification to HHS, affected individuals, and the media. | Childrens Hospital of Los Angeles CA Healthcare Provider 3594 | Friday | 2017 |
Massachusetts Eye and Ear Infirmary | MA | Healthcare Provider | 3594 | 2010-04-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Massachusetts Eye and Ear Infirmary MA Healthcare Provider 3594 | Tuesday | 2010 | |
Colorado Department of Health Care Policy and Financing | CO | Health Plan | 3589 | 2011-08-16 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Colorado Department of Health Care Policy and Financing CO Health Plan 3589 | Tuesday | 2011 |
Department of Personnel and Administration | CO | Business Associate | 3589 | 2011-06-29 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) mailed a compact disk (CD) containing electronic protected health information (ePHI) through the inter-office mail system for delivery in another city. The CD, containing ePHI of 3,589 individuals, was lost en route. The PHI included state Medicaid and children’s health plan data. Immediately following the breach, the CE completed a risk analysis to identify additional concerns and developed a risk management plan. The CE provided breach notification to the affected individuals, HHS, and the media and provided substitute notification on its website. To prevent a similar breach from happening in the future, the CE required all future ePHI to be encrypted prior to shipment. OCR obtained assurances that the CE implemented the corrective action listed above. | Department of Personnel and Administration CO Business Associate 3589 | Wednesday | 2011 |
BioReference Laboratories, Inc | NJ | Healthcare Provider | 3563 | 2016-04-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | BioReference Laboratories, Inc NJ Healthcare Provider 3563 | Friday | 2016 |
University of California, San Francisco | CA | Healthcare Provider | 3553 | 2013-10-03 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | On September 9, 2013, both an unencrypted personal laptop computer containing electronic protected health information (ePHI) and paper documents that contained PHI were stolen out of a workforce member’s locked car. The laptop contained unencrypted ePHI pertaining to 3,541 individuals, and the paper documents contained PHI for 31 patients. The types of PHI involved in the breach included patients’ names, addresses, dates of birth, medical record numbers, social security numbers, diagnoses, conditions, dates of service, lab results, medications, and other treatment-related PHI. The covered entity (CE), the University of California San Francisco, provided breach notification to HHS, affected individuals, and the media. Following the breach the CE retrained the workforce members on encryption, use of email on personal devices, and best practices for sharing PHI documents via email. OCR obtained assurances that the CE implemented the corrective actions noted above. | University of California, San Francisco CA Healthcare Provider 3553 | Thursday | 2013 |
Eureka Internal Medicine | CA | Healthcare Provider | 3534 | 2014-03-04 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Eureka Internal Medicine CA Healthcare Provider 3534 | Tuesday | 2014 | |
Urological Associates of Southern Arizona, P.C. | AZ | Healthcare Provider | 3529 | 2014-07-25 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Urological Associates of Southern Arizona, P.C. AZ Healthcare Provider 3529 | Friday | 2014 | |
Anthem, Inc. | IN | Health Plan | 3525 | 2016-10-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) employee emailed protected health information (PHI) to himself, claiming it was for commission reconciliation purposes. The CE ensured that all the PHI was deleted from the employee’s home computer and smart phones. The employee resigned from the company, and attested that all PHI was deleted from his devices. The CE provided breach notification to HHS, affected individuals, and the media and substitute notice was posted on the CE’s websites on October 29, 2016, and will remain posted through January 27, 2017. To prevent a similar breach from happening in the future, the CE retrained its Medicare sales workforce, took steps to ensure that the former employee can no longer work or sell the CE’s products, and changed its commission statement to reflect only the minimum necessary PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Anthem, Inc. IN Health Plan 3525 | Wednesday | 2016 | |
Sarah Benjamin, DPM - Littleton Podiatry | CO | Healthcare Provider | 3512 | 2013-09-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On August 27, 2013, an unencrypted laptop computer containing the protected health information (PHI) of 3,512 individuals was stolen from a locked supply closet at the covered entity’s (CE) facility. The types of PHI involved in the breach likely included patients’ names, genders, addresses, telephone numbers, dates of birth, health insurance information, and medical records, including, appointment notes, diagnosis, treatments, surgery notes, lab test results, prescriptions, instructions, and other information relating to podiatric care. The CE provided breach notification to HHS, affected individuals, and the media, and also contacted the police. Following the breach, the CE conducted an enterprise-wide risk analysis, implemented a risk management plan, encrypted its workstations and devices, and improved physical safeguards. The CE also implemented several other administrative and technical safeguards to ensure its compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. | Sarah Benjamin, DPM - Littleton Podiatry CO Healthcare Provider 3512 | Saturday | 2013 |
Multilingual Psychotherapy Centers, Inc | FL | Healthcare Provider | 3500 | 2014-10-28 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An encrypted server was stolen from the covered entity (CE), Multilingual Psychotherapy Centers, Inc., on October 20, 2014, as a result of a break-in. The server contained the protected health information (PHI) of 3,500 individuals and included patients’ names, dates of birth, social security numbers, addresses, and Medicaid ID numbers. The CE provided notice to HHS and individuals whose information was contained in the stolen server. Following this incident, the CE increased its physical safeguards, modified its policies, and developed a plan to train its workforce specifically regarding data security breaches. OCR determined the CE had adequate policies and procedures in place for securing electronic information via encryption. Under OCR’s guidance, the CE provided media notice and altered its procedures to ensure such notification is performed in the event of a breach affecting more than 500 individuals. | Multilingual Psychotherapy Centers, Inc FL Healthcare Provider 3500 | Tuesday | 2014 |
Comprehensive Psychological Services LLC | SC | Healthcare Provider | 3500 | 2013-11-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 28, 2013, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic and clinical information of approximately 3,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE increased its facility’s physical security. The CE also upgraded its technology and improved safeguards by encrypting equipment and communication containing ePHI, implementing a networked file server and domain, and backing up client data to an encrypted cloud-based storage service. Pursuant to OCR’s recommendations, the CE modified its policies and training procedures. | Comprehensive Psychological Services LLC SC Healthcare Provider 3500 | Friday | 2013 |
Advanced NeuroSpinal Care | CA | Healthcare Provider | 3500 | 2010-02-23 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver’s licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR’s investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft. | Advanced NeuroSpinal Care CA Healthcare Provider 3500 | Tuesday | 2010 |
New York City Health and Hospitals Corporation - Coney Island Hospital | NY | Healthcare Provider | 3494 | 2017-05-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | New York City Health and Hospitals Corporation - Coney Island Hospital NY Healthcare Provider 3494 | Tuesday | 2017 |
Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.) | IL | Business Associate | 3482 | 2012-03-23 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.) IL Business Associate 3482 | Friday | 2012 | |
Michagan Facial Aesthetic Surgeons d/b/a University Physician Group | MI | Healthcare Provider | 3467 | 2017-04-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Michagan Facial Aesthetic Surgeons d/b/a University Physician Group MI Healthcare Provider 3467 | Friday | 2017 |
Blue Cross and Blue Shield of Florida | FL | Health Plan | 3463 | 2011-06-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Blue Cross and Blue Shield of Florida FL Health Plan 3463 | Friday | 2011 | |
Care Advantage, Inc. | VA | Healthcare Provider | 3458 | 2014-02-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Care Advantage, Inc., experienced a break-in at a satellite office and the theft of 4 laptops. The laptops, which were password protected, contained the electronic protected health information (ePHI) relating to information used in a web based scheduling program. The breach report indicated that 3458 individuals were affected. Upon discovering the breach, the CE’s investigation revealed that the actual number of affected individuals was 420. The CE provided breach notification to HHS, and affected individuals and also posted notice of the incident on its website. Following the breach, the CE assessed and updated its HIPAA security policy, and conducted employee training. As a result of OCR’s investigation, OCR obtained written assurance that the CE has implemented the corrective action steps listed above. | Care Advantage, Inc. VA Healthcare Provider 3458 | Wednesday | 2014 |
Baptist Health | AR | Healthcare Provider | 3453 | 2018-05-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Baptist Health AR Healthcare Provider 3453 | Monday | 2018 |
Coastal home Respiratory, LLP | GA | Healthcare Provider | 3440 | 2012-10-18 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Computers containing the electronic protected health information (ePHI) of 3,440 patients were stolen from the covered entity (CE), Coastal Home Respiratory, during a burglary. The ePHI included names, addresses, phone numbers, insurance identification numbers, social security numbers, and diagnoses. The computers were password protected and the data was encoded. The CE promptly notified law enforcement and provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE cancelled access passwords for patient data, and changed patient data software to a server based system that is password protected and encrypted. The CE’s billing software vendor changed the CE’s account numbers to prevent unauthorized access to the ePHI. The CE improved physical safeguards by installing a new alarm system. Following OCR’s investigation, the CE also improved safeguards for PHI by implementing new procedures for activity reports, audit logs, and security reports. | Coastal home Respiratory, LLP GA Healthcare Provider 3440 | Thursday | 2012 |
DeLoach & Williamson | SC | Business Associate | 3432 | 2013-12-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | DeLoach & Williamson’s (a business associate (BA) for South Carolina Health Insurance Pool) employee’s car was broken into and her password-protected company laptop computer was stolen which contained the electronic protected health information (ePHI) of 3,432 individuals. The ePHI involved in the breach included social security numbers, names, dates of service, and provider identification numbers. The BA provided breach notification to the covered entity, affected individuals, and HHS. The covered entity provided breach notification to the media. Following the breach, the BA immediately launched an internal investigation and retrained the subject employee on the company’s policies on privacy and security of electronic information. Prior to the incident, the BA had decided to dissolve the company and it ceased operations by December 2013. The BA intends to legally file for dissolution in December 2014. | DeLoach & Williamson SC Business Associate 3432 | Wednesday | 2013 |
Orlando Health | FL | Healthcare Provider | 3421 | 2015-07-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Orlando Health, discovered during an audit on May 27, 2015, that an employee was accessing protected health information (PHI) outside the scope of her employment. The PHI contained the names, dates of birth and clinical records of 3,421 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice. In response to the breach, the CE retrained employees. In addition, the CE offered credit monitoring to the affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the employee involved in the incident was terminated. | Orlando Health FL Healthcare Provider 3421 | Thursday | 2015 |
University of Rochester Medical Center & Affiliates | NY | Healthcare Provider | 3403 | 2015-05-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Rochester Medical Center & Affiliates NY Healthcare Provider 3403 | Friday | 2015 |
City of Hope | CA | Healthcare Provider | 3400 | 2017-08-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Hope CA Healthcare Provider 3400 | Thursday | 2017 | |
LKM ENTERPRISES, INC. | OK | Healthcare Provider | 3400 | 2017-06-01 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | LKM ENTERPRISES, INC. OK Healthcare Provider 3400 | Thursday | 2017 |
Service Benefits Plan Administrative Services Corp | DC | Business Associate | 3400 | 2010-01-08 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) incorrectly updated contract holders’ addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR’s investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Service Benefits Plan Administrative Services Corp DC Business Associate 3400 | Friday | 2010 |
Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities | GA | Healthcare Provider | 3397 | 2014-10-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities GA Healthcare Provider 3397 | Thursday | 2014 | |
Children’s Hospital Colorado | CO | Healthcare Provider | 3370 | 2017-09-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s Hospital Colorado CO Healthcare Provider 3370 | Friday | 2017 | |
Skin Cancer Specialists, P.C. | GA | Healthcare Provider | 3365 | 2017-03-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Skin Cancer Specialists, P.C. GA Healthcare Provider 3365 | Friday | 2017 |
Dr. Dennis T. Myers, D.D.S., P.A. | MO | Healthcare Provider | 3364 | 2016-10-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Dr. Dennis T. Myers, D.D.S., P.A. MO Healthcare Provider 3364 | Monday | 2016 |
Wonderful Center For Health Innovation | CA | Healthcare Provider | 3358 | 2017-01-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported a breach of 3,091 individuals’ electronic protected health information (ePHI), after a laptop computer was stolen from a workforce member’s unlocked car between December 9, 2016 and December 12, 2016. The types of ePHI involved in the breach included diagnoses or conditions, lab results, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. It provided OCR with evidence that it responded to the security incident and implemented physical and technical security safeguards, updated its security analysis, sanctioned the workforce members, and trained the entire staff. OCR provided technical assistance regarding the HIPAA Security Rule. | Wonderful Center For Health Innovation CA Healthcare Provider 3358 | Friday | 2017 |
North Texas Medical Center | TX | Healthcare Provider | 3350 | 2018-03-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | North Texas Medical Center TX Healthcare Provider 3350 | Thursday | 2018 |
Bellevue Hospital Center | NY | Healthcare Provider | 3334 | 2015-04-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Bellevue Hospital Center NY Healthcare Provider 3334 | Tuesday | 2015 |
Bio-Reference Laboratories Inc | NJ | NA | 3334 | 2014-07-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | Bio-Reference Laboratories Inc NJ NA 3334 | Wednesday | 2014 |
Partners HealthCare System, Inc. | MA | Healthcare Provider | 3321 | 2015-05-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Partners HealthCare System, Inc. MA Healthcare Provider 3321 | Friday | 2015 |
Skin and Cancer Center of Arizona | AZ | Healthcare Provider | 3311 | 2015-09-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR investigated the covered entity (CE), Skin and Cancer Center of Arizona, after the CE reported a breach of 3,311 individuals’ protected health information (PHI) that it learned about on July 29, 2015. A former employee possessed PHI from the CE’s office, which was further disclosed to the former employee’s new employer after her employment ended on March 18, 2015. The breach affected patients’ names, dates of birth, telephone numbers, insurance company names, and reasons for appointment(s). The CE provided breach notification to HHS, affected individuals, and the media. In response to OCR’s contact in this matter, the CE retrieved all the breached PHI, ensured the former employee and the former employee’s new employer no longer had copies of the PHI, and that they ceased from further use or disclosure of the PHI. The CE also took steps to retrain workforce members, implemented regular workforce HIPAA reminders, and increased the physical security of its employee workspace. OCR obtained documentation that the CE implemented these corrective actions. | Skin and Cancer Center of Arizona AZ Healthcare Provider 3311 | Monday | 2015 |
St. Joseph Health System | TX | Business Associate | 3300 | 2014-03-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | St. Joseph Health System TX Business Associate 3300 | Wednesday | 2014 |
Dean Health Systems, Inc.; St. Mary’s Hospital; St. Marys Dean Ventures, Incorporated | WI | Healthcare Provider | 3288 | 2010-12-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Dean Health Systems, Inc.; St. Mary’s Hospital; St. Marys Dean Ventures, Incorporated WI Healthcare Provider 3288 | Monday | 2010 |
CCRM Minneapolis, P.C. | MN | Healthcare Provider | 3280 | 2017-12-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | CCRM Minneapolis, P.C. MN Healthcare Provider 3280 | Friday | 2017 |
Spokane VA Medical Center | WA | Healthcare Provider | 3275 | 2017-09-20 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Spokane VA Medical Center WA Healthcare Provider 3275 | Wednesday | 2017 |
Thomas L. Davis, Jr. DDS | OR | Healthcare Provider | 3269 | 2013-03-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | | Thomas L. Davis, Jr. DDS OR Healthcare Provider 3269 | Friday | 2013 |
Indiana University | IN | Health Plan | 3266 | 2012-11-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted and password protected laptop computer was stolen from the car of an employee (medical resident) of the covered entity (CE). The laptop contained the electronic protected health information (ePHI) of approximately 3,266 individuals. The types of ePHI in the breach included names, medical record numbers, birth dates, diagnosis codes, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE audited the employee’s department and equipment, retrained the involved employee and other staff, updated its HIPAA policies and procedures, and encrypted its laptop computers. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Indiana University IN Health Plan 3266 | Monday | 2012 |
Indiana University | IN | Healthcare Provider | 3266 | 2011-10-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted and password protected laptop computer was stolen from the car of an employee (medical resident) of the covered entity (CE). The laptop contained the electronic protected health information (ePHI) of approximately 3,266 individuals. The types of ePHI in the breach included names, medical record numbers, birth dates, diagnosis codes, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE audited the employee’s department and equipment, retrained the involved employee and other staff, updated its HIPAA policies and procedures, and encrypted its laptop computers. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Indiana University IN Healthcare Provider 3266 | Tuesday | 2011 |
Vanderbilt University Medical Center | TN | Healthcare Provider | 3247 | 2017-02-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Vanderbilt University Medical Center TN Healthcare Provider 3247 | Friday | 2017 |
Riderwood Village | MD | Healthcare Provider | 3230 | 2013-01-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Riderwood Senior Living Community, after it reported that five laptop computers (four of which were unencrypted) containing the electronic protected health information (ePHI) of 8,507 individuals were stolen from the facility’s physical therapy department. The ePHI included names, dates of birth, addresses, Health plan ID numbers, and discussions of therapy treatments. Upon discovering the breach, the CE filed a police report, mailed individual notice of the breach to all current and former Riderwood residents and affected health plan members, issued a press release to seven media outlets, posted substitute notice on its website for 90 days, and reported the breach to HHS. Following this breach, the CE encrypted laptops, revised security procedures, and retrained employees. OCR obtained written assurance that the CE implemented the corrective action listed above as well as new security policies and procedures to ensure adequate safeguards of ePHI. | Riderwood Village MD Healthcare Provider 3230 | Thursday | 2013 |
Cathrine Steinborn, DDS | CA | Healthcare Provider | 3224 | 2015-02-27 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported a breach of 3,224 individuals’ electronic protected health information (ePHI), as a result of an office burglary on January 5, 2015. The stolen server contained names, addresses, dates of birth, telephone numbers, social security numbers, insurance information, medical information, and billing information. The CE provided OCR with evidence that it responded to the security incident and undertook steps to prevent the risk of future security incidents by implementing physical and technical security safeguards; updating security analysis, and training the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule. | Cathrine Steinborn, DDS CA Healthcare Provider 3224 | Friday | 2015 |
AltaMed Health Services Corporation | CA | Healthcare Provider | 3206 | 2014-08-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | Paper/Films | NA | NA | NA | NA | NA | No | | AltaMed Health Services Corporation CA Healthcare Provider 3206 | Friday | 2014 |
Steven Yang, D.D.S., INC. | CA | Healthcare Provider | 3202 | 2018-01-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Steven Yang, D.D.S., INC. CA Healthcare Provider 3202 | Friday | 2018 |
North Texas Comprehensive Spine & Pain Center | TX | Healthcare Provider | 3200 | 2013-08-19 | Loss | Theft | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On August 19, 2013, the covered entity (CE), North Texas Comprehensive Spine & Pain Center, reported a breach when an employee’s car was broken into and an external hard drive was stolen. The hard drive contained the demographic and clinical information of 3,200 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The employee was authorized to take protected health information (PHI) home as part of her job duties. Following the breach, the CE sanctioned the involved employee, encrypted its hard drives, and changed its policies to prohibit employees from remotely accessing PHI. OCR verified the corrective action taken by the CE. | North Texas Comprehensive Spine & Pain Center TX Healthcare Provider 3200 | Monday | 2013 |
Metro Community Provider Network | CO | Healthcare Provider | 3200 | 2012-01-27 | Hacking/IT Incident | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. With this settlement amount, OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule. “Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.” The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MCPN | Metro Community Provider Network CO Healthcare Provider 3200 | Friday | 2012 |
J.A. Stokes Ltd. | NV | Healthcare Provider | 3200 | 2018-09-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | NA | J.A. Stokes Ltd. NV Healthcare Provider 3200 | Wednesday | 2018 |
Wyoming Medical Center | WY | Healthcare Provider | 3184 | 2016-04-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On February 25, 2016, Wyoming Medical Center, the covered entity (CE), discovered that a hacker compromised two employees’ email accounts after the employees succumbed to the hacker’s phishing emails. The breach allowed the hacker access to 3,184 individuals’ electronic protected health information (ePHI), including names, medical record numbers, account numbers, dates of hospital service, dates of birth, and other medical information. Following the breach and as a result of OCR’s investigation, the CE notified affected individuals and the media of the breach, changed email passwords, scanned its systems confirming the absence of malware, and provided its employees additional training specifically designed to address phishing awareness. OCR also provided the CE with technical assistance regarding its obligation to safeguard ePHI that is either transmitted over an electronic communications network (via email) or maintained (at rest) in an email server. | Wyoming Medical Center WY Healthcare Provider 3184 | Wednesday | 2016 |
Liberty Resources, Inc. | PA | Healthcare Provider | 3183 | 2012-08-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An employee’s personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above. | Liberty Resources, Inc. PA Healthcare Provider 3183 | Friday | 2012 |
Medical College of Wisconsin | WI | Healthcare Provider | 3179 | 2016-09-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized third party compromised the protected health information (PHI) found in an employee’s email account for a period of three days. The compromised email account contained the PHI of 3,225 individuals. The types of PHI involved in the breach included full names, home addresses, dates of birth, medical record numbers, diagnoses, and/or treatment information, and the social security numbers of two patients. The covered entity (CE), Medical College of Wisconsin, provided breach notification to HHS, affected individuals, and the media and also posted a substitute notice. Following the breach, the CE retained a forensic firm, retrained the employee with the compromised email account, and implemented new safeguards. OCR obtained written assurances that the CE implemented the actions listed above. | Medical College of Wisconsin WI Healthcare Provider 3179 | Friday | 2016 |
SynerMed / Inland Valleys IPA | CA | Business Associate | 3164 | 2013-05-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On April 14, 2013, a SynerMed employee’s laptop computer was stolen out of her vehicle while parked in front of her home. The laptop contained the protected health information (PHI) of 3,164 individuals, and included patients’ names, member identification, dates of service, reasons for visits, and procedure codes. The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to this incident, the CE improved physical security, encrypted all computers, counseled the employee involved, and trained staff. It also reviewed its policies and implemented an encryption policy. OCR obtained assurances that the CE implemented the corrective actions listed above. | SynerMed / Inland Valleys IPA CA Business Associate 3164 | Friday | 2013 |
Mankato Clinic | MN | Healthcare Provider | 3159 | 2010-12-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Mankato Clinic MN Healthcare Provider 3159 | Tuesday | 2010 |
Thomas Jefferson University Hospitals, Inc. | PA | Healthcare Provider | 3150 | 2011-10-14 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Thomas Jefferson University Hospitals, Inc. PA Healthcare Provider 3150 | Friday | 2011 |
Illinois Department of Healthcare and Family Services | IL | Healthcare Provider | 3133 | 2013-07-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Family Health Network, a business associate (BA) for the covered entity (CE), Illinois Department of Healthcare and Family Services, mailed member identification cards to the wrong addresses due to a computer program error. The breach affected the protected health information of approximately 3,133 individuals and included names, dates of birth, and State-issued Medicaid numbers. Following the breach, the BA corrected the case number conversion process and manually reviewed the imported data. The CE and the BA reviewed their respective privacy policies and procedures and reminded all workforce members of those policies. The BA provided breach notification to HHS, the CE, affected individuals, and the media. OCR obtained documented assurances that the CE implemented the corrective actions steps noted above. | Illinois Department of Healthcare and Family Services IL Healthcare Provider 3133 | Monday | 2013 |
Family Health Network | IL | Business Associate | 3133 | 2013-07-08 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Family Health Network IL Business Associate 3133 | Monday | 2013 |
Schneck Medical Center | IN | Healthcare Provider | 3131 | 2013-04-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Schneck Medical Center IN Healthcare Provider 3131 | Friday | 2013 |
MGA Home Healthcare Colorado, Inc. | AZ | Healthcare Provider | 3119 | 2016-10-19 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | MGA Home Healthcare Colorado, Inc. AZ Healthcare Provider 3119 | Wednesday | 2016 |
Vail Clinic, Inc. dba Vail Valley Medical Center, and dba Howard Head Sports Medicine | CO | Healthcare Provider | 3118 | 2016-04-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Vail Clinic, Inc. dba Vail Valley Medical Center, and dba Howard Head Sports Medicine CO Healthcare Provider 3118 | Friday | 2016 |
NEA Baptist Clinic | AR | Healthcare Provider | 3116 | 2011-09-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An unknown individual hacked into a database that contained electronic protected health information (ePHI) of individuals who had registered online with the covered entity (CE) in the last eight years. The PHI involved in the breach, which affected approximately 3,116 patients, included names, addresses and dates of birth. The CE provided breach notification to HHS and affected individuals. Following this breach, the CE shut down its “old” website and replaced it with a “new” website with improved safeguards such as blocking of specific IP addresses, strong authentication for areas that are not available to the general public, and secure web browsers. As a result of OCR’s investigation, the CE created new procedures to protect ePHI, including procedures for inventory and asset management, as well as tracking encrypted devices. | NEA Baptist Clinic AR Healthcare Provider 3116 | Wednesday | 2011 |
WA State Department of Social & Health Services | WA | Health Plan | 3104 | 2014-02-11 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) erroneously sent mail to 3,104 clients at incorrect addresses due to a coding error in an internal database. The protected health information (PHI) contained in the mailing may have included clients’ names, addresses, and client identification numbers, and some letters also included dates of birth, social security numbers, diagnoses, and financial information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE hired a firm to conduct an independent evaluation of the data breach to identify and correct the root causes of this incident. The CE formed a Quality Improvement Team to increase oversight of production and ensure that quality assurance processes are strictly followed. As a result of OCR’s investigation, OCR provided technical assistance on the timeliness of notifications and incident reporting and obtained assurances that the corrective actions listed above were completed. | WA State Department of Social & Health Services WA Health Plan 3104 | Tuesday | 2014 |
Geisinger Bloomsburg Hospital | PA | Healthcare Provider | 3101 | 2014-01-23 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Archived protected health information (PHI) for 3,101 individuals could not be located by the CE, Geisinger Bloomsburg Hospital, after it was acquired by Geisinger, although copies of the PHI were available. There was no evidence that the PHI had been impermissibly disclosed or stolen. OCR provided the CE with information on what constitutes a breach under the Breach Notification Rule. The CE posted notice on its website and notified the media and patients although there was no indication that PHI had been accessed, used, or disclosed. The CE also re-trained staff on safeguards and proper disposal of PHI and stated that additional corrective steps would be taken to reinforce privacy practices in its new facility. | Geisinger Bloomsburg Hospital PA Healthcare Provider 3101 | Thursday | 2014 |
Saint Louis University | MO | Healthcare Provider | 3100 | 2013-10-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Saint Louis University MO Healthcare Provider 3100 | Monday | 2013 |
Flex Physical Therapy | WA | Healthcare Provider | 3100 | 2012-01-27 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On 12/30/2011, three password protected desktop computers were stolen as a result of a break-in. The electronic protected health information (ePHI) involved in the breach may have contained the names, social security numbers, addresses, dates of birth, claims information, diagnosis and treatment information of 3,100 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Following the breach, the CE upgraded its software and addressed facility access controls. OCR provided technical assistance regarding encryption standards and breach notification requirements. | Flex Physical Therapy WA Healthcare Provider 3100 | Friday | 2012 |
Cancer Care Northwest P.S. | WA | Healthcare Provider | 3100 | 2011-02-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE’s website. | Cancer Care Northwest P.S. WA Healthcare Provider 3100 | Wednesday | 2011 |
ADT LLC Group Health & Welfare Plan | FL | Health Plan | 3074 | 2015-04-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | ADT LLC Group Health & Welfare Plan FL Health Plan 3074 | Tuesday | 2015 |
Kaiser Foundation Healthplan, Inc. of Southern California | CA | Health Plan | 3044 | 2016-11-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaiser Foundation Healthplan, Inc. of Southern California CA Health Plan 3044 | Sunday | 2016 |
St. Therese Medical Group, Inc | CA | Healthcare Provider | 3031 | 2012-09-17 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | St. Therese Medical Group, Inc CA Healthcare Provider 3031 | Monday | 2012 |
MAXIMUS, Inc. / Business Ink, Co. | VA | Business Associate | 3029 | 2018-04-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | MAXIMUS, Inc. / Business Ink, Co. VA Business Associate 3029 | Tuesday | 2018 |
Easter Seal Society of Superior California, Privacy Manager Breach | CA | Healthcare Provider | 3026 | 2014-02-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A work-issued laptop computer containing 3,026 clients’ protected health information (ePHI) was stolen out of an employee’s locked car. The types of ePHI involved in the breach included financial, demographic, and clinical information. The covered entity’s (CE) investigation revealed that, although the computer was powered off, password protected and not connected to the internet at the time of the theft, e-mails containing the respective e-PHI could still be accessed. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. It also provided affected individuals with one free year of credit monitoring and restoration, tips on protecting against ID theft, and a confidential privacy line to call with questions or concerns. Upon learning of the theft, the CE launched an internal investigation, hired specialized data security counsel to assist in responding to the incident, and retained external forensic experts to assist in determining the scope of the breach. The CE improved safeguards by reviewing its privacy and security policies and procedures, implementing a risk mitigation plan that reflects the current work environment, encrypting its laptop computers, and updating its policies and procedures on portable/mobile devices. It also retrained workforce members. OCR provided technical assistance regarding the HIPAA Security Rule requirements and obtained written documentation that the CE implemented the corrective actions listed above. | Easter Seal Society of Superior California, Privacy Manager Breach CA Healthcare Provider 3026 | Friday | 2014 |
Medical Center Ophthalmology Associates | TX | Healthcare Provider | 3017 | 2018-04-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Medical Center Ophthalmology Associates TX Healthcare Provider 3017 | Monday | 2018 |
The Finley Center | NV | Healthcare Provider | 3000 | 2016-10-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On September 17, 2015, a desktop computer containing scheduling software was stolen from the covered entity (CE), The Finley Center. The computer contained the demographic and financial information of approximately 3,000 individuals. The CE provided breach notification to HHS and affected individuals. In response to the breach, as well as OCR’s investigation of the breach incident, the CE implemented new technical, administrative, and physical safeguards, and revised its HIPAA policies and procedures. | The Finley Center NV Healthcare Provider 3000 | Thursday | 2016 |
You and Your Health Family Care, Inc. | FL | Healthcare Provider | 3000 | 2016-10-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), You and Your Health Family Care, Inc., discovered a ransomware virus accessed its server through an open firewall port on September 11, 2016. The ransomware accessed data that included patient names, addresses, dates of birth, Social Security numbers, and clinical information for 1,456 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE initiated a comprehensive review of its privacy and security safeguards, secured all open ports in its firewall, reviewed and secured all user accounts and strengthened passwords, and installed additional security software. It developed a plan to implement an audit system and encryption mechanisms, and retrain all staff after it finishes the in-depth review and update of its privacy and security policies. Additionally, it will conduct a risk analysis on an annual basis moving forward. OCR obtained assurances that the CE implemented the corrective actions listed above. | You and Your Health Family Care, Inc. FL Healthcare Provider 3000 | Thursday | 2016 |
The Vein Doctor | MO | Healthcare Provider | 3000 | 2016-06-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | NA | The Vein Doctor MO Healthcare Provider 3000 | Friday | 2016 |
Morton Medical Center, PLLC | WA | Healthcare Provider | 3000 | 2016-03-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | In March 2016, the covered entity (CE), Morton Medical Center, reported that a virus encrypted many of its merge documents and held them for ransom, preventing the CE from printing any documents that required merging data. An internal investigation revealed that the ransomware had been introduced into its systems through an “add-on” through the Internet. After paying the ransom, the hacker(s) released the CE’s entire electronic protected health information (ePHI). The breach affected the ePHI of approximately 3,000 individuals; however, there were no indications that ePHI was actually uploaded or accessed. If the hackers accessed the ePHI, it would have contained names, addresses, demographic information and, possibly, some diagnostic information. Following the breach, the CE conducted an enterprise-wide analysis of the various risks to its ePHI and developed a risk management plan. The CE then overhauled its entire information technology system, focusing on strengthening its physical, administrative, and technical safeguards. The CE also re-trained its workforce members and implemented a new policy that prohibits Internet access for other than business reasons. OCR provided technical assistance regarding the requirements of the Breach Notification Rule. | Morton Medical Center, PLLC WA Healthcare Provider 3000 | Thursday | 2016 |
Group Life Hospital and Medical Program | CT | Health Plan | 3000 | 2016-02-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Group Life Hospital and Medical Program CT Health Plan 3000 | Monday | 2016 |
Roark’s Pharmacy | TN | Healthcare Provider | 3000 | 2016-02-19 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Roark’s Pharmacy, discovered on January 13, 2016, that its facility had been broken into and computer hard drives containing the protected health information (PHI) of 3,000 individuals were stolen. The types of PHI on the hard drives included patients’ names, dates of birth, addresses, diagnoses, conditions, medications, health insurance information, and social security numbers (when used as ID numbers for certain insurance carriers). The CE provided breach notification to HHS and to affected individuals. OCR provided technical assistance to the CE regarding the Breach Notification Rule and impermissible disclosures. In addition, OCR provided resource materials regarding small businesses and the Privacy and Security Rules. In response to the breach, the CE increased its physical security by installing a metal gate over its front door, improving its security alarm system, and physically hiding and securing sensitive equipment. OCR obtained assurances that the CE implemented the corrective actions listed above. | Roark’s Pharmacy TN Healthcare Provider 3000 | Friday | 2016 |
G&S Medical Associates, LLC | NJ | Healthcare Provider | 3000 | 2016-01-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity, G&S Medical Associates, LLC (“CE”) reported a breach stating that an unknown individual had encrypted a file on a desktop computer which prohibited the CE from accessing the protected health information (PHI) of at least 400 patients. The initial report estimated the number of patients affected as 3,000, though later the CE filed an addendum reducing the number of affected patients. The health information that was compromised included patient names, dates of service and progress notes. The CE provided breach notification to HHS, updated its safeguards policy and implemented an anti-virus solution. As a result of an investigation, OCR provided technical assistance, and the CE is expected to notify the affected individuals of the impermissible disclosure, document the impermissible disclosure in the affected individuals’ medical record, conduct a risk analysis, implement a risk management plan, and implement a security incident policy and procedure. OCR stated the expectation that the CE will ensure that all staff are trained on all new policies and procedures and with Security Awareness and Privacy Rule training. | G&S Medical Associates, LLC NJ Healthcare Provider 3000 | Thursday | 2016 |
St. Martin Parish School Based Health Centers | LA | Healthcare Provider | 3000 | 2015-06-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | NA | NA | NA | NA | NA | No | On June 15, 2015, St. Martin Parish School Based Health Centers reported a breach at one of its clinics, Cecilia School Based Health Center (CSBHS). The covered entity (CE) experienced a breach of protected health information (PHI) affecting 3,000 individuals when four desktop computers, one laptop, a wireless router, and several printers were stolen during an office break-in on April 30, 2016. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media. As a result of this incident, the CE conducted a post-incident risk analysis and directed staff to change and update all passwords. The CE also remotely disabled the login capability for each computer. The CE improved physical security at the CSBHS facility. In addition, the CE stated that no data is stored locally on its computers. OCR obtained assurances from the CE that it implemented the corrective actions listed above. | St. Martin Parish School Based Health Centers LA Healthcare Provider 3000 | Monday | 2015 |
University of Illinois at Chicago | IL | Healthcare Provider | 3000 | 2015-04-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A physician’s assigned laptop computer containing the electronic protected health information (ePHI) of approximately 3,000 individuals was stolen. The type of ePHI involved in the breach included diagnoses and conditions of the individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE updated relevant HIPAA policies, including encryption, to ensure the safeguarding of ePHI and sanctioned the physician involved. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also notified the deans and directors of all the CE’s healthcare components of the corrective actions taken in response to this incident. | University of Illinois at Chicago IL Healthcare Provider 3000 | Tuesday | 2015 |
Hunt Regional Medical Partners | TX | Healthcare Provider | 3000 | 2015-02-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Vandals broke into a building storing paper protected health information (PHI) for the covered entity (CE), Hunt Regional Medical Partners. The types of PHI involved in the breach included patients’ names, addresses, dates of birth, social security numbers, claims information, and patients’ chart information. Approximately 3,000 individuals were affected. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical safeguards and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Hunt Regional Medical Partners TX Healthcare Provider 3000 | Wednesday | 2015 |
RevSpring, Inc. | MI | Business Associate | 3000 | 2014-01-06 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Due to a printing error at the covered entity’s (CE) business associate (BA), RevSpring, Inc., patients received billing statements containing other patients’ protected health information (PHI). The breach affected approximately 3,000 individuals. The types of PHI involved in the breach included names, account numbers, balances owed, procedure codes, procedure descriptions, providers’ names, and dates of services. Following the breach, the CE obtained assurances from the BA that additional safeguards would be implemented to prevent future disclosures. OCR reviewed the CE’s policies and procedures to ensure compliance with the Privacy and Security Rules. | RevSpring, Inc. MI Business Associate 3000 | Monday | 2014 |
WOMENS HEALTH ENTERPRISE, INC. | GA | Healthcare Provider | 3000 | 2013-02-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | WOMENS HEALTH ENTERPRISE, INC. GA Healthcare Provider 3000 | Wednesday | 2013 |
Ameritas Life Insurance Corp. | NE | Health Plan | 3000 | 2012-05-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Ameritas Life Insurance Corp. NE Health Plan 3000 | Monday | 2012 |
Iowa Department of Human Services | IA | Health Plan | 3000 | 2012-05-11 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Iowa Department of Human Services IA Health Plan 3000 | Friday | 2012 |
Oakland Vision Services, PC | MI | Healthcare Provider | 3000 | 2012-05-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Oakland Vision Services, PC MI Healthcare Provider 3000 | Thursday | 2012 |
Living Healthy Community Clinic | WI | Business Associate | 3000 | 2011-09-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | | Living Healthy Community Clinic WI Business Associate 3000 | Tuesday | 2011 |
SpaMed Solutions, LLC, Edward McMenamin President, | NJ | Business Associate | 3000 | 2011-08-28 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | Other | Other Portable Electronic Device | Paper/Films | | Yes | | SpaMed Solutions, LLC, Edward McMenamin President, NJ Business Associate 3000 | Sunday | 2011 |
The Dermatology Center of Raleigh PA | NC | Healthcare Provider | 3000 | 2017-07-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | The Dermatology Center of Raleigh PA NC Healthcare Provider 3000 | Wednesday | 2017 |
Jewish Hospital | KY | Healthcare Provider | 2992 | 2014-03-28 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | A small number of employees of the covered entity (CE), Jewish Hospital, responded to “phishing” emails that appeared legitimate and disclosed the demographic and clinical protected health information (PHI) of approximately 2,992 individuals. The PHI involved in the breach included names, addresses, birthdates, diagnoses, treatments received, health insurance information and the social security numbers of a few individuals. In response to the incident, the CE secured the affected email accounts and arranged for a forensic investigation. While the CE has no evidence that the electronic PHI in the employees’ mailboxes was accessed or otherwise infiltrated by the phishing scheme, it nonetheless sent breach notification letters and offered one year of free credit monitoring and identity theft protection services to all potentially affected individuals. It also provided breach notification to HHS and the media and provided substitute notice. Following the breach, the CE deployed anti-phishing software, accelerated its employee phishing education campaign, established a quick reaction team for proactively blocking phishing or other web-based threats, and enhanced its auditing and logging controls. OCR obtained assurances that the corrective actions listed above were completed. | Jewish Hospital KY Healthcare Provider 2992 | Friday | 2014 |
St. Mark’s Medical Center | TX | Healthcare Provider | 2988 | 2012-12-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | St. Mark’s Medical Center TX Healthcare Provider 2988 | Monday | 2012 |
Sleep HealthCenters LLC | MA | Healthcare Provider | 2988 | 2011-12-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Sleep HealthCenters LLC MA Healthcare Provider 2988 | Wednesday | 2011 |
Suburban Lung Associates | IL | Healthcare Provider | 2984 | 2015-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Suburban Lung Associates IL Healthcare Provider 2984 | Monday | 2015 |
Georgia Department of Human Services | GA | Health Plan | 2983 | 2015-07-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Georgia Department of Human Services, the covered entity (CE), discovered that on June 8, 2015, an employee emailed a password protected spreadsheet containing protected health information (PHI) to three recipients at a contractor of the CE for research purposes. The contractor was not considered a business associate of the CE. The CE investigated and determined that the spreadsheet contained PHI for 2,983 individuals, including full names, general geographic areas of residence, internal identification numbers, dates of most recent medical assessments, and the diagnoses associated with those assessments. The CE obtained assurances from the recipients that all versions of the spreadsheet and corresponding email chains were deleted and not accessed by anyone else. The CE provided timely breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained its workforce, revised its policies and procedures, improved its training program, and implemented additional clearance and approval requirements for the sharing of data. OCR obtained assurances that the CE implemented the corrective actions listed above. | Georgia Department of Human Services GA Health Plan 2983 | Wednesday | 2015 |
Iowa Veterans Home | IA | Healthcare Provider | 2969 | 2017-04-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On April 13, 2017, three Iowa Veterans Home employees mistakenly provided their credentials in response to a phishing email during the covered entity’s (CE) migration from Microsoft to Google for emails. The breach potentially affected the protected health information (PHI) of 2,969 individuals, including full names, social security numbers, dates of birth, addresses, driver’s licenses, and clinical information. The CE provided timely breach notification to HHS, affected individuals, and the media. The CE retrained staff and initiated testing two-factor email authentication with staff and customers. OCR obtained assurances from the CE that it has implemented the corrective actions listed above. | Iowa Veterans Home IA Healthcare Provider 2969 | Friday | 2017 |
Humana Inc [case #15381] | KY | Health Plan | 2962 | 2014-05-23 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On April 2, 2014, an unencrypted portable media device containing electronic protected health information (ePHI) was stolen from an employee’s locked vehicle. The portable media device contained the demographic data (including some social security numbers), clinical, and health insurance information of 2,962 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The offending employee was terminated as a direct result of violating the CE’s policy prohibiting the use of unencrypted devices to store and transport PHI. In addition, the CE re-educated employees about this policy and instructed management teams to ensure that proper procedures were being followed. OCR obtained assurances that the corrective actions were taken. | Humana Inc [case #15381] KY Health Plan 2962 | Friday | 2014 |
Catalina Post-Acute Care and Rehabilitation | AZ | Healthcare Provider | 2953 | 2017-02-02 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Catalina Post-Acute Care and Rehabilitation AZ Healthcare Provider 2953 | Thursday | 2017 |
Einstein Healthcare Network | PA | Healthcare Provider | 2939 | 2016-04-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Einstein Healthcare Network, reported that between April 11, 2013 and March 21, 2017, its website, Einstein.edu, contained a webpage form where a visitor could “Request an Appointment” that allowed protected health information (PHI) to be left accessible via the internet, including demographic and clinical information. The CE staff used this data to schedule the requested appointment(s) for patients. The CE learned that it was possible to cause the website to display PHI by submitting an unexpected string of characters in the universal resource locator (URL). Google accessed these specially crafted URLs in order to attempt to add these web pages to the list of pages that can be searched by Google. The CE reviewed the information provided on the forms and determined that it demonstrated a low probability of compromise for most patients. The CE provided breach notification to the remaining 2,034 patients, HHS, and the media. Following the breach, the CE worked with Google to have the information removed from indexing. Subsequently, the CE conducted a system wide risk assessment and penetration test to specifically assess for security vulnerabilities on the website, changed the vendor used for website creation and hosting and built and tested a new “Einstein.edu” website. OCR obtained assurances that the CE implemented the corrective actions listed. | Einstein Healthcare Network PA Healthcare Provider 2939 | Friday | 2016 |
Warren Clinic | OK | Healthcare Provider | 2938 | 2016-10-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Warren Clinic OK Healthcare Provider 2938 | Friday | 2016 |
Prima Medical Foundation | CA | Healthcare Provider | 2933 | 2016-09-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Medical Practice Concepts, Inc., a business associate (BA) that provides the covered entity (CE), Prima Medical Foundation, with business and health care system services, experienced a ransomware infection. A third party forensic firm hired to investigate this incident found no evidence that protected health information was accessed, viewed, or transferred. However, the BA informed the CE that during the data restoration process one of their backup systems failed, causing the loss of certain information documented by the CE’s physicians during the period from July 11, 2016 through July 26, 2016. OCR has consolidated the review of this case into a review of the BA. | Prima Medical Foundation CA Healthcare Provider 2933 | Monday | 2016 |
Centegra Health System | IL | Healthcare Provider | 2929 | 2015-12-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Centegra Health System IL Healthcare Provider 2929 | Tuesday | 2015 |
Geisinger Wyoming Valley Medical Center | PA | Healthcare Provider | 2928 | 2010-12-28 | Theft | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) staff physician emailed the protected health information (PHI) of approximately 2,900 individuals to his home email account while working on an analysis. The PHI included names, addresses, dates of birth, social security numbers, and medication information. Following the breach, the CE sanctioned the physician and implemented a plan to auto-encrypt all PHI sent through email. As a result of OCR’s investigation, the CE improved its physical safeguards and retrained employees. | Geisinger Wyoming Valley Medical Center PA Healthcare Provider 2928 | Tuesday | 2010 |
Insurance Data Services | MI | Business Associate | 2918 | 2015-10-08 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On September 15, 2015, a zippered bag was stolen from a delivery service vehicle with month-end reports for Insurance Data Services, a business associate (BA) of the covered entity (CE), Claystone Clinical Associates. The BA reported that this breach affected 2,918 individuals. The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, balances, insurance providers, diagnostic and procedure codes, addresses, and phone numbers. The BA investigated the breach and assured that the theft was reported to the police. The BA provided breach notification to HHS, affected individuals, and the media. The BA also updated its procedures to utilize a secure client portal to transmit PHI with clients. As a result of OCR’s investigation the BA created policies and procedures relating to safeguarding PHI, using and disclosing PHI, and Breach Rule Notification and trained its staff on its policies. OCR obtained written assurances that the CE completed the corrective actions listed. | Insurance Data Services MI Business Associate 2918 | Thursday | 2015 |
Pamlico Medical Equipment LLC | NC | Healthcare Provider | 2917 | 2012-07-17 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Pamlico Medical Equipment LLC NC Healthcare Provider 2917 | Tuesday | 2012 |
Rite Aid Store 1343 | WV | Healthcare Provider | 2905 | 2012-05-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 29, 2012, the covered entity (CE), Rite Aid Store 1343, discovered that hard copy prescriptions from 2004 were stolen from a storage building in Oceana, West Virginia. The prescriptions contained the protected health information (PHI), of approximately 2,905 individuals, and included names and prescription information. After the breach was discovered, the CE removed two remaining boxes of prescriptions from the storage unit and secured them. The CE also improved physical safeguards by placing a new lock on the outside of the storage facility. The CE reported the incident to the authorities. As several staff members violated company policy by not ensuring that the storage area was properly secured, the CE issued final written warnings to all responsible staff members. The CE provided breach notification to HHS, affected individuals, and the media, and also offered each affected individual free identity theft protection services for one year. OCR obtained assurances that the CE implemented the corrective actions listed. | Rite Aid Store 1343 WV Healthcare Provider 2905 | Thursday | 2012 |
Logan Community Resources, Inc. | IN | Healthcare Provider | 2900 | 2012-10-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Logan Community Resources, Inc. IN Healthcare Provider 2900 | Tuesday | 2012 |
Rite Aid Corporation | PA | Healthcare Provider | 2900 | 2011-12-07 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Rite Aid Corporation PA Healthcare Provider 2900 | Wednesday | 2011 |
Julie A. Kennedy, D.M.D., P.A. | FL | Healthcare Provider | 2900 | 2011-10-31 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE installed encryption software and increased physical security. | Julie A. Kennedy, D.M.D., P.A. FL Healthcare Provider 2900 | Monday | 2011 |
Don White, RN, DC, PC dba Canyon Rd Chiropractic and Massage | OR | Healthcare Provider | 2900 | 2018-08-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Don White, RN, DC, PC dba Canyon Rd Chiropractic and Massage OR Healthcare Provider 2900 | Friday | 2018 |
MGA Home Healthcare Colorado, Inc. | AZ | Healthcare Provider | 2898 | 2017-10-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | MGA Home Healthcare Colorado, Inc. AZ Healthcare Provider 2898 | Wednesday | 2017 |
Scenic Bluffs Health Center Inc | WI | Healthcare Provider | 2889 | 2018-04-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Scenic Bluffs Health Center Inc WI Healthcare Provider 2889 | Tuesday | 2018 |
Harris County Hospital District | TX | Healthcare Provider | 2875 | 2012-08-03 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | | Harris County Hospital District TX Healthcare Provider 2875 | Friday | 2012 |
Baylor Medical Center at Carrollton | TX | Healthcare Provider | 2874 | 2014-06-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | | Baylor Medical Center at Carrollton TX Healthcare Provider 2874 | Friday | 2014 |
CarePlus Health Plans [case 18772] | KY | Health Plan | 2873 | 2015-10-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On September 18, 2015, the covered entity (CE), CarePlus Health Plans, discovered that “Late Enrollment Penalty Premium Statements” mailed to members on September 11, 2015, had been mailed to incorrect members. The printing apparatus was accidentally programmed to insert two statements per envelope instead of one. The types of protected health information (PHI) involved in the mailing included the names, addresses, and identification number of 2,873 members. In response to the breach, the CE mailed correct statements, sanctioned the responsible employee, and retrained employees in the printing and correspondence department. The CE provided breach notification to HHS, to affected individuals, on its website and to the media. OCR obtained assurances that the CE implemented the corrective actions listed above. | CarePlus Health Plans [case 18772] KY Health Plan 2873 | Tuesday | 2015 |
Long Beach Memorial Medical Center | CA | Healthcare Provider | 2864 | 2013-07-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | | Long Beach Memorial Medical Center CA Healthcare Provider 2864 | Thursday | 2013 |
Health Advantage | AR | Health Plan | 2863 | 2012-12-20 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Health Advantage, mailed Personal Health Statements to approximately 2,863 plan members’ previous addresses due to an internal programming error. This incident affected additional patients (addressed in separate breach reports) in that the covered entity had contracted with other covered entities, BCBS of Arkansas, the State of Arkansas Department of Finance and Administration Employee Benefits Division health plan and Baptist Health System’s health plan. The protected health information (PHI) involved in the breach included patients’ demographic information, health insurance identification numbers, descriptions of treatment or services received, and names of treating facilities or providers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE corrected the programming error, purged outdated information from its system, and implemented new quality control procedures for mailings. As a result of OCR’s investigation, Health Advantage also revised or entered into multiple business associate agreements. | Health Advantage AR Health Plan 2863 | Thursday | 2012 |
Heartland Dental, LLC | IL | Business Associate | 2860 | 2015-06-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Heartland Dental, LLC IL Business Associate 2860 | Wednesday | 2015 |
Murali Menon, Privacy Manager Breach | CA | Healthcare Provider | 2855 | 2014-12-30 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | NA | No | The covered entity (CE), Murali Menon and Physicians Skin and Weight Centers, reported that on November 4, 2014, an employee’s password protected laptop computer and external hard drive containing the protected health information (PHI) of 2,855 individuals were stolen from a locked vehicle. The theft was discovered within an hour and police were immediately notified. The types of PHI involved in the breach included demographic, financial and clinical information, including names, addresses, dates of birth, social security numbers, credit card/bank account numbers, claims information, and other treatment information. The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring. As a result of OCR’s investigation, the CE discontinued all use of external hard drives and encrypted all its laptops within 30 days. Additionally the CE revised its policies regarding the removal of electronic devices from the work site, re-trained staff, and provided OCR with its policies and procedures regarding the administrative, physical, and technical safeguarding of electronic PHI. | Murali Menon, Privacy Manager Breach CA Healthcare Provider 2855 | Tuesday | 2014 |
South Carolina Department of Health and Environmental Control | SC | Health Plan | 2850 | 2010-04-22 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | South Carolina Department of Health and Environmental Control SC Health Plan 2850 | Thursday | 2010 |
StarCare Speciality Health System | TX | Healthcare Provider | 2844 | 2016-07-25 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | An unauthorized individual burglarized one of StarCare Specialty Health System’s facilities. Five laptop computers were stolen and paper files containing protected health information (PHI) showed signs of tampering. The types of PHI potentially affected included the names, assessments, progress notes, discharge plans, and medical record numbers of approximately 2,844 individuals. As a result of the breach, the covered entity (CE) improved safeguards, and provided affected individuals with free credit monitoring. Further, the CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed. | StarCare Speciality Health System TX Healthcare Provider 2844 | Monday | 2016 |
Saint Thomas Rutherford Hospital | TN | Healthcare Provider | 2837 | 2017-06-22 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Saint Thomas Rutherford Hospital TN Healthcare Provider 2837 | Thursday | 2017 |
QuadMed, LLC (Stoughton Trailers) | WI | Healthcare Provider | 2834 | 2018-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | QuadMed, LLC (Stoughton Trailers) WI Healthcare Provider 2834 | Monday | 2018 |
Options Counseling Center | NJ | Healthcare Provider | 2828 | 2014-05-09 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Options Counseling Center, after the CE reported that, between May 1, 2011 and July 29, 2011, an employee made photocopies of documents and printed documents from the computer system containing 2,828 patients’ protected health information (PHI) and disclosed the documents to his attorney. The types of PHI involved in the breach included, variously for different individuals, patients’ names, counseling session attendance verifications, internal CE account codes, charges, payments, addresses, telephone numbers, dates of birth, health insurance account information, and account balances, as well as 46 social security numbers. Upon discovery of the breach, the CE ensured the destruction of the PHI possessed by the (then former) employee and/or his attorney, and retrained staff. The CE also implemented new safeguards, including restricting the number of personnel who hold keys to the rooms and file cabinets that contain PHI, and converting its paper billing system to an electronic billing system, which establishes password-protected role-based access rights to varying levels of information. OCR obtained assurances that the CE implemented the corrective actions listed above. | Options Counseling Center NJ Healthcare Provider 2828 | Friday | 2014 |
The University of New Mexico | NM | Healthcare Provider | 2827 | 2016-06-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), The University of New Mexico, inadvertently mailed invoices intended for third party payers to random patients' addresses due to an error in the CE's billing system. The protected health information (PHI) included patients' names, patient care service categories, clinic names, pharmacies, and dates of service for 2,898 individuals. Upon discovering the breach, the CE manually reviewed its billing programs and put a hold on the billing program that created the error. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE improved technical and administrative safeguards and retrained appropriate staff on its updated procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | The University of New Mexico NM Healthcare Provider 2827 | Friday | 2016 |
Molina Healthcare of Texas, Inc. | TX | Health Plan | 2826 | 2013-12-21 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Molina Healthcare of Texas, Inc. TX Health Plan 2826 | Saturday | 2013 |
CHI Franciscan Health, St. Clare Hospital and St. Joseph Medical Center | WA | Healthcare Provider | 2818 | 2016-09-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On July 22, 2016, CHI Franciscan Health, the covered entity (CE), learned that an employee-physician had been impermissibly accessing St. Clare Hospital and St. Joseph Medical Center patient information since July 1, 2015, to try to expand the physician's client base. Approximately 2,818 individuals were affected by this breach incident. The types of electronic protected health information (ePHI) involved included clinical information, such as diagnoses, conditions, lab results, medications, and other treatment information. The CE provided breach notification to affected individuals, the media and HHS, and also posted information about the breach on its website. The CE created a call center for patients and other concerned individuals, so that such individuals could get up-to-date information on the breach incident and receive assistance as needed. In addition, the CE sanctioned the responsible physician in accordance with its HIPAA sanctions policy and retrained its workforce members on HIPAA, which included a session on "Acceptable Uses and Disclosures of PHI for Physicians." OCR obtained assurances that the CE implemented the corrective actions described above. | CHI Franciscan Health, St. Clare Hospital and St. Joseph Medical Center WA Healthcare Provider 2818 | Friday | 2016 |
Humana Inc [Case 18652] | KY | Health Plan | 2815 | 2015-09-30 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | Humana, Inc., the covered entity (CE), discovered that on August 20, 2015, a market staff employee's briefcase containing an encrypted laptop computer and unsecured paper documents was stolen from her locked vehicle. The CE investigated and determined that the stolen documents contained the protected health information (PHI) of 2,815 individuals, including full names, dates of birth, clinic names, and health insurance information. The CE issued new health insurance member identification numbers to affected individuals, and provided timely breach notification to HHS, to affected individuals, on its website and to the media. In response to the breach, the CE retrained its workforce, disseminated guidance material specifically addressing the proper handling and safeguarding of PHI, and revised procedures to eliminate transportation of PHI in paper format. OCR obtained assurances that the CE implemented the corrective actions listed above. | Humana Inc [Case 18652] KY Health Plan 2815 | Wednesday | 2015 |
Geisinger Health Plan | PA | Health Plan | 2814 | 2016-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Between July 30, 2016, and August 4, 2016, the covered entity (CE), Geisinger Health Plan, misdirected invoices to the incorrect recipients. The breach affected 2,814 individuals and the protected health information (PHI) involved in the breach included clinical and demographic information. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring for individuals. It also offered to change the health plan member numbers for affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. | Geisinger Health Plan PA Health Plan 2814 | Wednesday | 2016 |
Health Alliance Plan | MI | Health Plan | 2814 | 2018-07-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Health Alliance Plan MI Health Plan 2814 | Thursday | 2018 |
Northwestern Memorial HealthCare | IL | Healthcare Provider | 2813 | 2014-12-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Northwestern Memorial HealthCare IL Healthcare Provider 2813 | Tuesday | 2014 |
Schuylkill Health System | PA | Healthcare Provider | 2810 | 2013-10-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Schuylkill Health System PA Healthcare Provider 2810 | Friday | 2013 |
Courier Corporation of Hawaii | HI | Business Associate | 2809 | 2015-02-11 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Documents containing the protected health information (PHI) of 3,959 Kaiser Permanente patients, spilled onto the highway when the business associate (BA), Courier Corporation of Hawaii, transported the covered entity's (CE) documents to storage. Many but not all of the documents were retrieved from the road. The types of PHI involved in the breach included names, addresses, dates of birth, driver's license information, social security numbers, and other identifiers. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with free credit monitoring. To prevent a similar breach from happening in the future, the CE and BA retrained staff on HIPAA requirements, revised policies and procedures, and sanctioned workforce members (including termination). The CE and BA also took steps to mitigate harm. As a result of OCR's investigation, OCR obtained assurances that the notifications and corrective actions listed above were completed. | Courier Corporation of Hawaii HI Business Associate 2809 | Wednesday | 2015 |
Karmanos Cancer Center | MI | Healthcare Provider | 2808 | 2016-03-10 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Karmanos Cancer Center, lost an unencrypted flash drive that contained the protected health information (PHI) of approximately 2,808 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and it offered 12 months of credit monitoring to affected individuals. Following the breach, the CE retrained staff, published an article in its newsletter about encryption, and audited its business associate agreements. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Karmanos Cancer Center MI Healthcare Provider 2808 | Thursday | 2016 |
Pinellas County Board of County Commissioners | FL | Health Plan | 2800 | 2016-11-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On September 21, 2016, the covered entity (CE), Pinellas County Board of County Commissioners, discovered that it had posted a file containing protected health information (PHI) on an external website accessible by potential vendors. The file contained the dates of birth, employee identification numbers, and dental plan coverage elections of 2,757 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE altered its procedure for soliciting bids from vendors such that PHI is no longer involved. In addition, the CE retrained its workforce and sanctioned the responsible employee, who subsequently resigned from his employment with the CE. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pinellas County Board of County Commissioners FL Health Plan 2800 | Friday | 2016 |
Dr Axel Velez | PR | Healthcare Provider | 2800 | 2011-07-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Four computers containing the electronic protected health information (ePHI) of 2,143 patients were stolen from the covered entity (CE), Dr. Axel Velez. The PHI involved in the breach included patients' names, addresses, contact numbers, partial social security numbers, dates of birth, diagnostic information, dates of visits, patient numbers, referring physicians, physicians' telephone numbers, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved physical security by repairing the backdoor entrance to the office, installing an alarm system and video surveillance equipment, attaching cable locks to the workstation computers, servers and portable media devices, and moving inventoried equipment off-site. OCR provided technical assistance to the CE regarding risk analysis, risk management planning, and policies and procedures required under the Security Rule. | Dr Axel Velez PR Healthcare Provider 2800 | Wednesday | 2011 |
UT Physicians | TX | Healthcare Provider | 2793 | 2018-05-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | UT Physicians TX Healthcare Provider 2793 | Friday | 2018 |
Kaleida Health | NY | Healthcare Provider | 2789 | 2017-07-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaleida Health NY Healthcare Provider 2789 | Friday | 2017 |
Bay Area Pain Medical Associates | CA | Healthcare Provider | 2780 | 2014-07-16 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The offices of the covered entity (CE), Bay Area Pain Management Associates, were broken into and three desktop computers were stolen. One unencrypted document on a stolen computer contained the names, and dates of service of 2,780 individuals. In response to the breach the CE improved physical safeguards by adding a security alarm system, and increasing security features on doors. The CE improved technical safeguards by implementing an encryption file management program. As a result of OCR's investigation the CE improved its HIPAA practices. | Bay Area Pain Medical Associates CA Healthcare Provider 2780 | Wednesday | 2014 |
Colby DeHart | TN | Business Associate | 2777 | 2013-12-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On October 21, 2013, an unencrypted laptop computer belonging to a Tennova Cardiology business associate (BA) was stolen from a vehicle. The laptop contained the protected health information (PHI) of 2,777 individuals, and included patient names, dates of birth, dates of service, names of referring physicians, and health information about treatment and diagnostic procedures. The CE provided breach notification to HHS, affected individuals, and the media. In response to this breach, the covered entity (CE) conducted an encryption assessment of laptop computers with user system access to PHI and then encrypted all laptop computers. The CE reviewed its policies, retrained staff, and implemented an encryption policy. The CE also terminated the BA agreement and moved the work in-house. OCR obtained assurances that the CE implemented the corrective actions listed. | Colby DeHart TN Business Associate 2777 | Thursday | 2013 |
Henry Ford Health System | MI | Healthcare Provider | 2777 | 2012-11-05 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Henry Ford Health System, the covered entity (CE) reported breaches that occurred on September 24, 2010, January 31, 2011, August 5, 2011, and October 23, 2014. OCR consolidated the breaches into one investigation because the breaches contained similar issues and each breach involved employees who failed to follow the CE's policies or procedures. The September 24, 2010, breach affected 3,700 individuals and occurred when a laptop computer was stolen from an office left unlocked by an employee for approximately four hours while the employee was attending a meeting. The January 31, 2011, breach affected 2,777 individuals and occurred when an employee lost a personal portable electronic device (a "flash" drive) containing protected health information (PHI). The August 5, 2011, breach affected 520 individuals and occurred when an unencrypted desktop computer was stolen from a lab with secure access for workforce members. The desktop computer had been purchased directly by the department instead of through the CE's established computer purchase procedures. The October 23, 2014, breach affected 2,336 individuals and occurred when a physician lost a flash drive. The physician failed to adhere to the CE's policy mandating use of the CE's issued flash drives and padlock. The PHI involved in the breaches included clinical and demographic information. The CE provided breach notification to the affected individuals, the media, and HHS. To resolve the issues raised in these matters, the CE took the following voluntary actions: 1) sanctioned the employees involved in the breaches depending on the severity of the employees' noncompliance; 3) following the September 24, 2010 breach, implemented an encryption process to purchase 2,000 additional encryption licenses; 4) and on March 14, 2011, implemented a program for receiving and using encrypted flash drives. OCR obtained documented assurances that the CE implemented the corrective actions noted above. After OCR provided substantial technical assistance to the CE on the Security Rule's Risk Analysis requirements, the CE provided the following written assurances to OCR that it will: create a more robust asset management program over the next 6-8 months and would provide documentation of the program to OCR; complete an enterprise data mapping and asset inventory by December 31, 2017; and submit a fully executed copy of the business associate agreement (BAA) to OCR upon signature of a Master Service Agreement (MSA) and Statement of Work (SOW) for data mapping services once its vendor was chosen. | Henry Ford Health System MI Healthcare Provider 2777 | Monday | 2012 |
Henry Ford Hospital | MI | Healthcare Provider | 2777 | 2011-02-23 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The Henry Ford Health System, the covered entity (CE) reported a breach that occurred on January 31, 2011 affecting 2,777 individuals. The breach occurred when an employee lost a personal portable electronic device (a "flash" drive) containing protected health information (PHI). The PHI involved in the breach included clinical and demographic information. The CE provided breach notification to the affected individuals, the media, and HHS. To resolve the issues raised by the breach, the CE sanctioned the employee involved in the breach based on the severity of the employee's noncompliance, implemented an encryption process to purchase 2,000 additional encryption licenses, and implemented a program for receiving and using encrypted flash drives on March 14, 2011. OCR obtained documented assurances that the CE implemented these corrective action steps. OCR provided substantial technical assistance to the CE on the Security Rule's Risk Analysis requirements. The CE provided the following written assurances to OCR that the CE will: create a more robust asset management program over the next 6-8 months and provide documentation to OCR; complete an enterprise data mapping and asset; and submit a fully executed copy of the business associate agreement (BAA) to OCR upon signature of a Master Service Agreement (MSA) and Statement of Work (SOW) for data mapping services once its vendor is chosen. This case was consolidated into an existing investigation of the CE. | Henry Ford Hospital MI Healthcare Provider 2777 | Wednesday | 2011 |
Laboratory Corporation of America / US LABS / Dianon Systems, Inc | AZ | Healthcare Provider | 2773 | 2010-04-01 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An external hard drive containing ePHI of 2,773 individuals was stolen. The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers. CE advises OCR that notice to the individuals went out April 13 and 14, 2010. The media (St. Petersburg Times) was notified. CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media. | Laboratory Corporation of America / US LABS / Dianon Systems, Inc AZ Healthcare Provider 2773 | Thursday | 2010 |
Senior Health Partners, a Healthfirst company | NY | Health Plan | 2772 | 2015-02-06 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Senior Health Partners, a Healthfirst company NY Health Plan 2772 | Friday | 2015 |
Medtronic, Inc. | MN | Healthcare Provider | 2764 | 2013-07-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Medtronic, misplaced a box of paper records containing the protected health information (PHI) of approximately 2,764 individuals. The box contained patient pump training records, including a checklist of training received, patients' names, device serial numbers, phone numbers, and, in some cases, email addresses. Some of the records may also have included social security numbers, medical necessity forms, physician orders, and copies of documents from one patient's medical record. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved safeguards by redesigning its records tracking procedures and installing software with additional box tracking capabilities. OCR obtained assurances that the CE implemented the corrective action listed above. | Medtronic, Inc. MN Healthcare Provider 2764 | Wednesday | 2013 |
UCLA Health System | CA | Healthcare Provider | 2761 | 2011-11-04 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | UCLA Health System CA Healthcare Provider 2761 | Friday | 2011 |
Career Education Corporation | IL | Health Plan | 2743 | 2015-03-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Career Education Corporation IL Health Plan 2743 | Thursday | 2015 |
Anchorage Community Mental Health Services Inc. | AK | Healthcare Provider | 2743 | 2012-03-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska. OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR's investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks." ACMHS cooperated with OCR throughout its investigation and has been responsive to technical assistance provided to date. In addition to the $150,000 settlement amount, the agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a two-year period. The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html | Anchorage Community Mental Health Services Inc. AK Healthcare Provider 2743 | Saturday | 2012 |
HealthTexas Provider Network | TX | Healthcare Provider | 2742 | 2014-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | HealthTexas Provider Network TX Healthcare Provider 2742 | Friday | 2014 |
Curtis R. Bryan, M.D. | VA | Healthcare Provider | 2739 | 2010-09-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Curtis R. Bryan, M.D. VA Healthcare Provider 2739 | Wednesday | 2010 |
Oneida Tribe of Indians of Wisconsin | WI | Healthcare Provider | 2734 | 2016-04-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Oneida Tribe of Indians of Wisconsin, reported an employee's personal flash drive containing the electronic protected health information (ePHI) approximately 2,734 individuals was stolen from its dental offices. The ePHI involved in the breach included names, patient identification numbers, dental insurance plan numbers and dates of service. Following the breach, the CE sanctioned and retrained the employees involved in the breach. Also, the CE notified employees that it banned the use of all external electronic data storage devices, unless they are encrypted and approved by the CE. As a result of OCR's investigation, the CE updated its policy related to Breach Rule Notification and distributed the updated policy to its workforce. OCR obtained documented assurances that it implemented the corrective actions listed above. | Oneida Tribe of Indians of Wisconsin WI Healthcare Provider 2734 | Friday | 2016 |
Erskine Family Dentistry | IN | Healthcare Provider | 2723 | 2013-05-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An email was opened on an Erskine Family Dentistry computer that contained a virus; it affected the computers which stored the protected health information (PHI) of 2,723 individuals. The types of PHI involved in the breach included patients' names, addresses, dates of birth, social security numbers, credit card numbers, claims information, and treatment information. The covered entity (CE) investigated and ensured that the virus did not penetrate any of its programing containing PHI. The CE also ensured that it was only storing PHI in its encrypted programs, installed a new antivirus tool, and assured that every potentially affected computer was examined and wiped of the virus. The CE provided breach notification to HHS, the media, and affected individuals. The CE also retrained staff. OCR obtained written documentation that the CE implemented the corrective actions listed. | Erskine Family Dentistry IN Healthcare Provider 2723 | Tuesday | 2013 |
United Seating and Mobility, LLC d/b/a Numotion | CT | Healthcare Provider | 2722 | 2015-06-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On March 26, 2015, a break-in occurred at the Tacoma, Washington branch office of Numotion, the covered entity (CE). The items stolen included five laptop computers that accessed service work orders, quotes, labor guides and delivery checklists. The breach affected 2,722 individuals' protected health information (PHI) and included names, addresses, phone numbers, and the serial numbers of customer equipment. Some documents may have also contained dates of birth, insurance policy numbers, or diagnosis codes. The stolen laptops required a password to obtain access to information. The CE provided breach notification to HHS, affected individuals, and the media. It also offered affected customers one year of free credit monitoring. The CE was able to successfully wipe the data from two of the computers via remote access. As a result of this investigation, the CE updated its password policy and completed full disk encryption of computer hard drives in all its locations. OCR provided technical assistance to the CE on conducting a compliant Security Rule risk analysis. | United Seating and Mobility, LLC d/b/a Numotion CT Healthcare Provider 2722 | Wednesday | 2015 |
Pharma Medica Research Inc. | MO | Healthcare Provider | 2718 | 2017-06-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Pharma Medica Research Inc. MO Healthcare Provider 2718 | Friday | 2017 |
Aiken Community Based Outpatient Clinic | SC | Healthcare Provider | 2717 | 2011-04-12 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Aiken Community Based Outpatient Clinic SC Healthcare Provider 2717 | Tuesday | 2011 |
Virginia Commonwealth University Health System | VA | Healthcare Provider | 2716 | 2017-03-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Virginia Commonwealth University Health System, detected an unusual pattern of accessing electronic patient records from two different sources and confirmed that an employee of a community physician and an employee with a contracted vendor, acting independently, accessed patient records without a legitimate business need. The types of protected health information (PHI) potentially viewed included full names, home addresses, dates of birth, medical record numbers, providers, visit dates, health insurance information and diagnostic and treatment information. As a result of this incident, the respective employers sanctioned the employees. The CE obtained assurances from the former employees that any inappropriate accesses to the electronic medical records were viewed without malicious intent and no information was retained. The CE implemented additional administrative and technical safeguards, eliminated the option to browse records, and limited the information that was displayed as the result of a search to the minimum necessary. The CE provided breach notification to HHS, the media, and affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed. | Virginia Commonwealth University Health System VA Healthcare Provider 2716 | Friday | 2017 |
The Brookdale Hospital and Medical Center | NY | Healthcare Provider | 2700 | 2013-07-20 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Brookdale Hospital and Medical Center, reported a breach when a staff pharmacist lost an unencrypted USB external hard drive that contained the electronic protected health information (ePHI) of 2,700 patients. The ePHI included addresses, zip codes, dates of birth, diagnosis codes, and medical record numbers. The CE provided breach notification to HHS, the affected individuals, and the media. Following the loss, the CE disabled all USB ports in all of its computers to prevent any staff members from using USB external hard drives to store data from its electronic records system, established a policy on obtaining an encrypted USB external hard drive from its IT department, and retrained its pharmacist staff. As a result of OCR's investigation and technical assistance, the CE is expected to review and revise its policies and procedures and training materials regarding reporting breach incidents and the usage of mobile and portable devices by its staff members. Additionally, OCR stated the expectation that the CE will perform a thorough and accurate enterprise wide risk analysis and establish a Risk Management Plan that addresses the threats and vulnerabilities identified by the risk analysis. | The Brookdale Hospital and Medical Center NY Healthcare Provider 2700 | Saturday | 2013 |
Hansen and Associates, Inc. | WY | Business Associate | 2700 | 2013-07-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | Hansen and Associates, Inc., the covered entity (CE), reported that between May 21, 2013, and May 29, 2013, its employee inappropriately used her workstation in violation of its policies on multiple occasions. The employee added software programs that allowed her to remotely access a desktop computer from her personal computer and store information in the cloud for personal access. The employee's conduct temporarily affected the CE's ability to access protected health information (PHI) maintained on the workstation. The breach affected 2,700 individuals and the types of PHI involved included, names, social security numbers, addresses, date of births, claims, and clinical diagnoses and conditions. The CE provided breach notification to the affected individuals, the media, and HHS. Upon discovering the breach, the CE conducted an internal investigation with assistance from an information technology vendor; notified local law enforcement regarding its employee's misconduct; implemented physical, administrative, and security safeguards in response to the subject incident; and drafted new policies and procedures regarding its obligations under the Privacy, Security, and Breach Notification Rules. OCR obtained assurances that the CE implemented the corrective actions noted above. | Hansen and Associates, Inc. WY Business Associate 2700 | Monday | 2013 |
RightNow Technologies | MT | Business Associate | 2700 | 2012-01-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | RightNow Technologies, the software vendor and business associate (BA) for the covered entity (CE), MDwise, failed to disable a software switch, which allowed Google to index files on the CE's hosted website containing the electronic protected health information (ePHI) of approximately 2,700 individuals. The ePHI included individuals' names, addresses, zip codes, Medicaid numbers, and primary care physicians' names and addresses. Following the breach, the CE took down the files in issue, disallowed the indexing and searching of the CE's files by Internet search engines, and added restrictions. The CE also requested that Google remove the indexing on the affected files and obtained confirmation that Google cooperated within 24 hours. The CE provided breach notification to HHS, affected individuals, and the media. Finally, the CE improved technical safeguards pursuant to the HIPAA Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed. | RightNow Technologies MT Business Associate 2700 | Wednesday | 2012 |
Navos | WA | Health Plan | 2700 | 2011-06-08 | Unknown | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Navos WA Health Plan 2700 | Wednesday | 2011 |
Business Express | FL | Business Associate | 2700 | 2011-02-15 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | | Business Express FL Business Associate 2700 | Tuesday | 2011 |
Ward A. Morris, DDS | WA | Healthcare Provider | 2698 | 2010-08-11 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) computer server containing the electronic protected health information (ePHI) of 2,698 patients was stolen during an office burglary. The server was password-protected but not encrypted. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, and medical information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice. Following the breach, the CE encrypted all ePHI on computer workstations and servers. As a result of OCR’s investigation, the CE improved its physical safeguards and retrained employees. | Ward A. Morris, DDS WA Healthcare Provider 2698 | Wednesday | 2010 |
Iron Mountain | CA | Business Associate | 2691 | 2014-11-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Iron Mountain CA Business Associate 2691 | Friday | 2014 |
Midwestern Regional Medical Center, Inc. | IL | Healthcare Provider | 2675 | 2018-07-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Midwestern Regional Medical Center, Inc. IL Healthcare Provider 2675 | Thursday | 2018 |
American Fidelity Assurance Company | OK | Health Plan | 2664 | 2016-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), American Fidelity Assurance Company, erroneously mailed letters to customers containing pages that belonged to another customer due to a mailroom equipment malfunction and manual sorting by an employee. The types of protected health information (PHI) involved in the breach included providers’ names, treatment dates, customers’ names, customers’ employers’ names, and customers’ employer identification numbers. Approximately 2,664 individuals were affected by this incident. The CE provided breach notification to HHS, all potentially affected individuals, and the media. The CE also offered credit monitoring services. The CE retrained staff on safeguarding PHI and verbally reprimanded the employee involved in the incident. As a result of this incident, the CE decided to outsource its mailing and sorting process with a business associate using a fully automated sorting process which provides positive assurance and audit capability. In addition, the CE added quality control measures to their mailing process. OCR obtained assurances that the CE implemented the corrective actions listed above. | American Fidelity Assurance Company OK Health Plan 2664 | Wednesday | 2016 |
New Mexico VA Health Care System | NM | Healthcare Provider | 2657 | 2014-09-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | New Mexico VA Health Care System NM Healthcare Provider 2657 | Thursday | 2014 |
Calif. Dept. of Health Care Services (DHCS) | CA | Health Plan | 2643 | 2012-12-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), California Department of Health Care Services reported that 2,705 member identification cards were mailed to the wrong households. Due to a computer programming error in the electronic file for multiple beneficiaries living in the same household, some cards for these beneficiaries were sent to the wrong households. The types of protected health information (PHI) on the cards included names, dates of birth, genders, dates of issue, and Medi-Cal-assigned numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE put an immediate hold on additional mailings and conducted a quality assurance check. The CE deactivated the cards that were mailed to the wrong addresses, requested the return of the deactivated cards, and issued replacements. The CE implemented a new internal data transfer policy and updated related procedures. It also instituted new processes for mailings. OCR obtained assurances that the CE implemented the corrective actions listed above. | Calif. Dept. of Health Care Services (DHCS) CA Health Plan 2643 | Sunday | 2012 |
Milligan Chiropractic Group, Inc. d/b/a Del Mar Chiropractic Sports Group | CA | Healthcare Provider | 2640 | 2018-03-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Milligan Chiropractic Group, Inc. d/b/a Del Mar Chiropractic Sports Group CA Healthcare Provider 2640 | Friday | 2018 |
Matrix Imaging | NY | Business Associate | 2631 | 2010-07-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) sent coverage determination letters to incorrect addresses, affecting 2,631 individuals. The protected health information (PHI) included names, addresses, unique CE identification numbers, and prescription drug information. Following the breach, the CE reprinted all erroneous coverage determination letters with an apology notice and provided breach notification to all affected individuals and HHS. The CE implemented additional policies and procedures to ensure mailing list accuracy. Specifically, the CE implemented a multiple-step quality assurance process and established verification with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. As a result of OCR’s investigation, the CE placed a record into its accounting of disclosure records for each individual impacted. | Matrix Imaging NY Business Associate 2631 | Friday | 2010 |
University of Rochester Medical Center and Affiliates | NY | Healthcare Provider | 2628 | 2010-05-20 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), University of Rochester Medical Center and Affiliates, reported that on April 19, 2010, 2,628 patient billing statements for Strong Memorial Hospital were sent to the wrong patients. The statements contained patients’ names, addresses, guarantors’ names, guarantors’ addresses, dollar amounts owed, health insurance plans, subscriber numbers, social security numbers, general descriptions of services rendered (such as inpatient room charge, outpatient visit charge, physical therapy, laboratory, pharmacy, radiology, etc.) and dates of service. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE established a numerical counter to ensure that the numbers of statements that run through the folding machine are matching the numbers of statements that are printing. In addition, a report was added to the statement bundles distributed by the printing center that identifies the number of pages printed for each statement run. Further, a quality control process was put into place where a second staff member manually inspects stuffed envelopes on a random basis to ensure that the correct number of pages are inserted as well as verifying that the contents are all for the same patient. As a result of OCR investigation, OCR reviewed a copy of the CE’s risk assessment and policies and procedures relating to uses and disclosures of protected health information (PHI) and safeguarding PHI. | University of Rochester Medical Center and Affiliates NY Healthcare Provider 2628 | Thursday | 2010 |
Departamento de Salud de Puerto Rico | NA | Healthcare Provider | 2621 | 2011-02-22 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Departamento de Salud de Puerto Rico NA Healthcare Provider 2621 | Tuesday | 2011 |
Eye Physicians, P.C. | NE | Healthcare Provider | 2620 | 2017-12-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Eye Physicians, P.C. NE Healthcare Provider 2620 | Thursday | 2017 |
Pulaski County Special School District-Employee Benefits Division | AR | Health Plan | 2602 | 2016-05-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | An employee responsible for reconciling health insurance billing data at Pulaski County Special School District-Employee Benefits Division, the covered entity (CE), sent copies of the reconciliations for 2,602 individuals to her home email account before she resigned. The emails contained former and current employees’ health insurance records, which included names, social security numbers, disability reports, employee payroll deductions and Employee Benefits Division reports. The CE provided breach notification to HHS, affected individuals, and the media. It also notified local law enforcement. OCR provided technical assistance regarding the CE’s obligations under the Breach Notification Rule, and implementing HIPAA policies and procedures. In response to the breach, the CE informed OCR that it would implement additional technical safeguards and preventative measures. | Pulaski County Special School District-Employee Benefits Division AR Health Plan 2602 | Thursday | 2016 |
St. Anthony’s Physician Organization | MO | Healthcare Provider | 2600 | 2013-08-30 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | | St. Anthony’s Physician Organization MO Healthcare Provider 2600 | Friday | 2013 |
Granger Medical Clinic | UT | Healthcare Provider | 2600 | 2013-03-22 | Loss | Other | Theft | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Granger Medical Clinic UT Healthcare Provider 2600 | Friday | 2013 |
InStep Foot Clinic, P.A. | MN | Healthcare Provider | 2600 | 2011-10-11 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | NA | NA | NA | NA | NA | NA | No | | InStep Foot Clinic, P.A. MN Healthcare Provider 2600 | Tuesday | 2011 |
NYU Hospital for Joint Diseases Inventory Management Department | NY | Healthcare Provider | 2600 | 2011-09-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not property secured. The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR’s investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks. | NYU Hospital for Joint Diseases Inventory Management Department NY Healthcare Provider 2600 | Monday | 2011 |
Mount Sinai Medical Center | FL | Healthcare Provider | 2600 | 2010-03-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Mount Sinai Medical Center FL Healthcare Provider 2600 | Tuesday | 2010 |
State Long Term Care Ombudsmans Office, Michigan Department of Community Health | MI | Healthcare Provider | 2595 | 2014-04-03 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | State Long Term Care Ombudsmans Office, Michigan Department of Community Health MI Healthcare Provider 2595 | Thursday | 2014 |
Highmark Inc. | PA | Business Associate | 2589 | 2014-07-08 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Health profile and care summaries and corresponding cover letters were incorrectly mailed to senior members of the covered entity (CE), Highmark Health, and their physicians. The protected health information involved in the breach included the names, addresses, telephone numbers, dates of birth, unique medical identifiers (UMI), gender, medications, and health information of 2,589 individuals. The CE provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE issued a new UMI to each member impacted by the incident. The CE determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee. As a result of OCR’s investigation, the CE instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures. OCR obtained details of the CE’s revised policies on its health profiles to assure they include only the minimum necessary information. | Highmark Inc. PA Business Associate 2589 | Tuesday | 2014 |
American Family Care, Inc. | AL | Healthcare Provider | 2588 | 2014-09-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On July 17, 2014, two password-protected, unencrypted laptop computers belonging to the covered entity (CE), American Family Care, were stolen from an employee’s vehicle while he was on business travel. The laptops contained the electronic protected health information (ePHI) of 2,500 individuals, and included different types of data for different individuals, such as patients’ names, dates of visits, patient identification numbers, social security numbers, dates of birth, and specific health information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE contacted the local police department and conducted an internal investigation. The CE also revised its HIPAA policies and procedures, retrained its workforce, and encrypted all of its laptops. | American Family Care, Inc. AL Healthcare Provider 2588 | Tuesday | 2014 |
CompuNet Clinical Laboratories | OH | Healthcare Provider | 2584 | 2015-04-23 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 17, 2015, the covered entity (CE) learned that a box containing health insurance claim forms was damaged by a Federal Express (FedEx) hub in Memphis, Tennessee. The protected health information (PHI) involved in the breach included the names, addresses, dates of birth, genders, diagnosis codes, procedure codes, insurance identification numbers, and some social security numbers of 2,584 individuals. Through retained legal counsel the CE investigated the incident to determine what and how many forms were missing, and to retrieve as many missing forms as possible. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection to affected individuals. Additionally, the CE decreased the size of batch mailings to limit the potential size of a data breach associated with a lost or damaged box. OCR obtained assurances that the corrective actions were taken. | CompuNet Clinical Laboratories OH Healthcare Provider 2584 | Thursday | 2015 |
Advantage Health Solutions, Inc. | IN | Business Associate | 2575 | 2012-11-26 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | | Advantage Health Solutions, Inc. IN Business Associate 2575 | Monday | 2012 |
NYU Hospitals Center | NY | Healthcare Provider | 2563 | 2010-07-07 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians’ names, anesthesiologists’ names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE stopped using USB drives and local desktop computers for data storage. In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies. | NYU Hospitals Center NY Healthcare Provider 2563 | Wednesday | 2010 |
United Micro Data | ID | Business Associate | 2562 | 2010-01-14 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE’s) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR’s investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. | United Micro Data ID Business Associate 2562 | Thursday | 2010 |
Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center | FL | Healthcare Provider | 2560 | 2012-11-05 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | This case has been consolidated with another review of the same covered entity. | Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center FL Healthcare Provider 2560 | Monday | 2012 |
Jeremaih J. Twomey, F.A.C.P., P.A. | TX | Business Associate | 2559 | 2012-03-02 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Jeremaih J. Twomey, F.A.C.P., P.A. filed a breach notification report on March 2, 2012, as a business associate (BA), stating its office building and suite were ransacked and vandalized during the weekend of December 31, 2011. An external hard drive was stolen containing patient names, addresses, medical condition(s), diagnoses and, in some instances, social security numbers and dates of birth. The number of patients affected was 2,559. The BA provided breach notification to HHS, affected individuals, and the media. OCR initiated an investigation and, subsequently, learned that Jeremaih J. Twomey, F.A.C.P., P.A. is no longer a business associate (or covered entity). Dr. Twomey retired and closed his practice. | Jeremaih J. Twomey, F.A.C.P., P.A. TX Business Associate 2559 | Friday | 2012 |
Metcare of Florida, Inc. | FL | Healthcare Provider | 2557 | 2012-06-04 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Metcare of Florida, discovered on May 2, 2012, that its facility had been broken into and a tablet computer was stolen. The tablet was password protected but not encrypted and contained the following types of protected health information (PHI): patients’ names, dates of birth, patient identification numbers, and clinical information. The theft affected 2,557 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE encrypted its portable devices, implemented written policies requiring the physical safeguard of portable devices, and provided specialized training to its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. | Metcare of Florida, Inc. FL Healthcare Provider 2557 | Monday | 2012 |
Eye Care Surgery Center, Inc. | LA | Healthcare Provider | 2553 | 2018-04-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Eye Care Surgery Center, Inc. LA Healthcare Provider 2553 | Friday | 2018 |
Tiger Vision, LLC | LA | Healthcare Provider | 2553 | 2018-04-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Tiger Vision, LLC LA Healthcare Provider 2553 | Friday | 2018 |
BLUE CROSS AND BLUE SHIELD OF KANSAS CITY | MO | Health Plan | 2546 | 2014-04-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | In February 2014, two members of the covered entity (CE), Blue Cross Blue Shield of Kansas City Plan, reported unauthorized charges on credit cards they used to make payments by phone to the CE. The CE determined that an employee violated its policies and procedures and may have put the financial information of 2,546 individuals at risk. The breach affected members that spoke with this employee regarding payment of premiums. The CE provided breach notification to HHS, affected individuals, and the media, and reported the matter to the FBI and local law enforcement. The CE reported that its background check contractor, Verifications Inc. (VI) provided an inaccurate criminal background check, which resulted in the hiring of the involved employee although the employee had been convicted of felony identity theft in April 2012. To prevent similar breaches from happening in the future, the CE terminated its contract with VI and established a relationship with a new background check vendor. The CE provided training to its workforce on its policies and procedures regarding HIPAA Security. OCR obtained documented evidence demonstrating that the CE implemented the corrective action listed above. The CE also ended the involved employee’s employment. | BLUE CROSS AND BLUE SHIELD OF KANSAS CITY MO Health Plan 2546 | Friday | 2014 |
John T. Melvin, M.D.& Associates | TX | Healthcare Provider | 2541 | 2011-09-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Medical records were stolen from an off-site storage facility of the covered entity (CE), John T. Melvin & Associates. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, claim information, diagnoses/conditions, medications, lab results, and other treatment information for approximately 2,541 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation the CE changed its policies, so that all records are now kept on-site and all records are immediately shredded once the required retention time has elapsed, according to applicable state law. | John T. Melvin, M.D.& Associates TX Healthcare Provider 2541 | Wednesday | 2011 |
Patterson Dental, Inc. | MN | Business Associate | 2533 | 2012-07-13 | Loss | Unauthorized Access/Disclosure | Unknown | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | | Patterson Dental, Inc. MN Business Associate 2533 | Friday | 2012 |
Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc. | GA | Business Associate | 2523 | 2014-04-17 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc. GA Business Associate 2523 | Thursday | 2014 |
Planned Parenthood of the Heartland | IA | Healthcare Provider | 2506 | 2016-07-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Planned Parenthood of the Heartland IA Healthcare Provider 2506 | Friday | 2016 |
Arizona Department of Health Services | AZ | Healthcare Provider | 2500 | 2017-05-26 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On May 26, 2017, the Arizona Department of Health Services, the covered entity (CE) reported that a package of billing documents containing protected health information (PHI) was lost in the mail. The package contained the PHI of approximately 2,500 individuals from its newborn screening program. The types of PHI involved in the breach included names, dates of birth, addresses, phone numbers, health insurance information, and possibly social security numbers. The CE provided breach notification to the affected individuals, the media, and HHS. Following the breach and an investigation, the CE switched the mail carrier it used for shipping its billing information. Pursuant to OCR’s investigation, the CE improved its physical safeguards and implemented new policies and procedures for mailings. OCR obtained assurances from the CE that it has taken the actions above. | Arizona Department of Health Services AZ Healthcare Provider 2500 | Friday | 2017 |
Access Health Care Physicians, LLC | FL | Healthcare Provider | 2500 | 2016-07-19 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Access Health Care Physicians, LLC, the covered entity (CE), discovered that on May 26, 2016, an intruder broke into one of the physician’s locked offices and pried open locked file cabinets where patients’ financial records were stored, affecting the demographic and clinical information of approximately 2,500 individuals. The file cabinets contained records which included patients’ names, dates of birth, phone numbers, home addresses, diagnoses code, social security numbers, and insurance information. The CE provided timely breach notification to HHS, affected individuals, and the media. In response to the breach, the CE immediately secured the physician’s office where the breach occurred, changed the locks, and installed an alarm system. It moved the records of former patients to a secure offsite storage facility. The CE conducted a survey of all of its affiliated physician offices to ensure every office installed an alarm system. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Access Health Care Physicians, LLC FL Healthcare Provider 2500 | Tuesday | 2016 |
My Pediatrician, PA | FL | Business Associate | 2500 | 2016-06-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A hacker gained access to the protected health information (PHI) for 2,385 of the covered entity’s (CE) patients. The CE’s business associate (BA), Bizmatics, Inc., informed the CE, My Pediatrician, PA, about this incident. The CE provided breach notification to HHS, affected individuals, and the media. The CE also created a website with information about the breach and posted substitute notification about the breach. To mitigate harm, the CE sent notice of the breach to Equifax, Transunion, and Experian and provided affected individuals with instructions for registering a fraud alert with a credit reporting agency and instructions on how to obtain a free annual credit report. The CE also trained its staff on HIPAA awareness and retained outside counsel to provide further training and to review its policies. The CE did not have a BA agreement with the BA at the time of the breach, but entered into an agreement with the BA on July 12, 2016. OCR obtained assurances that the CE implemented the corrective actions listed above. | My Pediatrician, PA FL Business Associate 2500 | Wednesday | 2016 |
San Franciso General Hospital and Trauma Center | CA | Healthcare Provider | 2500 | 2015-03-06 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A physician formerly affiliated with a business associate, the University of California, San Francisco (UCSF) removed patients’ electronic protected health information (ePHI) from the covered entity (CE), San Francisco General Hospital and Trauma Center, without authorization. The CE estimated that approximately 2,500 individuals were affected by the breach. The types of ePHI affected included patients’ names, surgical notes, consultation notes, and radiologic films. The CE provided breach notification to affected individuals, the media, and HHS. In response to the breach, the CE implemented new HIPAA Privacy and Security policies and procedures, including a new/updated Security Rule Risk Management Plan and Security Risk Analysis, new technological safeguards, periodic technical and non-technical evaluations, and trained and retained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. | San Franciso General Hospital and Trauma Center CA Healthcare Provider 2500 | Friday | 2015 |
101 Family Medical Group, Privacy Manager Breach | CA | Business Associate | 2500 | 2014-01-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A laptop computer owned by Phressia, Inc., a business associate (BA) of the covered entity (CE), Family Medical Group, was stolen from the parked car of a Phreesia workforce member. In violation of the BA’s policies and procedures, both the hard drive of the laptop, and the workforce member’s Dropbox account, which was accessible through the laptop, contained the electronic protected health information (ePHI) of approximately 2,500 patients. The types of PHI involved in the breach included patients’ names, addresses, identification numbers, phone numbers, email addresses, dates of birth, social security numbers, and insurance identification numbers. Following the breach, the BA sanctioned the responsible workforce member and retrained workforce members on its privacy and security policies and procedures. The CE provided breach notification to HHS, affected individuals, and the media. In response to OCR’s investigation, the BA updated its policies and procedures on device and media controls and employee sanctions. | 101 Family Medical Group, Privacy Manager Breach CA Business Associate 2500 | Wednesday | 2014 |
Coulee Medical Center | WA | Healthcare Provider | 2500 | 2014-01-03 | Theft | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization. The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals. The CE provided breach notification to HHS and affected individuals. Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training. As a result of OCR’s investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI. OCR provided the CE with technical assistance regarding what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule. | Coulee Medical Center WA Healthcare Provider 2500 | Friday | 2014 |
Paul G. Klein, DPM | NJ | Healthcare Provider | 2500 | 2013-10-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported that an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnoses, lab test results, medications, medical notes, and treatment plans. Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR’s investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop. OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the HIPAA Rules and provided technical assistance to the CE regarding the requirements of the Breach Notification Rule. | Paul G. Klein, DPM NJ Healthcare Provider 2500 | Tuesday | 2013 |
Wood County Hospital | OH | Healthcare Provider | 2500 | 2013-05-03 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Wood County Hospital OH Healthcare Provider 2500 | Friday | 2013 |
Cabinet for Health and Family Services, Department for Community Based Services | KY | Healthcare Provider | 2500 | 2012-09-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | | No | An employee’s email account generated spam email which may have caused an unintentional release of protected health information (PHI) held by the Kentucky Cabinet for Health and Family Services (CFHS), Department for Community Based Services, the covered entity (CE). The CE provided breach notification to HHS, affected individuals, and the media, and posted a copy of its press release on the CHFS website with a toll-free number. As a result of OCR’s investigation, the CE required workforce members to sign an agreement to ensure that they understand their role in safeguarding PHI, including safeguarding from phishing attacks. The CE created a security video that all new hires are required to view and that is used for re-training of current staff. In addition, OCR obtained the CE’s HIPAA policies and procedures which complied with the requirements of the Privacy and Security Rules as well as the Breach Notification Rule. | Cabinet for Health and Family Services, Department for Community Based Services KY Healthcare Provider 2500 | Wednesday | 2012 |
Aspen Dental Care P.C. | CO | Healthcare Provider | 2500 | 2010-10-26 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A computer hard drive containing encrypted patient records was stolen from the covered entity’s (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. | Aspen Dental Care P.C. CO Healthcare Provider 2500 | Tuesday | 2010 |
J&J MEDICAL SERVICE NETWORK INC | TX | Business Associate | 2500 | 2018-09-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | J&J MEDICAL SERVICE NETWORK INC TX Business Associate 2500 | Tuesday | 2018 |
Gwenn S Robinson MD | NM | Healthcare Provider | 2500 | 2018-06-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Gwenn S Robinson MD NM Healthcare Provider 2500 | Thursday | 2018 |
Professional Counseling & Medical Associates | TN | Healthcare Provider | 2500 | 2017-07-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Professional Counseling & Medical Associates TN Healthcare Provider 2500 | Thursday | 2017 |
Orthopedics NY, LLP | NY | Healthcare Provider | 2493 | 2017-10-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Orthopedics NY, LLP NY Healthcare Provider 2493 | Thursday | 2017 |
Metropolitan Jewish Health System, Inc. d/b/a MJHS | NY | Business Associate | 2483 | 2016-03-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | | Yes | NA | Metropolitan Jewish Health System, Inc. d/b/a MJHS NY Business Associate 2483 | Tuesday | 2016 |
Florida Department of Health | FL | Healthcare Provider | 2477 | 2014-12-08 | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | | No | An employee of the covered entity (CE), Florida Department of Health, sent an unencrypted email with an attachment containing the electronic protected health information (ePHI) of 2,477 patients to four physicians who were the intended recipients of the email. The ePHI in the attachment included patients’ dates of birth, social security numbers, screening test results, and diagnoses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE contacted the recipients of the emails and verified that the emails were deleted and that the ePHI was not further used or disclosed. The responsible workforce member submitted her resignation before CE’s investigation was completed. The CE also reviewed its privacy and security policies and procedures and retrained staff. OCR obtained and reviewed copies of the CE’s policies and procedures and documentation of staff training. | Florida Department of Health FL Healthcare Provider 2477 | Monday | 2014 |
Lee Rice D.O., Medical Corp DBA Lifewellness Institute | CA | Healthcare Provider | 2473 | 2016-07-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | Malware was installed by cyber-intruders into PrognoCIS, the medical records system of the business associate (BA), Bizmatics, Inc. The breach affected approximately 2,473 individuals who were patients of the covered entity (CE), Lee Rice D.O. Medical Corporation d/b/a Lifewellness Institute. The types of protected health information (PHI) involved included full names, addresses, dates of birth, phone numbers, sex, marital status, social security numbers, claims information, diagnoses/conditions, lab results, and medications. The CE provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. In response to the breach, the BA notified and cooperated with the FBI in its investigation. In addition, the BA consulted with an independent cyber-security firm to assess the extent of the breach and to implement additional protective measures to prevent a similar breach from occurring in the future. OCR obtained assurances that the CE and BA implemented the corrective actions noted above. | Lee Rice D.O., Medical Corp DBA Lifewellness Institute CA Healthcare Provider 2473 | Friday | 2016 |
Life Care Center of Attleboro | MA | Healthcare Provider | 2473 | 2015-03-20 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Iron Mountain, discovered that five boxes of archived paper records it was storing for the covered entity (CE), Life Care Center of Attleboro, were unaccounted for or lost. During the course of the investigation, the BA located two of the missing boxes, thus the loss affected the protected health information (PHI) of approximately 927 individuals. The records included demographic, financial, and clinical information. OCR obtained evidence of timely notification of the breach to individuals, the media and HHS and reviewed the BA agreement with Iron Mountain. | Life Care Center of Attleboro MA Healthcare Provider 2473 | Friday | 2015 |
QuadMed, LLC (Hillenbrand) | WI | Healthcare Provider | 2471 | 2018-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | QuadMed, LLC (Hillenbrand) WI Healthcare Provider 2471 | Monday | 2018 |
Hypertension, Nephrology, Dialysis and Transplantation, PC | AL | Healthcare Provider | 2465 | 2010-03-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Hypertension, Nephrology, Dialysis and Transplantation, PC AL Healthcare Provider 2465 | Saturday | 2010 |
Dallas County Hospital District dba Parkland Health & Hospital System | TX | Healthcare Provider | 2464 | 2011-11-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Dallas County Hospital District dba Parkland Health & Hospital System, after it reported that a former workforce member, while still employed, downloaded the names and certain personal information of its patients. The electronic protected health information (ePHI) involved in the breach included names, social security numbers, dates of birth, and other demographic information of approximately 2,464 individuals. The downloaded information was used to solicit potential clients in the workforce member’s personal business, a home health agency. The CE provided breach notification to HHS and affected individuals and offered free credit monitoring services for a year. Further, the CE terminated the workforce member who was involved in the incident and pursued criminal charges against him. As a result of OCR’s investigation, the CE developed a program to track anomalies to detect inappropriate use or access. Further, the CE revised its code of conduct and ethics to increase focus on conflicts of interest and confidentiality of PHI. | Dallas County Hospital District dba Parkland Health & Hospital System TX Healthcare Provider 2464 | Thursday | 2011 |
Children’s Medical Center of Dallas | TX | Healthcare Provider | 2462 | 2013-07-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Lack of timely action risks security and costs money The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty against Children’s Medical Center of Dallas (Children’s) based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instruction for how Children’s could file a request for a hearing. Children’s did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children’s paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric health care provider in the nation. On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. On July 5, 2013, Children’s filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children’s reported the device contained the ePHI of 2,462 individuals. Although Children’s implemented some physical safeguards to the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce not authorized to access ePHI. OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013. Despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013. “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential” said OCR Acting Director Robinsue Frohboese. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.” The Notice of Proposed Determination and Notice of Final Determination may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Childrens | Children’s Medical Center of Dallas TX Healthcare Provider 2462 | Wednesday | 2013 |
Health Texas Provider Network - Cardiovascular Consultants of North Texas | TX | Healthcare Provider | 2462 | 2012-07-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A former employee of the covered entity (CE), Baylor Health Care System and Health Texas Provider Network - Cardiovascular Consultants of North Texas, continued to access its appointment reminder system for nearly two months after employment ended. The former employee accessed the protected health information (PHI) of 2,462 individuals, including patients’ names, phone numbers, appointment times and dates, reason for appointments, physicians’ names and facility names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE terminated the former employee’s system access, modified its access termination protocol, and sanctioned and retrained involved staff. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. | Health Texas Provider Network - Cardiovascular Consultants of North Texas TX Healthcare Provider 2462 | Thursday | 2012 |
St. Charles Health System | OR | Healthcare Provider | 2459 | 2017-03-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Charles Health System OR Healthcare Provider 2459 | Thursday | 2017 |
North Dakota Department of Human Services | ND | Health Plan | 2452 | 2017-06-01 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | North Dakota Department of Human Services, the covered entity (CE), reported a breach to HHS after it discovered that a workforce member had disposed of documents that included protected health information (PHI) in a dumpster. The documents contained PHI belonging to 2,452 individuals. The PHI included individuals’ first and last names, dates of birth, Medicaid provider numbers and other identifiers, dates of service, diagnosis codes, procedure codes, and billing information. The CE notified affected individuals and prominent media outlets of the breach. The CE also posted substitute notification on its website. The workforce member responsible for the breach resigned in lieu of termination. The CE trained its staff in proper disposal of PHI. As a result of OCR’s technical assistance, the CE revised its policies concerning safeguarding PHI, the provision of Privacy training, its sanctions policies, disclosures of PHI and its mitigation policy and provided OCR with written assurance that it will train all members of its workforce on the updated policies. | North Dakota Department of Human Services ND Health Plan 2452 | Thursday | 2017 |
Kaiser Foundation Health Plan, Inc. | CA | Business Associate | 2451 | 2016-04-22 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On March 12, 2016, the covered entity (CE), Kaiser Foundation Health Plan, discovered that a truck belonging to its business associate (BA), Postage One, was stolen and a pallet of printed “evidence of coverage” booklets for Inland Empire Health Plan members was missing. The missing booklets contained names, addresses, and a generic overview of covered benefits for 2,451 individuals. The CE, on behalf of its BA, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE and BA reviewed and revised policies and procedures to require all mail to be unloaded and placed in a secured area where it can be monitored 24/7 and trained workforce members on mail security. The CE also provided OCR with additional documentation relevant to this breach investigation including its HIPAA Notice of Privacy Practices Policy. OCR obtained assurances that the CE and BA implemented the voluntary actions listed above. | Kaiser Foundation Health Plan, Inc. CA Business Associate 2451 | Friday | 2016 |
Partners HealthCare System, Inc. | MA | Healthcare Provider | 2450 | 2018-02-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Partners HealthCare System, Inc. MA Healthcare Provider 2450 | Monday | 2018 |
PrimeWest Health | MN | Health Plan | 2441 | 2016-12-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On November 15, 2016, a business associate (BA), Summit Reinsurance, notified the covered entity (CE), PrimeWest Health, of a data security incident involving the CE’s data. The breach affected approximately 2,441 individuals. The protected health information included patients’ names, addresses, date of birth, and social security numbers. The BA mitigated the breach by taking the computer server offline and by confirming that the ransomware was limited to a specific server. The BA also assessed and removed any remote access to the data through the ransomware. The CE provided breach notification to the media, affected patients and HHS. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | PrimeWest Health MN Health Plan 2441 | Thursday | 2016 |
Cox Health | MO | Healthcare Provider | 2435 | 2012-09-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Cox Health MO Healthcare Provider 2435 | Monday | 2012 |
Independence Care System | NY | Healthcare Provider | 2434 | 2013-05-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer belonging to the covered entity (CE), Independence Care System, was stolen from an employee’s home. The laptop contained reports that included 2,500 members’ names, addresses, telephone numbers, Medicaid identification numbers, internal identification numbers, enrollment dates, and disenrollment dates. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE encrypted all of its laptop computers. The CE also updated its policies and procedures for encryption of desktop computers, laptops, and mobile devices, security, and security awareness training. Additionally, the CE performed an information security assessment of its modified IT environment and implemented the findings of the remediation plan. OCR indicated an expectation that the CE will review its updated security training to confirm whether it meets the standard of the Security Rule, conduct a risk analysis, implement a risk management plan, and implement policies and procedures for security incidents, physical security, and a facility security plan. In addition, OCR indicated an expectation that the CE will provide on-going security awareness training to all staff. | Independence Care System NY Healthcare Provider 2434 | Friday | 2013 |
ViaTech Publishing Solutions, Inc. | MN | Health Plan | 2431 | 2018-04-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | ViaTech Publishing Solutions, Inc. MN Health Plan 2431 | Tuesday | 2018 |
Pacific Gas and Electric Company | CA | Business Associate | 2426 | 2016-04-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A vendor incorrectly changed a printer press setting during maintenance resulting in errors on printed explanation of benefit (EOB) letters for the covered entity (CE), Pacific Gas and Electric Company Health Benefits Plan. The CE’s self-funded health plan is administered by a business associate (BA), Kaiser Permanente Insurance Company. The error impacted the letters of 2,426 individuals. The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximum, dollars spent “year to date” towards the deductible, and out of pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, a subcontractor BA responsible for printing the EOBs updated its procedures to include additional oversight by its workforce members and additional print testing during printer updates or maintenance. OCR’s investigation resulted in the subcontractor BA improving safeguards in the printing of PHI. | Pacific Gas and Electric Company CA Business Associate 2426 | Tuesday | 2016 |
Georgetown University Hospital | DC | Healthcare Provider | 2416 | 2010-05-13 | Other | Theft | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | | No | An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. | Georgetown University Hospital DC Healthcare Provider 2416 | Thursday | 2010 |
Asante | OR | Healthcare Provider | 2400 | 2016-09-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | OCR investigated the covered entity (CE), Asante, after the CE reported a breach of 2,399 individuals’ electronic protected health information (ePHI) due to a workforce member’s inappropriate access to medical records for a couple of years. It also informed OCR of similar incidents during the course of the investigation involving other workforce members. The breaches affected patients’ names, ages, locations in the hospital, certain health information, and patients’ status. Following the breaches and in response to OCR’s investigation, the CE sanctioned the workforce members involved and implemented a zero tolerance sanctions policy for patient information misuse. OCR obtained documentation that the CE completed security enhancements and network modifications in 2016 and 2017. Additionally, OCR obtained assurances that the CE plans to take additional measures to increase its administrative and technical safeguards of ePHI in 2017 and 2018. In this case, the employee sanctions included termination of employment. | Asante OR Healthcare Provider 2400 | Friday | 2016 |
QuickRunner, Inc. (dba, RoadRunner Mailing Services) | CA | Business Associate | 2400 | 2013-03-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | QuickRunner, Inc. (dba, RoadRunner Mailing Services) CA Business Associate 2400 | Friday | 2013 |
Community Services NW | AL | Healthcare Provider | 2400 | 2013-02-02 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A computer was stolen from the covered entity’s (CE) locked medical office. The computer contained the protected health information (PHI) of approximately 2,400 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and clinician information. Following the breach, the CE encrypted all PHI in transit as well as at rest, upgraded their facility access controls, and updated their device inventory system. Additionally, OCR’s investigation resulted in the CE creating an acceptable risk analysis and risk management plan. The entity also contracted with a third party to overhaul their privacy and security policies and procedures. | Community Services NW AL Healthcare Provider 2400 | Saturday | 2013 |
Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics | WI | Healthcare Provider | 2400 | 2013-01-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Western Wisconsin Medical Associates, discovered that, during the summer of 2012, an employee of a cleaning service used by River Falls Medical Clinic (“Clinic”) stole paper-based protected health information (PHI) of approximately 2,400 individuals, which was stored in unsecured bins for pick-up by a shredding company. The PHI involved in the breach included patients’ names and at least one of the following for each affected patient: date of birth, insurance account number, address, phone numbers, social security number, or medical number. The CE provided breach notification to HHS, the media, and affected individuals. The CE arranged for the provision of secure bins in which Clinic staff may dispose of paper PHI, developed new policies and procedures related to the disposal of PHI, and retrained relevant workforce members on the newly implemented policy and procedures. | Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics WI Healthcare Provider 2400 | Friday | 2013 |
BJC HealthCare ACO, LLC | MO | Healthcare Provider | 2393 | 2016-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | | No | NA | BJC HealthCare ACO, LLC MO Healthcare Provider 2393 | Friday | 2016 |
ADVANTAGE Health Solutions | IN | Health Plan | 2387 | 2016-12-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 22, 2016, ADVANTAGE Health Solutions, the covered entity (CE), submitted a Breach Report stating that Summit Reinsurance, a reinsurer for the CE, had experienced a data security event. OCR has reviewed the matter, and based on our review, OCR has determined that no violation of the HIPAA laws occurred. | ADVANTAGE Health Solutions IN Health Plan 2387 | Thursday | 2016 |
UMass Memorial Medical Center | MA | Healthcare Provider | 2387 | 2014-05-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | | UMass Memorial Medical Center MA Healthcare Provider 2387 | Monday | 2014 |
Alexander J. Tikhtman, M.D. | KY | Healthcare Provider | 2376 | 2012-10-12 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), offices of Alexander J. Tikhtman, M.D., lost an unencrypted flash drive containing the electronic protected health information (ePHI) of 2,376 individuals. The flash drive was not recovered. The ePHI included patients’ names, treatment and diagnostic information, and in some instances, dates of birth and social security numbers. The CE provided breach notification to the affected individuals, HHS, and the media. It also established a dedicated call center for questions related to the breach and offered free credit monitoring and identity theft services to individuals whose social security numbers were breached. The CE updated its privacy and security policies and procedures relating to the use, storage, and transmission of PHI. OCR obtained assurances that the CE completed the corrective action listed above. | Alexander J. Tikhtman, M.D. KY Healthcare Provider 2376 | Friday | 2012 |
Laborers Funds Administrative Office of Northern California, Inc. | CA | Health Plan | 2373 | 2016-03-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On February 17, 2016, the covered entity (CE), Laborers Funds Administrative Office of Northern California, Inc., discovered that a tax sent to its clients and beneficiaries inadvertently contained protected health information (PHI) about unrelated individuals. The breach affected approximately 800 individuals and included names, social security numbers, and eligibility information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE implemented new technical safeguards for creating and transmitting this type of data, conducted a new/updated security analysis, revised its HIPAA policies and procedures, and trained its workforce. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. | Laborers Funds Administrative Office of Northern California, Inc. CA Health Plan 2373 | Tuesday | 2016 |
Bonney Lake Medical Center and Mythili R. Ramachandran, MD | WA | Healthcare Provider | 2367 | 2011-09-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | | Bonney Lake Medical Center and Mythili R. Ramachandran, MD WA Healthcare Provider 2367 | Wednesday | 2011 |
Ladies First Choice, Inc. | FL | Healthcare Provider | 2365 | 2014-04-23 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | In January, 2014, the covered entity (CE), Ladies First Choice Inc., learned that a former employee took and misappropriated a confidential computer program that contained customers’ demographic and healthcare information. The computer program contained the electronic protected health information (ePHI) of 2,365 individuals and included names, dates of birth, social security numbers, addresses, and identifying codes. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE identified the vulnerabilities that contributed to the theft, re-trained its staff, reviewed all of its safeguards policies and internal procedures, including its incident reporting policies, and performed a new risk analysis. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also created new security features for its computer systems, including encryption and secure back up of PHI stored on hard drives. Additionally, the CE filed a civil action against the former employee to enjoin her from using the PHI she obtained. | Ladies First Choice, Inc. FL Healthcare Provider 2365 | Wednesday | 2014 |
University of New Mexico Health Sciences Center | NM | Healthcare Provider | 2365 | 2012-09-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Anomalous activity occurred on a single computer server utilized to support clinical trial programs at the covered entity (CE), the University of New Mexico Cancer Center. The University of New Mexico Cancer Center is a component of the University of New Mexico Health Sciences Center. The electronic protected health information (ePHI) included the names, addresses, dates of birth, phone numbers, patient identification numbers, and/or social security numbers of approximately 2,365 individuals. Upon discovering the breach, the CE followed its investigative procedures. The CE provided breach notifications to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | University of New Mexico Health Sciences Center NM Healthcare Provider 2365 | Wednesday | 2012 |
PORTAL HEALTHCARE SOLUTIONS LLC | VA | Business Associate | 2360 | 2013-04-04 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors’ notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. As a result of OCR’s investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE’s ePHI. | PORTAL HEALTHCARE SOLUTIONS LLC VA Business Associate 2360 | Thursday | 2013 |
Florida Department of Health | FL | Healthcare Provider | 2354 | 2013-12-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On October 30, 2013, the Florida Department of Health, the Covered Entity (CE), was notified by law enforcement officials that Orange County Department of Health (OCDOH) employees retrieved protected health information (PHI) from the CE's Health Maintenance System (HMS) by taking pictures of their computer screens with their smart phones and providing that information to a third party to file fraudulent tax returns. The breach affected 2,354 individuals and the types of PHI involved included patients' names, dates of birth, and social security numbers. In response to this breach, the CE sanctioned the two employees, updated its policy regarding access controls for social security numbers, and implemented a statewide masking of social security in its HMS that involves a multi-tiered system for accessing data containing social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and posted breach notification on its website. The CE provided training on the new policies and procedures throughout OCDOH. OCR obtained assurances that the CE implemented the corrective actions listed above. | Florida Department of Health FL Healthcare Provider 2354 | Monday | 2013 |
Specialty Clinics Of Georgia - Orthopaedics | GA | Healthcare Provider | 2350 | 2014-08-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Specialty Clinics Of Georgia - Orthopaedics GA Healthcare Provider 2350 | Monday | 2014 |
Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute | PA | Healthcare Provider | 2350 | 2013-10-03 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee removed paper copies of daily patient schedules and two medical reports from the covered entity's (CE) transcription processing department without authorization upon her termination from employment. Approximately 2,300 individuals were affected by the breach. The protected health information (PHI) involved in the breach included patient names, telephone numbers, appointment dates and times, dates of birth, reasons for visits, visit sites, assigned staff/physician, chart numbers, insurance company codes and copays, encounter numbers, and treatment information. The CE provided breach notification to HHS, the media and affected individuals and provided one year of free credit monitoring to those who requested it. Following the breach, the CE cooperated with local authorities in their arrest and prosecution of the involved employee. The CE updated its privacy policies and procedures, organized the policies into a HIPAA manual, and retrained 687 employees on its privacy policies and procedures. In response to OCR's investigation, the CE decided to replace its electronic medical records and practice management systems to improve safeguards for electronic PHI. | Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute PA Healthcare Provider 2350 | Thursday | 2013 |
Rite Aid Corporation | PA | Healthcare Provider | 2345 | 2015-06-03 | Theft | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | On April 27, 2015, rioters in Baltimore, MD broke into, vandalized, and looted eight locations of the covered entity (CE), Rite Aid, taking 2,345 filled prescriptions. The “will-call” prescriptions involved in the breach contained patients' names, addresses, and medication names. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. All of the vandalized locations, except the one that was burned, have been re-opened with full security restored. OCR obtained assurances that the CE implemented the corrective actions listed. | Rite Aid Corporation PA Healthcare Provider 2345 | Wednesday | 2015 |
Aetna, Inc. | CT | Health Plan | 2345 | 2010-11-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna’s emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. | Aetna, Inc. CT Health Plan 2345 | Sunday | 2010 |
Henry Ford Health System | MI | Healthcare Provider | 2336 | 2015-01-09 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Henry Ford Health System, the covered entity (CE), reported a breach that occurred on October 23, 2014, when a physician lost a portable electronic device (a “flash” drive). The physician failed to adhere to the CE's policy mandating use of employer-issued flash drives and padlocks. The breach affected 2,336 individuals. The protected health information (PHI) involved in the breach included clinical and demographic information. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS. It also sanctioned the employee involved in the breach based on the severity of the noncompliance. OCR obtained documented assurances that the CE implemented the corrective action steps above. After OCR provided substantial technical assistance to the CE on the Security Rule's Risk Analysis requirements, the CE provided written assurances to OCR that it will: 1) create a more robust asset management program over the next 6-8 months and provide that documentation to OCR; 2) complete an enterprise data mapping and asset inventory by December 31, 2017; and 3) submit a fully executed copy of the business associate agreement (BAA) to OCR upon signature of a Master Service Agreement (MSA) and Statement of Work (SOW) for data mapping services once its vendor is chosen. This review was consolidated into an existing investigation of the CE. | Henry Ford Health System MI Healthcare Provider 2336 | Friday | 2015 |
Cancer Specialists of Tidewater | VA | Healthcare Provider | 2318 | 2014-07-31 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Cancer Specialists of Tidewater, was notified by the Chesapeake Virginia Police Department that an employee was arrested and charged with taking credit card information from patients' belongings during office visits. The breach report indicated that over 500 individuals were affected and the types of protected health information (PHI) involved in the breach included demographic and financial information. Following the CE's investigation and electronic audit, it provided breach notification to a total of 2,318 patients, HHS, and the media, and posted substitute notice on its website. Following the breach, the CE conducted a risk assessment, upgraded breach detection software, and increased its auditing capabilities. It also conducted employee training. OCR obtained written assurance that the CE implemented the corrective actions listed above. Additionally, the CE terminated the employment of the involved employee. | Cancer Specialists of Tidewater VA Healthcare Provider 2318 | Thursday | 2014 |
Baylor Medical Center at Irving | TX | Healthcare Provider | 2308 | 2014-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Baylor Medical Center at Irving TX Healthcare Provider 2308 | Friday | 2014 |
Sutter Medical Foundation | CA | Healthcare Provider | 2302 | 2015-09-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Sutter Medical Foundation CA Healthcare Provider 2302 | Friday | 2015 |
Grx Holdings, LLC dba Medicap Pharmacy | IA | Healthcare Provider | 2300 | 2016-02-02 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | An external hard drive containing the clinical and demographic information of approximately 2,300 individuals inadvertently fell into a garbage can around November 5, 2015. The covered entity (CE), Grx Holdings, LLC dba Medicap Pharmacy, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE adhered the external hard drives to the wall and initiated a change to eliminate the use of external hard drives as a data backup. It also sanctioned and retrained the involved employees. OCR obtained documentation that the CE implemented these corrective action steps. | Grx Holdings, LLC dba Medicap Pharmacy IA Healthcare Provider 2300 | Tuesday | 2016 |
Good Care Pediatric, LLP | NY | Healthcare Provider | 2300 | 2015-11-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Good Care Pediatric, LLP, after it reported that a Trojan Horse virus affected one computer device and caused patient billing files to be accessible by unauthorized individuals online from January 1 through April 3 of 2014. The incident affected 2,300 individuals. The types of electronic protected health information (ePHI) involved included patients' names, addresses, telephone numbers, dates of birth, and diagnosis codes. As a result of the breach, the CE shut down the external access to the unsecured computer device, conducted a full virus and malware scan of all of its computer devices, and changed passwords for its router, firewall administration, and workforce members. The CE also encrypted all patients' billing files, retrained its workforce members with respect to its HIPAA policies and procedures, and updated its risk analysis and risk management plan. OCR provided the CE with technical assistance regarding the execution of risk analyses and the implementation of procedures for guarding against, detecting, and reporting malicious software. | Good Care Pediatric, LLP NY Healthcare Provider 2300 | Thursday | 2015 |
Reimbursement Technologies, Inc. | PA | Healthcare Clearing House | 2300 | 2013-10-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Reimbursement Technologies, Inc., impermissibly accessed the check images of approximately 2,300 patients. The protected health information (PHI) involved in the breach included personal check information, including bank routing numbers, names and addresses. Following the breach, the CE terminated the employee and reported the breach to the FBI for further investigation. The CE reviewed all the check images accessed and notified the guarantors and offered credit monitoring. The CE monitored employee check viewing, further identified vulnerabilities, and updated its HIPAA policies and procedures, including requiring the check imaging vendor to truncate bank routing numbers. The CE also improved safeguards by installing a new firewall. OCR obtained assurance that the corrective actions listed above were completed. | Reimbursement Technologies, Inc. PA Healthcare Clearing House 2300 | Thursday | 2013 |
Stanford Hospital & Clinics and School of Medicine, Privacy Manager Breach | CA | Healthcare Provider | 2300 | 2012-08-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Stanford Health Care (SHC) (formerly Stanford Hospital and Clinics), and Stanford School of Medicine (SOM), reported that on July 15 or 16, 2012, a password-protected computer was stolen from a locked SOM workforce member's office. The electronic protected health information (ePHI) of approximately 2,641 individuals may have been affected by this incident. The ePHI involved in the breach included clinical and demographic information related to SHC patient care and SOM research. The CE reported that there was no evidence to indicate that ePHI had been inappropriately accessed. The CE contacted law enforcement, notified the affected individuals, offered identity protection services at no cost to the affected individuals, established a toll-free call center to assist affected individuals with questions or concerns, and notified the media and HHS. As a result of the breach and OCR's corresponding investigation, the CE implemented additional physical safeguards, audited SHC desktops and laptops to ensure encryption, issued security awareness reminders to workforce, and initiated plans to implement an improved risk management process. | Stanford Hospital & Clinics and School of Medicine, Privacy Manager Breach CA Healthcare Provider 2300 | Friday | 2012 |
Dr. Trandinh | OR | Business Associate | 2300 | 2012-02-20 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | The CE reported that a physician's personally-owned, unencrypted laptop was stolen from her residence. The laptop contained the medical records of 2,306 patients who had been seen by the physician in her solo private practice, not the CE. The medical records contained demographic information, including home addresses, Social Security numbers, and clinical information, including diagnoses, treatment information, and medical history. Prior to the theft, the physician had closed her private practice and provided an electronic copy of her patient records to the CE. The CE, as custodian of the records, provided breach notification to HHS, affected individuals and the media. Following additional technical assistance provided by OCR, the CE developed a written breach policy and procedure. | Dr. Trandinh OR Business Associate 2300 | Monday | 2012 |
Memorial Health Systems | CO | Healthcare Provider | 2300 | 2011-07-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | NA | NA | NA | NA | No | On July 12, 2011, the covered entity (CE), Memorial Health System (now doing business as Memorial Hospital – University of Colorado Health) submitted a breach report explaining that a former Colorado Springs Occupational Health Clinic (CSOHC) nurse impermissibly accessed over 2,330 individuals' medical records between 2003 and May 2011. To carry out these impermissible accesses, the nurse utilized a web-based electronic health record (EHR) application that was owned and operated by the CE and utilized by several Colorado Springs area providers, including the CSOHC. The CE provided breach notification to HHS, the media, and affected individuals. Based on the breach and OCR's investigation, the CE terminated the former CSOHC nurse's access to the EHR and ultimately replaced the EHR. The CE developed and implemented several new Privacy and Security Rule policies and procedures, conducted institution-wide HIPAA training, implemented stricter audit controls, and implemented an information system activity review mechanism. Additionally, the involved nurse resigned from CSOHC. OCR has consolidated the unresolved issues from this breach into another review of this CE. | Memorial Health Systems CO Healthcare Provider 2300 | Friday | 2011 |
UNCG Speech and Hearing Center | NC | Healthcare Provider | 2300 | 2010-08-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Computer malware was detected on the covered entity's (CE) unencrypted billing software program, “Therapist Helper.” The CE did not know when the malware entered its system. Approximately 2,300 individuals were potentially affected by this malware virus. The types of protected health information (PHI) involved included demographic, financial (claims information), and clinical information (diagnoses/conditions, medications, lab results, and other treatment information). Following the breach, the CE applied security and privacy safeguards, mitigated harm, and implemented sanctions. The CE also reported working and cooperating with the local law enforcement. As a result of OCR's investigation, the CE implemented processes and deployed software to detect, prevent, and mitigate malware on its computers, installed new computers and systems to segregate electronic PHI, and implemented additional procedures to increase awareness of and ensure compliance with technical and physical safeguards. The CE also placed an accounting of disclosures in the medical records of the affected individuals, and complied with the applicable notification provisions of the Breach Notification Rule. | UNCG Speech and Hearing Center NC Healthcare Provider 2300 | Monday | 2010 |
Nihal Saran, MD | MI | Healthcare Provider | 2300 | 2010-06-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran’s personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients’ names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. | Nihal Saran, MD MI Healthcare Provider 2300 | Friday | 2010 |
OrthoWest, Ltd. | OH | Healthcare Provider | 2300 | 2018-05-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | OrthoWest, Ltd. OH Healthcare Provider 2300 | Monday | 2018 |
The University of Vermont Medical Center | VT | Healthcare Provider | 2300 | 2017-07-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | The University of Vermont Medical Center VT Healthcare Provider 2300 | Friday | 2017 |
Marin Healthcare District | CA | Healthcare Provider | 2292 | 2016-09-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Ransomware infected systems operated by the covered entity's (CE) business associate (BA), Marin Medical Practice Concepts, Inc. A third party forensic firm hired to investigate the incident found no evidence that patients' personal, financial, or health information was accessed, viewed, or transferred. However, during the restoration process, one of the BA's backup systems failed, causing the loss of protected health information (PHI) documented by the CE's physicians during the period from July 11, 2016 through July 26, 2016. The PHI included vital signs, limited clinical histories, documentation of physical examinations, and records of the communications between patients and their physicians during their visits. OCR consolidated this review with an existing review of the BA involved in this case. | Marin Healthcare District CA Healthcare Provider 2292 | Tuesday | 2016 |
Mountain Vista Medical Center | AZ | Healthcare Provider | 2291 | 2011-02-21 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | | Mountain Vista Medical Center AZ Healthcare Provider 2291 | Monday | 2011 |
Group Health Plan of Hurley Medical Center | MI | Health Plan | 2289 | 2014-06-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Group Health Plan of Hurley Medical Center MI Health Plan 2289 | Monday | 2014 |
Ambercare Corporation, Inc. | NM | Healthcare Provider | 2284 | 2018-07-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Ambercare Corporation, Inc. NM Healthcare Provider 2284 | Friday | 2018 |
Cambridge Health Alliance | MA | Healthcare Provider | 2280 | 2018-03-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Cambridge Health Alliance MA Healthcare Provider 2280 | Wednesday | 2018 |
Memorial Sloan-Kettering Cancer Center | NY | Healthcare Provider | 2279 | 2013-11-13 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Memorial Sloan-Kettering Cancer Center NY Healthcare Provider 2279 | Wednesday | 2013 |
UC Davis Medical Center, Privacy Manager Breach | CA | Healthcare Provider | 2269 | 2014-02-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), University of California, Davis Medical Center, reported that on December 13, 2013, a fraudulent phishing email was sent to employees. The email instructed employees to go to a fraudulent website and input authentication credentials. Three employee email accounts were impacted by the phishing scam. The email accounts contained the electronic protected health information (ePHI) of approximately 2,269 individuals. The types of ePHI potentially affected by the incident included patient names, medical record numbers, and limited health information. The CE determined that there was a low probability that specific email content was accessed during this event. The CE provided breach notification to HHS, affected individuals, and the media. Immediately following its discovery of the breach incident, the CE took steps to mitigate harm including blocking further access to the initiating IP address, deleting all similar phishing emails from employee accounts, and immediately notifying staff of the pending threat. In response to this incident, the CE implemented a new procedure to help guard against, detect, and report malicious software. OCR obtained assurances that the CE implemented the corrective action described above. | UC Davis Medical Center, Privacy Manager Breach CA Healthcare Provider 2269 | Friday | 2014 |
The University of Texas MD Anderson Cancer Center | TX | Healthcare Provider | 2264 | 2012-08-17 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | The University of Texas MD Anderson Cancer Center TX Healthcare Provider 2264 | Friday | 2012 |
California Pacific Orthopaedics and Sports Medicine | CA | Healthcare Provider | 2263 | 2017-06-30 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | California Pacific Orthopaedics and Sports Medicine CA Healthcare Provider 2263 | Friday | 2017 |
Standard Register | OH | Business Associate | 2261 | 2013-03-01 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE’s envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI. | Standard Register OH Business Associate 2261 | Friday | 2013 |
TMA Practice Management Group | TX | Business Associate | 2260 | 2014-03-17 | Improper Disposal | Loss | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), McBroom Clinic, PA, signed a business associate (BA) agreement with TMA Practice Management Group to provide an operational assessment/audit. As part of the assessment the BA requested, and the CE provided, certain health information about patients. The protected health information (PHI) included clinical and insurance/payment information about patients. The CE copied some of the PHI to an unencrypted portable USB flash drive and sent it to the BA with other information in a package on January 7, 2014. Upon receipt of the empty package, the BA subsequently discarded it in the recycling receptacle. On or around February 21, 2014, the Clinic contracted with AllClear ID to assist with the patient notification and mitigation efforts. As a result of the breach, the CE instituted new procedures for extracting and sending PHI via portable media, including encryption. Due to OCR's investigation, the CE was made aware of the following areas of improvement: risk analysis and staff training on policies and procedures. | TMA Practice Management Group TX Business Associate 2260 | Monday | 2014 |
UPMC | PA | Healthcare Provider | 2259 | 2015-05-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA) employee disclosed the protected health information (PHI) of approximately 2,259 of the covered entity's (CE) patients to outside parties. The PHI involved in the breach included names, dates of birth, and social security numbers. Following the breach, the CE terminated its relationship with the BA. OCR reviewed the CE's risk analysis to ensure compliance with the Security Rule. | UPMC PA Healthcare Provider 2259 | Friday | 2015 |
Vincent Vein Center | CO | Healthcare Provider | 2250 | 2016-06-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Vincent Vein Center, reported that its business associate (BA), Bizmatics, had owned data servers containing the CE's patient information that were accessed by unauthorized persons. Approximately 2,250 of the CE's patients were affected by the breach. The electronic protected health information (ePHI) involved in the breach included patients' names, addresses, social security numbers, and health visit information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE began evaluating the use of alternate electronic medical record and practice management software. As a result of OCR's investigation and technical assistance, the CE provided written assurances that it will revise and/or implement its relevant breach notification and BA contract policies and procedures in compliance with HIPAA. OCR opened a separate investigation of the BA. | Vincent Vein Center CO Healthcare Provider 2250 | Tuesday | 2016 |
Long Beach Memorial Medical Center | CA | Healthcare Provider | 2250 | 2011-02-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Long Beach Memorial Medical Center CA Healthcare Provider 2250 | Friday | 2011 |
Genesis Physical Therapy, Inc. | CA | Healthcare Provider | 2245 | 2016-10-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Rehab Billing Solutions (RBS) is a business associate (BA), which handled the billing and medical records, for the covered entity (CE), Genesis Physical Therapy, Inc. A third party impermissibly accessed protected health information (PHI) by exploiting a vulnerability in the BA's application that stores scanned documents. The demographic and/or financial information of 2,245 individuals was potentially involved in the breach. The CE ended the BA agreement with this BA on August 31, 2016, and did not have access to the application at the time of the breach. The CE provided breach notification to HHS, affected individuals and the media pursuant to the Breach Notification Rule. In response to OCR's investigation, the CE provided OCR with a copy of its BA agreement with RBS, which contained satisfactory assurances regarding safeguarding PHI pursuant to the requirements of the Privacy and Security Rules. | Genesis Physical Therapy, Inc. CA Healthcare Provider 2245 | Friday | 2016 |
Advocate Health and Hospitals Corporation | IL | Healthcare Provider | 2237 | 2013-11-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR's investigations into these incidents revealed that Advocate failed to: • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children's hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. | Advocate Health and Hospitals Corporation IL Healthcare Provider 2237 | Friday | 2013 |
Capitol Anesthesiology Association | TX | Healthcare Provider | 2231 | 2018-06-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Capitol Anesthesiology Association TX Healthcare Provider 2231 | Friday | 2018 |
MAPFRE Life | PR | Health Plan | 2209 | 2011-09-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other | NA | NA | NA | NA | NA | NA | No | HIPAA settlement demonstrates importance of implementing safeguards for ePHI. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million and implementing a corrective action plan. With this resolution amount, OCR balanced potential violations of the HIPAA Rules with evidence provided by MAPFRE with regard to its present financial standing. MAPFRE is a subsidiary company of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans. On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. The report noted that the breach affected 2,209 individuals. MAPFRE informed OCR that it was able to identify the breached ePHI by reconstituting the data on the computer on which the USB data storage device was attached. OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014. MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake. “Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.” The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE | MAPFRE Life PR Health Plan 2209 | Thursday | 2011 |
Anne Arundel Health System | MD | Healthcare Provider | 2208 | 2015-10-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Anne Arundel Health System MD Healthcare Provider 2208 | Thursday | 2015 |
Mosaic Medical | OR | Healthcare Provider | 2207 | 2015-03-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An intruder entered the administrative office of the covered entity (CE) through a window. Nothing was stolen; however, the protected health information (PHI) of 2,202 individuals was stored in the office. The PHI involved in the breach included names, medical information, medical insurance information, addresses, phone numbers, and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE moved its administrative office to another location with improved physical safeguards. In addition, the CE instructed staff on its procedures for securely storing PHI. OCR obtained assurances that the CE implemented the corrective action listed above. | Mosaic Medical OR Healthcare Provider 2207 | Thursday | 2015 |
Samaritan Regional Health System | OH | Healthcare Provider | 2203 | 2013-07-03 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above. | Samaritan Regional Health System OH Healthcare Provider 2203 | Wednesday | 2013 |
LSU Healthcare Network | LA | Healthcare Provider | 2200 | 2017-05-04 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | LSU Healthcare Network LA Healthcare Provider 2200 | Thursday | 2017 |
W. Christopher Bryant DDS PC | MI | Healthcare Provider | 2200 | 2016-03-17 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | W. Christopher Bryant DDS PC MI Healthcare Provider 2200 | Thursday | 2016 |
Inclusion Research Institute | DC | Business Associate | 2200 | 2014-04-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) subcontractor, on behalf of the CE’s business associate (BA), Inclusion Research Institute, sent postcards to 2,200 individuals indicating they were receiving services at the CE, Developmental Disabilities Administration, Maryland Department of Health and Mental Hygiene. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE directed the subcontractor to cease and desist sending the postcards. OCR obtained assurances that the CE implemented the corrective actions listed. | Inclusion Research Institute DC Business Associate 2200 | Thursday | 2014 |
Brevard Emergency Services, P.A. | FL | Healthcare Provider | 2200 | 2011-10-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Brevard Emergency Services, P.A. FL Healthcare Provider 2200 | Tuesday | 2011 | |
Adult & Pediatric Dermatology, PC | MA | Healthcare Provider | 2200 | 2011-10-07 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. “As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.” In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR. | Adult & Pediatric Dermatology, PC MA Healthcare Provider 2200 | Friday | 2011 |
Friendship Center Dental Office | FL | Healthcare Provider | 2200 | 2011-01-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On December 19, 2010, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic information of approximately 2,200 individuals, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. The CE increased physical security by installing a security system with motion detectors as well as motion sensor lighting outside the building. The CE also updated its HIPAA policies and procedures to reflect Security Rule requirements, including password protection requirements and the encryption of ePHI in transit. OCR obtained assurances that the corrective actions listed above were taken. | Friendship Center Dental Office FL Healthcare Provider 2200 | Tuesday | 2011 |
Cumberland Gastroenterology, P.S.C. | KY | Healthcare Provider | 2200 | 2010-10-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) medical records storage facility was burglarized, resulting in the theft of protected health information (PHI) of 2,207 individuals. The PHI included names, birth dates, social security numbers, addresses, phone numbers, primary care providers, diagnosis codes, presenting complaints, exam findings, insurance information, dates of visits, services performed, and referring providers. The CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE also conducted an inventory of stolen items and created an accounting of affected individuals. Following the breach, the CE increased physical security, limited the amount of stored PHI, and expedited the adoption of electronic medical records. As a result of OCR’s investigation the CE executed BA agreements with the storage facility and with a document shredding company. Additionally, it re-trained workforce members on its revised HIPAA policies and procedures with respect to safeguards for PHI, and placed an accounting of disclosures of PHI in each of the affected individuals’ medical records. OCR obtained assurances that the CE implemented the corrective action listed above. | Cumberland Gastroenterology, P.S.C. KY Healthcare Provider 2200 | Tuesday | 2010 |
Comanche County Hospital Authority | OK | Healthcare Provider | 2199 | 2016-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A business associate (BA), Avatar Solutions, e-mailed satisfaction surveys for patients who visited Memorial Medical Group, a provider affiliate of the covered entity (CE), Comanche County Hospital Authority, to incorrect e-mail addresses. The surveys contained patients’ and providers’ names and affected 2,199 individuals. In response to the incident, the BA updated its Security Management Plan, implemented new technical safeguards, applied policy changes to mitigate harm, and implemented training to prevent further incidents. In response to OCR’s investigation, the CE provided evidence it provided breach notification to the media and affected individuals and offered affected individuals a year of free credit monitoring and identity theft protection. | Comanche County Hospital Authority OK Healthcare Provider 2199 | Monday | 2016 | |
Dignity Health Medical Foundation | CA | Healthcare Provider | 2189 | 2017-12-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Dignity Health Medical Foundation CA Healthcare Provider 2189 | Tuesday | 2017 |
Aegis Sciences Corporation | TN | Healthcare Provider | 2185 | 2011-12-21 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member’s vehicle. The ePHI included social security numbers, driver’s license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR’s investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE’s confidentiality and security policies. | Aegis Sciences Corporation TN Healthcare Provider 2185 | Wednesday | 2011 |
Hankyu Chung, M.D. | CA | Healthcare Provider | 2182 | 2013-09-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On June 17, 2013, two unencrypted laptop computers were stolen from the covered entity’s facility in San Jose, California. One of the laptops reportedly contained the electronic protected health information (ePHI) of approximately 2,182 individuals. In particular, the ePHI included full names, home addresses, telephone numbers, date of birth information, and medical records. The CE provided breach notification to HHS, affected individuals, and the media and established a website to assist potentially affected individuals. The CE implemented measures to improve physical security and safeguard the ePHI it maintains. OCR provided substantive technical assistance and identified corrective actions that the CE must complete to comply with the Security Rule, which include the following: conduct and monitor a comprehensive, enterprise-wide risk analysis as well as administer measures that support the results of that analysis, such as articulating policies and procedures and maintaining current business associate agreements. | Hankyu Chung, M.D. CA Healthcare Provider 2182 | Friday | 2013 |
Boys Town National Research Hospital | NE | NA | 2182 | 2018-05-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Boys Town National Research Hospital NE NA 2182 | Wednesday | 2018 | |
South Alamo Medical Group P.A | TX | Healthcare Provider | 2180 | 2018-08-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | Network Server | NA | NA | NA | NA | No | NA | South Alamo Medical Group P.A TX Healthcare Provider 2180 | Thursday | 2018 | |
Dignity Health St. Rose Dominican Hospitals-DeLIma | NV | Healthcare Provider | 2174 | 2018-05-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Dignity Health St. Rose Dominican Hospitals-DeLIma NV Healthcare Provider 2174 | Thursday | 2018 |
The Brooklyn Hospital Center | NY | Healthcare Provider | 2172 | 2014-01-22 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The Brooklyn Hospital Center NY Healthcare Provider 2172 | Wednesday | 2014 | |
Children’s Hospital Boston | MA | Healthcare Provider | 2159 | 2012-05-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Children’s Hospital Boston MA Healthcare Provider 2159 | Tuesday | 2012 | |
NYU School of Medicine - Pediatric Surgery Associates | NY | Healthcare Provider | 2158 | 2017-12-15 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | NYU School of Medicine - Pediatric Surgery Associates NY Healthcare Provider 2158 | Friday | 2017 |
Raymond Mark Turner, M.D. | NV | Healthcare Provider | 2153 | 2015-02-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | One unencrypted laptop computer was stolen during business hours while the office of Dr. Robert Mark Turner was in the process of updating and encrypting its computers. A file on the stolen laptop contained the electronic protected health information (ePHI) of 2,153 individuals which included names, addresses, dates of birth, social security numbers, driver’s license numbers, health insurance information, and records of medical treatment. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and provided credit monitoring and identity theft protection to affected individuals. In response to the breach, the CE improved physical safeguards and enhanced technical safeguards by implementing an encryption management program for all computer systems. OCR reviewed the CE’s HIPAA risk assessment and provided technical assistance on the required elements of a risk analysis and risk management plan. | Raymond Mark Turner, M.D. NV Healthcare Provider 2153 | Thursday | 2015 |
Mind Springs Health | CO | Healthcare Provider | 2147 | 2016-02-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On January 8, 2016 a foreign transcription services subcontractor to Mind Springs Health’s former business associate (BA), Stratton Consulting Services, Inc., mistakenly published electronic protected health information (ePHI) on the internet during a software update. The types of ePHI involved in the breach included names, dates of birth, medications, and physicians’ notes, affecting 2,147 individuals who received treatment from the covered entity (CE) between January 2009 and March 2010. Following the breach, the subcontractor removed the information from the internet. The CE provided breach notification to HHS, affected individuals, and the media. Subsequent to the breach, the CE established BA agreements with its contractors. OCR provided technical assistance regarding relevant issues pursuant to the Privacy and Security Rules. | Mind Springs Health CO Healthcare Provider 2147 | Saturday | 2016 |
Alere Toxicology | MA | Healthcare Provider | 2146 | 2017-11-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Alere Toxicology MA Healthcare Provider 2146 | Tuesday | 2017 |
VA Eastern Colorado Health Care System | CO | Healthcare Provider | 2130 | 2016-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | VA Eastern Colorado Health Care System CO Healthcare Provider 2130 | Tuesday | 2016 | |
PA Dept. of Human Services | PA | Healthcare Provider | 2130 | 2018-07-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | PA Dept. of Human Services PA Healthcare Provider 2130 | Monday | 2018 |
James A. Fosnaugh | NE | Healthcare Provider | 2125 | 2013-06-26 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Dr. James A. Fosnaugh, after he reported that the computer chip in his thumb drive had fallen out of its casing at some point in May 2013. The thumb-drive contained the names, dates of birth, addresses, phone numbers, and in some cases, names of family members listed on family medical histories. The incident affected approximately 2,125 of the CE’s patients. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE established a team responsible for identifying security issues as they arise. The CE also retrained employees on its policies and procedures regarding the Privacy and Security Rules. As a result of OCR’s investigation, the CE completed a risk analysis to ensure adequate safeguards of electronic protected health information. | James A. Fosnaugh NE Healthcare Provider 2125 | Wednesday | 2013 |
Baxter Regional Medical Center - Home Health Facility | AR | Healthcare Provider | 2124 | 2016-10-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On August 5, 2016, intruders broke into the covered entity (CE), Baxter Regional Medical Center, potentially breaching the protected health information (PHI) of approximately 2,124 individuals. The intruders broke into locked offices which contained PHI in paper-based patient files although nothing appeared to be missing. Following the breach, the CE improved physical security. Additionally, it moved all non-current patient records to a secure, off-site storage facility and trained employees on its HIPAA practices. The CE provided breach notification to HHS, affected individuals, and the media. During OCR’s investigation, OCR reviewed the notification to HHS and provided technical assistance regarding the Breach Notification Rule. | Baxter Regional Medical Center - Home Health Facility AR Healthcare Provider 2124 | Wednesday | 2016 |
BlueCross BlueShield of TN, Inc. | TN | Health Plan | 2117 | 2017-07-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | BlueCross BlueShield of TN, Inc. TN Health Plan 2117 | Friday | 2017 |
Chesapeake Regional Medical Center | VA | Healthcare Provider | 2100 | 2018-04-06 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Chesapeake Regional Medical Center VA Healthcare Provider 2100 | Friday | 2018 |
Sunquest Information Systems | AZ | Business Associate | 2100 | 2015-09-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Sunquest Information Systems, reported that on July 27, 2015, an unencrypted laptop computer was stolen from a workforce member’s car. The CE determined that the breach affected the electronic protected health information (ePHI) associated with approximately 2,100 individuals. The types of ePHI affected by the breach included patients’ addresses, dates of birth, names, social security numbers, medical record numbers, health insurance information, billing codes, diagnosis information and lab results. The CE provided breach notification to HHS, affected individuals and the media, and offered 1 year of free credit monitoring to affected individuals. Following the breach, the CE sanctioned the responsible workforce member and provided additional training to other workforce members. As a result of OCR’s investigation, the CE implemented encryption technology and updated relevant policies and procedures. | Sunquest Information Systems AZ Business Associate 2100 | Thursday | 2015 |
Roy E. Gondo, M.D. | WA | Healthcare Provider | 2100 | 2012-04-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | Roy E. Gondo, M.D. WA Healthcare Provider 2100 | Friday | 2012 | |
Dignity Health St. Rose Dominican Hospitals - Siena | NV | Healthcare Provider | 2098 | 2018-05-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Dignity Health St. Rose Dominican Hospitals - Siena NV Healthcare Provider 2098 | Thursday | 2018 |
Jewish Hospital | KY | Healthcare Provider | 2089 | 2010-08-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Jewish Hospital KY Healthcare Provider 2089 | Thursday | 2010 | |
Ochsner Health System | LA | Healthcare Provider | 2088 | 2012-02-20 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An external hard drive was stolen from the radiology department of the covered entity (CE), Ochsner Health System. The electronic protected health information (ePHI) on the hard drive included the names, addresses, dates of birth, and medical record numbers of approximately 2,088 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE improved technical safeguards and updated its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Ochsner Health System LA Healthcare Provider 2088 | Monday | 2012 |
Rite Aid #10217 | RI | Healthcare Provider | 2082 | 2013-03-29 | Other | Unknown | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Rite Aid #10217 RI Healthcare Provider 2082 | Friday | 2013 | |
Atlantic Digestive Specialists | NH | Healthcare Provider | 2081 | 2017-04-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Atlantic Digestive Specialists NH Healthcare Provider 2081 | Friday | 2017 |
City of Chicago | IL | Healthcare Provider | 2080 | 2013-11-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) mistakenly permitted protected health information (PHI) to be viewable on the Internet when users uploaded files without changing the default permission settings for the folders containing the files. As a result, Google was able to detect and cache the PHI in the uploaded folders. Approximately 2,080 individuals were affected by this breach. The types of PHI involved in the breach included students’ names, birthdates, genders, identification numbers, vision exam dates, diagnoses, and schools. The CE provided breach notification to HHS, the parents and guardians of affected individuals, and the media. It also posted notice on its website. The CE took action to remove the files containing PHI from its network and compiled a list of files along with the associated unique record locator numbers (URLs) and cached URLs. The CE contacted Google to request removal of the data from the cache and the archives, and Google confirmed that the data was removed. OCR obtained assurances that the CE implemented the corrective actions listed above. | City of Chicago IL Healthcare Provider 2080 | Friday | 2013 |
New York City Human Resources Administration/Department of Social Services | NY | Health Plan | 2078 | 2018-05-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | New York City Human Resources Administration/Department of Social Services NY Health Plan 2078 | Friday | 2018 |
Family Medical Group Northeast PC | OR | Healthcare Provider | 2077 | 2018-08-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Medical Group Northeast PC OR Healthcare Provider 2077 | Wednesday | 2018 |
Daniel A. Sheldon, M.D., P.A. | FL | Healthcare Provider | 2075 | 2015-09-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On May 18, 2013, OCR received an anonymous complaint alleging that the protected health information (PHI) of the patients of the covered entity (CE), Dr. Daniel Sheldon, M.D., P.A., was accessible on the internet via Google. OCR confirmed the allegations when it identified web search results containing private medical records from a website associated with the practice. Following an investigation by OCR, the practice submitted a breach notification to HHS on September 16, 2015, in which it reported that the PHI of approximately 2,075 patients was potentially viewable online, including addresses, dates of birth, names, and clinical information. In response to the incident, the CE contacted its electronic medical record (“EMR”) hosting company, IOS Health Systems (“IOS”), which immediately secured the information and conducted an internal investigation. IOS changed the file locations of the practice’s EMR records, renamed the file structures, obfuscated file directories, conducted standard security inspections, and began an audit trail review to determine any unauthorized access to the CE’s records. Additionally, the CE ensured that users did not share any documents or links via non-secure methods, changed all passwords for all users, confirmed username and password confidentiality policies with all employees, ensured proper antivirus and spyware applications were installed, and verified that its firewall was properly configured with the latest version of security upgrades. In response to OCR’s investigation, the practice provided evidence that it provided breach notification to HHS, affected individuals and the media, and offered identity theft protection services. It also terminated its relationship with its EMR system hosting company, IOS, and entered into a revised business associate agreement with a new EMR hosting company. Finally, the CE created new policies regarding its breach notification procedures. | Daniel A. Sheldon, M.D., P.A. FL Healthcare Provider 2075 | Wednesday | 2015 |
Lawrence General Hospital | MA | Healthcare Provider | 2071 | 2015-08-05 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Lawrence General Hospital, discovered that a portable computer drive (a “thumb” drive), which was not encrypted or password-protected, was missing following a theft in the laboratory. The protected health information involved included names, laboratory testing codes, and slide identification numbers, affecting 2,071 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE eliminated the need to use a thumb drive in the pathology laboratory and accelerated the completion of reconfiguring all compatible computer ports (“USB” ports) to disable the use of unencrypted thumb drives. The CE also implemented new procedures to monitor the receipt of media and devices. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lawrence General Hospital MA Healthcare Provider 2071 | Wednesday | 2015 |
Mercy Family Medicine | CO | Healthcare Provider | 2069 | 2017-08-16 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Mercy Family Medicine CO Healthcare Provider 2069 | Wednesday | 2017 |
T.J. Samson Community Hospital | KY | Healthcare Provider | 2060 | 2015-08-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), TJ Samson Community Hospital, discovered that on June 8, 2015, it had sent an advertisement email to 2,060 patients that inadvertently exposed the names and email addresses of the recipients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE drafted a new policy which details the internal use of its patient portal to communicate with patients. It also counseled its marketing staff on disseminating information. OCR obtained assurances that the CE implemented the corrective actions listed above. | T.J. Samson Community Hospital KY Healthcare Provider 2060 | Friday | 2015 | |
Jonathan Noel MD | IN | Healthcare Provider | 2059 | 2011-09-08 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | | Jonathan Noel MD IN Healthcare Provider 2059 | Thursday | 2011 |
University of Florida | FL | Healthcare Provider | 2047 | 2010-07-08 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), University of Florida Department of Epidemiology and Health Policy Research, mailed approximately 2,047 letters that contained an identifier on the address label that was an adaptation of either a child’s social security number or Medicaid identification number. The types of protected health information (PHI) involved in the breach included names, social security numbers, or Florida Medicaid numbers of the patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE recalled the faulty files from the printing company and the medical survey company and updated its procedures and forms to ensure that data is handled in accordance with the Privacy Rule. The CE provided OCR with its 2011 Training Schedule for Research Coordinators at the Institute of Child Health Policy (ICHP). Included in this year-long training is a section dedicated to Regulatory Compliance, including the importance of HIPAA and data security. The CE also sanctioned the employees involved in the breach. OCR’s investigation resulted in the CE improving its physical safeguards and retraining employees. | University of Florida FL Healthcare Provider 2047 | Thursday | 2010 |
Young Family Medicine Inc | OH | Healthcare Provider | 2045 | 2013-08-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Young Family Medicine Inc OH Healthcare Provider 2045 | Monday | 2013 |
Iowa Dept. of Human Services | IA | Health Plan | 2042 | 2014-03-10 | Other | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | | No | Employees of the covered entity (CE), Iowa Department of Human Services, used personal email accounts, personal online storage accounts and personal electronic devices for work purposes. From February 5, 2010 to January 17, 2014, the protected health information (PHI) of 2,042 individuals was transferred outside of the CE’s secure network in this manner. The types of information included names, mailing addresses, social security numbers, state ID numbers, dates of birth, PHI obtained during case assessment, and incident information. The CE stated that it notified affected individuals and media and also offered free credit monitoring to the affected individuals. OCR has consolidated this breach with another breach involving this CE. | Iowa Dept. of Human Services IA Health Plan 2042 | Monday | 2014 |
UW Health | WI | Healthcare Provider | 2036 | 2017-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | UW Health WI Healthcare Provider 2036 | Thursday | 2017 |
Chapman & Chapman, Inc. | OH | Business Associate | 2032 | 2018-08-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Chapman & Chapman, Inc. OH Business Associate 2032 | Friday | 2018 |
Pratap S. Kurra, M.D. | CA | Healthcare Provider | 2029 | 2016-09-12 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On August 9, 2016, the covered entity (CE), Pratap S. Kurra, M.D., discovered a breach in which his practice accidentally threw out paper billing tickets during a move, and the tickets were out of his control for less than 24 hours before being retrieved. The breach affected approximately 2,029 individuals. The types of protected health information (PHI) involved in the breach included the CE’s name, patients’ names, hospital names, procedure types and times, anesthesia used, and difficulty of cases. The CE provided breach notification to HHS, the media, and affected individuals. The CE revised its billing procedure to mail billing tickets directly from the hospital to the CE’s billing company and discontinue taking paper PHI home. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Pratap S. Kurra, M.D. CA Healthcare Provider 2029 | Monday | 2016 |
Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group | IL | Business Associate | 2029 | 2013-09-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. | Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group IL Business Associate 2029 | Friday | 2013 |
University of Kentucky | KY | Healthcare Provider | 2027 | 2010-06-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer containing the protected health information (PHI) of approximately 2,027 individuals was stolen from the covered entity (CE), University of Kentucky, Department of Pediatrics. The information was part of the New Born Screening Program sent to that department by the state screening program. The types of PHI involved in the breach included demographic information, specifically, names, addresses, dates of birth, social security numbers, and other identifiers, and clinical information. As a result of OCR’s investigation the CE provided OCR with an updated status report of its encryption project that it had previously reported as one of its corrective measures. It also trained workforce members on encryption of computing devices and provided reminders to workforce members about its facility locking procedures. Additionally, the CE provided a report of its information security assessment with details of security gaps as evidence of its risk analysis, along with recommendations for remediation of the gaps identified in the assessment. The CE also improved physical safeguards. The CE provided documentation of compliance with the applicable notification provisions of the Breach Notification Rule. It also updated its accounting of disclosures policy, and drafted a new policy relating to accounting of disclosures regarding breach incidents. | University of Kentucky KY Healthcare Provider 2027 | Friday | 2010 |
Beth Israel Deaconess Medical Center | MA | Healthcare Provider | 2021 | 2011-07-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | | Beth Israel Deaconess Medical Center MA Healthcare Provider 2021 | Tuesday | 2011 |
Stephen J. Helvie, M.D. | CA | Healthcare Provider | 2013 | 2016-12-22 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Stephen J. Helvie, M.D. CA Healthcare Provider 2013 | Thursday | 2016 |
OptumHealth New Mexico | MN | Health Plan | 2006 | 2016-11-18 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On September 26, 2016, the covered entity (CE), Optum, learned that an unencrypted portable computer drive (a “USB flash drive”) containing the electronic protected health information (ePHI) of approximately 2,006 individuals had been lost or accidentally destroyed within the U.S. Postal Service System after being mailed on September 16, 2016 by Optum’s business associate (BA) Rothstein, Donatelli, Hughes, Dahlstrom, Schoenburg & Bienvenu (a law firm). The ePHI consisted of names, addresses, dates of birth, providers’ names, diagnoses, plan ID, as well as partial or full social security numbers for 169 of the individuals. The CE’s BA Agreement with the law firm is compliant with the Privacy Rule. As of January 1, 2017, the CE ceased engaging new business with the BA. OCR obtained documentation of this corrective action. OCR is opening a separate review of the BA. | OptumHealth New Mexico MN Health Plan 2006 | Friday | 2016 |
Florida Healthy Kids Corporation | FL | Health Plan | 2000 | 2017-09-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Florida Healthy Kids Corporation FL Health Plan 2000 | Thursday | 2017 |
Paul C. Gering, Jr., M.D. | OR | Healthcare Provider | 2000 | 2017-06-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Paul C. Gering, Jr., M.D. OR Healthcare Provider 2000 | Thursday | 2017 |
Atchafalaya Internal Medicine Associates | LA | Healthcare Provider | 2000 | 2017-06-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Other Portable Electronic Device | NA | NA | NA | | No | The covered entity (CE), Atchafalaya Internal Medicine Associates, reported a malware attack on its desktop computers that may have compromised the protected health information (PHI) of 2000 patients. During the investigation, OCR learned that the owner of the CE had closed the business. On March 6, 2018, OCR received notification from the owner of Atchafalaya Internal Medicine Associates that all healthcare business activities for the entity have ceased, and the entity is no longer operating as a business. OCR verified that the office telephone number is out of service and the entity’s website no longer exists. The Secretary of State shows the entity has not had filings since February of 2017. Under these circumstances, Atchafalaya Internal Medicine Associates is no longer a covered entity and is not subject to the requirements of HIPAA. | Atchafalaya Internal Medicine Associates LA Healthcare Provider 2000 | Thursday | 2017 |
Toth Enterprises II d/b/a Victory Medical | TX | Healthcare Provider | 2000 | 2017-06-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | | No | NA | Toth Enterprises II d/b/a Victory Medical TX Healthcare Provider 2000 | Monday | 2017 |
Mecklenburg County, North Carolina | NC | Healthcare Provider | 2000 | 2017-05-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Mecklenburg County, North Carolina, the covered entity (CE), disclosed multiple digital storage disks (i.e., DVDs) that contained protected health information (PHI) when it responded to the public records requests of two media outlets. The breach affected 2,041 individuals and the PHI included patients’ names, information regarding the services received, lab results, medical record numbers, patients’ addresses, and dates of birth. The CE provided timely breach notification to HHS, to affected individuals, and to the media. The CE also posted notification about the breach to its website. In response to the breach, the CE revised its HIPAA policies and procedures, revised training modules, retrained staff, and allocated funds to purchase software and hardware to improve its management of future public records requests. OCR provided technical assistance to the CE regarding the required elements of breach notification notices. OCR obtained assurances that the CE implemented the corrective actions listed above. | Mecklenburg County, North Carolina NC Healthcare Provider 2000 | Thursday | 2017 |
Briar Hill Management | MS | Business Associate | 2000 | 2016-11-09 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Briar Hill Management, discovered that an employee lost a laptop computer containing protected health information (PHI) in violation of the CE’s policy. The laptop contained the names, addresses, social security numbers, dates of birth, dates of service, prescription information, and services provided pertaining to 1,994 individuals. The CE provided breach notification to HHS, affected individuals, the media, and on its website. It also notified local police. In response to the breach, the CE sanctioned the involved employee. As a result of OCR’s investigation, the CE reviewed its security risks and implemented several new security measures, including providing additional training to employees, installing software that allows the CE to track and remove data from devices remotely, and encrypting all mobile devices. OCR obtained assurances that the CE implemented the corrective actions listed above. | Briar Hill Management MS Business Associate 2000 | Wednesday | 2016 |
Brian Halevie-Goldman | CA | Healthcare Provider | 2000 | 2016-07-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Dr. Brian Halevie-Goldman, the covered entity (CE), reported a breach that occurred when two laptop computers, a laptop bag containing super-bills and receipts, disability paperwork, copies of prescriptions, lists of symptoms identified by patients, miscellaneous papers to be shredded, and blank controlled and non-controlled prescription pads, and a smart phone were stolen from the physician’s locked vehicle. The types of protected health information (PHI) involved in the breach included the full names, addresses, internal medical record numbers, credit card information, diagnosis/conditions, lab results, medications, and clinical note files for approximately 2,000 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and also provided substitute notice. Following the breach, the CE immediately reported the theft to local law enforcement. In addition, the CE engaged an independent firm to implement additional protective measures. As a result of the breach, the CE purchased new office equipment and security software, created and implemented a log for equipment that travels between offices, encrypted electronic devices that store PHI, and revised policies and procedures to safeguard PHI. The CE also trained workforce members on its revised policies. OCR obtained assurances that the CE implemented the corrective actions noted above. | Brian Halevie-Goldman CA Healthcare Provider 2000 | Wednesday | 2016 |
Linda J White, DDS, PC | VA | Healthcare Provider | 2000 | 2016-06-27 | Improper Disposal | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On June 27, 2016, the covered entity (CE), Dr. Linda White, reported that an external hard drive device containing a backup of the dental practice’s computer server was not returned for proper destruction by an employee. Approximately 2,000 individuals were affected by the breach and the types of protected health information (PHI) stolen included patients’ names, dates of births, social security numbers, and limited medical information. The CE provided breach notification to HHS, affected individuals, and the media. The CE determined after a formal risk assessment that the level of risk was very low because the stolen hard drive required specific software to be utilized for the employee to gain access to the patients’ PHI. OCR obtained assurances that the CE implemented the corrective actions listed. County officials initiated prosecution of the employee who possessed the hard drive device. | Linda J White, DDS, PC VA Healthcare Provider 2000 | Monday | 2016 |
Pointe Medical Services, Inc. | FL | Healthcare Provider | 2000 | 2016-04-01 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Pointe Medical Services, Inc., discovered on February 11, 2016, that a former nurse practitioner was soliciting patients to her new practice from information she had downloaded from the CE between October 23, 2015 and until she was terminated on December 15, 2015. Information on the reports included: patients’ names, dates of birth, phone numbers, reasons for appointments, appointment status (i.e. no show, cancelled, etc.), service sites, diagnoses, conditions, and health insurance information including insurance providers and plan types. The breach affected 2,055 patients. The CE provided breach notification to HHS, to affected individuals, on its website and to various media outlets across Georgia and Florida. In response to the breach, the CE retrained its workforce, disabled the ability to download information to removable electronic storage devices, and increased the frequency of its electronic health record activity audits. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pointe Medical Services, Inc. FL Healthcare Provider 2000 | Friday | 2016 |
Val Verde Regional Medical Center | TX | Healthcare Provider | 2000 | 2016-03-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | NA | NA | NA | | No | On or about December 18, 2015, the covered entity (CE), Val Verde Regional Medical Center, determined that a member of its medical staff had impermissibly used protected health information (PHI) and sent unsecured emails containing PHI to two unapproved, personal email addresses. The emailed PHI included patients’ names, genders, medical record numbers, dates of birth, modalities, study dates, ages, telephone numbers and/or account numbers, affecting 2,412 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised policies and procedures and retrained staff. The CE conducted a new risk analysis and took actions to mitigate identified risks. During the investigation, OCR provided technical assistance regarding multiple standards of the HIPAA Rules. | Val Verde Regional Medical Center TX Healthcare Provider 2000 | Friday | 2016 |
ROBERT SOPER, M.D. | CA | Healthcare Provider | 2000 | 2015-08-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On June 27, 2015, the covered entity (CE), Robert Soper, M.D., discovered that electronic protected health information (ePHI) he was maintaining had been breached when a desktop computer was stolen from the trunk of his car. Approximately 2,000 individuals’ ePHI was affected by the breach. The breach affected the following types of ePHI: patients’ names, dates of birth, phone numbers, clinical notes, and e-mails. The CE provided breach notification to HHS, affected individuals, and the media. OCR provided the CE with guidance materials and other technical assistance regarding HIPAA Security Rule compliance. In response to OCR’s technical assistance, the CE implemented a security awareness training program and encryption technology within its medical practice. | ROBERT SOPER, M.D. CA Healthcare Provider 2000 | Wednesday | 2015 |
Max M Bayard MD, PC | VT | Healthcare Provider | 2000 | 2015-08-07 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Two unencrypted laptops and one portable storage device (thumb drive) were stolen during a burglary on August 5, 2015. They collectively contained the electronic protected health information (ePHI) of 2,154 individuals. The ePHI involved in the breach included names, dates of birth, insurance information, social security numbers, dates of treatment, types of treatment, and diagnoses. Following the breach, the office of Dr. Bayard, the covered entity (CE), notified HHS, the individuals affected by the breach, and the media. The CE provided individuals with identity protection services and credit monitoring services at no cost. As a result of OCR’s investigation, the CE implemented facility access control policies and procedures and installed an office alarm system and four surveillance cameras. The CE also encrypted computer workstations and initiated a requirement for the use of privacy screens and a locked storage room when the equipment is not in use. | Max M Bayard MD, PC VT Healthcare Provider 2000 | Friday | 2015 |
Community Mercy Health Partners | OH | Healthcare Provider | 2000 | 2015-04-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An individual was accidentally sent the invoices of numerous patients of the covered entity (CE) due to human error after guarantor information on an institutional account was inadvertently changed to an individual patient. The protected health information (PHI) involved in the breach included the demographic, financial, and clinical information of 1,999 individuals. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a future similar occurrence, the covered entity re-educated its patient access/registration staff and began revising processes for institutional payers. OCR reviewed the CE’s relevant HIPAA policies and procedures and obtained assurances that the CE implemented the corrective actions listed above. | Community Mercy Health Partners OH Healthcare Provider 2000 | Monday | 2015 |
David E. Hansen DDS PS | WA | Healthcare Provider | 2000 | 2015-01-29 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | NA | NA | No | On January 29, 2015, the covered entity (CE), David E. Hansen DDS PS, reported that a password protected computer back-up disk, 20 encrypted flash drives and 32 paper dental patients’ records were stolen during a break-in at the CE’s facility. The media devices contained the electronic protected health information (ePHI) of approximately 2000 individuals. The PHI involved in the breach included patients’ names, diagnoses, medications, and other clinical information. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. | David E. Hansen DDS PS WA Healthcare Provider 2000 | Thursday | 2015 |
Sloane Stecker Physical Therapy, PC | NY | Healthcare Provider | 2000 | 2014-06-24 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A workforce member, a physical therapist, accessed the electronic health record system and obtained 2,000 patients’ names, addresses and telephone numbers for the purpose of contacting or soliciting these patients to join a new physical therapy practice. The covered entity (CE), Sloane Stecker Physical Therapy, PC, provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. The CE also provided free credit monitoring for the affected individuals. Following the breach, the CE retrieved the patient information and retrained staff. As a result of OCR’s investigation and technical assistance, the CE is expected to perform an enterprise-wide risk analysis and establish a risk management plan. It is also expected to implement mechanisms to record and examine activity in information systems that contain or use electronic PHI. Additionally, the CE is expected to implement a security incident policy and procedure, implement procedures for identity verification for access to electronic PHI, and provide training to all staff on the newly implemented policies and procedures. | Sloane Stecker Physical Therapy, PC NY Healthcare Provider 2000 | Tuesday | 2014 |
Kemmet Dental Design | ND | Healthcare Provider | 2000 | 2013-11-12 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kemmet Dental Design, learned on November 11, 2013, that its office had been broken into over the preceding weekend. At the time of the break-in, the CE stored between 1,500 – 2,000 paper patient charts containing protected health information (PHI) in its office, and the paper patient charts were not further secured inside the office. The CE provided breach notification to HHS and affected individuals. Though the CE indicated that nothing appeared to be missing, it moved its dental office to a different location in July 2014 and implemented safeguards it had lacked prior to the break-in. For example, the CE converted all of its patient charts to a secure electronic medical record system, properly shredded its old x-rays, and properly disposed of its old paper charts. It also improved physical security. OCR provided technical assistance regarding the need to implement safeguards policies and procedures and regarding the CE’s breach notification reporting obligations. | Kemmet Dental Design ND Healthcare Provider 2000 | Tuesday | 2013 |
David Charles Rish | CA | Business Associate | 2000 | 2012-04-10 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | | David Charles Rish CA Business Associate 2000 | Tuesday | 2012 |
Triumph, LLC | NC | Healthcare Provider | 2000 | 2012-02-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Triumph, LLC NC Healthcare Provider 2000 | Wednesday | 2012 |
Nation Wise Machine Buyers | IL | Business Associate | 2000 | 2011-12-09 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Nation Wise Machine Buyers IL Business Associate 2000 | Friday | 2011 |
Centro de Ortodoncia Inc. | PR | Healthcare Provider | 2000 | 2011-09-13 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE’s office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. OCR’s investigation revealed that the individual who removed the PHI was the CE’s wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach. | Centro de Ortodoncia Inc. PR Healthcare Provider 2000 | Tuesday | 2011 |
HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER | IL | Healthcare Provider | 2000 | 2011-08-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | | HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER IL Healthcare Provider 2000 | Monday | 2011 |
Gail Gillespie and Associates, LLC | LA | Healthcare Provider | 2000 | 2011-06-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | Other | Other Portable Electronic Device | NA | | No | An unencrypted laptop computer and an unencrypted desktop computer, jointly containing the electronic protected health information (ePHI) of 2,334 individuals, were stolen during a burglary. The computers contained patient names, parent names of minor patients, dates of service, addresses, phone numbers, dates of birth, social security numbers, diagnoses, prognoses, reports/evaluations/interventions, observations, recommendations, goals, medications, and confidential information relayed by parents and/or children and verbal information received from schools/doctors/agencies involved with the patient. The CE provided breach notification to HHS and affected individuals. It improved physical safeguards by purchasing a monitored alarm system. As a result of OCR’s investigation, the CE conducted a risk analysis, deployed encryption on workstations, retrained employees, and notified the media of the breach. | Gail Gillespie and Associates, LLC LA Healthcare Provider 2000 | Tuesday | 2011 |
TUBA CITY REGIONAL HEALTH CARE CORPORATION | AZ | Healthcare Provider | 2000 | 2011-06-09 | Improper Disposal | Loss | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | TUBA CITY REGIONAL HEALTH CARE CORPORATION AZ Healthcare Provider 2000 | Thursday | 2011 |
Southern Perioperative Services, P.C. | AL | Healthcare Provider | 2000 | 2010-12-30 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR’s investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. | Southern Perioperative Services, P.C. AL Healthcare Provider 2000 | Thursday | 2010 |
Alaskan AIDS Assistance Association | AK | Business Associate | 2000 | 2010-09-22 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | | Alaskan AIDS Assistance Association AK Business Associate 2000 | Wednesday | 2010 |
Ault Chiropractic Center | IN | Healthcare Provider | 2000 | 2010-09-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | Two unencrypted desktop computers and one unencrypted laptop computer storing electronic protected health information (ePHI) of approximately 2,000 individuals were stolen from the covered entityâs (CE) premises during a break-in on September 15, 2010. The ePHI involved in the breach included patientsâ names, thermal imaging scans, patientsâ contact information, insurance information, and social Security numbers. The CE investigated the incident and reported the theft to the local police department. It also provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE moved to a new facility with a security system. As a result of OCRâs investigation, the CE developed and implemented a policy and procedure related to compliance with the Breach Notification Rule. | Ault Chiropractic Center IN Healthcare Provider 2000 | Wednesday | 2010 |
Rick Lawson, Professional Computer Services | NC | Business Associate | 2000 | 2009-12-11 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | Yes |
The covered entity (CE) changed the business associate (BA) it used as its information technology vendor. During the transition, a workforce member of the outgoing BA entered the CE’s computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. The BA also removed the CE’s backup program and deactivated all of its antivirus software. The breach affected approximately 2,000 individuals. The protected health information (PHI) involved in the breach included patients’ names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CE’s master system and enabled direct controls for the CE. A new server was installed with no ties to the previous BA. The new BA corrected the CE’s passwords and settings, mitigating the issues caused by the previous vendor. The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule. As a result of OCR’s investigation, the CE improved its physical safeguards and retrained employees. |
Rick Lawson, Professional Computer Services NC Business Associate 2000 | Friday | 2009 |
Family Tree Relief Nursery | OR | Healthcare Provider | 2000 | 2018-08-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Tree Relief Nursery OR Healthcare Provider 2000 | Thursday | 2018 |
Massac County Surgery Center dba Orthopaedic Institute Surgery Center | IL | Healthcare Provider | 2000 | 2018-06-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Massac County Surgery Center dba Orthopaedic Institute Surgery Center IL Healthcare Provider 2000 | Friday | 2018 |
QUALITY-CARE PHARMACY | CA | Healthcare Provider | 2000 | 2018-04-02 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | No | NA | QUALITY-CARE PHARMACY CA Healthcare Provider 2000 | Monday | 2018 |
N. Fred Eaglstein, D.O. d/b/a Dermatology and Laser Center | FL | Healthcare Provider | 2000 | 2017-05-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | N. Fred Eaglstein, D.O. d/b/a Dermatology and Laser Center FL Healthcare Provider 2000 | Tuesday | 2017 |
Bon Secours Saint Francis | SC | Healthcare Provider | 1997 | 2015-10-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On July 27, 2015, the covered entity, Bon Secours St. Francis Health Systems, Inc., received a complaint that an employee was committing insurance fraud involving billing co-workers’ insurance for an experimental topical cream. The CE audited the electronic system containing protected health information (PHI) and concluded on October 15, 2015, that the employee accessed the PHI of 1,997 patients without a discernible professional need. The types of PHI involved in the breach included patients’ names, dates of birth, addresses, diagnoses, treatment plans, and scanned insurance cards and driver’s licenses. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, re-trained staff, and assessed whether behavior-based auditing software programs would be an appropriate addition to current security measures. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee’s employment. | Bon Secours Saint Francis SC Healthcare Provider 1997 | Monday | 2015 |
Apria Healthcare | CA | Healthcare Provider | 1987 | 2016-10-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | Due to a phishing scam, a workforce member provided unauthorized access to her work email account. On August 5, 2016, the covered entity (CE), Apria Healthcare, reported that approximately 1,987 individuals were potentially affected. The protected health information (PHI) involved included patients’ names, social security numbers, dates of birth, drivers’ license numbers, medical record numbers, diagnoses, and other clinical information. The CE provided breach notification to affected individuals, HHS, and the media. The CE also provided free credit monitoring services to the affected individuals. The CE revised its policies and procedures and provided training on phishing scams to all workforce members. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Apria Healthcare CA Healthcare Provider 1987 | Tuesday | 2016 |
Saint Joseph - Berea | KY | Healthcare Provider | 1986 | 2011-06-02 | Loss | Theft | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), St. Joseph-Berea, discovered that an external back-up hard drive attached to a workstation was missing. The external hard drive included the protected health information of 1,986 individuals, including patients’ names, dates of birth and information related to bone density scans. The CE provided breach notification to HHS, affected individuals, and the media and performed substitute notice by posting on its website. Following the breach, the CE updated its procedures to limit the use of external hard drives, encrypted all laptops, desktops, servers, and portable media devices, and improved safeguards by monitoring physical workstation access and maintaining observation cameras. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed. | Saint Joseph - Berea KY Healthcare Provider 1986 | Thursday | 2011 |
Baylor Regional Medical Center at Plano | TX | Healthcare Provider | 1981 | 2014-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Baylor Regional Medical Center at Plano TX Healthcare Provider 1981 | Friday | 2014 |
Howard R. Jarvis, D.M.D., L.L.C. dba Southwest Portland Dental | OR | Healthcare Provider | 1980 | 2016-08-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On July 1, 2016, Patterson Dental Supply, Inc., a business associate (BA) of the covered entity (CE), Southwest Portland Dental, notified the CE that between April 2012 and January 2016, unauthorized individuals had gained access to a computer network resources site used by both entities to exchange electronic protected health information (ePHI). The breach affected 1,980 of the CE’s patients and the types of ePHI involved included patients’ names, dates of birth and social security numbers. In response to the breach, the CE implemented new HIPAA Privacy and Security policies and procedures. The CE provided written notice of the breach to the affected individuals, prominent media outlets, and to HHS. OCR obtained assurances that the CE performed an updated risk analysis. | Howard R. Jarvis, D.M.D., L.L.C. dba Southwest Portland Dental OR Healthcare Provider 1980 | Tuesday | 2016 |
Baylor Heart and Vascular Center, LLP | TX | Healthcare Provider | 1972 | 2012-03-16 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unsecured tablet computer was stolen from an employee’s vehicle on January 6, 2012. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, treating physicians’ names and health screening results for 1,972 individuals. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, OCR reviewed the CE’s HIPAA policies, documentation of workforce training related to safeguarding mobile devices, and its risk analysis related to mobile devices. Following the incident, the CE implemented additional technical safeguards, including encryption solutions, as part of its mobile device management program. | Baylor Heart and Vascular Center, LLP TX Healthcare Provider 1972 | Friday | 2012 |
PeaceHealth | WA | Healthcare Provider | 1969 | 2017-09-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | PeaceHealth WA Healthcare Provider 1969 | Tuesday | 2017 |
Lone Star Circle of Care | TX | Healthcare Provider | 1955 | 2013-06-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On June 28, 2013, the covered entity (CE), Lone Star Circle of Care, reported a breach when a workforce member’s car was broken into and an unencrypted, password-protected laptop computer was stolen. The protected health information (PHI) involved in the breach included the financial and clinical information of 1,955 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE encrypted all of its laptops and revised its policies for storing PHI on hard drives and other mobile devices. Additionally, the CE retrained staff on its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lone Star Circle of Care TX Healthcare Provider 1955 | Friday | 2013 |
Florida Agency for Persons with Disabilities | FL | Health Plan | 1951 | 2018-06-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Florida Agency for Persons with Disabilities FL Health Plan 1951 | Friday | 2018 |
Livongo Health, Inc. | IL | Healthcare Provider | 1950 | 2016-01-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) learned that its business associate (BA) mislabeled certain packages containing lancet devices so that the devices were sent and delivered to the correct address, but the shipping label stated the wrong name for the CE’s members. The label included the wrong member’s name and information from which it could be incorrectly inferred that the individual was to receive a lancet device from the CE and had diabetes. This breach affected 1,950 individuals. The CE provided breach notice to HHS and affected individuals. Following the breach, the CE terminated its relationship with this BA, added a quality assurance process, and communicated the new process to its staff. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Livongo Health, Inc. IL Healthcare Provider 1950 | Monday | 2016 |
Oklahoma City VA Medical Center | OK | Healthcare Provider | 1950 | 2010-11-29 | Improper Disposal | Loss | Theft | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Oklahoma City VA Medical Center OK Healthcare Provider 1950 | Monday | 2010 |
Blaine Chiropractic Center | MN | Healthcare Provider | 1945 | 2016-07-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On or around May 10, 2016, the covered entity’s (CE) office manager noticed that its computer server was crashing and programs were running slowly. The CE found that its new patient record management system created and hid an administrative account that was using a very weak and predictable user ID and password. This administrative account was used to hack the CE’s server. The protected health information (PHI) on the server included patients’ full names, addresses, telephone numbers, appointment activity, clinical care notes, insurance information and, for 51 of these affected individuals, their social security numbers. Approximately 1,945 individuals were affected by this breach. The CE provided breach notification to HHS, affected individuals, and the media and offered credit monitoring free of charge for one year. Following the breach, the CE removed the unauthorized account and application. The CE retained a forensic expert and provided OCR with a copy of the forensic report. OCR obtained assurances that the CE implemented the corrective actions listed above. | Blaine Chiropractic Center MN Healthcare Provider 1945 | Thursday | 2016 |
E-dreamz, Inc. | NC | Business Associate | 1924 | 2013-05-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On April 19, 2013, the credit card information of 1,924 patients of the covered entity (CE), Piedmont HealthCare, P.A., was compromised via a breach of a website hosted by one of the CE’s vendors, E-dreamz. An unauthorized person gained access to E-dreamz’s servers and obtained payment information of the CE’s patients. The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information. The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. Following the breach, the CE terminated its agreement with E-dreamz and entered into a business associate (BA) agreement with a new website hosting vendor. The CE also initiated legal proceedings against E-dreamz regarding its breach of contract for storing credit card information on its server and other issues related to this incident. OCR obtained assurances that the CE implemented the corrective actions listed. | E-dreamz, Inc. NC Business Associate 1924 | Friday | 2013 |
CareMeridian, LLC | MA | Healthcare Provider | 1922 | 2018-03-21 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CareMeridian, LLC MA Healthcare Provider 1922 | Wednesday | 2018 |
Maine Medical Center | ME | Healthcare Provider | 1920 | 2013-03-04 | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Maine Medical Center ME Healthcare Provider 1920 | Monday | 2013 |
Colorado Community Health Alliance (CCHA)/Physicians Health Partners | CO | Business Associate | 1918 | 2014-01-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | On January 2, 2014, the covered entity (CE), Colorado Department of Health Care Policy and Financing, reported a breach by its business associate (BA), Colorado Community Health Alliance. On November 21, 2013, a temporary employee working for the BA’s subcontractor, Aerotek, sent a list via unencrypted email containing the electronic protected health information (ePHI) of 1,918 individuals to her personal email account. The ePHI included patients’ names, addresses, dates of birth, Medicaid identification numbers, and health conditions. The BA detected the email through its auditing program. The CE provided breach notification to HHS and the BA provided breach notification to affected individuals and the media and posted substitute notice. After the incident, the BA developed and implemented a policy requiring that emails containing ePHI be encrypted to prevent a similar incident from occurring in the future, and trained its workforce members accordingly. OCR provided substantial technical assistance to the BA, which implemented additional procedures and technical safeguards and provided written assurance that it will complete an enterprise-wide risk analysis. | Colorado Community Health Alliance (CCHA)/Physicians Health Partners CO Business Associate 1918 | Thursday | 2014 |
Mann-Grandstaff VA Medical Center | WA | Healthcare Provider | 1915 | 2017-10-19 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Mann-Grandstaff VA Medical Center WA Healthcare Provider 1915 | Thursday | 2017 |
Lane Community College Health Clinic | OR | Healthcare Provider | 1911 | 2017-03-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On March 25, 2017, the covered entity (CE) reported that on February 2, 2017, a laptop computer was found to be infected with a virus known to transmit information to a third party on the internet. The breach potentially affected approximately 2,516 individuals and the types of protected health information (PHI) involved in the breach included patients’ names, addresses, dates of birth, social security numbers and clinical information. The CE provided breach notification to HHS, affected individuals, and the media, as well as posting notification on its website and providing free credit monitoring upon request. The CE revised its policies and procedures specific to the allegations of the breach. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Lane Community College Health Clinic OR Healthcare Provider 1911 | Saturday | 2017 |
Health Resources of Arkansas | AR | Business Associate | 1911 | 2013-08-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A break-in and burglary took place at the Office of Health Resources (HRA), a business associate (BA) of the covered entity (CE), the Arkansas Department of Human Services (DHS). Two laptop computers which contained client files and the protected health information (PHI) of approximately 1,911 individuals were stolen. Following the breach, the CE improved physical safeguards, retrained workforce members, revised its HIPAA training for all employees on incident reporting procedures, and revised the Arkansas Business Associate Agreement (BAA) provisions on reporting breach incidents. Additionally, OCR’s investigation resulted in the CE’s development of a plan to survey its BAAs to assess HIPAA compliance and conduct on-site inspections. | Health Resources of Arkansas AR Business Associate 1911 | Monday | 2013 |
St. John’s Mercy Medical Group | MO | Healthcare Provider | 1907 | 2010-08-09 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Covered entity improperly disposed of patients’ Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor’s office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. | St. John’s Mercy Medical Group MO Healthcare Provider 1907 | Monday | 2010 |
MSO of Puerto Rico, Inc. | PR | Business Associate | 1907 | 2010-02-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) erroneously merged two lists, which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE’s BA established a quality control process in order to ensure adequate safeguards for letters that are sent by mail. As a result of OCR’s investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. | MSO of Puerto Rico, Inc. PR Business Associate 1907 | Wednesday | 2010 |
Florida Hospital Medical Group | FL | Healthcare Provider | 1906 | 2016-04-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Florida Hospital Medical Group FL Healthcare Provider 1906 | Monday | 2016 |
Kennebunk Center for Dentistry | ME | Healthcare Provider | 1900 | 2017-07-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Kennebunk Center for Dentistry ME Healthcare Provider 1900 | Monday | 2017 |
Shiloh Medical Clinic | MT | Healthcare Provider | 1900 | 2013-12-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported an alleged impermissible use of protected health information (PHI), affecting approximately 1,900 individuals, by an employee. The PHI involved included patients’ demographic information. OCR determined that a breach had not occurred and provided technical assistance to the CE on the minimum necessary standard and reasonable safeguards. | Shiloh Medical Clinic MT Healthcare Provider 1900 | Tuesday | 2013 |
Health Resources of Arkansas | AR | Healthcare Provider | 1900 | 2013-05-23 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Health Resources of Arkansas AR Healthcare Provider 1900 | Thursday | 2013 |
West Dermatology | CA | Healthcare Provider | 1900 | 2012-05-18 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | West Dermatology CA Healthcare Provider 1900 | Friday | 2012 |
University of New Mexico Health Sciences Center | NM | Healthcare Provider | 1900 | 2010-02-23 | Other | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | University of New Mexico Health Sciences Center NM Healthcare Provider 1900 | Tuesday | 2010 |
MidMichigan Medical Center-Alpena | MI | Healthcare Provider | 1900 | 2017-12-19 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | MidMichigan Medical Center-Alpena MI Healthcare Provider 1900 | Tuesday | 2017 |
SIU HealthCare | IL | Healthcare Provider | 1891 | 2013-12-06 | Loss | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | SIU HealthCare IL Healthcare Provider 1891 | Friday | 2013 |
Hunt Memorial Hospital District | TX | Healthcare Provider | 1887 | 2018-06-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Hunt Memorial Hospital District TX Healthcare Provider 1887 | Friday | 2018 |
Beebe Medical Center | DE | Healthcare Provider | 1883 | 2014-01-31 | Other | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Beebe Physician Network, learned that a temporary contractor handling the electronic protected health information (ePHI) of 1,883 individuals had previously been arrested for identity theft. The ePHI included social security numbers, driver’s license numbers, and other demographic information. Although no inappropriate access was identified, the CE learned that the contractor had been convicted of 5 counts of identity theft in the state of Pennsylvania in 2009, while working in a physician practice. The CE provided substitute notice and provided breach notification to HHS and the media. The CE offered one year of free identity theft monitoring and insurance to affected individuals. Following this breach, the CE reviewed its policies and procedures, worked with electronic medical record vendors to enhance its reporting mechanisms, and re-assessed its requirements for staffing agencies. As a result of OCR’s investigation, the CE revised its procedures regarding background checks for newly employed staff. | Beebe Medical Center DE Healthcare Provider 1883 | Friday | 2014 |
University of Virginia Medical Center | VA | Healthcare Provider | 1882 | 2018-02-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | University of Virginia Medical Center VA Healthcare Provider 1882 | Wednesday | 2018 |
Stony Brook Internists, University Faculty Practice Corporation (UFPC) | NY | Healthcare Provider | 1878 | 2016-11-22 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | On May 19, 2016, the business associate (BA), Ambucor Health Solutions, notified the covered entity (CE), Stony Brook Internists, University Faculty Practice Corporation (a member of the Stony Brook Organized Health Care Arrangement), of an investigation into possible breach activities by a former employee affecting the protected health information (PHI) of 55 of the CE’s patients, including demographic and clinical information. On November 18, 2016, the BA notified the CE that an additional 1,823 patients were affected by the breach. The CE and BA both provided breach notification to HHS. The investigation of this breach has been consolidated into an existing review of the BA. As of this submission, the BA has not reported misuse of the breached PHI. OCR obtained and reviewed a copy of the BA agreement between this CE and BA. | Stony Brook Internists, University Faculty Practice Corporation (UFPC) NY Healthcare Provider 1878 | Tuesday | 2016 |
TOWERS WATSON | VA | Business Associate | 1874 | 2010-04-27 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI) while transporting the disks between two BA offices. The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals. The BA notified all affected individuals and provided two years of enhanced credit services. The CE notified HHS and the media and posted substitute notice on its website. The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files. After OCR’s investigation, the CE updated its privacy and breach notification policies and procedures. | TOWERS WATSON VA Business Associate 1874 | Tuesday | 2010 |
Blue Cross and Blue Shield of Nebraska | NE | Health Plan | 1872 | 2015-12-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Due to a printing error, explanation of benefit forms were erroneously mailed to members that contained their protected health information (PHI) printed on the front side and another member’s PHI printed on the back side. The breach affected approximately 1,872 individuals and included financial, demographic, and clinical information. The covered entity (CE), Blue Cross and Blue Shield of Nebraska, was also acting as a BA for a number of self-insured health plans. The CE/BA provided breach notification to HHS, affected individuals, and the media. It also developed a new policy to address mechanical printing errors and trained its printing facility employees on the new policy. The CE/BA mitigated any potential effects by flagging and reviewing claims for six months for any misuse of dental data for the affected individuals. OCR obtained written documentation that the CE/BA implemented the voluntary corrective actions listed above. | Blue Cross and Blue Shield of Nebraska NE Health Plan 1872 | Thursday | 2015 |
Cone Health Medical Group | NC | Healthcare Provider | 1872 | 2014-10-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Cone Health Medical Group NC Healthcare Provider 1872 | Wednesday | 2014 |
Austin Center for Therapy and Assessment, LLC | TX | Healthcare Provider | 1870 | 2011-07-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity’s (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR’s investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software. | Austin Center for Therapy and Assessment, LLC TX Healthcare Provider 1870 | Thursday | 2011 |
Alive Hospice | TN | Healthcare Provider | 1868 | 2018-07-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Alive Hospice TN Healthcare Provider 1868 | Friday | 2018 |
Kmart Corporation | IL | Healthcare Provider | 1866 | 2014-09-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Printed pharmacy reports containing protected health information (PHI) about patients’ prescriptions were disclosed to an acquaintance of a former pharmacy employee in Sebring, Florida. The PHI involved in the breach included the names, addresses, prescribers, and medications for approximately 1,866 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE also contacted law enforcement and reinforced with the pharmacy staff the CE’s HIPAA policies and procedures pertaining to the appropriate use, disclosure, and the safeguarding of PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Kmart Corporation IL Healthcare Provider 1866 | Wednesday | 2014 |
Graybill Medical Group | CA | Healthcare Provider | 1863 | 2014-10-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A group of x-rays of poor quality were placed in the covered entity’s (CE) trash container for destruction. The cleaning personnel mistook the x-rays for regular trash and disposed of them in the usual manner. The CE, Graybill Medical Center, initiated an immediate search but the x-rays had already been taken to the landfill. The breach occurred on September 9, 2014, and affected 1,863 patients. The protected health information (PHI) contained patients’ names, addresses, dates of birth, physician/medical provider information, and, possibly, images of some areas of patients’ bodies. The CE provided breach notification to HHS, affected individuals and the media, and offered credit monitoring. Following the breach, the CE improved safeguards by ordering locked bins for x-rays that are to be destroyed, ordering covers for the PHI being transported, and implementing procedures requiring x-rays to be recycled weekly so as to more easily distinguish them from regular trash. The CE also retrained its workforce on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed. | Graybill Medical Group CA Healthcare Provider 1863 | Wednesday | 2014 |
Daniel J. Sigman MD PC | MA | Business Associate | 1860 | 2010-01-07 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | Yes | Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients’ names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. | Daniel J. Sigman MD PC MA Business Associate 1860 | Thursday | 2010 |
mdINR LLC | FL | Healthcare Provider | 1859 | 2015-01-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), MDINR, LLC, discovered that on November 3, 2014, an information technology employee sent an unsecured email to a manufacturer representative. The email had an attached spreadsheet that included 1,859 patients’ protected health information (PHI). The PHI in the attached excel spreadsheet included patients’ names, billing account numbers, patients’ reporting dates, internal site codes, and the address of the CE-affiliated facility that delivered the equipment. Following the breach, the CE sanctioned the employee who caused the breach with a written warning. The CE confirmed its practice of providing HIPAA Training to all new employees within 30 days of hiring and safeguarding data by providing system access to employees based on an employee’s job title or role. The CE provided breach notification to HHS, and notice to the 1,859 affected individuals. Media notice was not provided due to fewer than 500 affected individuals being in any one state. OCR obtained assurances that the CE implemented the corrective actions listed above. | mdINR LLC FL Healthcare Provider 1859 | Monday | 2015 |
Crown Point Health Center | IN | Healthcare Provider | 1854 | 2016-01-29 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Patients’ empty paper file folders with protected health information (PHI) appearing on the front cover were improperly disposed of when an employee put them in the regular trash. The PHI on the cover included patients’ dates of birth, medical record numbers, and guarantors’ names. Approximately 1,854 individuals were affected by this breach. The covered entity (CE) provided breach notification to HHS, affected individuals and the media. The notification letter informed the individuals that a hotline had been established to address their questions and provided the hotline phone number. To prevent a similar breach from happening in the future, the CE sanctioned the involved employee and counseled the remaining staff regarding this matter. OCR obtained assurances that the CE implemented the corrective actions listed above. | Crown Point Health Center IN Healthcare Provider 1854 | Friday | 2016 |
Family & Cosmetic Dentistry of the Rockies | CO | Healthcare Provider | 1850 | 2017-11-13 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Family & Cosmetic Dentistry of the Rockies, reported that on September 18, 2017, it learned that its business associate (BA), a document shredding vendor, did not properly secure a container that held paper records to be shredded. Some of the documents, which contained clinical, demographic, and financial information, fell out of the container while they were being transported back to the shredding facility. The CE was able to recover most of the documents, but it could not be certain whether all of the documents were recovered. The CE provided breach notification to HHS, the 1,850 potentially affected individuals and the media. It also suspended its agreement with the BA and retained a different BA to conduct shredding services. OCR also provided the CE with technical assistance regarding its Privacy Rule policies and procedures. | Family & Cosmetic Dentistry of the Rockies CO Healthcare Provider 1850 | Monday | 2017 |
St.Vincent Hospital - Indianapolis | IN | Healthcare Provider | 1848 | 2011-01-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server |  | NA | NA | NA | NA | NA | NA | No |  | St.Vincent Hospital - Indianapolis IN Healthcare Provider 1848 | Wednesday | 2011 |
University of Virginia Medical Center | VA | Healthcare Provider | 1846 | 2012-11-30 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No |  | University of Virginia Medical Center VA Healthcare Provider 1846 | Friday | 2012 |
Reading Health System | PA | Healthcare Provider | 1845 | 2014-04-29 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A medical practice moved and a vendor/patient stored three boxes of paper medical billing records in the vendor’s crawl space from March 2012 until March 2014. The boxes contained the protected health information (PHI) of approximately 1,845 individuals. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, medical practice billing codes, and diagnoses. Following the breach, the covered entity (CE), Reading Health System, interviewed the vendor/patient and determined no disclosures had occurred. The CE provided breach notification to HHS and affected individuals and offered all living patients a year of free credit monitoring. The CE established a professionally staffed call | Reading Health System PA Healthcare Provider 1845 | Tuesday | 2014 |
John J. Pershing VA Medical Center | MO | Healthcare Provider | 1843 | 2018-03-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | John J. Pershing VA Medical Center MO Healthcare Provider 1843 | Wednesday | 2018 |
Blue Cross Blue Shield of Massachusetts | MA | Health Plan | 1843 | 2017-12-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Blue Cross Blue Shield of Massachusetts MA Health Plan 1843 | Tuesday | 2017 |
Texas Health and Human Services | TX | Health Plan | 1842 | 2017-06-15 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Texas Health and Human Services TX Health Plan 1842 | Thursday | 2017 |
Personal Assistance Services of Colorado, LLC | CO | Healthcare Provider | 1839 | 2018-09-20 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Personal Assistance Services of Colorado, LLC CO Healthcare Provider 1839 | Thursday | 2018 |
Vitreo-Retinal Medical Group, Inc. | CA | Healthcare Provider | 1837 | 2013-08-02 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Vitreo-Retinal Medical Group, Inc. CA Healthcare Provider 1837 | Friday | 2013 |
Lasair Aesthetic Health, P.C. | CO | Healthcare Provider | 1835 | 2016-07-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Lasair Aesthetic Health, P.C., reported that on May 11, 2016, its former employee used her mobile phone to forward 5 emails containing the electronic protected health information of 1,835 patients to her personal email account. The emails consisted of two lists of patients that included names and balances or credit amounts, two emails with pictures that included names of the patients pictured, and one email documenting a patient’s reaction to a medical service. The former employee tendered her resignation on May 10, 2016, and the CE changed all of her passwords within 20 minutes of receiving her notice; however, the breach occurred the next day, because the change in passwords did not update to her mobile phone. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE created new privacy and security policies and procedures, including a new termination checklist; re-trained its staff; instituted background check procedures for all staff; switched email service to a new provider with increased security controls; and removed remote access capability from the majority of its staff. OCR provided the CE with relevant technical assistance. | Lasair Aesthetic Health, P.C. CO Healthcare Provider 1835 | Monday | 2016 |
ConnectiCare | CT | Health Plan | 1834 | 2018-02-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | ConnectiCare CT Health Plan 1834 | Wednesday | 2018 |
Doctors First Choice Billings, Inc. | FL | Business Associate | 1831 | 2014-06-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Doctors First Choice Billings, Inc. FL Business Associate 1831 | Thursday | 2014 |
UnityPoint Health Affiliated | IA | Healthcare Provider | 1825 | 2013-10-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), UnityPoint Health, discovered that an office manager (from an independent private practice) was using physicians’ passwords to access patients’ protected health information (PHI). The types of PHI involved in the breach included names, social security numbers, addresses, driver’s license numbers, dates of birth, diagnoses, lab results, and medications affecting approximately 1,825 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and contacted the proper authorities to investigate any possible criminal infractions. The CE investigated the breach, which resulted in the office manager’s resignation from her job. The CE also retrained the physicians who shared their passwords with the office manager and obtained written assurances they would no longer share passwords. OCR obtained and reviewed the CE’s HIPAA compliance documentation. | UnityPoint Health Affiliated IA Healthcare Provider 1825 | Wednesday | 2013 |
Heyman HospiceCare at Floyd | GA | Healthcare Provider | 1819 | 2013-02-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Heyman HospiceCare at Floyd GA Healthcare Provider 1819 | Friday | 2013 |
CoreLink Administrative Solutions, LLC | ND | Business Associate | 1813 | 2018-08-06 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CoreLink Administrative Solutions, LLC ND Business Associate 1813 | Monday | 2018 |
Women’s Care of Somerset | KY | Healthcare Provider | 1806 | 2017-03-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | On February 3, 2017, Women’s Care of Somerset, the covered entity (CE), sent a promotional email to patients without blind copying the recipients, disclosing the email addresses of 1,805 individuals. The CE investigated the incident and determined the email was sent by an office manager using an unauthorized email method. Following the breach the CE sanctioned the office manager, deleted the emails, and disabled the email account that was used to send them. The CE also revised its electronic mail use policy, required staff to review the revised policy, and retrained staff on proper email use. The CE provided breach notification to HHS, the affected individuals, the media, and posted substitute notice on the CE’s website. OCR obtained assurances that the CE implemented the corrective actions listed above. | Women’s Care of Somerset KY Healthcare Provider 1806 | Friday | 2017 |
CHRISTUS Spohn Hospital Corpus Christi-Shoreline | TX | Healthcare Provider | 1805 | 2018-06-15 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | CHRISTUS Spohn Hospital Corpus Christi-Shoreline TX Healthcare Provider 1805 | Friday | 2018 |
Penn State Milton S. Hershey Medical Center | PA | Healthcare Provider | 1801 | 2014-06-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device |  | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Penn State Milton S. Hershey Medical Center, downloaded protected health information (PHI) onto an unsecured flash drive and used the device in his personal computer to complete work which he then emailed to the CE using his personal email account. The types of PHI involved in the breach included the demographic and clinical information for 1,801 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE performed a risk assessment and updated encryption measures. The CE also reminded all clinical laboratory staff and faculty of expected practices pertaining to safeguarding PHI, and provided staff a listing of the relevant policies concerning encryption and electronic messaging and links to the corresponding policies. As a result of OCR’s investigation, the CE submitted to OCR copies of its policies regarding use of personal devices and emails, storing PHI on third party owned or managed media and use of approved electronic connections, systems and/or services. OCR verified that appropriate policy was in place at the time of the incident and the employee did not follow the policy. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Penn State Milton S. Hershey Medical Center PA Healthcare Provider 1801 | Friday | 2014 |
Urological Associates of Central Jersey P.A. | NJ | Healthcare Provider | 1800 | 2017-09-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Urological Associates of Central Jersey P.A. NJ Healthcare Provider 1800 | Monday | 2017 |
Muir Orthopaedic Specialists, A Medical Group Inc. | CA | Healthcare Provider | 1800 | 2011-09-07 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Muir Orthopaedic Specialists, A Medical Group Inc. CA Healthcare Provider 1800 | Wednesday | 2011 |
VA Gulf Coast Veterans Health Care System | MS | Healthcare Provider | 1797 | 2011-09-20 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. | VA Gulf Coast Veterans Health Care System MS Healthcare Provider 1797 | Tuesday | 2011 |
Authentic Recovery Center, LLC | CA | Healthcare Provider | 1790 | 2018-08-17 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Authentic Recovery Center, LLC CA Healthcare Provider 1790 | Friday | 2018 |
American Sleep Medicine | CA | Healthcare Provider | 1787 | 2015-04-16 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), American Sleep Medicine of San Diego, California reported a breach of 1,787 individuals’ electronic protected health information (ePHI), as a result of a stolen backup computer hard drive. The hard drive contained names, birthdates, medical histories, physicians’ names, and study results. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved physical safeguards, conducted a new security analysis, revised policies and procedures, and trained its workforce. As a result of OCR’s investigation OCR provided technical assistance regarding the HIPAA Security Rule. | American Sleep Medicine CA Healthcare Provider 1787 | Thursday | 2015 |
Memorial Healthcare System | FL | Healthcare Provider | 1782 | 2014-10-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE) sent a group email to current and former patients inviting them to a cancer awareness event and mistakenly failed to mask the recipients’ email addresses. This breach affected the protected health information (PHI) of 1,782 individuals by exposing names and an implicit indication that they may have received cancer treatment. The CE recalled the email and immediately investigated the breach. The CE provided breach notification to HHS, affected patients, and the media, and posted substitute notice on its website. The CE established a call center to answer questions for its patients. The CE counseled the involved employee, and the employee’s supervisor reinforced to all department employees instructions regarding the use of group emails and the importance of keeping patients’ emails confidential. The CE reviewed and revised its privacy program in March 2015 and September 2015, which included guidelines for security of electronic PHI/email. In addition, the CE confirmed that it uses an encryption program to ensure the security and integrity of data. OCR obtained assurances that the CE implemented the corrective actions listed above. | Memorial Healthcare System FL Healthcare Provider 1782 | Friday | 2014 |
Northfield Hospital & Clinics | MN | Healthcare Provider | 1778 | 2014-11-25 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Northfield Hospital & Clinics MN Healthcare Provider 1778 | Tuesday | 2014 |
TMC HealthCare | AZ | Healthcare Provider | 1776 | 2018-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | TMC HealthCare AZ Healthcare Provider 1776 | Friday | 2018 |
ATI Holdings, LLC and its subsidiaries | IL | Business Associate | 1776 | 2018-04-13 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | NA | ATI Holdings, LLC and its subsidiaries IL Business Associate 1776 | Friday | 2018 |
BioReference Laboratories, Inc. | NJ | Healthcare Provider | 1772 | 2017-04-14 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | BioReference Laboratories, Inc. NJ Healthcare Provider 1772 | Friday | 2017 |
Group Health Incorporated | NY | Health Plan | 1771 | 2013-01-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers. As a result of OCR’s investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one year subscription for credit monitoring. | Group Health Incorporated NY Health Plan 1771 | Wednesday | 2013 |
State of Tennessee Sponsored Group Health Plan | TN | Health Plan | 1770 | 2011-11-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE reviewed its policies and procedures to ensure adequate safeguards are in place. | State of Tennessee Sponsored Group Health Plan TN Health Plan 1770 | Monday | 2011 |
Echo Canyon Healthcare, Incorporated dba Heritage Court Post Acute of Scottsdale | AZ | Healthcare Provider | 1765 | 2018-05-21 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Echo Canyon Healthcare, Incorporated dba Heritage Court Post Acute of Scottsdale AZ Healthcare Provider 1765 | Monday | 2018 |
Dignity Health St. Rose Dominican Hospitals - San Martin | NV | Healthcare Provider | 1764 | 2018-05-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Dignity Health St. Rose Dominican Hospitals - San Martin NV Healthcare Provider 1764 | Thursday | 2018 |
UnitedHealth Group Single Affiliated Covered Entity | MN | Health Plan | 1755 | 2018-03-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | UnitedHealth Group Single Affiliated Covered Entity MN Health Plan 1755 | Thursday | 2018 |
Austin Manual Therapy Associates | TX | Healthcare Provider | 1750 | 2017-12-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Austin Manual Therapy Associates TX Healthcare Provider 1750 | Wednesday | 2017 |
Robbins Eye Center PC | CT | Healthcare Provider | 1749 | 2012-11-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Robbins Eye Center PC CT Healthcare Provider 1749 | Wednesday | 2012 |
StayWell Health Management, LLC | MN | Business Associate | 1746 | 2014-03-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), QBE Holdings, Inc. reported that its business associate (BA), StayWell Health Management LLC, disclosed 1,746 individuals’ protected health information on the internet. The PHI included names, email addresses, unique StayWell identification numbers, and information about participation in a wellness program. The BA provided breach notification to HHS and affected individuals. The BA also filed a separate breach report which was investigated by OCR. As a result of the breach, the BA implemented procedures to address the data compromise issue which included the performance of an initial analysis and risk assessment. Further, the BA implemented policies and procedures to safeguard PHI and trained its employees. OCR obtained assurances that the BA implemented the corrective actions listed above. | StayWell Health Management, LLC MN Business Associate 1746 | Tuesday | 2014 |
Berkshire Medical Center | MA | Healthcare Provider | 1745 | 2016-11-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device |  | NA | NA | NA | NA | NA | NA | Yes | A former employee of a business associate (BA), Ambucor Health Solutions, stole the protected health information (PHI) of the covered entity’s (CE) patients that was contained in a mobile computer drive. The types of PHI involved in the breach included clinical and demographic information such as patients’ names, dates of birth, diagnoses, and treatment, and affected 1,745 individuals. OCR reviewed the CE’s BA agreement and determined that it is in compliance with the Privacy Rule. OCR obtained assurances that individuals affected by this breach were notified in accordance with the Breach Notification Rule. | Berkshire Medical Center MA Healthcare Provider 1745 | Wednesday | 2016 |
St. Jude Children’s Research Hospital | TN | Healthcare Provider | 1745 | 2010-06-08 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | St. Jude Children’s Research Hospital TN Healthcare Provider 1745 | Tuesday | 2010 |
Professional Transcription Company, Inc. | NY | Business Associate | 1744 | 2010-11-24 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. Upon discovery of the breach, the BA shut down the applicable server. The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR’s investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Professional Transcription Company, Inc. NY Business Associate 1744 | Wednesday | 2010 |
Area Agency of Aging 1-B | MI | Healthcare Provider | 1741 | 2017-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | This is a duplicate case and is being deleted. | Area Agency of Aging 1-B MI Healthcare Provider 1741 | Thursday | 2017 |
Portland VA Medical Center | OR | Healthcare Provider | 1740 | 2014-10-29 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Veterans Health Administration Portland VA Medical Center, took home paper lists of patients’ protected health information (PHI) to work on over the weekend and forgot to return the information. The employee’s husband subsequently found the lists in their garage six months later. The lists included names, social security numbers, provider names, eligibility codes, and diagnostic, clinical and demographic information for about 1,740 individuals. The employee’s husband who found the lists returned the PHI and signed a statement that he made no copies of the documents and that he knew of no others that had viewed the lists. The CE retrained the employee who took the lists home. The CE provided breach notification to HHS, the media, and affected individuals, and offered free credit monitoring for a year. OCR’s investigation confirmed that the CE took the corrective action steps listed and provided substitute notification. | Portland VA Medical Center OR Healthcare Provider 1740 | Wednesday | 2014 |
Mayo Clinic | MN | Healthcare Provider | 1740 | 2010-09-08 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE) impermissibly accessed medical records containing the protected health information (PHI) of 1,740 patients for a period of 4 ½ years. The PHI affected by the breach included the demographic information of 691 individuals, and both demographic and clinical information of 1,049 individuals. Following the breach, the CE conducted an investigation, terminated the involved employee, re-trained its employees regarding patient privacy and access to PHI, and enhanced its supervision and monitoring of employees’ PHI access activities. It also provided breach notification to the affected individuals, HHS, and the media, as well as substitute notice on its website. OCR obtained assurances that the CE completed the voluntary compliance action described above. | Mayo Clinic MN Healthcare Provider 1740 | Wednesday | 2010 |
Capitol Administrators, Inc | CA | Business Associate | 1733 | 2018-05-11 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Capitol Administrators, Inc CA Business Associate 1733 | Friday | 2018 |
Wellmont Health System | TN | Healthcare Provider | 1726 | 2015-04-24 | Improper Disposal | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | On March 1, 2015, the covered entity (CE), Wellmont Health System, discovered that one of its employees had disposed of hand-written notes containing protected health information (PHI) for 1,726 individuals at a local recycling center. The types of PHI involved in the breach included demographic and clinical information. The employee voluntarily resigned from her position. The CE provided breach notification to HHS, to affected individuals, to the media, and on its website. In response to the breach, the CE retrained its workforce to emphasize the importance of safeguarding and properly disposing of PHI. In addition, the CE reported that employees now utilize laptops and other mobile devices to create notes in patient records, making paper notes virtually nonexistent. OCR obtained assurances that the CE implemented the corrective actions listed above. | Wellmont Health System TN Healthcare Provider 1726 | Friday | 2015 |
Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department | TN | Health Plan | 1717 | 2014-08-29 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Metropolitan Government of Nashville and Davidson County Public Health Department, reported that on July 18, 2014, during the relocation of the Children’s Special Services Clinic, two small metal filing units, holding standard sized paper index cards on patients seen in the CSS clinic, were inadvertently tipped over and the index cards fell out of the filing units. The index cards contained full names, addresses, dates of birth, social security numbers, and diagnosis codes of 1,717 patients. The CE provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and offered credit monitoring and identity theft protection to all affected individuals. In response to the incident, the CE investigated, interviewed all relevant staff and the contractor’s employees, and reviewed surveillance recordings. As a result of its investigation, the CE eliminated the index card system, re-evaluated its process on retention and use of paper records, created and implemented additional HIPAA policies and procedures, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department TN Health Plan 1717 | Friday | 2014 |
California Physicians Service d/b/a Blue Shield of California | CA | Health Plan | 1717 | 2018-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | California Physicians Service d/b/a Blue Shield of California CA Health Plan 1717 | Friday | 2018 |
Arch City Dental, LLC - Drs. Baloy and Donatelli | OH | Healthcare Provider | 1716 | 2017-10-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Arch City Dental, LLC - Drs. Baloy and Donatelli OH Healthcare Provider 1716 | Thursday | 2017 |
John Hancock Life Insurance Company (U.S.A.) | MA | Health Plan | 1715 | 2017-10-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | John Hancock Life Insurance Company (U.S.A.) MA Health Plan 1715 | Friday | 2017 |
Chattanooga Family Practice Associates, P.C. | TN | Healthcare Provider | 1711 | 2010-08-16 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A physician of the CE lost a flash drive which he routinely used for data backup and remote access to patient data. The flash drive contained names, dates of birth and treatment notes for approximately 1,711 patients. Following the breach, the CE notified affected individuals. The CE retrained the physician who lost the flash drive and implemented an organization-wide decision to prohibit storage of protected health information on any removable electronic devices. As a result of OCR’s investigation, the CE notified the media and posted substitute notification on its website. | Chattanooga Family Practice Associates, P.C. TN Healthcare Provider 1711 | Monday | 2010 |
The Trustees of Purdue University | IN | Healthcare Provider | 1711 | 2018-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | The Trustees of Purdue University IN Healthcare Provider 1711 | Friday | 2018 |
Physicians Health Plan of Northern Indiana, Inc. | IN | Health Plan | 1708 | 2015-12-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) mistakenly mailed protected health information (PHI) to unauthorized individuals following a folder/inserter machine error. Approximately 1,708 individuals that include all dependents of the CE’s subscribers were affected by this breach. The erroneous billing statement mailing included names, addresses, PHP member identification numbers, and premium amounts. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a similar breach from happening in the future, the CE implemented a formal audit checklist that requires independent verification by mailroom personnel. OCR obtained assurances that the CE implemented the corrective actions listed above. | Physicians Health Plan of Northern Indiana, Inc. IN Health Plan 1708 | Friday | 2015 |
Hospitalists of Arizona | AZ | Healthcare Provider | 1706 | 2014-03-16 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Hospitalists of Arizona AZ Healthcare Provider 1706 | Sunday | 2014 |
Multnomah County | OR | Healthcare Provider | 1700 | 2017-01-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Multnomah County OR Healthcare Provider 1700 | Friday | 2017 |
COMPLETE MEDICAL HOMECARE | KS | Healthcare Provider | 1700 | 2014-01-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On December 12, 2013, the covered entity’s (CE) business partner, All American Medical Supplies (AAMS) received a portable computer drive containing protected health information (PHI), including electronic copies of medical records from the CE, that was delivered in error. The incident affected approximately 1,700 individuals and the types of PHI included patients’ names, addresses, medical diagnoses, and in some cases social security numbers. Although AAMS accessed the portable drive, it subsequently deleted the data and returned the drive to the CE. The CE provided breach notification to HHS and affected individuals. As a result of OCR’s investigation, the CE began developing policies and procedures related to breach notification, training, removal of hardware and electronic media, and encryption and decryption of PHI, and indicated that it would train its workforce on the new policies and procedures once they were implemented. On December 5, 2016, the CE’s former parent company provided written documentation that the CE legally dissolved on December 23, 2015, and has ceased carrying on business. | COMPLETE MEDICAL HOMECARE KS Healthcare Provider 1700 | Tuesday | 2014 |
Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company | NJ | Business Associate | 1700 | 2012-02-08 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company NJ Business Associate 1700 | Wednesday | 2012 |
WageWorks, Inc. | CA | Business Associate | 1700 | 2012-01-13 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | WageWorks, Inc. CA Business Associate 1700 | Friday | 2012 |
Trisha Elaine Cordova | AK | Business Associate | 1700 | 2011-03-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor’s vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver’s license numbers, health information, and social security numbers. At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. Following OCR’s investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media. | Trisha Elaine Cordova AK Business Associate 1700 | Thursday | 2011 |
GI Care for Kids Endoscopy Center | GA | Healthcare Provider | 1700 | 2017-06-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | GI Care for Kids Endoscopy Center GA Healthcare Provider 1700 | Tuesday | 2017 |
HealthPartners Administrators, Inc. | MN | Business Associate | 1699 | 2014-03-21 | Loss | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | Yes |  | HealthPartners Administrators, Inc. MN Business Associate 1699 | Friday | 2014 |
Indiana Health Centers, Inc. | IN | Healthcare Provider | 1697 | 2017-09-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Indiana Health Centers, Inc. IN Healthcare Provider 1697 | Tuesday | 2017 |
Texas Health and Human Services Commission | TX | Health Plan | 1696 | 2011-09-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop was stolen from an employee’s vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE’s policy and sanctioned three involved employees. | Texas Health and Human Services Commission TX Health Plan 1696 | Friday | 2011 |
Worldwide Insurance Services, LLC | PA | Business Associate | 1692 | 2018-04-30 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Worldwide Insurance Services, LLC PA Business Associate 1692 | Monday | 2018 |
7-Eleven, Inc. Comprehensive Welfare Benefits Plan No. 525 | TX | Health Plan | 1688 | 2015-03-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | 7-Eleven, Inc. Comprehensive Welfare Benefits Plan No. 525 TX Health Plan 1688 | Wednesday | 2015 |
Tranquility Counseling Services | NC | Healthcare Provider | 1683 | 2013-12-23 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Tranquility Counseling Services NC Healthcare Provider 1683 | Monday | 2013 |
Saints Mary and Elizabeth Hospital | KY | Healthcare Provider | 1682 | 2016-06-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Saints Mary and Elizabeth Hospital, sent an email reminder to potential participants of the hospital’s bariatric patient support group and inadvertently attached a spreadsheet of patients’ names associated with bariatric-related surgery. The spreadsheet contained the names, surgery dates, addresses, emails, and phone numbers of 1,682 individuals. The CE unsuccessfully tried to recall the message. The CE’s internal investigation determined that the involved employee failed to utilize the auto-encryption feature for email containing protected health information (PHI). The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notices on its website. Following the breach, the CE retrained its employees on email policies and procedures and best practices for securing PHI sent through email. The CE sanctioned the involved employee and ceased using email to send reminders about support group activities. OCR obtained assurances that the CE implemented the corrective actions listed above. | Saints Mary and Elizabeth Hospital KY Healthcare Provider 1682 | Friday | 2016 |
LTC Dental, P.C. | AL | Healthcare Provider | 1680 | 2015-10-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | LTC Dental, P.C. AL Healthcare Provider 1680 | Wednesday | 2015 |
Ambucor Health Solutions, an unincorporated division of The ScottCare Corporation | DE | Business Associate | 1679 | 2016-07-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | Ambucor Health Solutions is a business associate (BA) utilized by multiple covered entities (CEs) to provide remote monitoring services for cardiac devices. The BA reported that on March 17, 2016, a rogue employee downloaded thousands of its files containing protected health information (PHI) onto a portable “thumb” drive, while he was under indictment for federal crimes, including felony identity theft in a matter unrelated to the BA. The BA immediately shut off the employee’s computer access and conducted a thorough investigation. The former employee was incarcerated and cooperated with federal law enforcement authorities. Eventually, the thumb drives were returned to the BA and a computer forensic firm and data review team identified a total of 53 CEs, which included approximately 53,000 individual patients affected by the breach. The types of PHI affected by the breach varied by patient and may have included patients’ first and last names, phone numbers, diagnoses, medications, dates of birth, addresses, testing data and results, medical device information, enrollment dates and physicians’ names as well as 650 patients’ social security numbers. The BA provided breach notification to HHS and its 53 customers (the CEs), as well as all affected individuals that its customers asked it to notify. The BA offered identity protection services to all affected individuals at no cost and provided a call center to respond to questions and concerns. Following the breach, the BA re-ran background checks on all of its management team. In addition, it performed a comprehensive enterprise-wide risk assessment, reconfigured the universal serial bus (USB) ports on its computer workstations to allow read-only access, and enhanced its related policies and procedures. It also provided additional HIPAA training to all employees. OCR obtained assurances that the BA implemented the corrective actions listed. In this case, the BA’s sanction of the involved employee included termination of employment. | Ambucor Health Solutions, an unincorporated division of The ScottCare Corporation DE Business Associate 1679 | Friday | 2016 |
Connextions c/o Anthem BCBS | IN | Business Associate | 1678 | 2013-03-14 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | From November 11, 2011 through October 1, 2012, an employee of the covered entity’s (CE) business associate (BA), Connextions, improperly accessed the protected health information (PHI) of the CE’s Medicare members, and the employee may have disclosed their social security numbers to a third party. This breach affected approximately 528 Indiana members. The PHI involved in the breach included demographic information and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the BA completed a security risk assessment, phased out the call center where the at-fault employee worked, and engaged in an independent, external audit. OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE and BA implemented corrective actions in this matter. In addition, the involved individual’s employment was terminated. | Connextions c/o Anthem BCBS IN Business Associate 1678 | Thursday | 2013 |
Iron Mountain Records Management | CA | Business Associate | 1674 | 2014-08-13 | Improper Disposal | Loss | Theft | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Iron Mountain Records Management CA Business Associate 1674 | Wednesday | 2014 |
ZDI | CA | Business Associate | 1674 | 2013-12-20 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | This case, along with two companion cases, involved data lost due to damage and/or opening of priority mail during processing and transit through the United States Post Office. In this case, potentially 1,700 individuals may have been affected. The types of protected health information (PHI) involved in the breach included names, social security numbers, group names, and group numbers. The data was not recovered. The covered entity (CE), Delta Dental of Pennsylvania, provided breach notification to HHS, affected individuals, and the media. It also took immediate and appropriate steps to mitigate potential damages to individuals and to reduce the likelihood of recurrence. From December 2013 to case closure in September 2015, no further incidents occurred, and OCR determined that the CE’s corrective actions were effective. | ZDI CA Business Associate 1674 | Friday | 2013 |
UMASSAmherst | MA | Healthcare Provider | 1670 | 2013-06-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). UMass will pay $650,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. UMass notified OCR that a workstation in its Center for Language, Speech, and Hearing (Center) was infected with a malware program which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place. OCR’s investigation indicated the following potential violations of the HIPAA Rules: • Failure to designate all of its health care components when hybridizing; • Failure to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center; • Failure to conduct an accurate and thorough risk analysis prior to September 2015; • Impermissible disclosure of 1,670 individuals’ ePHI. In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/umass. | UMASSAmherst MA Healthcare Provider 1670 | Wednesday | 2013 |
Smile Designs | FL | Healthcare Provider | 1670 | 2012-01-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No |  | Smile Designs FL Healthcare Provider 1670 | Friday | 2012 |
Forrest General Hospital | MS | Healthcare Provider | 1670 | 2018-02-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Forrest General Hospital MS Healthcare Provider 1670 | Thursday | 2018 |
Cardiology Associates of Jonesboro, Inc. | AR | Healthcare Provider | 1669 | 2016-03-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On or about February 18, 2016, the covered entity (CE), Cardiology Associates of Jonesboro, Inc., discovered that its business associate (BA), Document Output Center, LLC, accidentally mailed appointment reminders to incorrect patients due to a software error. The letters disclosed the names, appointment times and, in some cases, appointment types, of approximately 1,669 patients. In response to the incident, the CE worked with the BA to implement a process to check merged files before mailing to make sure they are correct. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions listed above. | Cardiology Associates of Jonesboro, Inc. AR Healthcare Provider 1669 | Friday | 2016 |
VARO Healthcare | PA | Business Associate | 1667 | 2014-10-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | VARO Healthcare PA Business Associate 1667 | Tuesday | 2014 |
Henry Ford Health System | MI | Healthcare Provider | 1658 | 2018-04-10 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Henry Ford Health System MI Healthcare Provider 1658 | Tuesday | 2018 |
Baptist Health System | AL | Healthcare Provider | 1655 | 2012-05-04 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 8, 2012, a trash bag containing discarded appointment schedules was inadvertently removed from a “shred bin” at Baptist Health System’s Talladega clinic by the office cleaning service and disposed of in a dumpster without being shredded. The protected health information (PHI) involved in the breach included patients’ names, dates of birth, dates of service, account numbers, and chart numbers for approximately 2,000 individuals. The CE provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE initiated an internal investigation, conducted a risk assessment, and updated its policies and procedures regarding access to shred bins. As a result of OCR’s investigation, the CE reviewed its policies and procedures with staff to ensure the adequacy of safeguards. | Baptist Health System AL Healthcare Provider 1655 | Friday | 2012 |
Virtua Medical Group | NJ | Healthcare Provider | 1654 | 2016-03-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | No | Virtua Medical Group, the covered entity (CE), reported a breach by its transcription vendor when the business associate unintentionally misconfigured its server leading to exposure of the transcription documents via an internet search engine. The CE estimated the transcription documents may have included the electronic protected health information (ePHI) of 1,654 patients’ names, birthdates and treatment information from office visits. The CE provided breach notification to HHS, the media, and the affected individuals, and posted notice to its website. As a result of OCR’s investigation, the CE contacted law enforcement, and contacted the transcription vendor to facilitate the removal of the entire site at issue from Google cache. The CE received assurances that Google removed the individual patient records that were accessible via searching the internet and that no other search engine was involved. The CE also terminated its relationship with the transcription vendor. Additionally, the CE is expected to take additional corrective actions in connection with the consent judgment entered into by CE with the Attorney General of the State of New Jersey and the New Jersey Division of Consumer Affairs. | Virtua Medical Group NJ Healthcare Provider 1654 | Friday | 2016 |
Prima CARE, PC | MA | Healthcare Provider | 1651 | 2015-07-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Two binders belonging to a former employee were discovered at Dave’s Beach in Fall River, MA on May 25, 2015. The binders contained the protected health information (PHI) of 1,651 patients of the covered entity (CE), Prima Care, P.C. The PHI predominantly consisted of names, dates of birth, diagnoses, admission and treatment dates, medical record numbers, and hospital account number. For three individuals, the PHI also included partial or complete social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. It also provided a dedicated telephone number for questions and free credit monitoring services to those with breached social security numbers. As a result of the breach and OCR’s investigation, the CE revised its policies and procedures related to uses and disclosures of PHI, safeguards, and the minimum necessary standard. | Prima CARE, PC MA Healthcare Provider 1651 | Wednesday | 2015 |
Advanced Orthopedic Center | FL | Healthcare Provider | 1647 | 2018-07-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Advanced Orthopedic Center FL Healthcare Provider 1647 | Monday | 2018 |
Baylor College of Medicine | TX | Healthcare Provider | 1646 | 2010-07-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer was stolen from an administrative office. The laptop contained the protected health information (PHI) of approximately 1,618 patients (originally reported as 1,646). The types of PHI involved in the breach included the demographic and clinical information of pediatric cardiology patients, including names, medical record numbers, dates of service, diagnoses, and dates of birth. Following the breach, the covered entity (CE), Texas Children’s Hospital, and Baylor College of Medicine (which filed a separate breach report) jointly notified the affected individuals and the local media after a delay due to a law enforcement request. As a result of OCR’s investigation, the CE revised several information technology policies and modified physical safeguards. | Baylor College of Medicine TX Healthcare Provider 1646 | Friday | 2010 |
University of Oklahoma, OU Physicians | OK | Healthcare Provider | 1637 | 2017-04-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), University of Oklahoma Health Sciences Center, reported that a resident physician set his university email to automatically forward to his personal email account. The protected health information (PHI) involved the names, medical information, dates of birth, and social security numbers for approximately 1,637 individuals. As a result of the breach, the CE improved safeguards, updated its policies and procedures, and trained its workforce members on better practices to protect PHI. Further, the CE provided breach notification to HHS, affected individuals, and the media. During the course of the investigation, OCR provided technical assistance, and the CE provided substitute notice to those individuals not notified. OCR obtained the notice to the media provided by the CE, and obtained assurances that the CE implemented the corrective actions listed in the response to OCR’s data request and the breach report. | University of Oklahoma, OU Physicians OK Healthcare Provider 1637 | Tuesday | 2017 |
Indian Health Service, Aberdeen Area Office | SD | Health Plan | 1632 | 2014-11-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Indian Health Service, Aberdeen Area Office SD Health Plan 1632 | Thursday | 2014 |
Futurity First Insurance Group | CT | Business Associate | 1631 | 2011-10-03 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes |  | Futurity First Insurance Group CT Business Associate 1631 | Monday | 2011 |
Northwest Oncology & Hematology, S.C. | IL | Healthcare Provider | 1625 | 2016-05-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Northwest Oncology & Hematology, S.C. IL Healthcare Provider 1625 | Wednesday | 2016 |
Colorado Department of Health Care Policy and Financing | CO | Health Plan | 1622 | 2015-08-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Between May 25, 2015 and July 5, 2015, the Governors’ Office of Technology, a business associate (BA), sent letters containing protected health information (PHI) on behalf of the covered entity (CE), the Colorado Department of Health Care Policy and Financing, to the wrong Medical Assistance Program clients due to a technical error in the BA’s computer system. The breach affected up to 3,537 individuals, and the types of PHI involved (which varied from household to household) included names, addresses, state identification numbers, Medicaid case numbers, employers’ names, amount of income, amount of approved Advanced Premium Tax Credit, approvals/denials for the Medical Assistance Program, and dates of birth. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a recurrence of this type of incident, the BA’s subcontractor, Deloitte, fixed the software that is used for the Colorado Benefits Management System to ensure that the CE’s letters are addressed to the appropriate recipients, and implemented additional procedures for quality control of mailings. OCR obtained written assurances that the CE, BA and its subcontractor implemented the corrective actions noted above. | Colorado Department of Health Care Policy and Financing CO Health Plan 1622 | Tuesday | 2015 |
UnityPoint Health Affiliated Covered Entity | IA | Healthcare Provider | 1620 | 2016-05-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | UnityPoint Health Affiliated Covered Entity IA Healthcare Provider 1620 | Wednesday | 2016 |
Terros Incorporated | AZ | Healthcare Provider | 1618 | 2018-06-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Terros Incorporated AZ Healthcare Provider 1618 | Tuesday | 2018 |
Bridget P Early MD LLC d/b/a Namaste Health Care | MO | Healthcare Provider | 1617 | 2017-10-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Bridget P Early MD LLC d/b/a Namaste Health Care MO Healthcare Provider 1617 | Thursday | 2017 |
North Carolina Department of Health and Human Services | NC | Health Plan | 1615 | 2015-10-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | North Carolina Department of Health and Human Services NC Health Plan 1615 | Monday | 2015 |
North Big Horn Hospital | WY | Healthcare Provider | 1607 | 2014-12-01 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), North Big Horn Hospital, reported that on October 2, 2014, it discovered that an Emergency Department (ED) logbook containing protected health information (PHI) was lost, affecting 1,607 individuals. The logbook contained the demographic and clinical information of patients seen in the ED from May 2012 through October 2013. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures and provided technical assistance. On August 25, 2015, the CE reported that during a recent re-organization it found the reported logbook in a locked office on a shelf behind several binders. Accordingly, OCR has closed the investigation. | North Big Horn Hospital WY Healthcare Provider 1607 | Monday | 2014 |
VA Palo Alto Health Care System | CA | Healthcare Provider | 1600 | 2018-03-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | VA Palo Alto Health Care System CA Healthcare Provider 1600 | Monday | 2018 |
Ronald D. Garrett-Roe, MD | TX | Healthcare Provider | 1600 | 2015-01-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Alleged hackers gained unauthorized access to one or two hard drives on the desktop computers of the covered entity (CE), Dr. Ronald D. Garrett-Roe, affecting approximately 1,600 patients’ protected health information. The CE reported that the hard drive had been removed, all of the files copied, and the hard drive formatted, which caused all of the computer programs, the operating system, and many patient records to be erased. Dr. Garrett-Roe is no longer a covered entity. | Ronald D. Garrett-Roe, MD TX Healthcare Provider 1600 | Friday | 2015 |
Aetna Inc. | CT | Health Plan | 1600 | 2017-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Aetna Inc. CT Health Plan 1600 | Wednesday | 2017 |
Stephen Haggard, DPM Podiatry | WA | Healthcare Provider | 1597 | 2012-05-04 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Computer equipment and a safe containing the unencrypted electronic protected health information (ePHI) of 1,597 individuals were stolen from the covered entity’s (CE) office on March 4, 2012. The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, claims information, diagnoses, and medication information. Following the breach, the covered entity purchased a new door and locks, a new alarm system, and alarm monitoring. As a result of OCR’s investigation, the CE conducted a risk analysis and developed breach notification policies and procedures. The CE also encrypted its computer server. | Stephen Haggard, DPM Podiatry WA Healthcare Provider 1597 | Friday | 2012 |
W. W. Grainger, Inc. | IL | Health Plan | 1594 | 2017-09-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | W. W. Grainger, Inc. IL Health Plan 1594 | Monday | 2017 |
Carolina Center for Development and Rehabilitation | NC | Healthcare Provider | 1590 | 2010-07-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients’ full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver’s license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney general’s investigation and suspended the responsible staff members. Following OCR’s investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. | Carolina Center for Development and Rehabilitation NC Healthcare Provider 1590 | Friday | 2010 |
Jeffrey D. Rice, O.D., L.L.C. | OH | Healthcare Provider | 1586 | 2017-02-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Jeffery D. Rice, O.D./Vision Source, the covered entity (CE), reported that, on or about December 12, 2016, seven boxes that contained past and current patients' protected health information (PHI) were stolen from a warehouse. This breach affected approximately 1,586 individuals. The types of protected health information (PHI) involved in the breach included names, addresses, social security numbers, and medical diagnoses/conditions. Following the breach, the CE inventoried the storage unit to note what was missing, informed the police of the theft, recovered the stolen PHI, reviewed the recovered PHI, and moved their offsite PHI to a new location. The CE provided breach notification to HHS and affected individuals. In response to OCR's investigation the CE revised its policies for uses and disclosure of PHI policy and for safeguarding PHI and trained its staff on these updated policies. The CE also trained an employee to regularly check on the PHI that is stored off site. OCR obtained documentation of all actions taken in this matter. | Jeffrey D. Rice, O.D., L.L.C. OH Healthcare Provider 1586 | Thursday | 2017 |
Mount Sinai Medical Center | NY | Healthcare Provider | 1586 | 2013-10-04 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Mt. Sinai Medical Center, after it reported that a trash vendor placed two garbage bags in an open box containing the protected health information (PHI) of 1,586 patients outside Mt. Sinai's Department of Preventive Medicine's facility with the regular trash. The PHI involved in the breach included names, dates of service, payer information, patients' clinical information, mental health information and social security numbers. As a result of the breach, the CE retrieved the two trash bags and the box that contained PHI, provided training to its staff regarding appropriate disposal of PHI including paper files, and sanctioned the supervisor for failing to follow its policy regarding confidential waste. OCR provided TA to the CE regarding accounting of disclosures. CE assured OCR that the disclosures would be documented. | Mount Sinai Medical Center NY Healthcare Provider 1586 | Friday | 2013 |
Woodhull Medical and Mental Health Center | NY | Healthcare Provider | 1581 | 2015-10-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Woodhull Medical and Mental Health Center NY Healthcare Provider 1581 | Monday | 2015 |
Laboratory Corporation of America | NC | Healthcare Provider | 1580 | 2013-05-01 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A desktop computer tagged for destruction was stolen after hours from a facility of the covered entity (CE), Laboratory Corporation of America (LabCorp). The computer contained the electronic protected health information (ePHI) of approximately 1,580 individuals, including clinical and demographic information, such as diagnoses, names, social security numbers, and dates of birth. The CE provided breach notification to HHS and affected individuals. The CE also notified law enforcement and initiated an internal investigation. In coordination with OCR's investigation, the CE retrained its employees, changed the storage location of mobile devices and computers, and updated the encryption for its desktop computers. | Laboratory Corporation of America NC Healthcare Provider 1580 | Wednesday | 2013 |
Quality Health Claims Consultants, LLC | IL | Business Associate | 1573 | 2013-12-06 | Theft | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | The Covered Entity’s (CE) Business Associate (BA) mailed letters to their clients to request certain documents containing identifying information. An erroneous fax number listing caused some clients to fax their information to the wrong number. Approximately 1,573 individuals were affected by the breach. The protected health information (PHI) involved included names, addresses, dates of birth, and social security numbers. Following the breach, the BA confirmed that any faxes sent to the incorrect fax number were destroyed. The BA also standardized all company literature to require manual data entry of client-specific contact information to assure quality control. OCR provided information to assist the CE to revise its BA agreement. | Quality Health Claims Consultants, LLC IL Business Associate 1573 | Friday | 2013 |
Blue Cross & Blue Shield of Rhode Island | RI | Health Plan | 1567 | 2018-09-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Blue Cross & Blue Shield of Rhode Island RI Health Plan 1567 | Thursday | 2018 |
Jackson Health System | FL | Healthcare Provider | 1562 | 2011-07-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | The CE's employee removed protected health information of 1,562 patients from the CE's premises over a period of 18 months in order to commit identity theft. The types of PHI involved in the breach included names, addresses, dates of birth, and social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of credit monitoring to those affected. Following the breach, the CE terminated the employee and initiated an auditing program to automatically detect excessive accesses to PHI on its electronic health record system. OCR's investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. | Jackson Health System FL Healthcare Provider 1562 | Friday | 2011 |
Hope Community Resources, Inc. | AK | Healthcare Provider | 1556 | 2013-10-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | A client contact list was inadvertently attached to a group email to parents and guardians of clients by an employee of the covered entity (CE), Hope Community Resources, affecting 1,556 individuals. The protected health information (PHI) involved in the breach included client names, contact information for client support persons, dates of birth, and internal identification numbers issued by the CE. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the responsible employee and improved safeguards by instituting new quality measures for large mailings. Following OCR's investigation, the CE updated its risk analysis through an outside vendor. | Hope Community Resources, Inc. AK Healthcare Provider 1556 | Wednesday | 2013 |
Carolina Oncology Specialists | NC | Healthcare Provider | 1551 | 2017-10-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On or about August 11, 2017, the covered entity (CE), Carolina Oncology Specialists, received correspondence from credit card companies addressed to three of its patients using the CE's address. On September 6, 2017, one of the three patients reported a suspicious credit card transaction to the CE. The CE investigated and found that the perpetrator of the fraudulent transaction was a former employee who had had access to 1,551 patient files containing names, addresses, birthdates, social security numbers, and some medical information. The former employee had legitimate access to these files as an employee and it is unclear how many records she accessed in an unauthorized manner. In response to the breach, the CE notified the police and initiated an internal investigation. The police identified the same employee as the prime suspect for misusing patient information to open fraudulent credit card accounts. The CE found that there was no unauthorized access to its network or electronic medical records in the days immediately preceding the incident. To prevent such an incident in the future, the CE implemented additional technical safeguards to better track users on its network and limit the exposure of protected health information through more granular controls. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE briefly delayed providing notification based on a law enforcement request. OCR obtained assurances that the CE implemented the corrective actions noted above. | Carolina Oncology Specialists NC Healthcare Provider 1551 | Monday | 2017 |
Duke LifePoint Conemaugh Memorial Medical Center | PA | Healthcare Provider | 1551 | 2015-05-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity's (CE) business associate (BA), Medical Management, LLC ("MML"), disclosed the demographic information of 1,551 of the CE's patients to outside parties. The protected health information (PHI) involved in the breach included names, dates of birth, and social security numbers. Following the breach, the CE assisted the BA in responding to the breach and notifying affected individuals. Additionally, OCR reviewed the CE's risk analysis to ensure compliance with the Security Rule. | Duke LifePoint Conemaugh Memorial Medical Center PA Healthcare Provider 1551 | Friday | 2015 |
Otolaryngology Associates of Central New Jersey, P.C. | NJ | Healthcare Provider | 1551 | 2017-11-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Otolaryngology Associates of Central New Jersey, P.C. NJ Healthcare Provider 1551 | Friday | 2017 |
Ecolab Health and Welfare Benefits Plan | MN | Health Plan | 1550 | 2016-02-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Ecolab Health and Welfare Benefits Plan MN Health Plan 1550 | Friday | 2016 |
Prime Home Care, LLC | NE | Healthcare Provider | 1550 | 2010-11-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Prime Home Care, LLC NE Healthcare Provider 1550 | Friday | 2010 |
Georgetown University Hospital | DC | Healthcare Provider | 1549 | 2012-02-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Georgetown University Hospital DC Healthcare Provider 1549 | Wednesday | 2012 |
Simonian Sports Medicine Clinic, A Medical Corporation | CA | Healthcare Provider | 1541 | 2018-09-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Simonian Sports Medicine Clinic, A Medical Corporation CA Healthcare Provider 1541 | Monday | 2018 |
Amerigroup Community Care of New Mexico, Inc | NM | Health Plan | 1537 | 2011-11-13 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Amerigroup Community Care of New Mexico, accessed the company data system to compile a list of members' names, dates of birth, and social security numbers. The protected health information (PHI) of approximately 1,526 individuals was involved in the breach. The workforce member did not have a job specific purpose for accessing and downloading the information. Following this breach, the CE terminated the workforce member involved. Further, the CE conducted an internal review of its procedures to determine whether additional security controls are needed. As a result of OCR's investigation, the CE provided additional training, through email reminders, about workforce members' responsibilities to protect member information and to report incidents when observed. | Amerigroup Community Care of New Mexico, Inc NM Health Plan 1537 | Sunday | 2011 |
Centerstone | TN | Healthcare Provider | 1537 | 2010-07-02 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | A major flooding event damaged a building where the CE operated its school-based program offices. The flooding was so significant that the area was deemed a federal disaster area. An estimated 1,537 individuals were affected by the loss of data due to flood damage. The types of PHI involved were names, addresses, dates of birth, and social security numbers. After the flood, the CE attempted to collect as much PHI as it could from the site but access was limited by authorities because the building was deemed toxic and salvage cleanup commenced prior to the CE’s ability to access the building. PHI in paper format was either washed away or disposed of during salvage procedures. Computers and equipment in the building were destroyed by water damage. Because the CE relied primarily on their electronic health records stored on an offsite server, medical data was still intact for continuity of care purposes. The CE provided breach notification to individuals, HHS, and the media, and posted substitute notice on its website. The CE has since moved its school-based operations to a CE owned facility. OCR obtained assurances that the CE implemented the corrective action listed above. | Centerstone TN Healthcare Provider 1537 | Friday | 2010 |
Blue Cross Blue Shield of North Carolina | NC | Health Plan | 1530 | 2015-09-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 14, 2015, that its business associate (BA), EDM Americas, had accidently sent invoices to members that contained information for other members, affecting 1,530 individuals. The types of protected health Information (PHI) in the invoice included member names, addresses, internal account numbers, group numbers, coverage dates, and premium amounts due. The CE provided breach notification to HHS, on its website and to the media. The BA sent individual notification on behalf of the CE. In response to the breach, the BA retrained its staff and revised its internal validation and quality control procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | Blue Cross Blue Shield of North Carolina NC Health Plan 1530 | Friday | 2015 |
Rush University Medical Center | IL | Healthcare Provider | 1529 | 2015-11-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On September 9, 2015, a business associate (BA), Standard Register, erroneously mailed announcements concerning a retirement for the covered entity (CE), Rush University Medical Center, which resulted in misdirected letters being sent to the wrong patients associated with the clinic. The breach affected 1,529 individuals and included patients' names. The CE provided breach notification to HHS, the media, and affected individuals, and provided substitute notice on its website. The CE also entered into a BA agreement with Standard Register and created policies and procedures to establish quality measures for mass mailings. OCR obtained documentation confirming that the CE implemented the corrective actions listed above. | Rush University Medical Center IL Healthcare Provider 1529 | Friday | 2015 |
Detroit Medical Center | MI | Healthcare Provider | 1529 | 2017-07-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Detroit Medical Center MI Healthcare Provider 1529 | Thursday | 2017 |
Walla Walla VA Medical Center | WA | Healthcare Provider | 1519 | 2013-12-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Walla Walla VA Medical Center WA Healthcare Provider 1519 | Wednesday | 2013 |
Memorial Hospital at Gulfport | MS | Healthcare Provider | 1512 | 2018-02-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Memorial Hospital at Gulfport MS Healthcare Provider 1512 | Wednesday | 2018 |
StayWell Health Management, LLC | MN | Business Associate | 1511 | 2014-02-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes |  | StayWell Health Management, LLC MN Business Associate 1511 | Tuesday | 2014 |
Lee Memorial Health System | FL | Healthcare Provider | 1508 | 2015-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Lee Memorial Health System, erroneously sent a letter to about 1,600 patients with the incorrect patients' names due to an administrative error. The CE determined that the protected health information (PHI) of 1,508 individuals was involved in the breach, including names, physicians' names and specialties. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE reviewed the incident, determined where the breakdown occurred, and identified opportunities for improvement. Additionally, the CE improved administrative safeguards by implementing new procedures for data requests. The CE also retrained the responsible workforce members. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lee Memorial Health System FL Healthcare Provider 1508 | Monday | 2015 |
Aetna, Inc. | CT | Health Plan | 1506 | 2017-10-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Aetna, the covered entity (CE), reported that a business associate (BA), Real Time Health Quotes LLC, an insurance producer, was using an unsecured cloud storage application to store protected health information (PHI). Aetna determined 1,506 individuals were affected by this breach. The protected health information included names, dates of birth, Social Security numbers, medical histories, as well as bank account and credit card information. As part of an investigation, OCR reviewed the CE's business associate agreement with the BA. The CE provided breach notification to HHS, the media, affected individuals, offered the affected individuals free credit monitoring and terminated its relationship with the BA. Additionally, the CE is conducting a review of cloud storage application use among its other similar BAs and will provide training to any that use these applications. | Aetna, Inc. CT Health Plan 1506 | Monday | 2017 |
Atique Orthodontics | OR | Healthcare Provider | 1506 | 2016-04-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On February 29, 2016, the covered entity (CE), Atique Orthodontics, reported that files on its web server were compromised by a potential unauthorized access through one of its computers. The files on the server contained the names, dates of birth, addresses, phone numbers, credit card numbers, insurance information, and social security numbers of approximately 1,506 individuals. The CE provided breach notification to HHS and affected individuals and offered identity theft protection services. Following the breach, the CE disconnected the computer from the network server, reconfigured it, and disabled the remote desktop connection. The CE also implemented access controls, upgraded its firewall and anti-virus and other anti-malware protection software, and encrypted its electronic protected health information (ePHI). Additionally, the CE developed a plan to perform periodic system audits, adopted policies and procedures to ensure that ePHI is not stored on laptops, desktops, or other mobile device, and updated its log-off policy for unattended computers. The CE also inventoried hardware and software which is stored off site and updated workforce members’ training with the new policies and procedures. OCR obtained assurances from the CE that it implemented the corrective actions listed above. | Atique Orthodontics OR Healthcare Provider 1506 | Friday | 2016 |
Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg | IN | Healthcare Provider | 1504 | 2012-07-25 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No |  | Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg IN Healthcare Provider 1504 | Wednesday | 2012 |
Robert Smith DMD, PC | TN | Healthcare Provider | 1500 | 2018-01-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Robert Smith DMD, PC TN Healthcare Provider 1500 | Monday | 2018 |
Christine D. Collins, APC & Ann Hofstadter, MD Inc. | CA | Healthcare Provider | 1500 | 2017-07-27 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Christine D. Collins, APC & Ann Hofstader, MD Inc., discovered that a third party may have gained unauthorized access to its computer systems when email access credentials belonging to an employee were wrongfully acquired as a result of a cyber-security attack on May 27, 2017. The CE's investigation determined that the employee's email account was subject to unauthorized access between May 27, 2017, and May 28, 2017. The breach involved the protected health information (PHI) of 1,500 individuals and included names, addresses, dates of birth, social security numbers, and medical information. In response to the breach incident the CE immediately disabled the account, reset the credentials for the impacted user account, implemented two-factor authentication for email access, and updated its policies and procedures. The CE provided breach notification to HHS, affected individuals, and the media. OCR provided technical assistance regarding the CE's obligation to conduct a comprehensive and current security risk analysis, along with implementing a corresponding risk management/mitigation plan to address the findings of its risk analysis report. | Christine D. Collins, APC & Ann Hofstadter, MD Inc. CA Healthcare Provider 1500 | Thursday | 2017 |
Jennie Stuart Medical Center | KY | Healthcare Provider | 1500 | 2016-09-23 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Hackers placed ransomware on the covered entity’s (CE) computer server. The servers stored protected health information (PHI), including addresses, dates of birth, driver's license data, names, social security numbers, claims information, credit card and bank account information, medical diagnoses, lab results, medications, and other treatment information, for approximately 1,500 individuals. The data on the servers was encrypted and the hackers placed encryption on top of the CE's encryption, preventing access by the CE. The hackers demanded a ransom, which the CE paid. After payment of the ransom, the CE re-gained access to the data on the server. The CE hired a third party to perform a forensic investigation, and the CE provided a complete copy of the investigative report to OCR. The CE also provided OCR with a detailed analysis of its risk assessment and its determination that the probability that data was compromised was very low. Out of an abundance of caution, the CE expanded its data security monitoring, updated its security management policies, and provided additional training to staff. OCR obtained assurances that the CE implemented the actions listed above. | Jennie Stuart Medical Center KY Healthcare Provider 1500 | Friday | 2016 |
PruittHealth Home Health – Low Country | SC | Healthcare Provider | 1500 | 2016-04-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 2, 2016, a break-in occurred at the office of the covered entity (CE), PruittHealth. The perpetrators broke the glass of the front door and broke into the file cabinets, but it did not appear that any medical records were taken. The perpetrators had the opportunity to access the paper medical records of 1,500 individuals. The types of protected health information (PHI) contained in the records included patients' names, addresses, social security numbers, dates of birth, dates of service, location of service, and other clinical information. The CE provided breach notification to HHS, affected individuals and media and also provided substitute notice on its website. The CE also set up a toll free telephone number to answer questions about the breach. Following the breach, the CE reviewed its policies and retrained staff. Additionally, the CE initiated a criminal investigation with local law enforcement, repaired the door used to gain access to the building, purchased file cabinets with more secure locks, and initiated a search for a more secure office location. | PruittHealth Home Health – Low Country SC Healthcare Provider 1500 | Friday | 2016 |
Felicia Lewis, MD Lakewood Hills Internal Medicine | TX | Healthcare Provider | 1500 | 2016-01-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | OCR closed the investigation after it determined that the covered entity (CE) had closed its medical practice and was no longer a CE. | Felicia Lewis, MD Lakewood Hills Internal Medicine TX Healthcare Provider 1500 | Thursday | 2016 |
Carolyn B Lyde, MD, PA | TX | Healthcare Provider | 1500 | 2015-11-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted, password protected laptop computer containing the protected health information (PHI) of approximately 1,500 individuals, was stolen from the covered entity (CE), Dermatology Center of Lewisville. The laptop was used as a storage device for individuals’ names and images of individuals’ skin conditions. As a result of OCR's investigation, the CE adopted encryption technologies, updated its Risk Analysis, implemented its corresponding Risk Management Plan, improved physical security, and retrained its workforce members on its revised policies and procedures. | Carolyn B Lyde, MD, PA TX Healthcare Provider 1500 | Monday | 2015 |
PT Northwest, LLC | OR | Healthcare Provider | 1500 | 2015-08-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), PT Northwest, LLC inadvertently emailed a questionnaire to patients that was copied to 1,500 patients. The e-mail should have been distributed to recipients as a blind carbon copy. Some of the e-mail addresses contained patients’ names. Following the breach, the CE sanctioned the employee who was responsible for the impermissible disclosure. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, the CE conducted companywide annual HIPAA training, and started the process of conducting in person follow-up HIPAA trainings to be completed by December 2015. | PT Northwest, LLC OR Healthcare Provider 1500 | Friday | 2015 |
Jones Chiropractic and Maximum Health | IN | Healthcare Provider | 1500 | 2013-11-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Jones Chiropractic and Maximum Health IN Healthcare Provider 1500 | Tuesday | 2013 |
Janna Benkelman LPC LLC | CO | Healthcare Provider | 1500 | 2013-09-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On August 1, 2013, the covered entity (CE), Dr. Benkelman, discovered that her unencrypted office laptop computer had been stolen from her unlocked office. The resulting breach affected approximately 1,500 patients, and the electronic protected health information (ePHI) included demographic and mental health information (diagnoses/conditions). The CE reported the theft to the police, and provided breach notification to HHS, the media, and affected individuals. The CE also offered credit monitoring to affected individuals. The CE closed the practice in the fall of 2013 due to the breach. | Janna Benkelman LPC LLC CO Healthcare Provider 1500 | Tuesday | 2013 |
ADPI-West | CA | Business Associate | 1500 | 2012-11-29 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes |  | ADPI-West CA Business Associate 1500 | Thursday | 2012 |
SwedishAmerican Health System | IL | Healthcare Provider | 1500 | 2012-10-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | No web description - case is a duplicate. The duplicate is posted on the webpage with a summary. | SwedishAmerican Health System IL Healthcare Provider 1500 | Friday | 2012 |
Mills-Peninsula Health Services | CA | Healthcare Provider | 1500 | 2011-07-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Mills-Peninsula Health Services CA Healthcare Provider 1500 | Friday | 2011 |
Methodist Charlton Medical Center | TX | Healthcare Provider | 1500 | 2011-05-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards. | Methodist Charlton Medical Center TX Healthcare Provider 1500 | Thursday | 2011 |
Holy Cross Hospital | FL | Healthcare Provider | 1500 | 2010-11-16 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A covered entity’s (CE) employee impermissibly obtained copies of patient data sheets containing protected health information (PHI) and sold the PHI to a third party. The PHI included names, addresses, dates of birth, social security numbers, insurance information, and diagnoses affecting 38 individuals; however, the initial investigation addressed a report of approximately 1,500 affected individuals. The CE provided breach notification to 44,000 individuals (including those who were potentially affected), HHS and the media. In addition, free credit monitoring was offered. Following the breach, the CE cooperated with federal authorities, law enforcement, and the state health administration agency, and provided a report to a national accreditation organization. As a result of this incident, the CE convened a high level work group to oversee privacy and security issues and hired an expert forensic investigator to perform a risk assessment. The CE updated its privacy and security policies and procedures, developed a plan to adopt electronic health records and initiated a continuous review process including random HIPAA compliance audits. The CE also expanded its HIPAA training program for employees. OCR obtained written assurances that the CE implemented the corrective action listed above. | Holy Cross Hospital FL Healthcare Provider 1500 | Tuesday | 2010 |
Molina Healthcare In | CA | Business Associate | 1499 | 2013-12-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Molina Healthcare of Virginia, for the covered entity (CE), Fairfax County, Virginia, used a subcontractor, Health Business Systems, Inc. (HBS), a subsidiary of Catamaran/HBS. An employee of HBS placed a pharmacy claims report containing the protected health information (PHI) of 1,499 individuals on a non-secured file transfer protocol (FTP) site when troubleshooting issues during a systems conversion. Upon discovering the breach, Catamaran/HBS notified the BA, conducted a thorough investigation and removed the file from the non-secure server. A copy of the file was encrypted and password protected. The CE provided breach notification to HHS. Affected individuals were offered free identity theft protection. Following this breach, Catamaran/HBS retrained employees, updated its security software and enabled an alert feature when files containing potential PHI are saved on an FTP server. OCR obtained written assurance that the CE implemented the corrective action listed above. | Molina Healthcare In CA Business Associate 1499 | Monday | 2013 |
East Bay Perinatal Medical Associates | CA | Business Associate | 1494 | 2015-07-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | East Bay Perinatal Medical Associates CA Business Associate 1494 | Wednesday | 2015 |
Rockdale Blackhawk, LLC d/b/a Little River Healthcare | TX | Healthcare Provider | 1494 | 2018-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | NA | Rockdale Blackhawk, LLC d/b/a Little River Healthcare TX Healthcare Provider 1494 | Friday | 2018 |
Tri Lakes Medical Center | MS | Healthcare Provider | 1489 | 2014-01-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Tri Lakes Medical Center MS Healthcare Provider 1489 | Wednesday | 2014 |
St. Mary Mercy Hospital | MI | Healthcare Provider | 1488 | 2014-12-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No |  | St. Mary Mercy Hospital MI Healthcare Provider 1488 | Friday | 2014 |
University of Nevada School of Medicine | NV | Healthcare Provider | 1483 | 2013-01-08 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | University of Nevada School of Medicine NV Healthcare Provider 1483 | Tuesday | 2013 |
West Kendall Baptist Hospital | FL | Healthcare Provider | 1480 | 2018-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | West Kendall Baptist Hospital FL Healthcare Provider 1480 | Monday | 2018 |
SUNSHINE STATE HEALTH PLAN, INC. | FL | Health Plan | 1479 | 2016-07-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Sunshine State Health Plan, Inc., discovered that a case manager emailed a daily inpatient census report to an incorrect email address. The email contained the protected health information (PHI) of 1,479 individuals including member names, addresses, dates of birth, plan and eligibility information, hospitalization dates, Medicaid and Medicare ID numbers, diagnoses, and procedures. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. The CE offered free credit monitoring and identity theft restoration services. In response to the breach, the CE revised its encryption and decryption policy and procedures to require all employees to encrypt emails containing PHI and sensitive data. The CE also revised its confidentiality and release of PHI policy and its mitigation policies and procedures. The CE sanctioned the involved employee for violating its policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | SUNSHINE STATE HEALTH PLAN, INC. FL Health Plan 1479 | Thursday | 2016 |
Special Agents Mutual Benefit Association | MD | Health Plan | 1475 | 2015-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | OCR closed this investigation and consolidated this review into a compliance review that involves the same hacking incident involving CareFirst BlueCross BlueShield. | Special Agents Mutual Benefit Association MD Health Plan 1475 | Monday | 2015 |
Eden Medical Center | CA | Business Associate | 1474 | 2010-09-23 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients’ names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR’s investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients’ ePHI, and encrypted portable electronic computer devices. | Eden Medical Center CA Business Associate 1474 | Thursday | 2010 |
Oroville Hospital | CA | Business Associate | 1474 | 2010-09-23 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCR’s investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. | Oroville Hospital CA Business Associate 1474 | Thursday | 2010 |
Conway Regional Medical Center | AR | Healthcare Provider | 1472 | 2011-10-21 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A business associate (BA) of the covered entity (CE), Conway Regional Medical Center, sent the CE two compact disks containing scanned medical records which were mislaid following receipt. The protected health information (PHI) involved in the breach included the demographic and financial information of 1,472 individuals. The CE provided breach notification to HHS, the media, and affected individuals. Following this breach, the CE instructed its BA to encrypt any removable media that contains PHI and hand deliver the removable media to the CE’s Medical Records Department. Further, the CE improved administrative safeguards by updating its policy and procedures, which now require the signature of an employee in the receiving department when packages are delivered. Also, all workforce members in the department involved in the breach attended additional HIPAA training. As a result of OCR’s investigation, the CE no longer routinely sends PHI off site for scanning. | Conway Regional Medical Center AR Healthcare Provider 1472 | Friday | 2011 |
Jackson Health System | FL | Healthcare Provider | 1471 | 2013-08-22 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Jackson Health System FL Healthcare Provider 1471 | Thursday | 2013 |
Clarksburg - Louis A. Johnson VA Medical Center | WV | Healthcare Provider | 1470 | 2011-03-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Clarksburg - Louis A. Johnson VA Medical Center WV Healthcare Provider 1470 | Wednesday | 2011 |
Insulet Corporation | MA | Healthcare Provider | 1469 | 2017-10-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Insulet Corporation MA Healthcare Provider 1469 | Tuesday | 2017 |
Midland County Hospital District d/b/a Midland Memorial Hospital | TX | Healthcare Provider | 1468 | 2016-06-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A physician affiliated with Midland Memorial Hospital, the covered entity (CE), allowed access to 1,468 individuals’ unsecured medical paper records at the physician’s foreclosed home for approximately one month while bank and property management staff prepared the property for re-sale. The types of protected health information (PHI) involved in the breach included patients’ names, addresses, dates of birth, social security numbers, diagnoses/conditions, medications, and other treatment information. The CE provided breach notification to the affected individuals, the media and HHS. Following the breach, the CE implemented a new safeguard policy specifically addressing the removal of PHI from the facility, and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. | Midland County Hospital District d/b/a Midland Memorial Hospital TX Healthcare Provider 1468 | Tuesday | 2016 |
Peabody Retirement Community | IN | Healthcare Provider | 1466 | 2016-10-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server |  | NA | NA | NA | NA | NA | NA | No | NA | Peabody Retirement Community IN Healthcare Provider 1466 | Friday | 2016 |
The WellPoint Affiliated Covered Entities | IN | Health Plan | 1464 | 2014-09-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | The WellPoint Affiliated Covered Entities IN Health Plan 1464 | Monday | 2014 |
Children’s Mercy Hospital | MO | Healthcare Provider | 1463 | 2018-06-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s Mercy Hospital MO Healthcare Provider 1463 | Wednesday | 2018 |
Consultants Choice, P.A. | FL | Healthcare Provider | 1458 | 2017-09-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Consultants Choice, P.A. FL Healthcare Provider 1458 | Friday | 2017 |
Washington National Insurance Company | IN | Health Plan | 1458 | 2016-11-18 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Washington National Insurance Company IN Health Plan 1458 | Friday | 2016 |
Triple S Advantage, Inc | PR | Health Plan | 1458 | 2015-03-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. | Triple S Advantage, Inc PR Health Plan 1458 | Tuesday | 2015 |
Elite Imaging | FL | Healthcare Provider | 1457 | 2016-01-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A log book (sign-in book) containing information about the covered entity’s (CE) patients was stolen from its offices and returned anonymously with a letter. The log book contained the patients’ full names and the name of the procedure conducted for each patient. The breach affected 1,457 patients. The CE provided breach notification to HHS, affected individuals, and the media. The CE conducted a full review of the incident and filed a police report. It also reviewed and modified its safeguards policies and internal procedures, implemented a new sign-in procedure, updated its software, and re-trained all staff on its new policies. The CE’s shredding vendor securely disposed of the log books. OCR obtained assurances that the CE implemented the corrective actions listed above. | Elite Imaging FL Healthcare Provider 1457 | Monday | 2016 |
KidsPeace | PA | Healthcare Provider | 1456 | 2016-09-19 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), KidsPeace, discovered that a box of documents from the medical records department was missing. It is believed that a custodian threw the box, which was left next to a wastepaper basket, in the trash. The breach involved the protected health information (PHI) of 1,456 individuals, including names, dates of birth, medical record and patient account numbers, and service dates. Following the breach, the CE retrained staff and restricted custodians’ access to the medical records department. Additionally, OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. | KidsPeace PA Healthcare Provider 1456 | Monday | 2016 |
All Source Medical Management | AZ | Business Associate | 1456 | 2013-11-13 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | All Source Medical Management AZ Business Associate 1456 | Wednesday | 2013 |
Minneapolis Clinic of Neurology, Ltd. | MN | Healthcare Provider | 1450 | 2015-08-31 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On July 8, 2015, the covered entity (CE), Minneapolis Clinic of Neurology, Ltd., discovered that a laptop computer was missing from one of its clinics. The breach affected approximately 1,450 individuals and the types of protected health information (PHI) involved in the breach included patients’ names and addresses. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE sanctioned the involved employee with a written warning, distributed its computer network and internet access policy to all employees, and retrained all employees ahead of its annual training. The CE also implemented policies and procedures contained in a new HIPAA Privacy and Security Handbook, increased technical and security safeguards on its mobile electronic devices, and updated the security on its virtual private network software. OCR obtained assurances that the CE implemented the corrective actions listed above. | Minneapolis Clinic of Neurology, Ltd. MN Healthcare Provider 1450 | Monday | 2015 |
Baptist Primary Care, Inc. | FL | Healthcare Provider | 1449 | 2014-11-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No |  | Baptist Primary Care, Inc. FL Healthcare Provider 1449 | Thursday | 2014 |
Southwest Oregon IPA | OR | Health Plan | 1449 | 2018-09-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Southwest Oregon IPA OR Health Plan 1449 | Tuesday | 2018 |
Jersey City Medical Center | NJ | Healthcare Provider | 1447 | 2015-04-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Jersey City Medical Center NJ Healthcare Provider 1447 | Friday | 2015 |
Howard University | DC | Healthcare Provider | 1445 | 2015-07-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On May 6, 2015, business associates (BAs) sent out 1,445 misdirected collection letters on behalf of the covered entity (CE), Howard University Faculty Practice Plan. The types of protected health information (PHI) involved in the breach included names, account numbers, and dates of service. The BAs involved in the CE’s collections efforts included California Healthcare Medical Billing, Inc. (“CHMB”) and JP Recovery Services, Inc. (“JPRS”). The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website. Following the breach, CHMB developed policies and procedures to enhance its quality assurance process for reports containing PHI. The JPRS IT staff worked closely with the CE to ensure that all future placement data files are verified as correct prior to downloading them into the collection system. The CE provided OCR with copies of the BA agreements between the CE and the two BAs. OCR obtained assurances that the CE implemented the corrective actions listed. | Howard University DC Healthcare Provider 1445 | Friday | 2015 |
PrevMED | MD | Business Associate | 1444 | 2012-06-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes |  | PrevMED MD Business Associate 1444 | Monday | 2012 |
ACS, Affiliated Computer Services, Inc., A Xerox Company | VA | Business Associate | 1444 | 2012-01-23 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | ACS, Affiliated Computer Services, Inc., A Xerox Company VA Business Associate 1444 | Monday | 2012 |
PathGroup | TN | Health Plan | 1443 | 2016-12-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | PathGroup TN Health Plan 1443 | Thursday | 2016 |
PruittHealth Hospice Beaufort | SC | Healthcare Provider | 1437 | 2016-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On April 11, 2016, the covered entity (CE), PruittHealth Hospice, experienced a break-in at its Beaufort offices. The perpetrators entered the offices by breaking a side window and then broke into the file cabinets, although it did not appear that any medical records were disturbed or taken. The perpetrators had the opportunity to access the paper medical records for 1,437 individuals. The types of protected health information (PHI) contained in the paper medical records included patients’ names, addresses, social security numbers, dates of birth, dates of service, service locations, and other clinical information. Following the breach, the CE reviewed its policies and trained staff on data privacy and information security. Additionally, the CE initiated a criminal investigation with local law enforcement. It improved physical safeguards by replacing the broken window, purchasing file cabinets with more secure locks, and purchasing a monitored security system. The CE provided breach notification to HHS, all patients it ever served, and the media. It also provided substitute notice on its website and set up a toll free information line for affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. | PruittHealth Hospice Beaufort SC Healthcare Provider 1437 | Thursday | 2016 |
Lexington VAMC | KY | Healthcare Provider | 1432 | 2011-08-25 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | NA | No | The covered entity’s (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals on a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member’s residence. The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review. | Lexington VAMC KY Healthcare Provider 1432 | Thursday | 2011 |
Kern Medical Center | CA | Healthcare Provider | 1431 | 2012-03-12 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Kern Medical Center CA Healthcare Provider 1431 | Monday | 2012 |
South Texas Veterans Health Care System | TX | Healthcare Provider | 1430 | 2010-04-28 | Improper Disposal | Loss | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | South Texas Veterans Health Care System TX Healthcare Provider 1430 | Wednesday | 2010 |
Cancer Care Northwest | WA | Healthcare Provider | 1426 | 2015-08-17 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Cancer Care Northwest, lost a paper binder containing protected health information (PHI). The binder was likely thrown away with the garbage when it was not properly safeguarded in an otherwise secure office. Approximately 1,426 individuals were affected by this breach. The PHI included names, dates of birth, diagnoses/conditions and other treatment information. To prevent a similar breach from happening in the future, the CE instructed the work force member to only take notes electronically and retrained the workforce member on its HIPAA policies. The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft and fraud protection services to affected individuals. OCR obtained assurances that the CE implemented these corrective actions. | Cancer Care Northwest WA Healthcare Provider 1426 | Monday | 2015 |
inSite Digestive Health Care | CA | Healthcare Provider | 1424 | 2018-03-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | inSite Digestive Health Care CA Healthcare Provider 1424 | Friday | 2018 |
St.Vincent Physician Network | IN | Healthcare Provider | 1423 | 2012-01-26 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | St.Vincent Physician Network IN Healthcare Provider 1423 | Thursday | 2012 |
Medical Mutual of Ohio | OH | Business Associate | 1420 | 2014-01-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | Medical Mutual of Ohio OH Business Associate 1420 | Monday | 2014 |
Union County Board of Developmental Disabilities | OH | Health Plan | 1420 | 2012-11-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 23, 2010, an unencrypted laptop computer containing the protected health information (PHI) of 1,420 individuals with disabilities served by the covered entity (CE), Union County Board of Developmental Disabilities, was stolen from a service consultant’s car. The laptop contained names, dates of birth, social security numbers, Medicare/Medicaid numbers, addresses, behavior plans, diagnoses, guardianship information, phone numbers, email addresses, parents’ names, dates of eligibility, case notes, third party insurance information, and current living arrangements. The CE provided breach notification to HHS, affected individuals, and the media. The CE also reported the theft to the proper authorities, who later recovered the laptop. Following the breach, the CE encrypted its laptops and retrained staff. As a result of OCR’s investigation, the CE implemented written HIPAA policies and procedures, including uses and disclosures, safeguarding PHI and electronic PHI, and breach notification policies and procedures. The CE provided documentation substantiating all actions taken. | Union County Board of Developmental Disabilities OH Health Plan 1420 | Monday | 2012 |
Houston Methodist Hospital | TX | Healthcare Provider | 1417 | 2017-03-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | A workforce member erroneously sent an email disclosing the protected health information (PHI) of 1,417 patients to other patients listed on the email. The CE provided breach notification to HHS, affected individuals, and the media. In response to the incident, the CE implemented an additional technical safeguard to prevent similar situations and re-trained its workforce members on the proper use of email when communicating with patients. OCR obtained assurances that the CE implemented the corrective actions noted above. | Houston Methodist Hospital TX Healthcare Provider 1417 | Friday | 2017 |
The Guidance Center of Westchester | NY | Healthcare Provider | 1416 | 2013-04-17 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On February 22, 2013, a CPU that contained the protected health information (PHI) of 1,416 individuals was stolen from the covered entity (CE), Guidance Center of Westchester. The types of PHI involved in the breach included the individuals’ names, dates of birth, dates of admittance, insurance carriers’ names, home addresses, diagnoses, outpatient treatment authorization requests, social security numbers, treating physicians’ names, case numbers and other identifiable information. Upon discovering the breach, the CE filed a police report and notified the New York State Attorney General’s Office, New York State Office of Cyber Security, New York State Department of State Division of Consumer Protection and the Connecticut Attorney General’s Office. The CE provided breach notification to HHS, affected individuals, and the media and offered one year of free credit monitoring services to affected individuals. As a result of the breach, the CE encrypted all of its desktop and laptop computers and disabled the use of portable devices with a Universal Serial Bus (USB) connection. The CE initiated plans to relocate two of its offices to buildings with security cameras and to install security cameras at another location. OCR obtained assurances that the CE implemented the corrective actions listed above. | The Guidance Center of Westchester NY Healthcare Provider 1416 | Wednesday | 2013 |
Saint Francis Hospital | GA | Healthcare Provider | 1412 | 2018-03-14 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Saint Francis Hospital GA Healthcare Provider 1412 | Wednesday | 2018 |
Inspira Health Network Inc. | NJ | Healthcare Provider | 1411 | 2014-02-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Inspira Health Network Inc. NJ Healthcare Provider 1411 | Friday | 2014 |
Hopebridge | IN | Healthcare Provider | 1411 | 2018-08-31 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Hopebridge IN Healthcare Provider 1411 | Friday | 2018 |
Gessler Clinic, P.A. | FL | Healthcare Provider | 1409 | 2012-06-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Gessler Clinic, P.A. FL Healthcare Provider 1409 | Thursday | 2012 |
UnitedHealth Group Single Affiliated Covered Entity | MN | Health Plan | 1408 | 2016-11-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | UnitedHealth Group Single Affiliated Covered Entity MN Health Plan 1408 | Tuesday | 2016 |
PeaceHealth | WA | Healthcare Provider | 1407 | 2015-11-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A former PeaceHealth employee continued to access the electronic protected health information (ePHI) of the covered entity’s (CE) patients through websites used for third-party prior authorization and insurance verification. Approximately 1,407 individuals were affected by the breach. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses/conditions, medications, medical record numbers, and payor identification numbers. In response to the breach, the CE implemented database tracking for employees who have third party portal access, so that the database will alert management when an employee leaves employment and the portal companies will be immediately contacted to terminate access. The CE provided breach notification to HHS, affected individuals, and the media. The CE also provided one year of free credit monitoring for those individuals whose social security numbers were included in the breach. OCR provided the CE with technical assistance regarding the risk analysis and risk management provisions of the Security Rule. | PeaceHealth WA Healthcare Provider 1407 | Monday | 2015 |
Mount Sinai Medical Center | FL | Healthcare Provider | 1406 | 2015-03-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Mt. Sinai, discovered that an employee was printing paper face sheets in excess of her job duties for an illicit purpose. The face sheets contained the demographic and clinical information of 1,406 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE altered its policies to limit the users allowed to print face sheets. In addition, the CE retrained its workforce and disseminated educational material. OCR obtained assurances that the CE implemented the corrective actions listed. The CE also terminated the employment of the involved employee. | Mount Sinai Medical Center FL Healthcare Provider 1406 | Friday | 2015 |
U.S. HealthWorks | CA | Healthcare Provider | 1400 | 2016-09-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | U.S. HealthWorks, the covered entity (CE), experienced a breach on July 18, 2016 due to the theft of a CE-issued laptop computer and a notebook containing the laptop encryption password from an employee’s automobile. The breach involved the protected health information (PHI) of 1,400 individuals and included patients’ names, clinical information, visit dates, and social security numbers for some patients. The CE provided breach notification to HHS, affected individuals, and the media and also provided substitute notification. Additionally, the CE offered individuals who had their social security numbers involved in the breach one year of complimentary credit monitoring and identity theft protection services. Following the breach, the CE sanctioned the employee involved in the breach and retrained all employees on information security. OCR provided the CE with technical assistance regarding the Security Rule, including risk analysis and risk management. | U.S. HealthWorks CA Healthcare Provider 1400 | Friday | 2016 |
Endocrinology Associates, Inc. | OH | Healthcare Provider | 1400 | 2015-08-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of Endocrinology Associates, the covered entity (CE), after it reported that on June 15, 2015, and June 19, 2015, it discovered that an unauthorized individual had broken and removed the lock securing a portable on demand (POD) storage container that held the protected health information (PHI) of approximately 1,400 individuals. The PHI included individuals’ names, addresses, dates of birth, social security numbers, lab results, diagnoses, and clinical information. The CE provided notification of the breach to the individuals affected by the breach, HHS, and the media. Following the breach, the CE reported the incidents to the local police department, enhanced the physical safeguards applied to the POD storage container, and retrained workforce members on its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Endocrinology Associates, Inc. OH Healthcare Provider 1400 | Friday | 2015 |
VGM Homelink | IA | Business Associate | 1400 | 2014-04-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Tri State Adjustments, of the covered entity (CE), VGM Homelink, committed a programming error which resulted in individuals receiving the wrong billing statements. This breach affected approximately 1,400 individuals and included patients’ names, addresses, insurance information, and the medical equipment provided to them. The CE provided breach notification to HHS, affected individuals, and the media, and placed a notification about the breach on its website. The CE required its BA to implement new safeguards to prevent a similar breach from occurring. As a result of OCR’s investigation, the CE had its BA update its policy and procedures for Breach Rule notification. | VGM Homelink IA Business Associate 1400 | Friday | 2014 |
Rob Meaglia, DDS | CA | Healthcare Provider | 1400 | 2013-12-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Rob Meaglia, DDS CA Healthcare Provider 1400 | Monday | 2013 |
Pousson Family Dentistry | LA | Healthcare Provider | 1400 | 2013-01-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Pousson Family Dentistry LA Healthcare Provider 1400 | Thursday | 2013 |
Robert Wheatley, DDS, PC | MO | Healthcare Provider | 1400 | 2010-11-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Robert Wheatley, DDS, PC MO Healthcare Provider 1400 | Monday | 2010 |
Indiana University Health | IN | Healthcare Provider | 1399 | 2017-11-03 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Indiana University Health IN Healthcare Provider 1399 | Friday | 2017 |
Hancock OB/GYN | IN | Healthcare Provider | 1396 | 2013-08-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Hancock OB/GYN, impermissibly accessed the electronic protected health information (ePHI) of 1,396 individuals without a necessary business reason to do so. The ePHI included names, dates of service, medical record numbers, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE terminated the responsible individual’s employment. As a result of OCR’s investigation, the CE revised its policies and procedures related to safeguarding ePHI and implemented routine audits of employee access to ePHI. | Hancock OB/GYN IN Healthcare Provider 1396 | Monday | 2013 |
MDeverywhere, Inc. | TX | Business Associate | 1396 | 2017-08-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | MDeverywhere, Inc. TX Business Associate 1396 | Thursday | 2017 |
Indiana Regional Medical Center | PA | Healthcare Provider | 1388 | 2011-05-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Indiana Regional Medical Center PA Healthcare Provider 1388 | Monday | 2011 |
Sonoma Valley Hospital | CA | Healthcare Provider | 1386 | 2013-05-24 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Sonoma Valley Hospital CA Healthcare Provider 1386 | Friday | 2013 |
University of Connecticut Health Center | CT | Healthcare Provider | 1382 | 2013-03-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Connecticut Health Center CT Healthcare Provider 1382 | Friday | 2013 |
Molina Healthcare | FL | Health Plan | 1380 | 2017-12-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Molina Healthcare, Inc., the covered entity (CE), made an error when it prepared mailing lists for its business associate (BA), Merrill Communications, LLC, to use when it sent letters to Molina beneficiaries from October 13, 2017 through October 23, 2017. As a result of the error, when the BA sent the letters they were delivered to an incorrect beneficiary. The breach affected 1,380 individuals and the types of protected health information (PHI) listed in the letters included beneficiaries’ names, member identification numbers, dates of service, and the name of the beneficiaries’ physicians. The CE sent timely breach notification to HHS, the affected individuals, and the media. It also offered affected individuals 24 months of free identity theft protection. To mitigate the breach, the CE conducted an outreach campaign to collect copies of the misdirected mail and sanctioned and retrained the responsible employees. OCR obtained assurances that the CE implemented the corrective actions listed above. | Molina Healthcare FL Health Plan 1380 | Thursday | 2017 |
Windsor Health Plan | TN | Business Associate | 1378 | 2011-07-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A third-line sub-contractor of Windsor Health Plan’s business associate (BA), CVS Caremark, changed the printing format on letters mailed to the covered entity’s (CE) members, potentially causing protected health information (PHI) to be visible through the envelope window. The letters included the names, addresses, and some clinical information of 1,378 individuals. RxAmerica, an operating subsidiary of CVS Caremark, subcontracted its mailing services to Accendo, who in turn subcontracted printing services to Progressive Direct Mail (PDM). The CE provided breach notification to HHS and affected individuals; media notification did not occur because the impacted members did not exceed 500 in any single state or geographic area. However, CVS issued a media release regarding the incident. In response to the incident, Accendo conducted a full review of the incident, notified PDM of the formatting error, and ensured it was corrected. Accendo also conducted an onsite visit at the PDM facility and implemented new quality assurance protocols and internal validation steps. OCR obtained written assurances the CE provided the breach notification as indicated above. | Windsor Health Plan TN Business Associate 1378 | Friday | 2011 |
Midwest Womens Healthcare Specialist | MO | Healthcare Provider | 1376 | 2014-08-26 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Midwest Womens Healthcare Specialist MO Healthcare Provider 1376 | Tuesday | 2014 |
Community Health Plan of Washington | WA | Health Plan | 1375 | 2017-01-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On January 3, 2017, the covered entity (CE) reported that on November 3, 2016, Summit Reinsurance, a business associate (BA), indicated it discovered ransomware on one of its computer servers. The breach affected approximately 1,375 individuals’ protected health information (PHI) and included patients’ names, addresses, dates of birth, provider names, and health insurance claim information. The CE provided breach notification to HHS, affected individuals, and the media, and also provided free credit monitoring. The CE revised its policies and procedures related to the nature of the breach. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Community Health Plan of Washington WA Health Plan 1375 | Tuesday | 2017 |
Berkeley Endocrine Clinic | CA | Business Associate | 1370 | 2016-05-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE) reported to OCR that it disclosed electronic protected health information (ePHI) when it inadvertently sent a notification to 1,370 individuals without blind copying the recipients. The ePHI involved in the breach included patients’ first and last names and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised administrative procedures for email communications, enhanced technical measures (including encryption for desktop computers), and retrained staff. OCR’s investigation resulted in the CE enhancing its practices for safeguarding ePHI. | Berkeley Endocrine Clinic CA Business Associate 1370 | Tuesday | 2016 |
County of San Bernardino Department of Public Health | CA | Healthcare Provider | 1370 | 2012-11-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | County of San Bernardino Department of Public Health CA Healthcare Provider 1370 | Thursday | 2012 |
Duke University Health System | NC | Healthcare Provider | 1370 | 2012-03-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Duke University Health System NC Healthcare Provider 1370 | Friday | 2012 |
Coast Healthcare Management, LLC | CA | Business Associate | 1368 | 2013-02-12 | Other | Theft | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Coast Healthcare Management, LLC CA Business Associate 1368 | Tuesday | 2013 |
Loma Linda University Medical Center (LLUMC) | CA | Healthcare Provider | 1366 | 2012-02-08 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Loma Linda University Medical Center (LLUMC) CA Healthcare Provider 1366 | Wednesday | 2012 |
Ferguson Advertising, Inc. | IN | Business Associate | 1361 | 2014-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Ferguson Advertising, Inc. IN Business Associate 1361 | Friday | 2014 |
Oregon Health & Science University | OR | Healthcare Provider | 1361 | 2013-07-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.” OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and the State of Oregon. | Oregon Health & Science University OR Healthcare Provider 1361 | Sunday | 2013 |
The Kent Center | RI | Healthcare Provider | 1361 | 2010-09-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A briefcase containing paper documents including the protected health information (PHI) of approximately 1,361 individuals was stolen from an employee’s car. The types of PHI involved in the breach included clients’ names, dates of birth, and for a small number of clients, limited clinical information. The covered entity (CE), The Kent Center, provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE sanctioned the employee involved, revised its confidentiality policy related to safeguarding client lists, and re-trained its employees. Additionally, as a result of OCR’s investigation the CE revised and updated its breach notification policies and reinforced the requirements of the Privacy and Breach Rules to its employees. | The Kent Center RI Healthcare Provider 1361 | Friday | 2010 |
Comprehensive Podiatry LLC | OH | Healthcare Provider | 1360 | 2013-09-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Comprehensive Podiatry LLC OH Healthcare Provider 1360 | Friday | 2013 |
Houston Methodist Hospital | TX | Healthcare Provider | 1359 | 2017-09-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Houston Methodist Hospital TX Healthcare Provider 1359 | Monday | 2017 |
HealthSouth Rehabilitation Hospital of Round Rock | TX | Healthcare Provider | 1359 | 2015-12-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The CE reported that an employee’s unencrypted laptop computer was stolen from a vehicle. The CE determined that the laptop, which was password-protected, potentially included local copies of e-mails containing individuals’ names, addresses, dates of birth, social security numbers, phone numbers, insurance numbers, diagnoses, referral identification numbers or medical record numbers. The CE provided breach notification to HHS, affected individuals, and the media. At the time of the incident, the CE was in the process of acquiring another facility and encrypting laptops owned by the facility. In response to the breach, the CE took additional steps to locate and secure any other remaining laptops owned by the facility it was acquiring. Further, the CE implemented additional technical safeguards to prevent similar breaches and sanctioned the involved workforce member. OCR obtained assurances that the CE implemented the corrective actions listed above. | HealthSouth Rehabilitation Hospital of Round Rock TX Healthcare Provider 1359 | Thursday | 2015 |
Dino-Peds | CO | Healthcare Provider | 1357 | 2018-05-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Dino-Peds CO Healthcare Provider 1357 | Wednesday | 2018 |
InfoCrossing, Inc. | MO | Business Associate | 1357 | 2013-08-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | InfoCrossing, Inc. MO Business Associate 1357 | Tuesday | 2013 |
Missouri Department of Social Services | MO | Business Associate | 1357 | 2013-08-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On June 6, and August 13, 2013, the covered entity (CE), Missouri Department of Social Services, discovered that its business associate (BA), InfoCrossing Inc., mailed Missouri Medicaid (MO) participants’ enrollment correspondence to incorrect addresses during the period of October 16, 2011 to June 7, 2013. The correspondence contained MO Medicaid participants’ names, dates of birth, MO Medicaid account numbers, counties, phone numbers, and the last four digits of participants’ Social Security numbers, affecting approximately 1,546 individuals. The CE provided breach notification to HHS, affected individuals, and the media, as well as the Missouri Attorney General’s Office. To prevent similar breaches from happening in the future, the CE deleted all its participants’ mailing addresses from its system and provided training to its workforce on its policies and procedures regarding cybersecurity awareness. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Missouri Department of Social Services MO Business Associate 1357 | Friday | 2013 |
Heart Center of Southern Maryland, L.L.P. | MD | Healthcare Provider | 1350 | 2016-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Between June 2, 2016 and June 7, 2016, a staff member of the covered entity (CE), Heart Center of Southern Maryland, LLP, copied patient profile information from the CE’s system and pasted it onto her computer. The staff member inappropriately permitted a third party to access her computer and disclosed the protected health information of 1,350 individuals who were treated by a physician who was leaving his employment with the CE. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained the CE’s Security Rule policies and procedures and confirmed that the CE provided employee training. OCR determined that the actions were committed by a rogue employee who is no longer employed with the CE. | Heart Center of Southern Maryland, L.L.P. MD Healthcare Provider 1350 | Thursday | 2016 |
Lister Healthcare | AL | Healthcare Provider | 1349 | 2016-11-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 10, 2016, the covered entity (CE), Lister Healthcare Corporation, discovered that a physician employee downloaded protected health information (PHI) from the CE’s electronic health records (EHR) system on her last day of employment. The PHI downloaded by the employee included the PHI of patients that she had never treated in any capacity and that she sought to solicit. The types of PHI involved in the breach included patients’ names, addresses, dates of birth, gender, social security numbers, telephone numbers, email addresses, employment status, marital status, race, ethnicity and insurance payer information, potentially affecting 1,349 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE contacted its EHR provider to prevent employees from downloading, printing or otherwise transferring any PHI from the EHR system without first obtaining the express approval of the CE’s Chief Executive Officer. Additionally, the CE hired outside counsel to re-train its workforce members regarding HIPAA and their obligations with respect to this breach. The CE also reviewed its HIPAA policies and procedures to strengthen them as appropriate to prevent another incident such as this breach incident or another breach of PHI from occurring again in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lister Healthcare AL Healthcare Provider 1349 | Wednesday | 2016 |
Public Education Employees’ Health Insurance Plan | AL | Health Plan | 1349 | 2016-09-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Public Education Employees’ Health Insurance Plan, discovered that as a result of an information technology (IT) upgrade some documents that included protected health information (PHI) related to multiple members inadvertently became viewable to other members through its Member Online System (MOS). The PHI involved in the breach included members’ and dependents’ names, program identification numbers, birth dates, and retirement dates pertaining to 1,349 individuals. Some of the documents also contained social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. The CE provided credit monitoring services to all affected individuals for 12 months at no cost to them. In response to the breach, the CE investigated and worked in conjunction with Deloitte (the company hired to provide software and professional services for the new IT system) to revise the newly implemented software coding to terminate access to the documents involved in this incident. The CE and Deloitte were able to apply an emergency fix on the same day that the incident was discovered. Additionally, the CE revised its internal protocols for uploading documents. OCR obtained assurances that the CE implemented the corrective actions listed above. | Public Education Employees’ Health Insurance Plan AL Health Plan 1349 | Friday | 2016 |
Freeport Memorial Hospital | IL | Healthcare Provider | 1349 | 2016-02-26 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Freeport Memorial Hospital, reported the theft of a computer hard drive from the private office of an employee and that the device was later located at a secure non-public area of the hospital. The CE provided breach notification to HHS, the media, and the affected individuals, including the offer of free credit monitoring to the affected individuals. The CE also filed a police report regarding the incident. The number of individuals affected by the breach was 1,349. The protected health information (PHI) included patients’ diagnosis/conditions, medications and other treatment information. Following the incident, the CE required users of the affected computer to change individual passwords, reviewed its safeguards, and conducted an audit, which determined that the PHI was not accessed. The CE also implemented an alert system for the records of the individuals affected by the breach, implementing additional safeguards for those records. In response to the breach, the CE also expanded its encryption program to include all electronic devices. OCR obtained verification from the CE that a complete review of its encryption process, and its information security system policies was undertaken. | Freeport Memorial Hospital IL Healthcare Provider 1349 | Friday | 2016 |
FastHealth Corporation | AL | Business Associate | 1345 | 2018-02-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | FastHealth Corporation AL Business Associate 1345 | Tuesday | 2018 |
Sharon J. Jones, M.D. | CA | Business Associate | 1342 | 2015-05-19 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Paper/Films | NA | NA | NA | NA | NA | Yes | A burglar broke into the office of the covered entity (CE) and stole 17 paper patient charts, an unencrypted desktop computer, two unencrypted laptop computers, and one encrypted computer server. The breach affected approximately 1,342 individuals’ protected health information (PHI) and included demographic, financial, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also established a dedicated call center to answer questions related to the incident and offered free credit monitoring to the affected individuals. Following the breach, the CE moved to a more secure locale and completed risk analyses in July 2015 and February 2016. The CE implemented a risk mitigation plan to reflect the current work environment, updated its policies and procedures on mobile devices, enhanced physical security, and trained workforce members on security awareness. OCR provided technical assistance regarding the HIPAA Security Rule and obtained assurances that the CE implemented the corrective actions listed above. | Sharon J. Jones, M.D. CA Business Associate 1342 | Tuesday | 2015 |
Sharon J. Jones M.D. | CA | Healthcare Provider | 1342 | 2015-03-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Sharon J. Jones, after it reported a breach of 1,342 patients’ protected health information (PHI) when its office was burglarized on January 8, 2015. The CE immediately reported the incident to local law enforcement. The compromised PHI included a combination of first and last names, dates of birth, addresses, telephone numbers, social security numbers, medical insurance information, medical records, and the last four digits of credit card numbers. The CE provided breach notification to HHS, affected individuals, and the media and provided affected individuals with complimentary identity theft protection for one year. Following the breach the CE improved safeguards for paper PHI, especially after having a second burglary on March 20, 2015, which resulted in another breach that OCR investigated separately. The CE secured a new office lease and moved its operations to a more secure building and location. It drafted a facility security plan and implemented physical security enhancements, such as utilizing interior locks, installing alarms and cameras, and shredding unnecessary paper documents. The CE also updated its policies and procedures and provided additional training to its workforce members. OCR obtained assurances that the CE implemented the corrective action listed above. | Sharon J. Jones M.D. CA Healthcare Provider 1342 | Thursday | 2015 |
Luque Chiropractic, Inc. | CA | Healthcare Provider | 1341 | 2016-11-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On September 18, 2016, a business associate (BA), EMR4all Inc., notified the covered entity (CE), Luque Chiropractic, Inc., that the BA’s Amazon “S3” storage account was subject to unauthorized access. The breach affected the protected health information (PHI) of approximately 1,341 individuals and included patients’ names, dates of birth, treatment locations, treatment dates, social security numbers, driver’s license numbers, and diagnoses. The CE provided breach notification to affected individuals, the media, and HHS. The CE also provided free credit monitoring for affected individuals. The CE terminated its business relationship with the BA and revised its HIPAA policies and procedures. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Luque Chiropractic, Inc. CA Healthcare Provider 1341 | Thursday | 2016 |
Houston Methodist Hospital | TX | Healthcare Provider | 1341 | 2014-01-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Houston Methodist Hospital TX Healthcare Provider 1341 | Thursday | 2014 |
Ventura County Health Care Agency | CA | Healthcare Provider | 1339 | 2015-05-06 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Ventura County Health Care Agency, discovered that a backpack containing documents for 1,399 patients was left at an elementary school after it was stolen from an employee’s car. All of the files were intact, and the types of protected health information (PHI) involved in the breach included names, balances owed, and internal account numbers. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE sanctioned the workforce member in question and retrained staff. The CE also provided OCR with additional documentation, specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. Additionally, the CE provided OCR with written assurance that it provided refresher reminders to all staff members about its HIPAA Privacy policies and procedures. | Ventura County Health Care Agency CA Healthcare Provider 1339 | Wednesday | 2015 |
Complete Family Medicine, LLC | NE | Healthcare Provider | 1331 | 2018-04-30 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Complete Family Medicine, LLC NE Healthcare Provider 1331 | Monday | 2018 |
Premier Family Care I, Inc. | TX | Healthcare Provider | 1326 | 2016-07-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On April 8, 2016, representatives of Midland Memorial Hospital notified the covered entity (CE), Premier Family Care I, Inc., that some of the CE’s patient documents had been discovered, unsecured, in a room of a former employee’s residence during foreclosure proceedings. The documents contained the protected health information (PHI) of approximately 1,326 individuals and included patients’ names, dates of birth, social security numbers, addresses and zip codes, diagnoses/conditions, lab results, medications and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE secured the involved records, updated its HIPAA policies, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Premier Family Care I, Inc. TX Healthcare Provider 1326 | Wednesday | 2016 |
UC Davis Medical Center, Privacy Manager Breach | CA | Healthcare Provider | 1326 | 2014-10-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | UC Davis Medical Center, Privacy Manager Breach CA Healthcare Provider 1326 | Wednesday | 2014 |
Rocky Mountain Health Maintenance Organization, Inc. | CO | Health Plan | 1320 | 2017-03-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On January 23, 2017, the covered entity (CE), Rocky Mountain Health Maintenance Organization, Inc., mailed letters containing protected health information (PHI) to incorrect recipients. The types of PHI involved in the breach included demographic information, and the last four digits of social security numbers or dates of birth for approximately 1,320 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE investigated the cause of the breach and revised its related HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | Rocky Mountain Health Maintenance Organization, Inc. CO Health Plan 1320 | Friday | 2017 |
Albertina Kerr Centers | OR | Healthcare Provider | 1320 | 2014-10-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Thieves took two notebook computers belonging to the covered entity (CE), Albertina Kerr Centers, which contained the electronic protected health information (ePHI) of 1,320 patients. The CE reported the burglary to the local law enforcement, but neither computer was recovered. The computers were encrypted, but certain cache files for email were unencrypted. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, phone numbers, medications, and treatments. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. To prevent a similar breach from happening in the future, the CE enhanced mobile device security and encryption, improved the physical security of its facility, revised its policies and procedures, and retrained its workforce members. OCR obtained assurances that the CE implemented the corrective actions listed. | Albertina Kerr Centers OR Healthcare Provider 1320 | Monday | 2014 |
University of Maryland Orthopaedic Associates, P.A. | MD | Healthcare Provider | 1320 | 2017-01-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Maryland Orthopaedic Associates, P.A. MD Healthcare Provider 1320 | Friday | 2017 |
North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities | NC | Healthcare Provider | 1315 | 2013-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), North Carolina Department of Health and Human Services Division of State Operated Health Care Facilities, impermissibly disclosed the protected health information (PHI) of 1,315 individuals by exposing their PHI on its website, NC Open Book, without authorizations. The PHI involved in the breach included patient payment information, names, addresses, and facility names, which were erroneously posted as vendor payments on the website. The CE removed the information from the website immediately upon discovery. The CE also provided breach notification to HHS, affected individuals, and the media, and placed substitute notice on its website. In addition, the CE provided a toll-free phone number for affected individuals to obtain additional information. Following the breach the CE implemented procedures limiting the types of personally identifiable information that are disclosed in the accounting system. Additionally, the CE improved safeguards for all HIPAA-related documents and email correspondence containing PHI. Finally, the CE implemented a procedure that requires prior review of any data being released to the public and redaction of confidential information. OCR obtained assurances that the corrective actions listed above were completed. | North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities NC Healthcare Provider 1315 | Friday | 2013 |
California Department of Developmental Services, Privacy Manager Breach | CA | Healthcare Provider | 1312 | 2013-01-15 | Hacking/IT Incident | Improper Disposal | Loss | Other | Theft | Unauthorized Access/Disclosure | Desktop Computer | Electronic Medical Record | Laptop | Network Server | Other Portable Electronic Device | Paper/Films | NA | NA | No | NA | California Department of Developmental Services, Privacy Manager Breach CA Healthcare Provider 1312 | Tuesday | 2013 |
Dean Health Plan | WI | Health Plan | 1311 | 2018-06-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Dean Health Plan WI Health Plan 1311 | Friday | 2018 |
CaroMont Medical Group | NC | Healthcare Provider | 1310 | 2013-10-04 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On August 8, 2013, the covered entity (CE), CaroMont Medical Group, performed an internal audit that found an unencrypted email was sent by an employee on August 5, 2013. The employee emailed a spreadsheet to her personal email containing the following protected health information (PHI) for 1,310 individuals: patients' names, dates of birth, medical record numbers, insurance providers, insurance numbers, diagnoses, and two Medicaid/Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, updated its secure email policy, and required employees to attest to reviewing the new policy. The CE trained staff on data privacy and information security, and it implemented security controls for the encryption of all external emails containing an attachment. OCR obtained assurances that the CE implemented the corrective actions noted above. | CaroMont Medical Group NC Healthcare Provider 1310 | Friday | 2013 |
Anne Arundel Dermatology, P.A. | MD | Healthcare Provider | 1310 | 2018-08-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Anne Arundel Dermatology, P.A. MD Healthcare Provider 1310 | Thursday | 2018 |
Wright State Physicians | OH | Healthcare Provider | 1309 | 2010-08-03 | Other | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On June 11, 2010, a laptop computer containing protected health information (PHI) was mistakenly discarded in the trash. The laptop contained the PHI of approximately 1,309 individuals. The PHI involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. | Wright State Physicians OH Healthcare Provider 1309 | Tuesday | 2010 |
Palomar Health (Palomar Medical Center (Escondido) | CA | Healthcare Provider | 1309 | 2018-01-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Palomar Health (Palomar Medical Center (Escondido) CA Healthcare Provider 1309 | Monday | 2018 |
James M. McGee, D.M.D., P.C. | GA | Healthcare Provider | 1306 | 2012-11-27 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity's (CE) locked storage unit was broken into and hard copies of 1,306 patients' medical records were stolen. The types of protected health information (PHI) in records included patients' full names, social security numbers, home addresses, telephone numbers, dental charts, insurance information, and payment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE repaired the door to the storage unit, added a professional lock, and destroyed outdated patient records. The CE retrained staff, deployed new practice management software for storage of electronic patient records, and transferred storage of paper records on-site. OCR obtained assurances that the CE implemented the corrective actions listed above. | James M. McGee, D.M.D., P.C. GA Healthcare Provider 1306 | Tuesday | 2012 |
Open Cities Health Center | MN | Healthcare Provider | 1304 | 2014-06-05 | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Open Cities Health Center MN Healthcare Provider 1304 | Thursday | 2014 |
Progressions Behavioral Health Services, Inc. | PA | Healthcare Provider | 1303 | 2018-06-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Progressions Behavioral Health Services, Inc. PA Healthcare Provider 1303 | Monday | 2018 |
Sutter Valley Medical Foundation d/b/a Sutter Medical Foundation | CA | Healthcare Provider | 1303 | 2017-11-22 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Sutter Valley Medical Foundation d/b/a Sutter Medical Foundation CA Healthcare Provider 1303 | Wednesday | 2017 |
RiverMend Health, LLC | GA | Healthcare Provider | 1300 | 2017-10-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | RiverMend Health, LLC GA Healthcare Provider 1300 | Monday | 2017 |
Michael Benjamin, M.D., Inc. | CA | Healthcare Provider | 1300 | 2015-12-28 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Michael Benjamin, M.D., Inc., reported that the office and file cabinets were broken into and patient charts containing protected health information (PHI) were taken. The types of PHI involved in the breach included demographic information, recorded vital signs, insurance eligibility information, and some copies of insurance cards and driver's licenses or identification. Although 1,300 patient charts were in the cabinet, only 100 were actually taken, and 30 of the 100 were recovered from law enforcement. The CE provided breach notification to affected individuals, HHS, and the media. Following the break-in, the CE implemented more robust HIPAA policies and procedures. The CE improved safeguards by reinforcing the physical security of its office. OCR obtained assurances that the CE implemented the corrective actions noted above. | Michael Benjamin, M.D., Inc. CA Healthcare Provider 1300 | Monday | 2015 |
HealthPoint | WA | Healthcare Provider | 1300 | 2015-11-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported a breach concerning the theft of a laptop computer from its medical office. The laptop was used for eye scans and contained the names, dates of birth, and medical record numbers of 1,300 patients. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR's investigation, and to prevent a similar breach from happening in the future, the CE undertook a comprehensive risk analysis, encrypted its mobile devices, and ensured that physical safeguards were in place. It also retrained employees and revised its security policies and procedures. | HealthPoint WA Healthcare Provider 1300 | Friday | 2015 |
UHS-Pruitt Corporation | GA | Healthcare Provider | 1300 | 2013-11-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A manager's unencrypted laptop computer was stolen from a hotel parking lot; the laptop also held the employee's login and system password and the covered entity's (CE) long term care software application. The laptop contained 1,300 individuals' protected health information (PHI) and included names, social security numbers, addresses, dates of birth, bank account numbers, Medicare numbers, possible diagnoses, and patient locations. Following the breach, the CE changed the employee's password and performed an analysis to ensure no attempts had been made to access the system and long term care application using the prior account and password. The CE improved safeguards by encrypting electronic devices and employing devices that do not allow local storage. The CE has also re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. | UHS-Pruitt Corporation GA Healthcare Provider 1300 | Friday | 2013 |
CardioNet, Inc | PA | Healthcare Provider | 1300 | 2012-01-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | CardioNet, Inc PA Healthcare Provider 1300 | Tuesday | 2012 |
Freda J Bowman MD PA | TX | Healthcare Provider | 1300 | 2011-09-20 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Freda J Bowman MD PA TX Healthcare Provider 1300 | Tuesday | 2011 |
Carle Clinic Association | IL | Healthcare Provider | 1300 | 2010-01-28 | Theft | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Carle Clinic Association IL Healthcare Provider 1300 | Thursday | 2010 |
UNC Health Care | NC | Healthcare Provider | 1298 | 2017-03-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | UNC Health Care NC Healthcare Provider 1298 | Monday | 2017 |
Visiting Nurse Services of Iowa | IA | Healthcare Provider | 1298 | 2012-07-16 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Visiting Nurse Services of Iowa IA Healthcare Provider 1298 | Monday | 2012 |
Utah Department of Workforce Services | UT | Business Associate | 1298 | 2010-10-13 | Other | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | Yes | NA | Utah Department of Workforce Services UT Business Associate 1298 | Wednesday | 2010 |
Colorado River Indian Tribes | AZ | Healthcare Provider | 1296 | 2014-11-14 | Other | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity's (CE) health care component, Department of Health and Human Services, emailed a file containing electronic protected health information (ePHI) to his personal web-based email account in October 2013 to complete his work off-site. The breach affected the ePHI of 1,296 individuals, including demographic, financial, clinical, and other information. The CE provided breach notifications to individuals, the media, and HHS. Following the breach, the CE sanctioned the involved employee and retrained employees. It also strengthened its administrative, technical and physical safeguards for ePHI, analyzed risks to its ePHI, and took steps to manage risks regarding ePHI. It also revised its written security policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | Colorado River Indian Tribes AZ Healthcare Provider 1296 | Friday | 2014 |
Local 693 Plumbers & Pipefitters Health & Welfare Fund | VT | Health Plan | 1291 | 2017-03-13 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Local 693 Plumbers & Pipefitters Health & Welfare Fund VT Health Plan 1291 | Monday | 2017 |
ICS Collection Service, Inc. | IL | Business Associate | 1290 | 2013-09-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | ICS Collection Service, Inc. IL Business Associate 1290 | Friday | 2013 |
InterAct of Michigan, Inc. | MI | Healthcare Provider | 1290 | 2018-08-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | InterAct of Michigan, Inc. MI Healthcare Provider 1290 | Tuesday | 2018 |
University of Missouri Health Care | MO | Healthcare Provider | 1288 | 2011-06-23 | Unknown | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Missouri Health Care MO Healthcare Provider 1288 | Thursday | 2011 |
Medco Health Solutions, Inc. | NJ | Healthcare Provider | 1287 | 2012-02-13 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Medco Health Solutions, Inc., reported that it mailed letters that contained the protected health information (PHI) of 4,341 individuals to incorrect addresses due to a corruption of data in the mailing software programming code. After conducting a risk assessment, the CE determined that the actual number of affected individuals was 1,287. The PHI included names, medication names, and prescription numbers. The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. As a result of OCR’s investigation, the CE corrected the update to its mailing software system and established a manual quality check process. The CE also implemented the use of a daily automated surveillance system for its mailing software. | Medco Health Solutions, Inc. NJ Healthcare Provider 1287 | Monday | 2012 |
Diana S. Guth DBA Home Respiratory Care | CA | Healthcare Provider | 1285 | 2015-01-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Home Respiratory Care, reported a breach of 1,285 individuals' electronic protected health information (ePHI), as a result of a workforce member emailing holiday cards and newsletters to its patients in a group email without masking the recipients' addresses. This action, or lack thereof, left every recipient's email address exposed, which may have included names, as well as an implicit indication that the individual had received respiratory treatment. The CE provided OCR with evidence that it responded to the security incident and undertook steps to prevent the risk of future security incidents by implementing new mail merge safeguards; implementing new, technical safeguards; sanctioning the workforce members involved; and re-training the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule. | Diana S. Guth DBA Home Respiratory Care CA Healthcare Provider 1285 | Wednesday | 2015 |
FOOTHILLS NEPHROLOGY, PC | SC | Healthcare Provider | 1280 | 2011-06-09 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A company-issued laptop computer containing the protected health information (PHI) of approximately 1,280 individuals was stolen from the vehicle of a covered entity’s (CE) employee. The PHI included demographic and clinical information. The CE provided breach notification to the affected individuals, HHS, and the media and created a toll-free number for information regarding the incident. As a result of this incident, the CE contacted law enforcement, retrained staff on the use of portable media, and initiated a risk analysis. Following the OCR investigation, the CE reviewed and updated its policies and procedures to ensure adequate safeguards, instituted a new electronic medical records system which encrypts medical information, updated password requirements for computers, and retrained employees. | FOOTHILLS NEPHROLOGY, PC SC Healthcare Provider 1280 | Thursday | 2011 |
University of South Florida, USF Health Care | FL | Healthcare Provider | 1279 | 2017-12-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | University of South Florida, USF Health Care FL Healthcare Provider 1279 | Monday | 2017 |
UPMC | PA | Healthcare Provider | 1279 | 2013-11-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee impermissibly accessed the protected health information (PHI) of 1,279 individuals. The types of PHI accessed included names, dates of birth, social security numbers, and addresses, as well as clinical information. The covered entity (CE), UPMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the employee and notified law enforcement. OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule. | UPMC PA Healthcare Provider 1279 | Wednesday | 2013 |
Sound Community Services, Inc. | CT | Healthcare Provider | 1278 | 2017-05-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Sound Community Services, Inc. CT Healthcare Provider 1278 | Friday | 2017 |
New Dimension Group, LLC | NC | Healthcare Provider | 1275 | 2015-11-25 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity ("CE"), New Dimensions Group, LLC, discovered that on September 29, 2015, three unencrypted flash drives were reported missing. The breach affected 1,200 individuals, and the protected health information (PHI) that was potentially exposed included names, dates of birth, social security numbers, driver's license numbers, and clinical information. The CE provided timely breach notification to HHS, to affected individuals, and on its website. Media notification was issued to the Duplin Times and the Star News. The CE provided free credit monitoring for the affected individuals for 12 months. In response to the breach, the CE banned the use of flash drives, developed policies and procedures for media and device controls, and updated its policies and procedures to protect patient PHI. The CE purchased new software to encrypt emails containing PHI and trained employees on its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | New Dimension Group, LLC NC Healthcare Provider 1275 | Wednesday | 2015 |
SAY San Diego | CA | Healthcare Provider | 1272 | 2017-12-22 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | SAY San Diego CA Healthcare Provider 1272 | Friday | 2017 |
South Bend Orthopaedic Associates Inc | IN | Healthcare Provider | 1272 | 2017-08-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | South Bend Orthopaedic Associates Inc IN Healthcare Provider 1272 | Friday | 2017 |
CareCore National | SC | Business Associate | 1270 | 2010-09-20 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CareCore National SC Business Associate 1270 | Monday | 2010 |
The University of Texas MD Anderson Cancer Center | TX | Healthcare Provider | 1266 | 2018-05-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | The University of Texas MD Anderson Cancer Center TX Healthcare Provider 1266 | Thursday | 2018 |
Metropolitan Community Health Services, Inc. | NC | Healthcare Provider | 1263 | 2011-06-09 | Unknown | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Metropolitan Community Health Services, Inc. NC Healthcare Provider 1263 | Thursday | 2011 |
New Jersey Department of Human Services | NJ | Health Plan | 1263 | 2018-06-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | New Jersey Department of Human Services NJ Health Plan 1263 | Friday | 2018 |
Nephropathology Associates, PLC | AR | Healthcare Provider | 1260 | 2015-10-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On July 30, 2015, a physician e-mailed a spreadsheet containing 1,260 patients' names and clinical information to a vendor that the covered entity (CE), Nephropathology Associates, PLC, was considering for a potential project. The CE notified the hospitals that had referred its patients to the CE and provided breach notification to HHS and affected individuals. The CE did not contact the media because the impermissible disclosures affected less than 500 patients in any one state. Following the breach, the CE obtained assurances from the vendor that it destroyed all files and e-mails that it received from the CE or created using the protected health information (PHI) and that the electronic PHI (ePHI) was not copied or transferred to any other entity. As a result of this incident, the CE issued a written warning to the responsible workforce member and also retrained the employee regarding safeguarding PHI. The CE reminded workforce members to safeguard PHI, including ePHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | Nephropathology Associates, PLC AR Healthcare Provider 1260 | Friday | 2015 |
Health Texas Provider Network | TX | Healthcare Provider | 1259 | 2011-09-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop possibly containing the electronic protected health information (ePHI) of 1,259 patients was stolen from an employee's personal vehicle. The ePHI that was potentially involved in the breach included patients' names, contact information, social security numbers, dates of birth, diagnoses, account numbers, physician names, types of procedures and services, dates of service, and health insurance information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE terminated the employee. As a result of OCR's investigation, the CE updated its encryption policies and procedures to require and verify the encryption of computers before use, and conducted mandatory annual computer safety training. | Health Texas Provider Network TX Healthcare Provider 1259 | Friday | 2011 |
Midwest Orthopaedics at Rush, LLC | IL | Healthcare Provider | 1256 | 2014-03-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On February 10, 2014, an unknown party gained unauthorized access to the personal email account of a physician at Midwest Orthopaedics at Rush, the covered entity (CE), disclosing protected health information (PHI) that affected approximately 1,256 individuals. The emails contained electronic PHI including names, physicians' surgical schedules, surgical descriptions, codes, dates and instructions. The CE provided breach notification to HHS, affected individuals, and the media. The CE also conducted an investigation and determined the root cause of the breach. Additionally, the CE disabled the physician's Gmail account to which the PHI was sent, and trained the physician and his staff on the use of the secure email. The CE revised email procedures by eliminating all external email addresses from the CE's distribution list of physicians and support staff and discontinued the use of outside email addresses for sending or receiving of PHI. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Midwest Orthopaedics at Rush, LLC IL Healthcare Provider 1256 | Monday | 2014 |
Associated Dermatology & Skin Cancer Clinic of Helena, PC | MT | Healthcare Provider | 1254 | 2018-06-28 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Associated Dermatology & Skin Cancer Clinic of Helena, PC MT Healthcare Provider 1254 | Thursday | 2018 |
Baylor Medical Center at McKinney | TX | Healthcare Provider | 1253 | 2014-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Baylor Medical Center at McKinney TX Healthcare Provider 1253 | Friday | 2014 |
Apple Valley Care Center | CA | Healthcare Provider | 1251 | 2014-08-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Apple Valley Care Center CA Healthcare Provider 1251 | Tuesday | 2014 |
Franciscan Medical Group | WA | Healthcare Clearing House | 1250 | 2011-01-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Franciscan Medical Group WA Healthcare Clearing House 1250 | Thursday | 2011 |
California Therapy Solutions | CA | Healthcare Provider | 1250 | 2010-12-22 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | California Therapy Solutions CA Healthcare Provider 1250 | Wednesday | 2010 |
MultiCare Health System | WA | Healthcare Provider | 1249 | 2017-01-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | MultiCare Health System WA Healthcare Provider 1249 | Thursday | 2017 |
Clinton County Board of Developmental Disabilities | OH | Healthcare Provider | 1243 | 2017-05-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On May 5, 2017, the covered entity (CE) reported that on March 16, 2017, it discovered that a person accessed its computer server and deployed ransomware, which prevented the CE's employees from accessing data on its server. The server contained patients' clinical information, diagnoses, conditions, and other treatment information and affected approximately 1,243 individuals. The CE provided notification to HHS, affected individuals, and the media. It also reported the matter to the Clinton County Ohio Prosecutor's office and the Clinton County Administrator. To prevent similar breaches from happening in the future, the CE decommissioned the affected server, migrated to a cloud solution, and upgraded its anti-virus software to a managed solution monitored by help desk staff. The CE also updated its policy and procedure regarding passwords, implemented its software restrictions policy, and trained its workforce on its policies and procedures regarding HIPAA and safeguards for PHI. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | Clinton County Board of Developmental Disabilities OH Healthcare Provider 1243 | Friday | 2017 |
University of California, Los Angeles Health | CA | Healthcare Provider | 1242 | 2015-09-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | University of California, Los Angeles Health CA Healthcare Provider 1242 | Tuesday | 2015 |
Walgreen Co. | IL | Healthcare Provider | 1240 | 2012-07-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Walgreen Co. IL Healthcare Provider 1240 | Monday | 2012 |
Beacon Health System | IN | Healthcare Provider | 1239 | 2017-05-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Beginning on or around March 1, 2014, an employee of the covered entity (CE), Beacon Health System, impermissibly accessed Emergency Room (ER) patient records while working in the billing department. The employee had access to protected health information (PHI) for 1,239 ER patients, including addresses, dates of birth, names, social security numbers, ages, room numbers, claims information, billing, accounts, invoices, health insurance, illness, and chief complaint. The CE provided breach notification to HHS, affected individuals and the media. It also provided credit monitoring to affected individuals. Following the breach, the CE sanctioned the employee in accordance with its sanction policy. During our investigation, we found that a large number of the CE’s staff either did not complete HIPAA training or only completed a portion of the training for 2016. OCR requested that the CE update its HIPAA training policy and audit policy. In response, the CE provided OCR with documentation of actions it took, including redrafting its HIPAA training policy, updating its audit policy and providing evidence of daily audits and log runs. | Beacon Health System IN Healthcare Provider 1239 | Friday | 2017 |
HP Enterprise Services, LLC | TX | Business Associate | 1235 | 2016-11-07 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | HP Enterprise Services, LLC, a business associate (BA) of the Indiana Family Social Services Administration, reported the theft of a laptop bag from an employee’s vehicle. The bag contained an encrypted laptop computer and an unsecured printed report which contained the protected health information (PHI) of 1,235 individuals. The PHI included demographic information. The BA provided breach notification to HHS, affected individuals, and the media and offered the affected individuals free credit monitoring services. Following the breach, the BA sanctioned the employee responsible for the breach in accordance with its sanction policy. As a result of OCR’s investigation, the BA updated its policies and procedures to prevent similar incidents. As a result of OCR’s investigation, OCR provided technical assistance regarding breach notification requirements and the BA revised its breach notification template. | HP Enterprise Services, LLC TX Business Associate 1235 | Monday | 2016 |
Valley COmmunity Healthcare | CA | Healthcare Provider | 1233 | 2015-03-06 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On February 24, 2015, the covered entity (CE), Valley Community Healthcare, discovered that a laptop computer connected to the EKG/ECG machine was missing, and it was never recovered. The password protected, unencrypted laptop contained the demographic information of 1,233 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE evaluated the threats and vulnerabilities to its electronic protected health information. In addition, the CE implemented encryption pursuant to the Security Rule and increased the frequency of emails reminding employees to change their passwords. OCR obtained assurances that the CE implemented the corrective actions noted above. | Valley COmmunity Healthcare CA Healthcare Provider 1233 | Friday | 2015 |
County of Wayne Department of Personnel/Human Resources Benefits Administration Division | MI | Health Plan | 1229 | 2012-04-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | County of Wayne Department of Personnel/Human Resources Benefits Administration Division MI Health Plan 1229 | Friday | 2012 |
University of Miami | FL | Healthcare Provider | 1219 | 2012-01-30 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted USB drive was stolen from the vehicle of a University of Miami pathologist. The drive contained the electronic protected health information (ePHI) of 1,219 patients, including names, ages, diagnoses, and treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. It also established a website related to the breach and offered credit monitoring to affected individuals. Following the breach, the CE implemented sanctions by ceasing relations with the pathologist (an independent contractor) and retrained personnel on safeguards, notably encryption, data protection and security awareness. OCR obtained assurances that the corrective actions listed above were completed. | University of Miami FL Healthcare Provider 1219 | Monday | 2012 |
Fairview Health Services | MN | Healthcare Provider | 1215 | 2011-04-14 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Fairview Health Services MN Healthcare Provider 1215 | Thursday | 2011 |
WellCare Health Plans, Inc. | FL | Health Plan | 1214 | 2017-08-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On July 13, 2017 and July 17, 2017, O’Neil Printing, Inc., a business associate (BA) of WellCare Health Plans, Inc. accidentally sent 1,214 mislabeled envelopes containing insurance membership identification cards to incorrect addresses. The mistake was discovered on July 20, 2017 and exposed the names, addresses, birthdates, and membership numbers of 1,214 affected individuals. In response to the breach, the CE and BA investigated the cause of the breach, finding that a problem in the naming conventions of the BA’s file processing had caused the name and address of members to become mismatched. The problem was promptly fixed and the BA implemented additional verification steps to prevent similar problems in the future. The CE provided timely breach notification to HHS, the affected individuals, and media outlets throughout the state of Missouri. It also mailed self-addressed, stamped envelopes to the individuals who received the mislabeled mail, along with an explanation, so that they could return the incorrectly-received information. OCR obtained assurances that the CE implemented the corrective actions listed above. | WellCare Health Plans, Inc. FL Health Plan 1214 | Friday | 2017 |
Kern County Mental Health | CA | Health Plan | 1212 | 2016-06-14 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kern County Mental Health, discovered a 290-page paper printout of accounts receivables for the month of September 2006 in an open file container that was left in a vacated area of their facility on April 15, 2016. The protected health information (PHI) involved in the breach included patients’ names, medical record numbers, dates of service, numerical service codes, and amounts billed. Approximately 1,212 individuals were affected by this breach. The CE initially provided substitute and media breach notifications and notification to HHS. After receiving technical assistance from OCR, the CE provided individual breach notification. Following the breach, the CE revised its policies and procedures for moving and vacating office space to ensure that a thorough walk-through of the area is completed prior to vacating an area. The CE also retrained staff on these revised policies and procedures to ensure they are implemented. | Kern County Mental Health CA Health Plan 1212 | Tuesday | 2016 |
Elliot Health System | NH | Healthcare Provider | 1208 | 2014-05-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Elliot Health System NH Healthcare Provider 1208 | Wednesday | 2014 |
UPMC Susquehanna | PA | Healthcare Provider | 1208 | 2017-11-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | UPMC Susquehanna PA Healthcare Provider 1208 | Wednesday | 2017 |
Pharmacy Innovations | NY | Healthcare Provider | 1205 | 2017-12-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Pharmacy Innovations NY Healthcare Provider 1205 | Tuesday | 2017 |
DJO, LLC | CA | Healthcare Provider | 1203 | 2018-01-06 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | DJO, LLC CA Healthcare Provider 1203 | Saturday | 2018 |
LSU Health Care Services Division | LA | Healthcare Provider | 1200 | 2017-10-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | LSU Health Care Services Division, the covered entity (CE), reported that a prior workforce member improperly used her job-based access to view the protected health information (PHI) of approximately 1,471 patients from August 21, 2009, through March 16, 2014. The types of PHI involved in the breach included clinical, demographic, and financial information. Following the breach, the CE provided breach notification to HHS, affected individuals and the media. The CE also implemented an access monitoring system in its sole remaining hospital. OCR obtained assurances that the CE implemented the corrective actions noted above as well as a written assurances that the CE will re-train its staff. | LSU Health Care Services Division LA Healthcare Provider 1200 | Monday | 2017 |
Braun Dermatology & Skin Cancer Center | DC | Healthcare Provider | 1200 | 2017-07-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Braun Dermatology & Skin Cancer Center DC Healthcare Provider 1200 | Friday | 2017 |
Andrea Yaley, DDS | CA | Healthcare Provider | 1200 | 2017-07-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | | NA | NA | NA | NA | No | NA | Andrea Yaley, DDS CA Healthcare Provider 1200 | Monday | 2017 |
ELLIOT J MARTIN CHIROPRACTIC PC | NY | Healthcare Provider | 1200 | 2016-02-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | ELLIOT J MARTIN CHIROPRACTIC PC NY Healthcare Provider 1200 | Wednesday | 2016 |
AHRC Nassau | NY | Healthcare Provider | 1200 | 2016-01-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | AHRC Nassau NY Healthcare Provider 1200 | Wednesday | 2016 |
Lancaster Cardiology Medical Group, and Sunder Heart Institute and Vascular Medical Clinic | CA | Healthcare Provider | 1200 | 2015-08-24 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | Other Portable Electronic Device | NA | NA | NA | NA | No | The covered entity (CE), Lancaster Cardiology Medical Group and Sunder Heart Institute & Vascular Medical Clinic, reported that sometime between June 20, 2015, and June 21, 2015, laptop computers, desktop computers, servers, and other portable electronic devices were stolen from its facility during a burglary. Approximately 2,071 individuals were affected by this breach. The types of electronic protected health information (ePHI) involved in the breach included clinical and demographic information. Following the breach, the CE promptly reported the incident to law enforcement. It provided breach notification to HHS, affected individuals, and the media. As a result of this incident, as well as OCR’s corresponding investigation, the CE implemented a plan to encrypt all ePHI stored on its devices. The CE also implemented additional physical safeguards, which included the installation of new locks and improved video surveillance. The CE updated its policies and procedures addressing administrative, technical, and physical safeguards. OCR obtained assurances that the CE implemented the corrective actions noted above. | Lancaster Cardiology Medical Group, and Sunder Heart Institute and Vascular Medical Clinic CA Healthcare Provider 1200 | Monday | 2015 |
Alabama Department of Public Health | AL | Healthcare Provider | 1200 | 2014-06-26 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Alabama Department of Public Health, disclosed the protected health information (PHI) of approximately 1,200 individuals to a third party, potentially for tax fraud purposes. Federal law enforcement informed the CE of the breach on March 21, 2014. The U.S. District Court, Middle District of Alabama indicted the workforce member responsible for the breach for her criminal activities related to the breach, and she is no longer employed by the CE. Following the breach, the CE implemented additional safeguards. | Alabama Department of Public Health AL Healthcare Provider 1200 | Thursday | 2014 |
Sports Rehabilitation Consultants | OH | Healthcare Provider | 1200 | 2013-03-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Sports Rehabilitation Consultants OH Healthcare Provider 1200 | Wednesday | 2013 |
Intervention Services, Inc. | FL | Healthcare Provider | 1200 | 2013-02-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop from the covered entity (CE), Intervention Services, was stolen from a workforce member’s vehicle. The electronic protected health information (ePHI) on the laptop included patient names, dates of birth, Medicaid numbers, and the names of the patients’ funding source for approximately 1,200 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Intervention Services, Inc. FL Healthcare Provider 1200 | Thursday | 2013 |
Treatment Services Northwest | OR | Healthcare Provider | 1200 | 2011-07-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Treatment Services Northwest OR Healthcare Provider 1200 | Friday | 2011 |
Matthew H. Conrad, M.D., P.A. | KS | Healthcare Provider | 1200 | 2010-09-19 | Theft | NA | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | No | | Matthew H. Conrad, M.D., P.A. KS Healthcare Provider 1200 | Sunday | 2010 |
NYU School of Medicine–Aging and Dementia Clinical Research Center | NY | Healthcare Provider | 1200 | 2010-08-27 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | | NYU School of Medicine–Aging and Dementia Clinical Research Center NY Healthcare Provider 1200 | Friday | 2010 |
Medina OB/GYN Associates, Inc | OH | Business Associate | 1200 | 2010-07-23 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Medina OB/GYN Associates, Inc OH Business Associate 1200 | Friday | 2010 |
St. Vincent Hospital and Health Care Center, Inc. | IN | Healthcare Provider | 1199 | 2010-09-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A St. Vincent Hospital and Health Care Center, Inc. laptop computer containing the protected health information (PHI) of approximately 1,199 individuals was stolen from an employee’s home. The types of PHI involved in the breach included names, dates of birth, and in some instances, Social Security numbers, diagnoses, procedure types, physicians’ names, home and work telephone numbers, and registration and medical record numbers. The CE provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE encrypted its laptops, updated its policies and procedures related to safeguarding mobile devices, and implemented new procedures regarding physical security for laptops. OCR obtained documentation that the CE implemented the corrective actions noted above. | St. Vincent Hospital and Health Care Center, Inc. IN Healthcare Provider 1199 | Thursday | 2010 |
Fidelity National Technology Imaging (FNTI) | CA | Business Associate | 1192 | 2011-06-10 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Fidelity National Technology Imaging (FNTI) CA Business Associate 1192 | Friday | 2011 |
National DCP Health Plan | GA | Health Plan | 1190 | 2017-08-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | National DCP Health Plan GA Health Plan 1190 | Tuesday | 2017 |
The Carle Foundation | IL | Healthcare Provider | 1185 | 2016-08-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | The Carle Foundation IL Healthcare Provider 1185 | Thursday | 2016 |
WAYNE MEMORIAL HOSPITAL | PA | Healthcare Provider | 1184 | 2013-01-18 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Wayne Memorial Hospital, lost an unencrypted compact disk (CD) containing the electronic protected health information (ePHI) of approximately 1182 individuals in the U.S. mail. The types of ePHI involved in the breach included patients’ names, account balances and Medicare numbers (which contain social security numbers). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE attempted to locate the CD. The CE also encrypted a CD that contains similar data, to be used for the same purpose. As a result of OCR’s investigation, the CE retrained employees and evaluated ePHI maintained on computers in its most recent risk analysis. | WAYNE MEMORIAL HOSPITAL PA Healthcare Provider 1184 | Friday | 2013 |
Robley Rex VA Medical Center | KY | Healthcare Provider | 1182 | 2012-03-06 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Robley Rex VA Medical Center, lost or had stolen a binder of coding reports, which contained the protected health information (PHI) of 1,182 individuals. The binder was left unattended outside the entrance of the facility and returned soon thereafter to a workforce member by an inpatient at the facility who discovered the log book. The PHI involved in the breach included PHI of approximately 1,182 individuals, including names, social security numbers, and discharge dates. The CE provided breach notification to HHS, affected individuals, and the media, and offered free credit protection to all affected individuals. Following the breach, the CE suspended the employee, sent a bulletin to all employees indicating that they were not permitted to maintain log books or transport PHI outside the facility without authorization. As a result of OCR’s investigation, the CE reviewed its policies and procedures to ensure the adequacy of safeguards. | Robley Rex VA Medical Center KY Healthcare Provider 1182 | Tuesday | 2012 |
Regional Medical Center | TN | Healthcare Provider | 1180 | 2013-05-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Regional Medical Center TN Healthcare Provider 1180 | Tuesday | 2013 |
PracMan, Inc. | AL | Business Associate | 1179 | 2014-03-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | | PracMan, Inc. AL Business Associate 1179 | Monday | 2014 |
Center for Comprehensive Services, Inc. | MA | Healthcare Provider | 1176 | 2018-03-21 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Center for Comprehensive Services, Inc. MA Healthcare Provider 1176 | Wednesday | 2018 |
Massachusetts Department of Public Health - Tewksbury Hospital | MA | Healthcare Provider | 1176 | 2017-07-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Massachusetts Department of Public Health - Tewksbury Hospital MA Healthcare Provider 1176 | Friday | 2017 |
St. Francis Hospital | GA | Healthcare Provider | 1175 | 2014-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On May 30, 2014, a staff member sent an email to approximately 1,175 patients that erroneously permitted them to see the email addresses of all recipients. The covered entity (CE), St. Francis Hospital, investigated the incident, replaced its information technology department leadership and its security officer, and counseled the employee involved. Additionally, the CE updated its HIPAA policies and trained the entire workforce on its updated policies. The CE also began upgrading its equipment to better prevent security incidents. The CE provided breach notification to the affected individuals via e-mail message, sent notification to the media, and placed a conspicuous notice on its website. In response to OCR’s provision of technical assistance, the CE provided written notification to the affected individuals. | St. Francis Hospital GA Healthcare Provider 1175 | Monday | 2014 |
Heartland Pathology Associates, P.A. | FL | Healthcare Provider | 1175 | 2012-08-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Heartland Pathology Associates, P.A., the covered entity (CE), discovered that its past business associate (BA), Medical Business Service, Inc., suffered a breach when an employee downloaded protected health information (PHI) to a portable computer drive and provided the drive to a third party. The breach affected 1,175 individuals and included patients’ names, addresses, telephone numbers, social security numbers, dates of birth, insurance carriers, insurance policy numbers, physicians’ name, diagnosis information, medical record numbers, account numbers, admission and discharge dates, and gender. The CE delayed providing breach notification due to a law enforcement investigation. Once given approval, the CE timely sent breach notification to HHS, affected individuals, and the media and posted substitute notification online. The CE contracted with Florida Hospital Heartland Medical Center (“Hospital”) for annual HIPAA training and for use of a computer maintained and monitored by the Hospital’s information technology department. The CE received assurances that PHI maintained by its BA was destroyed. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Heartland Pathology Associates, P.A. FL Healthcare Provider 1175 | Wednesday | 2012 |
Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates | NJ | Health Plan | 1173 | 2015-09-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Other | NA | NA | NA | NA | NA | NA | No | NA | Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates NJ Health Plan 1173 | Thursday | 2015 |
Stanislaus Surgical Hospital | CA | Healthcare Provider | 1170 | 2015-06-04 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | NA | No | On April 4, 2015, two paper binders containing the protected health information (PHI) of up to 1,166 individuals were stolen from one of the covered entity’s (CE) facilities along with several other items that did not contain PHI. The type of PHI involved in the breach was financial information. The CE filed a formal police report and police identified two potential suspects. The CE provided breach notification to HHS, affected individuals, and the media and offered credit monitoring to all individuals affected. Following the breach, the CE improved physical security for the facility and the locked file cabinets that contain PHI and updated security procedures for employees’ access to the premises. It also converted its payment system to a paperless, all electronic system and implemented an encryption requirement for all information that is stored on a shared drive. The CE also trained all employees on the changes to its security policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Stanislaus Surgical Hospital CA Healthcare Provider 1170 | Thursday | 2015 |
VA Black Hills Health Care System | SD | Healthcare Provider | 1168 | 2015-08-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Veterans Affairs, reported that between May 15 and 17, 2015, paper records containing protected health information (PHI) were left in an outside trash dumpster on its Hot Springs campus. The breach affected 1,168 individuals and involved names, partial and full social security numbers, addresses, and dates of birth. Following the breach, the CE destroyed the records. Although the CE complied with its breach notification requirements, as a result of OCR’s substantial technical assistance, it initiated a revision of its breach notification procedure. The CE also offered credit monitoring to the 980 veterans whose full social security numbers were potentially breached. | VA Black Hills Health Care System SD Healthcare Provider 1168 | Tuesday | 2015 |
Genesis Rehabilitation Services | PA | Healthcare Provider | 1167 | 2013-11-01 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Two unencrypted flash drives containing the electronic protected health information (ePHI) of 1,167 individuals were stolen from a staff member’s office. The ePHI involved in the breach included names, dates of birth, treatment and diagnosis information, medical insurance identification numbers, and, in some instances, social security numbers. The covered entity (CE), Genesis Rehabilitation Services, provided breach notification to HHS, affected individuals, the media, and provided free credit monitoring. The CE retrained all staff members on its policies regarding encryption of flash drives. Additionally, OCR’s investigation resulted in the CE revising its HIPAA policies. | Genesis Rehabilitation Services PA Healthcare Provider 1167 | Friday | 2013 |
Community Support Services, Inc. | OH | Healthcare Provider | 1167 | 2013-06-03 | Theft | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Community Support Services, Inc. OH Healthcare Provider 1167 | Monday | 2013 |
Monroe Operations, LLC d/b/a Newport Academy and Center for Families | TN | Healthcare Provider | 1165 | 2018-08-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Monroe Operations, LLC d/b/a Newport Academy and Center for Families TN Healthcare Provider 1165 | Friday | 2018 |
Midland County Hospital District d/b/a Midland Memorial Hospital | TX | Healthcare Provider | 1160 | 2017-12-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Midland County Hospital District d/b/a Midland Memorial Hospital TX Healthcare Provider 1160 | Tuesday | 2017 |
JASACare | NY | Healthcare Provider | 1154 | 2016-03-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Unauthorized individuals hacked a workforce member’s email account and accessed the electronic protected health information (ePHI) of 1,154 patients. The types of ePHI involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers, insurance identification numbers, insurance information, and account balance information. The covered entity (CE), JASACare, provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. The CE also provided one year free credit monitoring services for the affected individuals. Following the breach, the CE shut down the workforce member’s email account and reset all login information. As a result of OCR’s investigation and technical assistance, the CE developed new policies regarding emailing ePHI and distributed them to its workforce members. The CE is expected to perform a thorough and accurate risk analysis and establish a risk management plan. It is also expected to implement mechanisms to record and examine activity in information systems that contain or use ePHI. Additionally, the CE is expected to implement technical security measures to guard against unauthorized access to ePHI, implement procedures for identity verification for access to ePHI, and provide training to all staff on the newly implemented policies and procedures. | JASACare NY Healthcare Provider 1154 | Monday | 2016 |
Associated Catholic Charities Incorporated | MD | Healthcare Provider | 1145 | 2017-01-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | Unauthorized users gained access to an employee’s email account after a phishing attack and automatically forwarded the employee’s emails to an external account. The breach included the protected health information (PHI) of 1,145 individuals and included names, addresses, dates of birth, social security numbers, and clinical information. Following the breach, the covered entity (CE), Associated Catholic Charities, added additional protection software to its email system and provided employees with additional security awareness training. Additionally, OCR reviewed the covered entity’s risk analysis to ensure compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above. | Associated Catholic Charities Incorporated MD Healthcare Provider 1145 | Friday | 2017 |
PracMan, Inc. | AL | Business Associate | 1145 | 2014-03-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On January 10, 2014, a business associate (BA), PracMan, Inc., of two covered entities (CE), Monarch Women’s Health (Monarch) and Punuru J.M. Reddy, M.D., Inc. (Dr. Reddy), impermissibly disclosed the protected health information (PHI) of the CEs’ patients when the BA’s technology subcontractor, MASHNet, copied and stored computer files in error on an unsecured server. The PHI included demographic, clinical, and financial information, including names, account numbers, insurance providers, procedures, diagnoses, social security numbers (SSN), and account balances affecting approximately 1,179 of Dr. Reddy’s patients and approximately 1,145 of Monarch’s patients. The BA provided breach notification to HHS, affected individuals, and the media. It also established a toll-free number and website dedicated to providing information regarding the breach, and offered one year of free credit monitoring to individuals whose SSN was potentially exposed online. In response to the breach, the BA engaged a third party to perform a risk analysis of its operations and updated its privacy and security policies. The BA ensured that the data was removed from the unsecured server and all cached copies of links to the PHI were removed. OCR obtained assurances that the BA implemented the corrective actions listed above. Additionally, the BA terminated its relationship with the subcontractor and restructured its corporate network. | PracMan, Inc. AL Business Associate 1145 | Friday | 2014 |
University Urology, P.C. | TN | Healthcare Provider | 1144 | 2014-04-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A nurse practitioner (“NP”) of the covered entity (CE), University Urology, left the practice to start her own clinic. An administrative assistant of the CE provided the NP with lists of patient information in June 2013 and January 2014 that contained the names, addresses, gender, age, and first and last dates of service for 1,144 individuals. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE terminated the administrative assistant’s employment and sent a “cease and desist” letter to the NP. The CE also ensured that the lists were destroyed. Finally, the CE reviewed and revised its policies and re-trained its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. | University Urology, P.C. TN Healthcare Provider 1144 | Monday | 2014 |
Benefit Outsourcing Solutions | MI | Business Associate | 1144 | 2018-06-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Benefit Outsourcing Solutions MI Business Associate 1144 | Thursday | 2018 |
St. Vincent Hospital and Healthcare Inc | IN | Healthcare Provider | 1142 | 2014-02-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A St. Vincent Hospital and Healthcare Inc. laptop computer that was connected to an EEG diagnostic system was stolen from a procedure cart located in a nursing unit within the hospital. This breach affected approximately 1,142 individuals and the types of protected health information (PHI) involved in the breach included patients’ names, dates of birth, dates of service, gender, physicians’ name and types of studies. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE encrypted its laptops, updated its policies and procedures related to safeguarding mobile devices, and implemented procedures for the use of laptop security cables. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | St. Vincent Hospital and Healthcare Inc IN Healthcare Provider 1142 | Tuesday | 2014 |
Our Lady of the Angels Hospital | LA | Healthcare Provider | 1140 | 2017-09-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Our Lady of the Angels Hospital LA Healthcare Provider 1140 | Friday | 2017 |
Stephen P. Courtney, M.D. | TX | Healthcare Provider | 1140 | 2017-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | OCR conducted an investigation of the breach report filed by Dr. Stephen Courtney on August 29, 2017, after he reported that a former workforce member impermissibly accessed approximately 1,561 patients’ medical records at Plano Orthopedic Sports Medicine & Spine Center (POSMC). Upon discovering the breach, Dr. Courtney filed a Breach Report with HHS and took steps to mitigate the harm. As a result of OCR’s investigation, OCR determined that the appropriate covered entity is POSMC. | Stephen P. Courtney, M.D. TX Healthcare Provider 1140 | Wednesday | 2017 |
Health Care Solutions at Home Inc. | OH | Health Plan | 1139 | 2014-02-14 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) mistakenly mailed protected health information (PHI) to the wrong addresses of approximately 1,139 individuals following a computer error at the business associate (BA). The PHI involved in the breach included names, addresses, dates of birth, dates of service, claims information, and diagnoses. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. To prevent a similar breach from happening in the future, the CE and BA improved safeguards by updating policies to require multiple reviews of PHI in mailings. Following OCR’s investigation, the CE updated its policies and procedures relating to the minimum necessary standard. | Health Care Solutions at Home Inc. OH Health Plan 1139 | Friday | 2014 |
Walgreen Co. | IL | Healthcare Provider | 1138 | 2015-05-01 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 4, 2015, the covered entity (CE), Walgreens Pharmacy, reported that it discovered its pharmacy paper log in Stafford, Texas was missing. The approximate number of individuals affected by the breach was 1,138. The protected health information (PHI) involved in the breach included patients’ prescription numbers, first and last names, dates of birth, addresses, photo identification types, and the number of individuals who picked up prescriptions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE re-trained its pharmacy staff and communicated to them the importance of safeguarding patient information. OCR obtained documentation which showed that the CE implemented the corrective actions listed. | Walgreen Co. IL Healthcare Provider 1138 | Friday | 2015 |
Luz Colon, DPM Podiatry | FL | Healthcare Provider | 1137 | 2012-05-19 | Loss | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On March 20, 2012, an unencrypted laptop computer containing patient information was lost or stolen. The laptop contained the demographic, clinical and financial information of 1,137 individuals. The covered entity (CE), Absolute Foot and Ankle Specialists Inc., provided breach notification to HHS, affected individuals, and English and Spanish media. In response to the breach, the CE disallowed removal of equipment from the premises and began using cloud-based electronic medical record software. OCR obtained assurances that the CE implemented the corrective actions listed above. | Luz Colon, DPM Podiatry FL Healthcare Provider 1137 | Saturday | 2012 |
Kaiser Permanente Northern California | CA | Health Plan | 1136 | 2016-07-12 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaiser Permanente Northern California CA Health Plan 1136 | Tuesday | 2016 |
Benesch, Friedlander, Coplan & Aronoff LLP | OH | Business Associate | 1134 | 2017-02-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Benesch, Friedlander, Coplan & Aronoff LLP OH Business Associate 1134 | Friday | 2017 |
OsteoMed LP | TX | Health Plan | 1134 | 2015-10-20 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Upon review of information provided from the reporting entity, OCR determined that the material identified in the breach report did not meet the definition of protected health information as it was employment records (i.e., human resource data). | OsteoMed LP TX Health Plan 1134 | Tuesday | 2015 |
Hogan Services Inc. Health Care Premium Plan | MO | Health Plan | 1134 | 2012-05-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On March 30, 2012, Hogan Services Inc. (HSI), the sponsor of a fully insured employee health plan, erroneously distributed an email to 287 employees containing the electronic protected health information (ePHI) of approximately 1,134 individuals. The ePHI included names, social security numbers, dates of birth, gender, group health plan identification numbers, member identifications, enrollment dates, and types of coverage for employees and names, dates of birth, and relationship information for employees’ spouses and dependents enrolled in the group health insurance plan. Upon discovering the breach, HSI directed its email vendor to shut down its email server, and constructed an incident response team that went to each workstation and deleted the ePHI from employees’ computers, and shredded any copies of the email that had been printed. HSI provided breach notification to HHS and affected individuals. As a result of OCR’s investigation, HSI made a decision not to accept, store, or transmit ePHI, and it retrained its workforce regarding the HIPAA Rules. HSI also added encryption software to employees’ accounts that have access to ePHI. OCR obtained assurances that HSI implemented the corrective actions listed above. | Hogan Services Inc. Health Care Premium Plan MO Health Plan 1134 | Friday | 2012 |
Apex EDI, Inc. | UT | Business Associate | 1132 | 2017-03-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Apex EDI, Inc. UT Business Associate 1132 | Friday | 2017 |
Gordon Schanzlin New Vision Institute | CA | Healthcare Provider | 1130 | 2018-08-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Gordon Schanzlin New Vision Institute CA Healthcare Provider 1130 | Friday | 2018 |
Compassion Care Hospice Las Vegas, LLC | NV | Healthcare Provider | 1128 | 2017-12-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Compassion Care Hospice Las Vegas, LLC NV Healthcare Provider 1128 | Thursday | 2017 |
Union Security Insurance Company | MO | Health Plan | 1127 | 2013-06-17 | Improper Disposal | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | Union Security Insurance Company MO Health Plan 1127 | Monday | 2013 |
TriHealth, Inc. | OH | Healthcare Provider | 1126 | 2017-01-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Paper/Films | NA | NA | NA | NA | NA | NA | No | Due to a technical error during a data conversion process, the covered entity (CE) sent correspondence to 1,126 patients’ incorrect addresses. The types of protected health information (PHI) involved in the breach varied based on the correspondence and may have included the full names, former addresses, birthdates, claims information, diagnoses/conditions, lab results, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff, corrected addresses, and developed a plan to implement additional safeguards for data conversions. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | TriHealth, Inc. OH Healthcare Provider 1126 | Thursday | 2017 |
Kindred Nursing Centers West, L.L.C. | CA | Healthcare Provider | 1125 | 2015-09-25 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On August 31, 2015, the covered entity (CE), Kindred Nursing Centers West, LLC, discovered that a password-protected office computer had been stolen from a locked office within its facility. The types of protected health information (PHI) contained in computer included the names of 1,125 patients and one or more of the following: admission and discharge dates, facility names, patient ID numbers, and certain accounting-related information. The CE provided breach notification to HHS, the affected individuals, and the media. OCR obtained assurances that the CE improved its physical safeguards, revised its encryption policy, strengthened its password requirements, and retrained workforce members. | Kindred Nursing Centers West, L.L.C. CA Healthcare Provider 1125 | Friday | 2015 |
Bozeman Health Deaconess Hospital | MT | Healthcare Provider | 1124 | 2016-03-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Due to a misaligned spreadsheet, on or about February 19, 2016, Executive Services, a business associate (BA) of the covered entity (CE), Bozeman Health Deaconess Hospital, erroneously sent letters to 1,124 patients containing another patient’s name. The type of protected health information (PHI) involved in the breach included names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented a new process for sending mass mailings, required the responsible employee, as well as managers and supervisors, to attend HIPAA refresher training, and required the responsible employee to take a class on specific spreadsheet software. OCR obtained assurances that the CE implemented the corrective actions noted above. | Bozeman Health Deaconess Hospital MT Healthcare Provider 1124 | Monday | 2016 |
Rocky Mountain Women’s Health Center, Inc. | UT | Healthcare Provider | 1123 | 2018-01-25 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Rocky Mountain Women’s Health Center, Inc. UT Healthcare Provider 1123 | Thursday | 2018 |
Oregon Health & Science University | OR | Healthcare Provider | 1114 | 2013-03-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.” OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon. | Oregon Health & Science University OR Healthcare Provider 1114 | Tuesday | 2013 |
Hamner Square Dental, Privacy Manager Breach | CA | Healthcare Provider | 1112 | 2012-07-16 | Loss | Theft | Unauthorized Access/Disclosure | Unknown | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Hamner Square Dental, Privacy Manager Breach CA Healthcare Provider 1112 | Monday | 2012 |
Guardant Health, Inc. | CA | Healthcare Provider | 1112 | 2018-09-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Guardant Health, Inc. CA Healthcare Provider 1112 | Friday | 2018 |
Sioux Falls VA Health Care System | SD | Healthcare Provider | 1111 | 2015-07-30 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | In early April 2015, while performing a non-routine pharmacy audit, the covered entity (CE), Sioux Falls Veterans Administration Health Care System, discovered that paper prescription records were missing from its secured vault; it was unable to determine what happened to the records, so it reported a breach. The missing records affected 1,111 individuals, and contained clinical and/or demographic protected health information (PHI). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE discontinued attaching progress notes with full social security numbers. The CE also implemented an inventory for pharmacy records, removed obsolete language from its procedures regarding the Breach Notification Rule, and trained all relevant staff on safeguarding paper records containing PHI and timely discovery and notifications. OCR obtained assurances the CE implemented the corrective actions noted above. | Sioux Falls VA Health Care System SD Healthcare Provider 1111 | Thursday | 2015 |
Washington University School of Medicine | MO | Healthcare Provider | 1105 | 2013-01-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Washington University School of Medicine MO Healthcare Provider 1105 | Friday | 2013 |
Gene S. J. Liaw, MD. PS | WA | Healthcare Provider | 1105 | 2011-06-17 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | An unencrypted portable computer drive (a USB) containing the electronic protected health information (ePHI) of 1,105 patients was misplaced and could not be found in the entity’s office. The ePHI included names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and social security numbers. The entity provided breach notification to affected individuals and HHS. Following the breach, the entity replaced the missing drive with encryption-capable USB drives, provided secure, locked storage facilities for its mobile devices, and implemented policies preventing removal of such devices from the office. OCR’s investigation found that the entity in fact is not a covered entity under the Privacy and Security Rules. | Gene S. J. Liaw, MD. PS WA Healthcare Provider 1105 | Friday | 2011 |
Occupational Health Partners | KS | Healthcare Provider | 1105 | 2010-06-01 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Occupational Health Partners KS Healthcare Provider 1105 | Tuesday | 2010 |
Sta-home Health & Hospice | MS | Healthcare Provider | 1104 | 2010-11-08 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Sta-home Health & Hospice MS Healthcare Provider 1104 | Monday | 2010 |
LifeGas | GA | Business Associate | 1103 | 2013-02-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On October 11, 2012, an employee of LifeGas, a business associate (BA) of the covered entity (CE), American Home Patient Inc., lost or misplaced an unencrypted laptop computer containing the electronic protected health information (ePHI) of 1,103 of the CE’s clients across 13 states. The ePHI stored in the laptop included patients’ names, addresses, and an indicator showing that the patient received oxygen supplies. The CE determined that a thumb drive that was misplaced in the same incident did not contain PHI. The CE conducted an internal investigation, and provided breach notification to HHS and affected individuals. In addition, the CE negotiated a new agreement with the BA, including stringent provisions regarding the timeframes allowed for future breach notifications. OCR obtained assurances the CE completed the corrective actions listed. | LifeGas GA Business Associate 1103 | Monday | 2013 |
Volunteer State Health Plan, Inc. | TN | Health Plan | 1102 | 2012-05-31 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Volunteer State Health Plan, mailed three envelopes containing the protected health information (PHI) that arrived at the contracted provider’s address damaged, with the contents missing. The envelopes were damaged at the U.S. postal facility where they were processed and contained member claim information of 1,102 individuals, including members’ names, identification numbers, claim numbers, dates of service, procedure codes, charges, and provider information. In response to this incident, an investigator for the CE visited the mail facility where the damage occurred in an attempt to determine that the documentation was appropriately shredded under USPS policy for damaged mail. Additionally, the CE’s mailroom began using tear resistant envelopes for oversized mailings, and the CE trained its mailroom employees on the new envelope policy. Finally, the CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. | Volunteer State Health Plan, Inc. TN Health Plan 1102 | Thursday | 2012 |
WellCare Health Plans, Inc. | FL | Health Plan | 1101 | 2018-06-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | WellCare Health Plans, Inc. FL Health Plan 1101 | Wednesday | 2018 |
Best Health Physical Therapy, LLC | CT | Healthcare Provider | 1100 | 2016-11-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Best Health Physical Therapy, LLC CT Healthcare Provider 1100 | Thursday | 2016 |
Health Incent, LLC | TN | Healthcare Provider | 1100 | 2016-07-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Health Incent, the covered entity (CE), discovered on June 8, 2016 that a patient database containing electronic protected health information (ePHI) was available on the internet through web searches. The breach affected 1,100 individuals and the types of ePHI involved in the breach included patient names, dates of birth, email addresses, and mailing addresses. The CE provided timely breach notification to HHS, affected individuals, and the media. The CE successfully contacted all affected individuals who did not receive the initial notification. In response to the breach, CE sanctioned those responsible for the breach and created a new process for uploading files to its website. OCR obtained assurances from CE that it implemented the corrective actions noted above. | Health Incent, LLC TN Healthcare Provider 1100 | Monday | 2016 |
D&J Optical Inc. | AL | Health Plan | 1100 | 2014-07-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | In June 2014, the covered entity (CE), D&J Optical, suspected that a former independently contracted optometrist had created credentials for herself and accessed electronic protected health information (ePHI) without authorization. This inappropriate access would have exposed the demographic and clinical information of 1,100 individuals. The CE filed a breach report with HHS and met the requirements of the Breach Notification Rule. In response to this suspected incident, the CE increased security for access to its server and software, eliminated wireless internet capabilities in its office, and strengthened procedures for password access. OCR reviewed evidence of the subsequent investigation by a computer forensic expert which revealed that no inappropriate access had occurred and no ePHI was disclosed. | D&J Optical Inc. AL Health Plan 1100 | Monday | 2014 |
Palo Verde Hospital, Privacy Manager Breach | CA | Healthcare Provider | 1100 | 2014-02-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Palo Verde Hospital, Privacy Manager Breach CA Healthcare Provider 1100 | Tuesday | 2014 |
Barnabas Health Medical Group, P.C. | NJ | Healthcare Provider | 1100 | 2013-11-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Barnabas Health Medical Group, P.C. NJ Healthcare Provider 1100 | Tuesday | 2013 |
Louisiana State University Health Care Services Division | LA | Healthcare Provider | 1100 | 2013-07-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Electronic protected health information (ePHI) was used and disclosed by a workforce member of the covered entity (CE), Louisiana State University Health Care Services Division, to produce fraudulent checks and steal cash. The ePHI included the checking accounts, driver’s licenses, social security numbers, and other demographic information for approximately 6,994 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE sanctioned the involved workforce member. The CE improved physical security by adopting new security procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Louisiana State University Health Care Services Division LA Healthcare Provider 1100 | Thursday | 2013 |
Vidant Pungo Hospital | NC | Healthcare Provider | 1100 | 2012-11-29 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Vidant Pungo Hospital NC Healthcare Provider 1100 | Thursday | 2012 |
Thresholds Inc. | MI | Business Associate | 1100 | 2011-10-28 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Thresholds Inc. MI Business Associate 1100 | Friday | 2011 |
Center for Neurosciences | AZ | Healthcare Provider | 1100 | 2010-02-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Center for Neurosciences AZ Healthcare Provider 1100 | Wednesday | 2010 |
MorshedEye, PLLC | KY | Healthcare Provider | 1100 | 2018-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | MorshedEye, PLLC KY Healthcare Provider 1100 | Friday | 2018 |
Rhode Island Executive Office of Health and Human Services | RI | Health Plan | 1100 | 2018-02-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Rhode Island Executive Office of Health and Human Services RI Health Plan 1100 | Tuesday | 2018 |
UnitedHealthcare Insurance Company | MN | Business Associate | 1097 | 2010-07-17 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | UnitedHealthcare Insurance Company MN Business Associate 1097 | Saturday | 2010 |
Fayetteville VAMC | NC | Healthcare Provider | 1093 | 2013-06-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Fayetteville VA Medical Clinic Optical Shop, impermissibly disclosed the protected health information (PHI) of approximately 1,094 individuals by placing consultation reports in the recycling bin rather than the shred bin from January to April 2013. The PHI involved in the breach included patients’ names, social security numbers, birthdates, addresses, and phone numbers. The CE provided breach notification to HHS, the media, and all potentially affected patients and also offered credit monitoring. The CE investigated the incident, removed and shredded all identified documents from the recycle bin, and provided a document shredder on-site. Additionally, the CE retrained employees regarding security and disposal methods for documents containing PHI. Moreover, the responsible staff member was sanctioned according to the CE’s policy. OCR obtained assurances that the corrective actions listed above were completed. | Fayetteville VAMC NC Healthcare Provider 1093 | Friday | 2013 |
Escambia County Alabama Community Hospitals, Inc. D/B/A Atmore Community Hospital | AL | Healthcare Provider | 1090 | 2017-01-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Escambia County Alabama Community Hospitals, Inc. dba Atmore Community Hospital, discovered that a unit secretary viewed medical records of 1,090 patients from the emergency department, outside the scope of her job duties. The records included protected health information, such as patients’ names and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE sanctioned the involved employee, reviewed its record audit procedures, and implemented an additional access control mechanism for patient records from the emergency department. In addition, the CE retrained all employees. OCR obtained assurances that the CE implemented the corrective actions listed above. In this case, the sanctions included termination of employment. | Escambia County Alabama Community Hospitals, Inc. D/B/A Atmore Community Hospital AL Healthcare Provider 1090 | Thursday | 2017 |
HP Enterprise Services | KY | Business Associate | 1090 | 2012-12-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of a subcontractor for the covered entity’s (CE) Business Associate (BA), responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor. In violation of the subcontractor BA’s policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions. The CE, through its BA, provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. The BA also offered a year of credit monitoring to those affected. In response to the incident, the subcontractor improved safeguards by initiating laptop audits to ensure PHI is not stored on them, re-trained employees, and applied employee sanctions by terminating the employee who failed to follow its policy. OCR obtained assurances that the corrective action listed above was completed. | HP Enterprise Services KY Business Associate 1090 | Friday | 2012 |
Pitney Bowes Management Services, Inc. | CT | Business Associate | 1089 | 2011-10-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | | Pitney Bowes Management Services, Inc. CT Business Associate 1089 | Friday | 2011 |
Detroit Medical Center - Harper University Hospital | MI | Healthcare Provider | 1087 | 2014-03-13 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Patients’ medical information was found in the possession of an employee who had worked for the covered entity, Detroit Medical Center Harper University. The protected health information (PHI) included the names, dates of birth, age, gender and reasons for visits for approximately 1,087 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection and monitoring service at no cost to all affected patients. OCR obtained documentation which showed that the CE implemented the corrective actions listed. | Detroit Medical Center - Harper University Hospital MI Healthcare Provider 1087 | Thursday | 2014 |
Rocky Mountain Health Care Services | CO | Healthcare Provider | 1087 | 2018-07-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Rocky Mountain Health Care Services CO Healthcare Provider 1087 | Friday | 2018 |
Nova Southeastern University | FL | Healthcare Provider | 1086 | 2017-05-02 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Nova Southeastern University FL Healthcare Provider 1086 | Tuesday | 2017 |
Birmingham Printing and Publishing, Inc dba Paper Airplane | AL | Business Associate | 1085 | 2014-01-24 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | On September 6, 2013, the covered entity (CE), discovered that its business associate (BA) had mislabeled invitations for an event for cancer survivor patients. While the address was correct, the name on the envelope was incorrect for 1,085 individuals. The BA re-sent the invitations to the correct names and addresses with a letter explaining the mistake to the affected individuals. In response to the breach, the CE terminated its business relationship with the BA and changed to processing bulk mailings in-house. Although the CE had a policy in place before the breach that clearly outlined breach notification requirements, the CE did not perform media notification after this breach. OCR provided technical assistance on this topic. In addition, OCR obtained assurances that the CE implemented the corrective actions listed above. | Birmingham Printing and Publishing, Inc dba Paper Airplane AL Business Associate 1085 | Friday | 2014 |
Gair Medical Transcription Services, Inc. | PA | Business Associate | 1085 | 2010-12-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1,085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future. | Gair Medical Transcription Services, Inc. PA Business Associate 1085 | Wednesday | 2010 |
The MS Center of Saint Louis and Mercy Clinic Neurology - Town and Country | MO | Healthcare Provider | 1081 | 2017-09-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | The MS Center of Saint Louis and Mercy Clinic Neurology - Town and Country MO Healthcare Provider 1081 | Saturday | 2017 |
Talyst | WA | Business Associate | 1079 | 2014-03-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | | Talyst WA Business Associate 1079 | Monday | 2014 |
Florida Department of Health | FL | Healthcare Provider | 1076 | 2016-04-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Florida Department of Health, discovered on February 17, 2016, that an additional 1,076 individuals were affected by a breach previously reported in 2013 as affecting 877 individuals. The breach occurred when an employee with legitimate access to PHI stole demographic information for illegal purposes. The CE provided breach notification to HHS, the additionally identified individuals, and the media, as well as posting substitute notice on its website. Following the 2013 breach, the CE reviewed and revised its policies relating to access to PHI and began masking social security numbers. OCR obtained assurances that the CE implemented the corrective actions listed above. | Florida Department of Health FL Healthcare Provider 1076 | Wednesday | 2016 |
Oregon Health & Science University | OR | Healthcare Provider | 1076 | 2013-04-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Oregon Health & Science University OR Healthcare Provider 1076 | Thursday | 2013 |
Massachusetts Eye and Ear Infirmary | MA | Healthcare Provider | 1076 | 2010-01-08 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals. The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card. OCR reviewed the CE’s breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification. | Massachusetts Eye and Ear Infirmary MA Healthcare Provider 1076 | Friday | 2010 |
Ridgeview Medical Center | MN | Healthcare Provider | 1074 | 2017-09-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Ridgeview Medical Center MN Healthcare Provider 1074 | Friday | 2017 |
Mercer | MI | Business Associate | 1073 | 2010-07-30 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Mercer MI Business Associate 1073 | Friday | 2010 | |
Polk County Health Services, Inc | IA | Health Plan | 1071 | 2018-04-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Polk County Health Services, Inc IA Health Plan 1071 | Thursday | 2018 | |
Genesis Clinical Laboratory | IL | Healthcare Provider | 1070 | 2011-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | | NA | NA | NA | NA | No | | Genesis Clinical Laboratory IL Healthcare Provider 1070 | Monday | 2011 |
Front Range Dermatology Associates, P.C. | CO | Healthcare Provider | 1070 | 2018-03-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | | NA | NA | NA | NA | NA | No | NA | Front Range Dermatology Associates, P.C. CO Healthcare Provider 1070 | Wednesday | 2018 |
Patients Choice | TX | Healthcare Provider | 1069 | 2017-09-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Patients Choice TX Healthcare Provider 1069 | Tuesday | 2017 |
Emergency Room Associates doing business as Emergency Medicine Associates | AZ | Healthcare Provider | 1067 | 2016-05-19 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Five months' worth of hospital labels containing protected health information (PHI) were stolen from the car of a workforce member physician that was parked offsite from the covered entity (CE). The PHI was located in a locked briefcase within the car. The types of PHI involved in the breach included patients' names, birthdates, ages, sex, and treatment facilities. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE filed a report with local law enforcement and retrained the workforce member involved. As a result of OCR's investigation, the CE provided assurances that it conducted a full risk assessment and reviewed and updated its policies and procedures. | Emergency Room Associates doing business as Emergency Medicine Associates AZ Healthcare Provider 1067 | Thursday | 2016 |
BriovaRx | IL | Healthcare Provider | 1067 | 2013-10-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE) who later resigned effective July 17, 2013, emailed confidential documents from his company-issued laptop computer to his personal email account without authorization. The emailed data contained the protected health information (PHI) of approximately 1,067 individuals. The protected health information involved in the breach included first and last names, diagnoses, and medication names. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovery of the breach, the CE's outside legal counsel contacted the employee and the employee's new employer for assurances and affidavits prohibiting the involved employee or the employee's new employer from transferring and/or disclosing sensitive confidential information and PHI, and later obtained a preliminary injunction motion. OCR obtained assurances that the CE implemented the corrective actions listed above. | BriovaRx IL Healthcare Provider 1067 | Monday | 2013 |
UC Health, LLC | OH | Healthcare Provider | 1064 | 2015-11-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | UC Health, LLC OH Healthcare Provider 1064 | Saturday | 2015 |
Washington DC VA Medical Center | DC | Healthcare Provider | 1062 | 2016-05-31 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 31, 2016, the covered entity’s (CE) Lead Narcotic Inspector discovered that the monthly narcotic reports were missing. On April 6, 2016, CE’s police notified the facility Privacy Officer of the incident and reported the incident to the VA Network and Security Operations Center. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. The CE’s Police Security Service reviewed the available closed circuit television footage and could not determine who removed the documents from the location. The CE transferred the duties of the Lead Narcotic Inspector to another employee. OCR obtained assurances that the CE implemented the corrective actions listed. | Washington DC VA Medical Center DC Healthcare Provider 1062 | Tuesday | 2016 |
Oak Cliff Orthopaedic Associates | TX | Healthcare Provider | 1057 | 2016-12-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On October 17, 2016, the covered entity (CE), Oak Cliff Orthopaedic Associates, received a call from the local police stating that two boxes with protected health information (PHI) pertaining to its patients were recovered from a hotel located in Texas. The boxes contained patients' demographic, financial, and clinical information. The CE filed a police report and retrieved the boxes from the police department the next day. On Dec. 9, 2016, the CE contracted with a third-party vendor to mail breach notification to the affected individuals. The CE completed media notification and offered the affected individuals one (1) year of free identity theft protection services. In addition, it set up a call center to assist individuals with questions. The CE also improved physical security. OCR provided technical assistance regarding business associates and obtained documented assurances that the CE implemented the corrective actions noted above. | Oak Cliff Orthopaedic Associates TX Healthcare Provider 1057 | Wednesday | 2016 |
Penn Medicine | PA | Healthcare Provider | 1050 | 2018-01-02 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Penn Medicine PA Healthcare Provider 1050 | Tuesday | 2018 |
RoxSan Pharmacy, Inc. | CA | Healthcare Provider | 1049 | 2018-03-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On March 12, 2018, RoxSan Pharmacy, Inc., the covered entity (CE), reported to OCR that an impermissible disclosure of electronic protected health information (ePHI) occurred on January 20, 2015, when an employee of the CE emailed a spreadsheet containing ePHI to an attorney representing an employee of a business associate. The spreadsheet contained the ePHI of approximately 1,049 individuals. The ePHI included patient information, such as insurance information, prescription information, and physician names. The CE determined that the disclosure was impermissible because it was not made for the purposes of treatment, payment, or health care operations. The CE provided notice to HHS, individual notification, and media notification. OCR obtained documentation of the individual and media breach notifications. OCR also obtained documentation showing that the CE took the following steps in response to the breach and OCR's corresponding investigation: (1) the CE updated its policies and procedures addressing the use and disclosure of PHI, safeguarding PHI, de-identifying PHI, and employee sanctions for noncompliance with HIPAA; (2) the employee responsible for the breach was sanctioned and counseled on how to better safeguard PHI to prevent future breach incidents; and (3) all employees of the CE were retrained on the updated policies and procedures. | RoxSan Pharmacy, Inc. CA Healthcare Provider 1049 | Monday | 2018 |
The Biomechanics LLC | AZ | Healthcare Provider | 1049 | 2016-11-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | A security researcher accessed the covered entity’s electronic protected health information (ePHI) due to a vulnerability in a business associate’s (BA) data storage system. The researcher reportedly did not intend to use or disclose the information. The breach affected 1,049 individuals, and the ePHI involved in the breach included names, addresses, birthdates, driver’s license numbers, social security numbers, and clinical information such as diagnoses, lab results, and medications. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA returned the ePHI to the covered entity. The BA was closing its business at the time of the breach and is now out of business. OCR obtained a copy of the CE’s BA agreement with this BA. As a result of OCR's investigation, the CE increased its awareness of its responsibilities with respect to its BAs. | The Biomechanics LLC AZ Healthcare Provider 1049 | Wednesday | 2016 |
Alliant Health Plans, Inc. | GA | Health Plan | 1042 | 2016-12-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 20, 2016, Alliant Health Plans, Inc., the covered entity (CE), submitted a Breach Report stating that Summit Reinsurance, a reinsurer for the CE, had experienced a data security event. OCR has reviewed the matter, and based on our review, OCR has determined that no violation of the HIPAA laws occurred. | Alliant Health Plans, Inc. GA Health Plan 1042 | Tuesday | 2016 |
Sentara Healthcare | VA | Healthcare Provider | 1040 | 2015-10-02 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Sentara Healthcare VA Healthcare Provider 1040 | Friday | 2015 |
Redwood Memorial Hospital | CA | Healthcare Provider | 1039 | 2013-11-19 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Redwood Memorial Hospital CA Healthcare Provider 1039 | Tuesday | 2013 |
California Correctional Health Care Services | CA | Healthcare Provider | 1033 | 2013-08-16 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | California Correctional Health Care Services CA Healthcare Provider 1033 | Friday | 2013 |
Quarles & Brady, LLP | WI | Business Associate | 1032 | 2016-04-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Quarles & Brady, LLP WI Business Associate 1032 | Tuesday | 2016 |
Imaging Center of Garland | TX | Healthcare Provider | 1031 | 2011-05-19 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Imaging Center of Garland TX Healthcare Provider 1031 | Thursday | 2011 |
Children’s Eyewear Sight | CA | Healthcare Provider | 1030 | 2015-01-12 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s Eyewear Sight CA Healthcare Provider 1030 | Monday | 2015 |
VA Long Beach Healthcare System | CA | Healthcare Provider | 1030 | 2018-06-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | VA Long Beach Healthcare System CA Healthcare Provider 1030 | Friday | 2018 |
Meritus Medical Center, Inc. | MD | Healthcare Provider | 1029 | 2015-06-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Meritus Medical Center, reported that an audit revealed that a vendor's employee (from Walgreens pharmacy) accessed the protected health information (PHI) of approximately 1,029 patients without a business need to do so. The types of PHI potentially accessed included demographic information such as names, dates of birth, medical record numbers and, in some instances health insurance information or Medicare identification numbers, as well as clinical information. The CE confirmed that it terminated the employee's access to the electronic health record (EHR) and escorted the employee from the Meritus campus. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. The CE implemented a new system for implementing technical measures so that the vendor's employees' access is limited to a separate system that interfaces with the EHR and pulls only limited patient information specifically related to those patients receiving Walgreens' services. OCR obtained assurances that the CE implemented the corrective actions listed. | Meritus Medical Center, Inc. MD Healthcare Provider 1029 | Friday | 2015 |
John E. Gonzalez DDS | CA | Healthcare Provider | 1025 | 2016-08-14 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On July 25, 2016, Dr. John E Gonzalez's car window was broken and his briefcase was stolen from his car. The briefcase contained an external hard drive with electronic protected health information (ePHI). Approximately 1,025 individuals were affected by the breach. The ePHI on the external hard drive contained social security numbers, phone numbers, dates of birth, physical and email addresses, health insurance information, and pictures of patients' teeth with the patient's first and last names listed. The CE provided breach notifications to HHS, affected individuals, and the media, as well as substitute notice. In response to the breach, the CE added safeguards to prevent unauthorized access to the data on its external hard drive and purchased an encrypted external hard drive. OCR provided the CE with technical assistance regarding breach notification and the Security Rule risk analysis and risk management provisions. | John E. Gonzalez DDS CA Healthcare Provider 1025 | Sunday | 2016 |
Shands Jacksonville Medical Center, Inc. | FL | Healthcare Provider | 1025 | 2013-04-02 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A clinical intern at the covered entity (CE), University of Florida Health Jacksonville (UFHJ) (formerly Shands Jacksonville Medical Center), took photographs of protected health information (PHI) and emailed the PHI to an unauthorized third person for the purpose of filing fraudulent tax returns. The PHI included the names, addresses, social security numbers, dates of birth, and treatment information of 1,025 individuals. Law enforcement agencies that learned of the breach informed the CE and requested delays of breach notification. The CE later provided breach notification to affected individuals, HHS, and the media, and offered affected individuals one year of free identity theft protection. Following the breach, the CE sanctioned two workforce members who had allowed the intern, who was no longer at the CE, to use their credentials to access the electronic medical records in violation of its policies. The CE also retrained workforce members on its privacy policies; increased access restrictions to social security numbers; and ended its clinic-based internships. OCR provided technical assistance and obtained assurances of the CE’s plan to update its breach notification policies and procedures. | Shands Jacksonville Medical Center, Inc. FL Healthcare Provider 1025 | Tuesday | 2013 |
City of Hope | CA | Healthcare Provider | 1024 | 2016-03-04 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), City of Hope, received a phishing email on January 18, 2016, causing unauthorized access to several employee email accounts. The protected health information (PHI) involved in the breach included patients’ names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers, clinical information, test results, and dates of service and, for one patient, the social security number and financial information. Approximately 1,024 individuals were affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. Following the breach, the CE blocked access to a form in the embedded link contained in the phishing email, blocked the sender of the phishing email from sending additional emails, updated its spam filter, removed the email from the inboxes of users who received it, and sent an email to all staff to advise them of the issue. Additionally, the CE began updating its anti-phishing defenses and has upgraded its firewall. OCR provided the CE with technical assistance regarding the Security Rule including risk analysis and risk management. | City of Hope CA Healthcare Provider 1024 | Friday | 2016 |
The Pediatric Endocrinology and Diabetes Specialists | NV | Healthcare Provider | 1021 | 2018-01-18 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | NA | NA | NA | NA | NA | No | NA | The Pediatric Endocrinology and Diabetes Specialists NV Healthcare Provider 1021 | Thursday | 2018 |
Comprehensive Care Management Corporation | NY | Health Plan | 1020 | 2010-06-14 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR’s investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI. | Comprehensive Care Management Corporation NY Health Plan 1020 | Monday | 2010 |
QUANTERION SOLUTIONS INC | NY | Business Associate | 1017 | 2012-11-01 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity’s (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver’s license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR’s investigation, the CE executed a BA agreement. | QUANTERION SOLUTIONS INC NY Business Associate 1017 | Thursday | 2012 |
Group Health Cooperative | WA | Healthcare Provider | 1015 | 2013-10-03 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The CE sent an erroneous mailing to 1,105 individuals which displayed protected health information (PHI) in the address window of the envelope. The PHI involved in the breach included patients' names, medical record numbers, diagnoses, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE reviewed, updated and implemented applicable procedures to correct the causes of this incident. In response to OCR's investigation, CE provided documentation of the corrective actions taken. | Group Health Cooperative WA Healthcare Provider 1015 | Thursday | 2013 |
National Mentor Healthcare, LLC. | MA | Healthcare Provider | 1015 | 2018-03-21 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | National Mentor Healthcare, LLC. MA Healthcare Provider 1015 | Wednesday | 2018 |
Brigham and Women’s Hospital | MA | Healthcare Provider | 1009 | 2016-01-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Brigham and Women’s Hospital MA Healthcare Provider 1009 | Monday | 2016 |
Barrington Orthopedic Specialists, Ltd | IL | Healthcare Provider | 1009 | 2015-09-24 | Theft | NA | NA | NA | NA | NA | Laptop | Other | NA | NA | NA | NA | NA | NA | No | On August 18, 2015, an employee of the covered entity (CE), Barrington Orthopedic Specialists, Ltd., discovered that a laptop and an electromyography (EMG) machine were stolen from her vehicle. The laptop and the EMG machine contained the names, dates of birth, and clinical and demographic information of approximately 1,009 individuals. The CE provided breach notification to HHS, affected individuals, and the media. It also filed a police report. To prevent similar breaches from happening in the future, the CE added additional units to its inventory, and stopped transporting EMG machines. The CE also retrained and counseled the employee involved in this matter on its HIPAA policies and procedures. OCR obtained and reviewed documentation that substantiates all the CE’s actions taken in response to the breach incident. | Barrington Orthopedic Specialists, Ltd IL Healthcare Provider 1009 | Thursday | 2015 |
Sierra View District Hospital | CA | Healthcare Provider | 1009 | 2013-09-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Sierra View Medical Center, impermissibly accessed an internal hospital roster covering different departments over a period of several days between July and August 2013, which potentially affected the electronic protected health information (ePHI) of approximately one thousand nine (1,009) individuals. The ePHI included patients’ names, room numbers, treating physicians’ information, diagnoses, and medical record data, including treatment notes. The CE provided breach notification to HHS, affected individuals, and the media. The CE investigated and determined that the employee had not used the information, despite impermissibly accessing it. The CE sanctioned the employee and implemented compliance actions to meet workforce security standards, including log-in monitoring. The CE also revised policies and procedures and conducted training on the security awareness standard. OCR provided substantive technical assistance and identified corrective actions that the CE must complete to comply with the Security Rule, which include the following: conduct and monitor a comprehensive, enterprise-wide risk analysis, update and monitor its risk management plan, and monitor its information access management to ensure adequate safeguards of ePHI. | Sierra View District Hospital CA Healthcare Provider 1009 | Friday | 2013 |
KEYSTONE INSURERS GROUP | IN | Business Associate | 1008 | 2014-05-06 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), City of Henderson, discovered that on several occasions between January 23, 2013, and March 3, 2013, its business associate (BA) broker, Keystone Insurers Group, disclosed more than the minimum necessary information to several health care providers who were being considered as a possible partner with the City in development of a City-run healthcare clinic. The BA had been hired to assist in the evaluation process of determining whether a City-operated health clinic would reduce health care costs. The types of protected health information (PHI) involved in the breach included demographic information such as names, insurance numbers, addresses, birthdates, and clinical information, such as diagnoses, treatment, prescriptions, and expenses. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to the incident, the CE obtained certificates of deletion and destruction from the recipients of the PHI and it terminated its agreement with the BA. The CE also revised its request for proposals process to include information about potential brokers' HIPAA training and any prior HIPAA breaches. In response to OCR's investigation, the CE created and implemented privacy policies and procedures, and trained staff on its HIPAA policies. | KEYSTONE INSURERS GROUP IN Business Associate 1008 | Tuesday | 2014 |
OhioHealth | OH | Healthcare Provider | 1006 | 2015-07-24 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On May 29, 2015, the covered entity (CE), OhioHealth, discovered that an unencrypted portable computer drive ("thumb drive") was missing. This breach affected approximately 1,006 individuals. The types of protected health information (PHI) involved in the breach included patients' names, medical record numbers, names of insurance companies, addresses, dates of birth, physicians' names, referral and treatment dates, type of procedures, and in certain limited instances, clinical information and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned and retrained the employee who lost the thumb drive, suspended use of thumb drives in the involved department, and retrained employees. The CE also revised its policies on mobile storage device security and usage and on disposition of thumb drives. Additionally, the CE encrypted mobile storage devices and revised and launched annual compliance education for its employees. OCR obtained documentation that the CE implemented the corrective action steps noted above. | OhioHealth OH Healthcare Provider 1006 | Friday | 2015 |
Baylor College of Medicine | TX | Healthcare Provider | 1004 | 2015-08-07 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | Paper/Films | NA | NA | NA | NA | NA | NA | No | A physician's backpack containing five unencrypted portable data drives and a handwritten notebook with the protected health information (PHI) of approximately 1,004 pediatric patients was stolen from an automobile. The types of PHI involved in the breach included names, dates of birth, hospital medical record numbers, types of surgery performed, and treating physicians' names. One of the drives contained surgical images of twenty patients. The breach affected approximately 876 patients of Texas Children’s Hospital (TCH) and 128 patients of Memorial-Hermann. The physician, a surgical fellow for the covered entity (CE), Baylor College of Medicine, reported the theft to the police and notified TCH. TCH initiated an investigation and notified the CE of the breach on July 15, 2015. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE distributed an acknowledgment and attestation document to each medical resident and fellow addressing the CE's patient privacy and security policies, including incident reporting procedures. Due to OCR's involvement, all residents, fellows and learners are required to complete the acknowledgment and attestation at the beginning of each academic year. The CE also initiated a policy to require the acknowledgment and attestation to be included in each graduate medical education program participant's contract at the beginning of each academic year. | Baylor College of Medicine TX Healthcare Provider 1004 | Friday | 2015 |
California Correctional Health Care Services, Privacy Manager Breach | CA | Healthcare Provider | 1001 | 2013-07-30 | Unknown | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | California Correctional Health Care Services, Privacy Manager Breach CA Healthcare Provider 1001 | Tuesday | 2013 |
The Children’s Medical Center of Dayton | OH | Healthcare Provider | 1001 | 2010-06-14 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | The Children’s Medical Center of Dayton OH Healthcare Provider 1001 | Monday | 2010 |
Missouri Dept. of Mental Health | MO | Healthcare Provider | 1000 | 2018-02-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Missouri Dept. of Mental Health MO Healthcare Provider 1000 | Wednesday | 2018 |
Black Hawk College | IL | Health Plan | 1000 | 2016-12-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A computer server for the covered entity's (CE) reinsurer was infected with ransomware from March 12 to August 8, 2016, making protected health information (PHI) accessible. The PHI included the names, addresses, dates of birth, Social Security numbers, and clinical data pertaining to approximately 1,000 individuals. The CE submitted a breach report to HHS out of caution even though the reinsurer was not a business associate (BA). The CE provided evidence that a BA was not necessary and the disclosures were permitted under HIPAA for health care operations purposes. The reinsurer provided breach notification to the affected individuals and the CE sent notice to the media and posted a substitute notice on its website. The CE also retrained staff and reviewed its BA agreements and its HIPAA policies and procedures. OCR obtained documentation that the CE implemented the actions listed above. | Black Hawk College IL Health Plan 1000 | Thursday | 2016 |
McLaren Greater Lansing Cardiovascular Group | MI | Healthcare Provider | 1000 | 2016-09-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Other | NA | NA | NA | NA | NA | No | NA | McLaren Greater Lansing Cardiovascular Group MI Healthcare Provider 1000 | Wednesday | 2016 |
Martin Army Community Hospital | GA | Healthcare Provider | 1000 | 2016-09-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | In December 2013, the IRS notified the covered entity (CE), Martin Army Community Hospital, that one of its employees was involved in identity theft activities. This review was consolidated with another review of this CE. | Martin Army Community Hospital GA Healthcare Provider 1000 | Friday | 2016 |
CalOptima | CA | Health Plan | 1000 | 2016-08-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An employee of CalOptima, the covered entity (CE), impermissibly copied data files containing the protected health information (PHI) of patients to an unauthorized electronic mobile storage device (a universal serial bus (USB)) on her last days of employment with the CE. The CE discovered the breach through its data loss prevention system. The breach affected approximately 15,800 individuals. The types of PHI involved included full names, addresses, dates of birth, claims information, diagnosis/conditions, medications, treatment information, Medicaid beneficiary numbers, and social security numbers. The CE provided breach notification to affected individuals, the media, and HHS, and also provided substitute notice. Following the breach, the CE immediately reported the incident to local law enforcement. As a result of the incident, the CE updated its policies and procedures, disabled USB device write privileges for all employees, and made sure its information security team will be informed when employees separated from the CE. The CE also implemented a new procedure requiring employees to justify and receive approval from management before submitting a request to its information security team to receive permission to write to USB devices. OCR obtained assurances from the CE that it implemented the corrective actions listed above. | CalOptima CA Health Plan 1000 | Monday | 2016 |
The Outer Banks Hospital | NC | Healthcare Provider | 1000 | 2016-08-19 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Outer Banks Hospital, lost two unencrypted portable computer drives (“flash” drives) containing the protected health information (PHI) of approximately 1,000 individuals during a move. The types of PHI on the lost flash drives included names, addresses, birthdates, social security numbers, diagnoses/conditions, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained its workforce with respect to appropriate portable devices and media storage. Additionally, the CE initiated the deployment of new technology on all computer workstations to detect and prevent PHI from being downloaded to portable storage media devices. The CE also began using auto-encryption technology rather than relying on user actions to encrypt data and implemented related procedures. Further, the CE drafted a new procedure for physical practice acquisitions which includes a more thorough risk assessment of privacy and security components. OCR obtained assurances that the CE implemented the corrective actions listed above. | The Outer Banks Hospital NC Healthcare Provider 1000 | Friday | 2016 |
Florida Medical Clinic, PA | FL | Healthcare Provider | 1000 | 2016-05-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Doc already approved with closure letter. | Florida Medical Clinic, PA FL Healthcare Provider 1000 | Wednesday | 2016 |
United Community & Family Services | CT | Healthcare Provider | 1000 | 2016-04-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | United Community Family Services, the covered entity (CE), mistakenly sent an email blast that advertised dental services, to current and former patients, with email addresses visible to all of the other recipients of the email. The emails were encrypted so that only the recipients could have accessed them. Approximately 1,095 individuals were affected by this breach. The types of protected health information (PHI) involved in the breach included some names as part of the email addresses and the implied suggestion that these individuals had received dental services from this CE. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE implemented plans to review and revise its policies to ensure adequate safeguards of electronic PHI. Additionally, the covered entity re-trained staff on its HIPAA policies and issued periodic HIPAA reminders to staff. | United Community & Family Services CT Healthcare Provider 1000 | Tuesday | 2016 |
Unity Recovery Group, Inc.,Starting Point Detox LLC, Lakeside Treatment Center LLC, Changing Tides Transitional Living LLC, Unity Recovery Center, Inc | FL | Healthcare Provider | 1000 | 2015-05-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Unity Recovery Group, Inc. (Unity) shared patient information with other covered entities for continuation of substance abuse treatment. It erroneously believed this practice to be an impermissible disclosure and filed a breach report with HHS. After OCR determined that no breach had occurred, OCR provided technical assistance to Unity regarding permissible disclosures for treatment purposes, the difference between “consent” and “authorization” under HIPAA, the definition of a breach of protected health information, when notification must be provided, and when notification is not required. Further, Unity and its affiliates permanently closed on December 31, 2015 with no intention to resume future operations in the same legal entity name. | Unity Recovery Group, Inc.,Starting Point Detox LLC, Lakeside Treatment Center LLC, Changing Tides Transitional Living LLC, Unity Recovery Center, Inc FL Healthcare Provider 1000 | Monday | 2015 |
City of Dallas Fire-Rescue Department | TX | Healthcare Provider | 1000 | 2014-10-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Multiple laptop computers containing EKG strips were lost, stolen, or unaccounted for from the covered entity (CE), City of Dallas Fire-Rescue Department. The electronic protected health information (ePHI) on the laptops included EKG strips in addition to the names, addresses, medical history, diagnoses, dates of birth, and the social security numbers of approximately 1,000 individuals. Upon discovering the breach, the CE formed a breach assessment team to review and address investigation findings. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security to address deficiencies within its system. OCR obtained assurances that the CE implemented the corrective actions listed. | City of Dallas Fire-Rescue Department TX Healthcare Provider 1000 | Wednesday | 2014 |
Howard L. Weinstein D.P.M. | TX | Healthcare Provider | 1000 | 2014-05-10 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Four encrypted laptop computers and the back-up system containing the electronic protected health information (ePHI) of approximately 1,000 individuals were stolen as a result of a break-in at the office of the covered entity (CE), Howard L. Weinstein, D.P.M. The CE immediately reported the incident to police and an investigation ensued. The ePHI involved in the theft was encrypted and the CE determined that a breach of ePHI was unlikely. However, the CE responded to the incident as though a breach had occurred and personnel notified the potential affected parties through mailing, media notification, and website notification. They also followed the procedure to file a Breach Notification Report with HHS. The CE implemented additional physical, technical, and administrative safeguards to ensure the security of ePHI. In addition, the CE immediately acted on the recovery plan, and has moved data to a cloud encrypted storage system. | Howard L. Weinstein D.P.M. TX Healthcare Provider 1000 | Saturday | 2014 |
Medical Center of Plano | TX | Business Associate | 1000 | 2014-03-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity (CE), Medical Center of Plano, reported that the business associate (BA), Relay-Health, inadvertently sent an incorrect mailing affecting 1,000 individuals. The CE learned that the actual number of individuals affected by the breach was one patient and filed an addendum to reflect the correct number of patients affected by the breach. The protected health information (PHI) involved in the breach included the individual’s name, address, account number, admission and discharge dates, and payment information. Following the breach, the BA reviewed the standard operating procedure with the entire project management team and modified its mailing process. It also contacted the affected individual and provided contact information if needed to address concerns and questions in reference to the incident. | Medical Center of Plano TX Business Associate 1000 | Monday | 2014 |
Stoetzel’s Planet Chiropractic | IL | Healthcare Provider | 1000 | 2014-03-25 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | An unauthorized individual broke into the covered entity’s (CE) facility and stole a laptop computer containing the electronic protected health information (ePHI) of approximately 1,000 individuals, including names, credit card numbers, bank account numbers, treatment information, and x-ray images. The CE provided breach notification to HHS, affected individuals, and prominent media outlets in Illinois. Following the breach, the CE reported the theft to the local police department, relocated to a new facility, and implemented facility security measures, including a security alarm system. It also enhanced its policies and procedures implementing the Privacy and Security Rules. OCR obtained assurances that the CE implemented the corrective actions listed. | Stoetzel’s Planet Chiropractic IL Healthcare Provider 1000 | Tuesday | 2014 |
Berea College | KY | Healthcare Provider | 1000 | 2014-03-20 | Other | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Berea College KY Healthcare Provider 1000 | Thursday | 2014 |
American Anesthesiology, Inc. | FL | Healthcare Provider | 1000 | 2013-12-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) business associate (BA), Financial Imaging, LLC, erroneously mailed 1,000 patient invoices to the wrong patients. The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, and procedures performed. The BA sent breach notification letters to affected individuals and reimbursed the CE for all costs associated with breach notification it provided to the media. Following the breach, the BA revised its quality assurance process to ensure the accuracy of future print jobs and counseled and retrained the staff involved in the breach. The CE had a BA agreement in place and policies that were in compliance with the HIPAA Rules. OCR obtained assurances that CE and BA implemented the corrective actions listed above. | American Anesthesiology, Inc. FL Healthcare Provider 1000 | Wednesday | 2013 |
Yadkinville Chiropractic DCPA | NC | Business Associate | 1000 | 2013-02-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | On February 1, 2013, the back door to the covered entity’s (CE) facility was pried open and its unencrypted desktop computer was stolen. Due to the theft, the protected health information (PHI) of 1,000 individuals was potentially exposed, including names, dates of birth, and social security numbers. The CE provided timely breach notification to HHS, affected individuals, and the media, and posted substitute notice in the lobby of its facility. In response to the breach, the CE replaced the back door, upgraded its security system, and installed cameras. The CE updated its billing software and on October 30, 2014, the CE was sold and effectively ceased operations. OCR obtained assurances that the CE implemented the corrective actions listed above. | Yadkinville Chiropractic DCPA NC Business Associate 1000 | Wednesday | 2013 |
DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central | TX | Healthcare Provider | 1000 | 2012-04-16 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | After an extensive investigation, OCR determined that DRD Knoxville was not a HIPAA covered entity at the time that the incident occurred. | DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central TX Healthcare Provider 1000 | Monday | 2012 |
IU Medical Group | IN | Healthcare Provider | 1000 | 2012-04-12 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | IU Medical Group IN Healthcare Provider 1000 | Thursday | 2012 |
AccentCare Home Health of California, Inc. Medicare # 057564 CA state License # 080000226 | CA | Healthcare Provider | 1000 | 2012-04-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A former workforce member of the covered entity (CE), AccentCare Home Health Care of CA, downloaded and forwarded the electronic protected health information (ePHI) of approximately 1,000 individuals via a personal email account to other ex-workforce members. The ePHI included names, addresses, zip codes, social security numbers, diagnoses and conditions. This was discovered nearly a year after the incident during a deposition. The intended recipients denied requesting or receiving the ePHI. The CE provided breach notification to HHS, affected individuals, and the media. Following discovery of the breach, the CE hired a third party to conduct a risk assessment, followed through with recommended risk management processes and began working toward obtaining a HITRUST Certification. As a result of OCR’s investigation, the CE improved its understanding of the risk analysis and risk management process. | AccentCare Home Health of California, Inc. Medicare # 057564 CA state License # 080000226 CA Healthcare Provider 1000 | Tuesday | 2012 |
Riverside Mercy Hospital and Ohio/Mercy Diagnostics | OH | Healthcare Provider | 1000 | 2010-12-21 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Riverside Mercy Hospital and Ohio/Mercy Diagnostics OH Healthcare Provider 1000 | Tuesday | 2010 |
Gary C. Spinks, DMD, PC | MD | Healthcare Provider | 1000 | 2010-12-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Gary C. Spinks, DMD, PC MD Healthcare Provider 1000 | Monday | 2010 |
Hospital Auxilio Mutuo | PR | Healthcare Provider | 1000 | 2010-12-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Hospital Auxilio Mutuo de Puerto Rico, Inc., reported that on November 9, 2010, an employee resigned his position and removed two computer hard drives and a laptop computer that contained electronic protected health information (ePHI), potentially affecting over 30,000 individuals. The CE initially reported that the breached ePHI included names, addresses, zip codes, dates of births, social security numbers, diagnostic conditions and other treatment information. During the investigation, the CE retrieved the hard drives and laptop and determined that the hard drives contained confidential financial information and business making decisions by the CE, and did not include the types of identifiers (e.g. patient names, Social Security numbers, home addresses, etc.) that could be used to re-identify an individual. Thus, the CE determined that the theft did not constitute a breach of ePHI. Further, the CE determined that the laptop was an information technology department laptop that only contained financial data and upper management e-mails. As a result of OCR’s investigation, OCR has required the CE to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff. | Hospital Auxilio Mutuo PR Healthcare Provider 1000 | Monday | 2010 |
University of Arkansas for Medical Sciences | AR | Healthcare Provider | 1000 | 2010-10-18 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | University of Arkansas for Medical Sciences AR Healthcare Provider 1000 | Monday | 2010 |
SunBridge Healthcare Corporation | NM | Healthcare Provider | 1000 | 2010-08-25 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A BlackBerry personal digital assistant device, which stored the protected health information (PHI) of 1,000 patients, was stolen from a workforce member. The types of PHI involved in the breach included names, birthdates, diagnoses/conditions, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft protection services to the individuals. Following the breach, the CE encrypted and password protected all its Blackberry devices. As a result of OCR’s investigation, the CE changed its Blackberry encryption policy. | SunBridge Healthcare Corporation NM Healthcare Provider 1000 | Wednesday | 2010 |
Yale University | CT | Healthcare Provider | 1000 | 2010-08-18 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unsecured laptop computer containing sensitive protected health information (PHI) involving the Ryan White Part A program, involving approximately 1,000 individuals, was stolen from an office building on Yale’s premises. The types of PHI contained on the laptop consisted of names, dates of birth, diagnoses/conditions, medications, lab results, and other treatment information. The covered entity (CE) provided breach notification to HHS, the media and affected individuals. Following the breach, the CE installed access card readers for entry to the office suite, inspected the facility’s alarm system, replaced custodial staff, and limited cleaning to office hours. The CE also accelerated the implementation of safeguards created prior to the theft, implemented mandatory encryption for all mobile devices, and created a new system to ensure all employees complete mandatory Privacy and Security Awareness training. The CE also revised several policies and procedures on ePHI security. OCR obtained assurances that the CE implemented the corrective actions listed above. | Yale University CT Healthcare Provider 1000 | Wednesday | 2010 |
Children’s Hospital & Research Center at Oakland | CA | Healthcare Provider | 1000 | 2010-06-29 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s Hospital & Research Center at Oakland CA Healthcare Provider 1000 | Tuesday | 2010 |
Rainbow Hospice and Palliative Care | IL | Healthcare Provider | 1000 | 2010-05-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An employee’s laptop was stolen out of her bag while she was making an admission visit in a patient’s home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. | Rainbow Hospice and Palliative Care IL Healthcare Provider 1000 | Wednesday | 2010 |
Mid America Kidney Stone Association, LLC | MO | Healthcare Provider | 1000 | 2009-10-28 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR’s investigation the CE updated its computer password policy. | Mid America Kidney Stone Association, LLC MO Healthcare Provider 1000 | Wednesday | 2009 |
Brooke Army Medical Center | TX | Healthcare Provider | 1000 | 2009-10-21 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member’s vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR’s investigation, the CE notified the local media about the breach. | Brooke Army Medical Center TX Healthcare Provider 1000 | Wednesday | 2009 |
University of Wisconsin - Madison | WI | Healthcare Provider | 1000 | 2017-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Wisconsin - Madison WI Healthcare Provider 1000 | Thursday | 2017 |
Brigham and Women’s Hospital | MA | Healthcare Provider | 999 | 2014-11-17 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Brigham & Women’s Hospital, had an encrypted laptop and cell phone stolen during an armed robbery and was forced to disclose password and encryption keys during the robbery. The devices contained the protected health information (PHI) of 999 individuals. The types of PHI involved in the breach included names, medical records numbers, age, and diagnostic information. In response to OCR’s investigation, the CE initiated a new enterprise wide risk analysis. | Brigham and Women’s Hospital MA Healthcare Provider 999 | Monday | 2014 |
BlueCross BlueShield of South Carolina | SC | Business Associate | 998 | 2016-02-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), BlueCross, of the covered entity (CE), South Carolina Public Employee Benefit Authority, incorrectly mailed pre-authorization dental letters to the CE’s members due to a computer error. During the mailing sorting process, the names of the envelopes were not matched to the correct addresses. The breach affected 998 individuals and included financial, demographic, and clinical information. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA revised its procedures for ensuring data integrity and accuracy and enhanced procedures to include a quality control validation step. The BA trained systems support staff and confirmed that it requires all of its employees, contractors and consultants employed or retained for longer than 45 days to receive HIPAA training. OCR obtained assurances that the BA implemented the corrective actions listed above. | BlueCross BlueShield of South Carolina SC Business Associate 998 | Friday | 2016 |
Dreyer Medical Clinic | IL | Business Associate | 998 | 2013-09-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Dreyer Medical Clinic IL Business Associate 998 | Friday | 2013 |
Gallant Risk & Insurance Services, Inc. | CA | Business Associate | 995 | 2015-06-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On April 4, 2015, laptop computers belonging to the business associate (BA), Gallant Risk & Insurance Services, Inc., were stolen due to an office break-in. The breach affected 995 individuals’ protected health information (PHI), including a combination of individuals’ names, addresses, dates of birth, social security numbers, group policy numbers, and insurance identification numbers. The BA reported the incident to local law enforcement and to the affected covered entities. In response to OCR’s investigation, the BA ensured the proper breach notifications were provided, increased physical security, increased technical safeguards for electronic PHI (such as utilizing additional encryption), and adopted HIPAA policies and procedures. OCR obtained documented assurances that the BA implemented these corrective steps. | Gallant Risk & Insurance Services, Inc. CA Business Associate 995 | Wednesday | 2015 |
Mentor ABI, LLC | MA | Healthcare Provider | 994 | 2018-03-21 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Mentor ABI, LLC MA Healthcare Provider 994 | Wednesday | 2018 |
Baxter Healthcare | IL | Healthcare Provider | 992 | 2016-10-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On September 15, 2016, an employee transmitted an email to patients inviting them to participate in a product-specific Patient Advisory Council. The email contained patients’ complete email addresses in the “To” field of the email message, so that recipients could see other recipients’ email addresses, which may have also included names. Approximately 992 individuals were affected by the breach. The covered entity (CE), Baxter Healthcare, provided breach notification to HHS, affected individuals, and the media, and also filed a police report. To prevent similar breaches from happening in the future, the CE reeducated and counseled the employee involved in this matter on its HIPAA policies and procedures and sanctioned the employee in accordance with its sanctions policy. The CE also provided training to its workforce on its policies and procedures regarding HIPAA, which highlighted the risks involved with emailing protected health information. OCR obtained written assurances that the CE implemented the corrective actions noted above. | Baxter Healthcare IL Healthcare Provider 992 | Monday | 2016 |
Center for Minimmally Invasive Bariatric and General Surgery | PA | Healthcare Provider | 992 | 2016-08-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee erroneously emailed a group of 992 patients about a support group and copied other patients so that they were able to see the email addresses of all the other individuals to whom the email was sent. The types of protected health information (PHI) involved in this incident included email addresses and information which may have suggested that the individual was a patient of the covered entity (CE). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its policies and procedures, attempted to recall the email, and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above and provided technical assistance on reasonable safeguards. | Center for Minimmally Invasive Bariatric and General Surgery PA Healthcare Provider 992 | Friday | 2016 |
Pathways Professional Counseling | AL | Healthcare Provider | 986 | 2015-11-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On September 25, 2015, an employee’s unencrypted, password-protected laptop computer was stolen from his vehicle. The computer contained the protected health information (PHI) of 985 patients, including addresses, names, dates of birth, clinical diagnoses, financial information, social security numbers, email addresses, physician information, health insurance information, treatment information, and medication information. The CE, Pathways Professional Counseling, provided breach notification to HHS, affected individuals, and the media. In response to this breach, the CE engaged a third party to encrypt its computers and retrain employees who may use, disclose, or access PHI. It also revised its HIPAA Compliance Plan, implemented a policy requiring encryption for mobile devices before access is granted, and implemented a policy requiring reasonable security measures when employees use their own electronic devices. The CE also sanctioned the employee involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pathways Professional Counseling AL Healthcare Provider 986 | Tuesday | 2015 |
Midwest Urological Group | IL | Healthcare Provider | 982 | 2014-07-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On May 30, 2014, an unencrypted laptop computer was stolen from a company closet. The laptop contained the protected health information (PHI) of approximately 982 individuals, including names and data from medical tests. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and also notified police. Following the breach, the CE sanctioned and retrained the employee responsible for securing the computer and implemented new policies and procedures to improve safeguards to PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Midwest Urological Group IL Healthcare Provider 982 | Wednesday | 2014 |
Family & Children’s Services of Mid Michigan, Inc. | MI | Healthcare Provider | 981 | 2016-04-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Family & Children’s Services of Mid Michigan, Inc. MI Healthcare Provider 981 | Wednesday | 2016 |
The MetroHealth System | OH | Healthcare Provider | 981 | 2015-05-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | The MetroHealth System OH Healthcare Provider 981 | Friday | 2015 |
Philip P Corneliuson, DDS, INC. | CA | Healthcare Provider | 980 | 2012-10-22 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Philip P Corneliuson, DDS, INC. CA Healthcare Provider 980 | Monday | 2012 |
Clinical Reference Laboratory, Inc. | KS | Healthcare Provider | 979 | 2014-04-09 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Services (USPS). The protected health information (PHI) involved in the breach included the names, dates of birth, partial social security numbers, and lab test types of approximately 979 individuals residing in multiple states. The CE provided breach notification to HHS and affected individuals. Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation. | Clinical Reference Laboratory, Inc. KS Healthcare Provider 979 | Wednesday | 2014 |
Rite Aid Store 01617 | NY | Healthcare Provider | 976 | 2016-02-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Other | NA | NA | NA | NA | NA | NA | No | From November 19, 2014, through November 18, 2015, an employee of the covered entity (CE), Rite Aid Pharmacy Store 01617, obtained customers’ credit card information along with other personal identifiers, which he used to commit credit card fraud. The incident affected 976 individuals. The electronic protected health information (ePHI) involved included patients’ names, addresses, dates of birth, and credit card information. As a result of the breach, the CE conducted an internal investigation, sanctioned the employee responsible for the incident, and revised its policy regarding handling of payment cards. The CE provided breach notification to HHS, affected individuals, and the media and provided one year free of credit monitoring services. OCR provided the CE with technical assistance regarding the requirements of the HIPAA Security Rule with respect to risk analyses, development of risk management plans, and implementation of procedures to review records of information system activity, grant access to ePHI, and deploy audit controls. In this case, employee sanctions included termination of employment. | Rite Aid Store 01617 NY Healthcare Provider 976 | Wednesday | 2016 |
Edwin Shaw Rehabilitation | OH | Healthcare Provider | 975 | 2016-04-22 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On February 19, 2016, an employee of the covered entity (CE), Edwin Shaw Rehabilitation, mistakenly left behind a day planner that contained an unencrypted mobile computer drive (a universal serial bus, or “USB” drive), at a business-related function. The drive contained a spreadsheet file that included the names, medical record numbers, insurance providers’ names, and limited clinical information of 975 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the involved employee, conducted mandatory privacy and security training for all members of its leadership team, and implemented a month-long security awareness campaign for all employees that included HIPAA education and collection of unencrypted USB drives. The CE also deployed new forms for employees to request an encrypted mobile computer drive. OCR obtained written assurances that the CE implemented the corrective actions noted above. | Edwin Shaw Rehabilitation OH Healthcare Provider 975 | Friday | 2016 |
WhiteGlove Health | TX | Healthcare Provider | 975 | 2015-12-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) sent an email containing 975 patients’ names, addresses, dates of birth and insurance identification numbers to an email address outside of the company. On December 6, 2017, OCR received notification from WhiteGlove’s attorney that WhiteGlove ceased all healthcare business activities, effective August 31, 2017. OCR verified this information through a statement posted on WhiteGlove’s website. Under these circumstances WhiteGlove is no longer a CE and is not subject to the requirements of HIPAA. | WhiteGlove Health TX Healthcare Provider 975 | Wednesday | 2015 |
Associates In EyeCare, P.S.C. | KY | Healthcare Provider | 971 | 2016-05-16 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | An office of the covered entity (CE), Associates in EyeCare, P.S.C., was broken into and two laptop computers and an external hard drive were stolen. The breach affected 971 individuals and the types of protected health information (PHI) involved in the breach included patients’ names, internal account numbers, optical images, technical information about the images, and dates of birth. The CE provided timely breach notification to HHS, affected individuals, and the media. The CE also posted notification about the breach to its website. In response to the breach, the CE changed the exterior locks on the clinic doors, revised its policies for moving laptops between offices, began saving all patient information to the cloud, and equipped its new laptop with encryption and physical security. Further, the CE revised its security policies. OCR obtained assurances that the CE will train its employees on its updated policies. | Associates In EyeCare, P.S.C. KY Healthcare Provider 971 | Monday | 2016 |
Highland Rivers Community Service Board | GA | Healthcare Provider | 967 | 2017-03-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A staff member of Highland Rivers Community Service Board, the covered entity (CE), sent incorrect information to the CE’s billing agent. Relying on the incorrect information, the billing agent mailed statements to 967 individuals, some of which contained protected health information (PHI) for the wrong patients. The statements contained the individual’s name, account number, dates of service, fees for service, and cumulative balance. Following the incident, the CE sanctioned the staff member involved, provided HIPAA retraining, and reviewed its policies and procedures. As a result of OCR’s investigation, the CE created a new, more secure written procedure for sharing PHI with vendors. The CE also provided breach notification to HHS, the affected individuals, and the media. Further, in response to technical assistance provided by OCR, the CE provided substitute notice on its website and in person, when individuals next visited the CE for services. | Highland Rivers Community Service Board GA Healthcare Provider 967 | Monday | 2017 |
St. James Hospital and Health Centers | IL | Healthcare Provider | 967 | 2010-09-24 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | St. James Hospital and Health Centers IL Healthcare Provider 967 | Friday | 2010 |
SHIELDS For Families | CA | Healthcare Provider | 961 | 2012-04-26 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On February 27, 2012, a computer server was stolen from the covered entity (CE), Shields for Families. The server contained the electronic protected health information (ePHI) of 961 individuals and included names, addresses, zip codes, birth dates and referral information. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical safeguards by relocating the new server to a locked office and securing it within the room. The CE initiated major improvements to its IT infrastructure, revised its security program, and retrained workforce members on its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | SHIELDS For Families CA Healthcare Provider 961 | Thursday | 2012 |
Specialty Dental Partners of Philadelphia, PLLC.- DBA Rich Orthodontics | PA | Healthcare Provider | 960 | 2017-03-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Specialty Dental Partners of Philadelphia, PLLC.- DBA Rich Orthodontics PA Healthcare Provider 960 | Thursday | 2017 |
Dean Health Plan | WI | Health Plan | 960 | 2015-11-11 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A mailing that contained estimate of payment (EOP) documents was damaged in transit from the covered entity’s (CE) business associate (BA), Emdeon, to a bank via United Parcel Services (UPS). On September 25, 2015, the United States Postal Service returned 31 pages of the 148 page mailing to the CE. The breach incident involved the protected health information (PHI) of approximately 960 individuals and included dates of service, member names, health plan member identification numbers, and procedure codes. The CE investigated the breach but was unable to determine who was at fault. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE worked with the BA to develop and implement procedures to reduce the number of paper documents transmitted. As a result of OCR’s investigation, OCR reviewed copies of the correspondence with the BA and UPS regarding this matter, the BA agreement, and the CE’s HIPAA policies and procedures. | Dean Health Plan WI Health Plan 960 | Wednesday | 2015 |
Broward Health Medical Center | FL | Healthcare Provider | 960 | 2013-10-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | Broward Health Medical Center, the covered entity (CE), discovered that an employee had taken paper patient facesheets off the premises, which were then stolen from the employee’s home by a visitor. The names, dates of birth, addresses, telephone numbers, social security numbers, primary insurance providers, insurance guarantors, reasons for visits, employers, and emergency contact information pertaining to 960 potentially affected individuals were exposed due to the breach. The CE provided breach notification to HHS, to affected individuals and to the media. At the time of the breach the CE had policies in place prohibiting the removal of PHI from the facility and the employee at fault for this incident is no longer employed by the CE. In response to the breach, the CE re-trained its workforce to reinforce its existing policies. OCR provided technical assistance regarding procedures for responding to and reporting privacy incidents as well as the CE’s obligations under the Breach Notification Rule in the event of a law enforcement delay. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Broward Health Medical Center FL Healthcare Provider 960 | Thursday | 2013 |
Lincoln County Health and Human Services/Lincoln Community Health Center | OR | Healthcare Provider | 959 | 2013-06-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) locked building was burglarized and a locked medical chart room containing protected health information (PHI) in paper form was broken into and accessed by an unknown person(s). No PHI was removed and forensics determined there were no attempts to access electronic PHI on the CE’s computers. The medical charts potentially accessed included names, dates of birth, addresses, social security numbers, financial information, medications, treatment information, and lab results for 956 individuals. The CE improved physical safeguards by repairing or replacing the broken locks and adding a security camera. OCR’s investigation confirmed that the appropriate breach notifications were made and that corrective action steps were taken. OCR also required the CE to update its breach notification policies and procedures, and retrain its staff on its revised policies. | Lincoln County Health and Human Services/Lincoln Community Health Center OR Healthcare Provider 959 | Friday | 2013 |
Community Memorial Health System | CA | Healthcare Provider | 959 | 2017-09-05 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Community Memorial Health System CA Healthcare Provider 959 | Tuesday | 2017 |
CDC/NIOSH World Trade Center Health Program (WTCHP) | GA | Health Plan | 958 | 2015-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On February 5, 2015, a remittance advice report containing the health services and financial information of approximately 958 individuals was ripped open while at the U.S. postal office, improperly disclosing the individuals’ protected health information (PHI), including patients’ names, member numbers, services rendered, dates of service, and provider information. The postal office rewrapped the remaining pages from the package, and delivered them to a business associate (BA) of the covered entity (CE), World Trade Center Health Program, to which they were addressed. The CE provided breach notification to HHS and affected individuals, but no media notice was required due to the geographic locations of the affected individuals. In response to the breach, the CE revised its HIPAA training program. Additionally, National Government Services, the BA that sent the mailing on behalf of the CE, revised its mailing processes and procedures by using only non-tear envelopes or boxes for future mailings. OCR obtained assurances that the CE implemented the corrective actions listed above. | CDC/NIOSH World Trade Center Health Program (WTCHP) GA Health Plan 958 | Thursday | 2015 |
City of Corona, Privacy Manager Breach | CA | Business Associate | 958 | 2012-12-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Corona, Privacy Manager Breach CA Business Associate 958 | Thursday | 2012 |
Rotech Healthcare Inc. | FL | Healthcare Provider | 957 | 2016-08-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Rotech Healthcare, Inc., the covered entity (“CE”), discovered that medical records from its electronic medical records system were printed, removed from the office, and recovered by the Secret Service. The breach affected 957 patients in 27 states. There were less than 500 individuals affected in any given state. The records involved in the breach contained patients’ names, social security numbers, patients’ numbers, dates of birth, dates of death, addresses, phone numbers, and the names of the Rotech subsidiary companies from which the individual received healthcare services. The CE sent timely breach notification to HHS and to affected individuals, and posted notification to its website. The CE also offered two years of free identity protection to affected individuals. In response to the breach, the CE revised its data monitoring policies and procedures, revised physical safeguards in office locations with the highest risk factors for a future breach, and sanctioned the employees alleged to have been involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Rotech Healthcare Inc. FL Healthcare Provider 957 | Thursday | 2016 |
Griffin Hospital | CT | Healthcare Provider | 957 | 2010-03-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No |  | Griffin Hospital CT Healthcare Provider 957 | Friday | 2010 |
KPMG LLP | NY | Business Associate | 956 | 2010-08-26 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE’s business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CE’s BA conducted a search of the area. The CE provided breach notification to HHS, the Media and affected individuals. As a result of OCR’s investigation, the BA installed and implemented encryption software to its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CE’s data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | KPMG LLP NY Business Associate 956 | Thursday | 2010 |
Haywood County NC | NC | Healthcare Provider | 955 | 2015-02-09 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On or around October 31, 2014, a paper accounts receivable report went missing from the covered entity’s (CE) billing office. The report contained the protected health information (PHI) of 955 individuals and included patients’ internal identification numbers, names, clinics visited, and amounts owed. The CE provided breach notification to HHS, affected individuals, and the media, and set up a toll free number answer line and e-mail contact. In response to the incident, the CE conducted an internal investigation and also contacted law enforcement and asked them to investigate. As a result of its investigation, the CE enhanced the physical security for the billing office, provided locked file cabinets, and restricted access to that office. In addition, the CE retrained staff, updated the roles and responsibilities for its HIPAA officer, and reviewed all HIPAA policies and procedures. As part of this investigation, OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures and documentation of staff training. | Haywood County NC NC Healthcare Provider 955 | Monday | 2015 |
CVS Caremark | RI | Healthcare Provider | 955 | 2012-10-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | CVS Caremark RI Healthcare Provider 955 | Friday | 2012 |
Pediatric Sports and Spine Associates | TX | Healthcare Provider | 955 | 2010-04-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop was stolen from an employee’s vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop’s access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. | Pediatric Sports and Spine Associates TX Healthcare Provider 955 | Friday | 2010 |
Vertiv Co. Health & Welfare Plan | OH | Health Plan | 955 | 2017-01-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Vertiv Co. Health & Welfare Plan OH Health Plan 955 | Tuesday | 2017 |
Southwest General Health Center | OH | Healthcare Provider | 953 | 2014-01-13 | Unknown | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) misplaced a binder containing the protected health information (PHI) of approximately 953 individuals from its Maternity Unit. The PHI involved in the breach included names, dates of birth, medical record numbers and limited clinical information. The CE provided breach notification to affected individuals, HHS, and the media. To prevent a similar breach from occurring in the future, the covered entity strengthened its physical safeguards and retrained employees on safeguarding PHI. OCR obtained assurances that the corrective actions listed above were completed. | Southwest General Health Center OH Healthcare Provider 953 | Monday | 2014 |
Joseph F. Lopez, MD | CA | Healthcare Provider | 952 | 2009-11-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. | Joseph F. Lopez, MD CA Healthcare Provider 952 | Friday | 2009 |
MVP Health Care, Inc. | NY | Health Plan | 951 | 2017-04-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | MVP Health Care, Inc. NY Health Plan 951 | Friday | 2017 |
Ronald Schubert MD PLLC | WA | Healthcare Provider | 950 | 2013-11-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A covered entity (CE) physician’s car was broken into while parked in a public non-work location and an unencrypted laptop computer under the seat was stolen. The electronic protected health information (ePHI) involved in the breach included addresses, birth dates, social security numbers and clinical information in password-protected electronic medical record software and affected 950 individuals. The CE filed a police report and notified practice partners. Breach notification was provided to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by encrypting all devices and media that store, access or transmit ePHI. As a result of OCR’s investigation, OCR provided technical assistance and the CE implemented a policy to formalize the procedures for safeguarding mobile devices. | Ronald Schubert MD PLLC WA Healthcare Provider 950 | Tuesday | 2013 |
New River Health Association | WV | Healthcare Provider | 950 | 2011-06-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | New River Health Association WV Healthcare Provider 950 | Thursday | 2011 |
Billings Clinic | MT | Healthcare Provider | 949 | 2018-04-27 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Billings Clinic MT Healthcare Provider 949 | Friday | 2018 |
Texas Health Presbyterian Dallas Hospital | TX | Healthcare Provider | 949 | 2013-10-22 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Texas Health Presbyterian Dallas Hospital TX Healthcare Provider 949 | Tuesday | 2013 |
Aventura Hospital and Medical Center | FL | Healthcare Provider | 948 | 2014-08-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Aventura Hospital and Medical Center FL Healthcare Provider 948 | Tuesday | 2014 |
Rite Aid #2255 | WV | Health Plan | 948 | 2013-07-19 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Rite Aid #2255 WV Health Plan 948 | Friday | 2013 |
Middlesex Hospital | CT | Healthcare Provider | 946 | 2015-12-04 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | Four Middlesex Hospital employees responded to a phishing email, resulting in the disclosure of the protected health information (PHI) of 945 individuals. The information accessed included patients’ names, addresses, dates of birth and social security numbers. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. The CE also set up a dedicated call center to answer questions for affected individuals and provided affected individuals with 12 months of credit monitoring services at no cost. Following the breach, the CE developed a mandatory Phishing Awareness and Response Training program for employees and required additional training for all supervisors and managers to provide to their staff. Additional mitigation included the designation of March as “Cyber Awareness” month, which includes the implementation of a number of tools to educate staff on cyber threats, separate personal meetings and trainings between those employees whose accounts had been compromised, and the procurement of a vendor to conduct social engineering testing to assess the effectiveness of the CE’s staff training. The CE also upgraded its anti-virus program and will continue to utilize the security reporting tool it had purchased, which detected this breach. OCR obtained assurances that the CE implemented the corrective action steps listed above. | Middlesex Hospital CT Healthcare Provider 946 | Friday | 2015 |
The Children’s Hospital of Philadelphia | PA | Healthcare Provider | 943 | 2009-11-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen from a hospital employee’s vehicle. The computer contained the protected health information (PHI) of 943 individuals and included names, contact information, dates of birth, social security numbers, medical record numbers, and health insurance information including diagnosis codes and billing code descriptions. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE accelerated and completed implementation of a pre-existing plan to encrypt all hospital laptops. Additionally, the CE revised its information security policies and retrained its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. | The Children’s Hospital of Philadelphia PA Healthcare Provider 943 | Tuesday | 2009 |
Charlotte Clark-Neitzel, MD | WA | Healthcare Provider | 942 | 2012-09-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Charlotte Clark-Neitzel, MD WA Healthcare Provider 942 | Friday | 2012 |
University Health Services, University of Massachusetts, Amherst | MA | Healthcare Provider | 942 | 2011-03-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | University Health Services, University of Massachusetts, Amherst MA Healthcare Provider 942 | Monday | 2011 |
Baylor All Saints Medical Center at Fort Worth | TX | Healthcare Provider | 940 | 2013-08-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A former employee of the covered entity (CE), Baylor All Saints Medical Center at Fort Worth, breached protected health information (PHI) via text messages forwarded from a pager of the CE. The PHI involved in the breach included the names, demographic information, patients’ bed locations in the emergency department, and ER admission notifications of approximately 940 individuals. Breach notification was provided to HHS, affected individuals, and the media. Following the breach, the CE disabled the copy forward feature on all pagers receiving messages from the pager vendor, and revised pager procedures. As a result of OCR’s investigation, the vendor’s software and paging server configuration was changed, and the CE revised its pager requisition form to reflect prohibited device settings. | Baylor All Saints Medical Center at Fort Worth TX Healthcare Provider 940 | Monday | 2013 |
Florida Blue | FL | Health Plan | 939 | 2017-10-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Florida Blue FL Health Plan 939 | Friday | 2017 |
MN Urology | MN | Healthcare Provider | 939 | 2017-09-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | MN Urology MN Healthcare Provider 939 | Monday | 2017 |
Hospital for Special Surgery | NY | Healthcare Provider | 937 | 2014-01-21 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No |  | Hospital for Special Surgery NY Healthcare Provider 937 | Tuesday | 2014 |
Aramark Healthcare Support Services, LLC | PA | Business Associate | 937 | 2010-06-24 | Other | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. | Aramark Healthcare Support Services, LLC PA Business Associate 937 | Thursday | 2010 |
Union Security Insurance Company | MO | Health Plan | 935 | 2011-04-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On February 18, 2011, a Union Security Insurance Co. policy holder notified the covered entity (CE) that while accessing their online account, they were also able to access the accounts of other policy holders. Approximately 1,500 individuals were affected by this breach. These accounts included names, dates of birth, social security numbers, and other identifiers. In addition, on May 17, 2013, an employee of the CE impermissibly emailed a spreadsheet which included identifiable data belonging to a customer group of the CE. Approximately 1,127 group members were affected by this breach. The email included names and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE disabled its website, reversed the problematic coding, and increased the number of vulnerability scans of the CE’s website. The CE also retrained employees, to include distribution of its revised policy and procedure for safeguarding social security numbers. Following OCR’s investigation, the CE prohibited social security numbers on any document being sent to any customer. The CE provided OCR documentation that substantiates all its actions taken in response to the two breach incidents. | Union Security Insurance Company MO Health Plan 935 | Friday | 2011 |
Affinity Health Plan | NY | Health Plan | 933 | 2012-04-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Affinity Health Plan NY Health Plan 933 | Tuesday | 2012 |
Texas Children’s Health Plan | TX | Health Plan | 932 | 2017-10-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Texas Children’s Health Plan TX Health Plan 932 | Friday | 2017 |
City of Berkeley, Privacy Manager Breach | CA | Business Associate | 931 | 2012-11-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Berkeley, Privacy Manager Breach CA Business Associate 931 | Thursday | 2012 |
Aflac | GA | Health Plan | 930 | 2016-05-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Due to a vendor error, the covered entity (CE), Aflac, erroneously sent correspondence containing protected health information (PHI) to the wrong customers, affecting 930 policyholders. The types of PHI included names, policy numbers, types of coverage, employee numbers, and premium amounts, depending on the type of correspondence mailed. In addition, six policyholdersâ social security numbers were potentially comprised. In response to the breach, the CE retrained employees and revised its impermissible disclosures and safeguard policies. Additionally, the CE sanctioned the manager who led the address standardization project and terminated its contract with all third party vendors and contractors involved in the breach. The CE provided breach notification to HHS, and affected individuals. Media notice was not required because the incident did not involve more than 500 residents in any particular state. OCR obtained assurances that the CE implemented the corrective actions listed above. | Aflac GA Health Plan 930 | Friday | 2016 |
LORENZO BROWN, MD INC. | CA | Healthcare Provider | 928 | 2010-09-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | LORENZO BROWN, MD INC. CA Healthcare Provider 928 | Wednesday | 2010 |
Morris Heights Health Center | NY | Healthcare Provider | 927 | 2011-10-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity’s (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR’s investigation, the CE purchased locks to physically secure its’ school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices’ hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. | Morris Heights Health Center NY Healthcare Provider 927 | Thursday | 2011 |
Independence Physical Therapy | CT | Healthcare Provider | 925 | 2012-05-25 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Independence Physical Therapy CT Healthcare Provider 925 | Friday | 2012 |
Coastal Cape Fear Eye Associates, P.A. | NC | Healthcare Provider | 925 | 2018-02-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Coastal Cape Fear Eye Associates, P.A. NC Healthcare Provider 925 | Thursday | 2018 |
Summit Community Care Clinic, Inc. | CO | Healthcare Provider | 921 | 2013-08-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An employee impermissibly disclosed approximately 921 patients’ protected health information (PHI) when the employee sent an email message to patients and failed to place the patients’ email addresses in the blind carbon copy area of the email. The only type of PHI involved in the breach was email addresses. The CE provided breach notification to HHS, affected individuals, and the media. The covered entity (CE), Summit Community Care Clinic, Inc. had a policy and procedure in place addressing security issues regarding email. In response to the incident the CE re-trained its staff on its policy and procedure, and individually counseled the responsible employee. OCR provided technical assistance regarding the CE’s obligations under the Security and Breach Notification Rules and obtained assurances that the CE implemented the corrective actions listed above. | Summit Community Care Clinic, Inc. CO Healthcare Provider 921 | Tuesday | 2013 |
Riverside Medical Group | VA | Healthcare Provider | 919 | 2014-01-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Riverside Medical Group VA Healthcare Provider 919 | Monday | 2014 |
Pedes Orange County, Inc. | CA | Healthcare Provider | 917 | 2018-01-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Pedes Orange County, Inc. CA Healthcare Provider 917 | Friday | 2018 |
Dermatology Associates of Tallahassee | FL | Healthcare Provider | 915 | 2013-09-16 | Unknown | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Dermatology Associates of Tallahassee FL Healthcare Provider 915 | Monday | 2013 |
Thomas Cristello, Chiropractor PC | NY | Healthcare Provider | 914 | 2014-09-09 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Thomas Cristello, Chiropractor PC NY Healthcare Provider 914 | Tuesday | 2014 |
Young Adult Institute, Inc. | NY | Healthcare Provider | 913 | 2016-11-28 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) former Chief Information Officer instructed a former Assistant IT Director to copy files containing the protected health information (PHI) of 913 clients onto a portable computer drive. Subsequently, the former CIO took the drive with him to his new employer after he was terminated. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, Medicaid numbers and diagnoses The CE provided breach notification to HHS, the affected individuals, and the media. As a result of OCR’s investigation, the CE revised its procedures with respect to assigning an approval process for access to removable media. In addition, the CE conducted a risk analysis and established a risk management plan to manage and reduce the risks identified in the risk analysis, including, but not limited to, access to removable drives. As a result of OCR’s investigation it is expected to implement technical security measures to guard against unauthorized access to ePHI, and review and revise its policies and procedures and training materials regarding the Security Rule. Additionally, the CE is expected to execute HIPAA-compliant business associate agreements with all existing business associates by September 1, 2017. | Young Adult Institute, Inc. NY Healthcare Provider 913 | Monday | 2016 |
Walgreen Co. | IL | Healthcare Provider | 910 | 2018-04-06 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Walgreen Co. IL Healthcare Provider 910 | Friday | 2018 |
Rocky Mountain Health Care Services | CO | Healthcare Provider | 909 | 2017-11-16 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Rocky Mountain Health Care Services CO Healthcare Provider 909 | Thursday | 2017 |
Cardiology Associates | MD | Healthcare Provider | 907 | 2016-08-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A Cardiology Associates’ employee mailed patients’ protected health information (PHI) to her personal email address without a legitimate business purpose. The breach included the PHI of 907 individuals and included names, dates of birth, and social security numbers. Following the breach, the covered entity (CE) sanctioned the employee, which included termination in this case, and notified the Federal Bureau of Investigation. OCR reviewed the CE’s risk assessment to ensure compliance with the Security Rule. | Cardiology Associates MD Healthcare Provider 907 | Wednesday | 2016 |
City of Yuma, Privacy Manager Breach | AZ | Business Associate | 905 | 2012-12-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Yuma, Privacy Manager Breach AZ Business Associate 905 | Thursday | 2012 |
Spectrum Health System | MI | Healthcare Provider | 902 | 2017-08-03 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Spectrum Health System MI Healthcare Provider 902 | Thursday | 2017 |
South Florida Neurology Associates, P.A. | FL | Healthcare Provider | 900 | 2013-07-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen after hours from a lab of the covered entity (CE), South Florida Neurology Associates. The laptop contained the protected health information (PHI) of approximately 900 patients and contained demographic and clinical information, including patients’ names, dates of birth, and diagnoses. The CE notified law enforcement which initiated an investigation. Additionally, the CE provided breach notification to HHS, the affected individuals, and the media, and posted substitute notice on its website. The CE improved physical safeguards and improved administrative safeguards by imposing more restrictive access policies for the lab. | South Florida Neurology Associates, P.A. FL Healthcare Provider 900 | Wednesday | 2013 |
Concentra | TX | Healthcare Provider | 900 | 2010-01-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entity’s (CE) facilities. The ePHI included demographic and clinical data. Following the breach, the CE filed a police report and notified affected patients, HHS and the media. Following OCR’s investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases. The CE also implemented physical and technical safeguards for all testing devices that contain ePHI and replaced outdated machines that could not be encrypted. Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted. OCR obtained assurances that the CE implemented the corrective action listed above. | Concentra TX Healthcare Provider 900 | Tuesday | 2010 |
Kaiser Foundation Health Plan of Colorado | CO | Health Plan | 900 | 2018-08-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaiser Foundation Health Plan of Colorado CO Health Plan 900 | Friday | 2018 |
San Francisco Department of Public Health | CA | Healthcare Provider | 900 | 2018-06-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | San Francisco Department of Public Health CA Healthcare Provider 900 | Monday | 2018 |
Vidant Health | NC | Healthcare Provider | 897 | 2016-03-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Vidant Health, the covered entity (CE), discovered that it filed numerous bankruptcy documents, from December 1, 2007, through March 9, 2016, that listed protected health information (PHI) that was not necessary for the filing. The breach affected 897 individuals and included patients’ billing account numbers, social security numbers, medical record numbers, dates of birth, telephone numbers, sex, marital status, names, service dates, and account balances. The CE sent timely breach notification to HHS, affected individuals, and the media and posted substitute notification on its website. The CE provided identity theft protection for affected individuals for one year. In response to the breach, the CE revised and redacted its bankruptcy filings, filed blanked protective orders, and sealed proofs of claims in the public record. It also retrained applicable staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Vidant Health NC Healthcare Provider 897 | Thursday | 2016 |
ViaTech Publishing Solutions, Inc. | MN | Health Plan | 896 | 2018-04-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | ViaTech Publishing Solutions, Inc. MN Health Plan 896 | Tuesday | 2018 |
Austin Pulmonary Consultants | TX | Healthcare Provider | 889 | 2016-11-07 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Austin Pulmonary Consultants, the covered entity (CE), reported that papers containing protected health information (PHI), were improperly disposed of by its cleaning crew. This incident resulted in the impermissible disclosure of PHI of approximately 889 individuals. The types of PHI involved included clinical, demographic, and financial information. The CE provided breach notification to the affected individuals, the media, and HHS. The CE updated its HIPAA policies and procedures and retrained its workforce members on proper disposal of PHI and on its new policies and procedures. It also improved safeguards PHI with regard to the shred bins and cancelled the use of cleaning services by the crew involved in the breach. OCR obtained assurances that the CE implemented the corrective actions noted above. | Austin Pulmonary Consultants TX Healthcare Provider 889 | Monday | 2016 |
Robert E Torti, MD, PA dba Retina Specialists | TX | Healthcare Provider | 887 | 2017-02-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On February 17, 2017, Robert E. Torti, MD, PA d/b/a Retina Specialists, the covered entity (CE), reported that the protected health information (PHI) of 887 individuals went missing. The types of PHI involved in the breach included clinical, demographic, and financial information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified law enforcement. Additionally, OCR obtained and reviewed evidence that the CE implemented improved administrative and physical safeguards, enhanced physical security measures, revised procedures for handling PHI, and retrained staff. | Robert E Torti, MD, PA dba Retina Specialists TX Healthcare Provider 887 | Friday | 2017 |
Walgreen Co. | IL | Healthcare Provider | 880 | 2016-03-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On January 13, 2016, the covered entity (CE), Walgreens Pharmacy, reported that a theft took place at one of its stores located at 1350 Broadway in New York. The breach involved prescription numbers, first and last names, dates of birth, addresses, medication and insurance information for approximately 880 individuals. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE re-trained its pharmacy staff and sanctioned the employee whose action led to the breach. OCR obtained documented assurances that the CE implemented the corrective actions listed. | Walgreen Co. IL Healthcare Provider 880 | Friday | 2016 |
County of Los Angeles | CA | Healthcare Provider | 880 | 2015-04-29 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), County of Los Angeles, reported that on April 3, 2015, during the execution of a search warrant at the home of a an individual who was employed at the County Department of Health Services (DHS) LAC+USC Medical Center, Hawkins Mental Health Center (Hawkins), in a matter unrelated to County business, law enforcement discovered and seized items that contained confidential patient information for approximately 880 Hawkins patients, treated between 2011 and 2015. The types of protected health information (PHI) involved in the breach included financial, demographic, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the involved employee and terminated the employee’s electronic and information technology access, as well as physical access to DHS’ systems. DHS provided in-service HIPAA training to Hawkins’ staff. OCR obtained assurances that the CE implemented the corrective actions listed. The employee resigned following the breach incident. | County of Los Angeles CA Healthcare Provider 880 | Wednesday | 2015 |
CEMEX, Inc. | TX | Health Plan | 880 | 2015-04-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CEMEX, Inc. TX Health Plan 880 | Monday | 2015 |
McDermott Will & Emery LLP is the plan sponsor for the McDermott medical plan | IL | Health Plan | 880 | 2015-03-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | McDermott Will & Emery LLP is the plan sponsor for the McDermott medical plan IL Health Plan 880 | Tuesday | 2015 |
Troy Regional Medical Center | AL | Healthcare Provider | 880 | 2011-07-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 22, 2011, during a house raid, the Secret Service discovered the protected health information (PHI) of approximately 880 patients of the covered entity (CE), Troy Regional Medical Center, in the form of admission “face sheets.” The PHI involved in the breach included demographic information, such as patients’ names, dates of birth, social security numbers, and medical record numbers. The CE could not accurately identify the person responsible for breaching its electronic medical record (EMR) system due to a software error which erroneously recorded multiple occasions of systems access when workforce members were accessing the system for legitimate business purposes. Due to this software error, the CE could not effectively assist in the criminal investigation being conducted by local law enforcement and the Secret Service. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. It also provided a toll-free information number and offered credit monitoring for one year. In response to the incident, the CE worked with its IT vendor to increase data security monitoring and implement automatic log-out for its EMR system. The CE also updated and added to its policies and procedures, improved system review documentation, implemented verification of user access rights, and developed sample audit logs. The CE also retrained employees on its HIPAA security policies. OCR obtained assurances that the corrective actions listed above were completed. | Troy Regional Medical Center AL Healthcare Provider 880 | Friday | 2011 |
Baptist Health Louisville | KY | Healthcare Provider | 880 | 2017-11-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Baptist Health Louisville KY Healthcare Provider 880 | Tuesday | 2017 |
University of Kentucky UK HealthCare | KY | Healthcare Provider | 878 | 2011-11-23 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Kentucky UK HealthCare KY Healthcare Provider 878 | Wednesday | 2011 |
Palm Beach County Health Department | FL | Healthcare Provider | 877 | 2013-06-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Palm Beach County Health Department FL Healthcare Provider 877 | Tuesday | 2013 |
Premier Medical Associates | PA | Healthcare Provider | 876 | 2017-09-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On August 8, 2017, the covered entity (CE), Premier Medical Associates, received four website submissions informing them that patients were getting suspicious “phishing” emails from the CE with an attachment requesting protected health information (PHI). The CE investigated the incident and discovered that the suspicious emails were coming from a personal g-mail account and determined that a website misconfiguration made by the webmaster on July 24, 2017, inadvertently permitted access to the public. The misconfiguration was corrected on August 9, 2017, and the CE terminated the contracted services with the webmaster. The CE added an email fraud alert to every page of its website, placed a fraud alert on its phone system, and sent messages to 24,000 patients through the patient portal informing patients of the fraudulent email. The CE created a list of anyone who made submissions to the website in order to determine what type of information had been accessed and who may have viewed the web pages from July 24, 2017, through August 8, 2017 and determined that the breach affected 875 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE eliminated the capability of website viewers to make any type of online submissions through the patient portal. The CE reached contacted Google and Bing to have the submissions removed from the internet, which was confirmed on August 30, 2017. The CE developed several new policies regarding their website administration, security, and privacy. OCR reviewed a copy of the CE’s current risk assessment, its breach notification to the affected individuals, as well as copies of relevant policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed. | Premier Medical Associates PA Healthcare Provider 876 | Friday | 2017 |
Advanced Clinical Research Institute | CA | Health Plan | 875 | 2012-03-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Advanced Clinical Research Institute CA Health Plan 875 | Wednesday | 2012 |
Denton County Health Department | TX | Healthcare Provider | 874 | 2015-04-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On April 9, 2015, OCR received a breach report from the covered entity (CE), Denton County Health Department, stating that on February 15, 2015, an employee used an unencrypted portable computer, to save and print a personal document at FedEx/Kinko’s. The mobile drive contained the protected health information (PHI) of approximately 874 individuals from the tuberculosis clinic. The PHI included lab test results, demographic information, and clinical data. Based on the information gathered during the investigation, OCR has opened a compliance review regarding the CE’s potential non-compliance with multiple HIPAA standards and is consolidating this investigation with that review. | Denton County Health Department TX Healthcare Provider 874 | Thursday | 2015 |
Elizabeth Kerner, M.D. | TX | Healthcare Provider | 873 | 2015-04-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) staff member sent an email that contained a list of names and email addresses for 873 patients to an unintended recipient. The recipient informed the CE that he had received the information. The types of protected health information (PHI) involved in the breach included patients’ names and email addresses. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the intended recipient, a web designer, changed his email address. The CE implemented an encryption policy and re-trained workforce members. The CE provided OCR with a copy of its encryption policy and OCR determined that it complied with the Security Rule. | Elizabeth Kerner, M.D. TX Healthcare Provider 873 | Friday | 2015 |
NYU Hospitals Center | NY | Healthcare Provider | 872 | 2014-06-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | NYU Hospitals Center NY Healthcare Provider 872 | Friday | 2014 |
University of Michigan/Michigan Medicine | MI | Healthcare Provider | 871 | 2018-06-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Michigan/Michigan Medicine MI Healthcare Provider 871 | Monday | 2018 |
Absolute Dental Hygiene, LLC | OR | Healthcare Provider | 871 | 2017-12-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | No | NA | Absolute Dental Hygiene, LLC OR Healthcare Provider 871 | Wednesday | 2017 |
Concentra Health | TX | Healthcare Provider | 870 | 2011-12-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Concentra Health TX Healthcare Provider 870 | Wednesday | 2011 |
Aurora Health Care, Inc. | WI | Healthcare Provider | 869 | 2016-04-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Aurora Health Care, Inc. WI Healthcare Provider 869 | Friday | 2016 |
Clinical Reference Laboratory, Inc. | KS | Healthcare Provider | 864 | 2015-04-28 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Clinical Reference Laboratory, Inc. sent a parcel to Massachusetts Mutual Life that was opened and damaged during the mailing process by the United States Postal Services (USPS). The damaged parcel contained the protected health information (PHI) of approximately 864 individuals, including names, partial and full social security numbers, dates of birth, and clinical test codes. OCR received two other breach reports from the CE which involved the same or similar fact patterns as the breach report for this case. OCR consolidated these investigations into one breach compliance review. The CE investigated the breaches and concluded that the likelihood of misuse or further disclosure of the PHI was remote since the USPS confirmed that all unmatched pages were segregated and shredded. The CE provided breach notification to HHS, affected individuals, and notified appropriate authorities required by each jurisdiction that included an affected individual. The CE also offered affected individuals a free two-year subscription to credit monitoring services and credit report controls. Following the breach, the CE appointed a new privacy officer, who was required to complete HIPAA training, and verified that its workforce received HIPAA-related training. The CE also implemented a new breach reporting procedure and initiated the implementation of a secure online portal for clients to obtain PHI electronically. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Clinical Reference Laboratory, Inc. KS Healthcare Provider 864 | Tuesday | 2015 |
Artesia General Hospital | NM | Healthcare Provider | 864 | 2018-02-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Artesia General Hospital NM Healthcare Provider 864 | Tuesday | 2018 |
LCS Westminster Partnership IV, LLP d/b/a Sagewood | AZ | Healthcare Provider | 863 | 2016-11-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), LCS Westminster Partnership IV, LLP d/b/a Sagewood, opened an email that appeared to be an invoice directed to the CE that was actually a Locky variant ransomware attack. The incident affected approximately 863 individuals. The types of protected health information (PHI) involved in the incident included names, addresses, dates of birth, some social security numbers, claims information, billing codes, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Following the breach, which the employee immediately reported to the CE’s information technology services, the CE contained and eliminated the ransomware threat within an hour and verified that no files were missing following the attack. As a result of this incident, the CE upgraded its anti-virus software to better detect new malware threats, and conducted a risk analysis to assess threats to electronic PHI. As a result of OCR’s investigation, OCR obtained written assurances that the CE will update its policies and procedures to require regular review of information system activity. | LCS Westminster Partnership IV, LLP d/b/a Sagewood AZ Healthcare Provider 863 | Tuesday | 2016 |
Diversified Resources, Inc. | GA | Healthcare Provider | 863 | 2011-09-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On August 11, 2011, a password protected, but unencrypted laptop computer was stolen from a nurse’s car. The laptop contained the electronic protected health information (ePHI) of 863 individuals. The ePHI on the laptop included names, addresses, phone numbers, primary care physicians, caregiver contacts, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, CE reviewed its policies and procedures, applied employee sanctions, retrained its workforce, and implemented file-level encryption. Pursuant to technical assistance provided by OCR, CE implemented additional administrative safeguards, including a new policy prohibiting employees from leaving laptops unattended in a vehicle. | Diversified Resources, Inc. GA Healthcare Provider 863 | Thursday | 2011 |
Cigna-HealthSpring | TN | Health Plan | 862 | 2015-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Cigna-HealthSpring, discovered that on January 30, 2015, an employee accidently mislabeled envelopes containing health risk assessment surveys which were mailed to 862 patients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE created new procedures for mailings and provided training to staff members. OCR obtained assurances that the CE implemented the corrective actions listed above. | Cigna-HealthSpring TN Health Plan 862 | Thursday | 2015 |
Iowa Medicaid Enterprise | IA | Health Plan | 862 | 2014-04-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On August 5, 2015, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Midwest Region initiated a review of the covered entity (CE), Iowa Department of Human Services. This review stems from a complaint and security breaches that the CE self-reported to OCR-HQ (as required by 45 CFR § 164.408(b)), which occurred over a period of nine years from 2005 to 2014. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE conducted multiple internal investigations, evidenced the performance of its risk analysis and corresponding risk management plan. It also sanctioned the employees involved in the breach incidents, provided training to its staff on its policies and procedures regarding Security Awareness. Additionally, the CE implemented annual security control reviews that assess its compliance with the Privacy, Security, and Breach Notification Rules and implemented new HIPAA policies and procedures. OCR obtained copies of the CE’s executed business associate agreements and documentation that substantiates the CE’s corrective actions described above. | Iowa Medicaid Enterprise IA Health Plan 862 | Friday | 2014 |
Boston Health Care for the Homeless Program | MA | Healthcare Provider | 861 | 2018-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Boston Health Care for the Homeless Program MA Healthcare Provider 861 | Friday | 2018 |
Home for Little Wanderers | MA | Healthcare Provider | 861 | 2018-07-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Home for Little Wanderers MA Healthcare Provider 861 | Tuesday | 2018 |
AeroCare Holdings | FL | Healthcare Provider | 860 | 2017-05-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | AeroCare Holdings, the covered entity (CE), discovered that an employee sent an email that impermissibly disclosed the identity of email recipients and contained protected health information (PHI). The breach affected 858 individuals. The PHI contained in the email identified recipients as users of CPAP devices. The CE sent timely breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE prepared an incident report, revised its policies and procedures for emails, and sanctioned the responsible employee. OCR obtained assurances that the CE implemented the corrective actions listed above. | AeroCare Holdings FL Healthcare Provider 860 | Thursday | 2017 |
Man Alive, Inc. and Lane Treatment Center, LLC | MD | Healthcare Provider | 860 | 2016-09-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Man Alive, Inc. and Lane Treatment Center, reported that on September 8, 2016, through remote access, a cyber-attacker hacked the CEâs computer system and installed ransomware on an employeeâs computer to gain unauthorized access into the electronic patient record system. The CE determined that the hacker accessed and downloaded summary patient profiles and lists consisting of 860 patientsâ names, birthdates, social security numbers, drug dosage information, insurance identification numbers, street addresses, phone numbers, employment status and some demographic data. The CE immediately removed the infected computer from the network and any data that was subjected to malicious encryption was restored. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. It also notified the FBI and vendor partners. Following the breach, the CE disabled all user remote access with the exception of a few vendors and implemented a security appliance that performs virus scanning at the gateway level, blocks unwanted protocols by policy, and provides firewalls. The CE also strengthened the complexity requirements for all user passwords. OCR obtained sufficient assurances that the CE implemented the corrective actions listed above. | Man Alive, Inc. and Lane Treatment Center, LLC MD Healthcare Provider 860 | Thursday | 2016 |
Kirkbride Center | PA | Healthcare Provider | 860 | 2014-11-19 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | In August 2014, an Assistant U.S. Attorney contacted the CE, Kirkbride Center, to advise that an individual was arrested in Florida and would be tried for identity theft. This individual had hard copies of the CEâs daily census reports containing patientsâ names, dates of birth, and some social security numbers, affecting approximately 869 individuals. The arrestee was not known to have direct ties to the CEâs facility and was convicted of identity theft. The CEâs internal investigation determined that a rogue employee stole the reports and the CE continued the investigation in hopes of determining which employee was responsible for the theft. The CE provided breach notification HHS, the media, and affected individuals, and posted notice on its website. The CE also offered affected individuals one year of free identity theft protection. Due to OCRâs investigation, the CE began using a new billing software system, which allows it to revise the daily census report to exclude patientsâ dates of birth and social security numbers. Furthermore, the CE revised the report distribution process to limit the distribution of the report to specific unit personnel. | Kirkbride Center PA Healthcare Provider 860 | Wednesday | 2014 |
Rosalind Franklin University of Medicine | IL | Healthcare Provider | 859 | 2017-07-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Rosalind Franklin University of Medicine IL Healthcare Provider 859 | Sunday | 2017 | |
Saint Francis Hospital and Medical Center | CT | Healthcare Provider | 858 | 2014-01-16 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Saint Francis Hospital and Medical Center CT Healthcare Provider 858 | Thursday | 2014 | |
Silverberg Surgical and Medical Group | CA | Healthcare Provider | 857 | 2015-09-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Silverberg Surgical and Medical Group CA Healthcare Provider 857 | Friday | 2015 |
IHC Health Services, Inc. dba Intermountain Life Flight | UT | Healthcare Provider | 857 | 2013-04-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | IHC Health Services, Inc., dba Intermountain Life Flight, the covered entity (CE), reported that, in or around October 2009, an employee inadvertently uploaded documents containing protected health information (PHI) to a department’s externally managed and unsecured website, in violation of its corporate policy prohibiting such conduct. The CE indicated that the website was for department operation purposes and not intended to include PHI. The breach affected 857 individuals’ demographic information (including names, addresses, dates of birth, and/or social security numbers) and/or clinical information (including diagnoses). The CE provided timely breach notification to affected individuals, the media, and HHS, and provided substitute notice by posting the breach on its website. It also offered affected individuals credit monitoring for one year. Following the breach, the CE promptly disabled the website, verified secure data destruction, and conducted an internal investigation and incident response, including root cause analysis, corrective education, and a risk-based action plan that encompassed the entire enterprise. The CE also terminated its relationship with its external vendor. Additionally, the CE retrained workforce members and assigned individuals, pursuant to its established policy and procedure, to oversee security responsibility for the department. It also implemented procedures to identify and remedy, as needed, information system resources such as externally managed servers or websites holding the CE’s data. OCR obtained assurances that the CE implemented the corrective actions listed above. | IHC Health Services, Inc. dba Intermountain Life Flight UT Healthcare Provider 857 | Friday | 2013 |
University of Rochester Medical Center and Affiliates | NY | Healthcare Provider | 857 | 2010-09-07 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Rochester Medical Center and Affiliates NY Healthcare Provider 857 | Tuesday | 2010 |
David I. Cohen, MD | CA | Healthcare Provider | 857 | 2009-11-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. | David I. Cohen, MD CA Healthcare Provider 857 | Friday | 2009 |
Advanced Radiology Consultants, LLC | CT | Healthcare Provider | 855 | 2015-07-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A patient scheduler of the covered entity (CE), Advanced Radiology Consultants, emailed 754 patients’ protected health information (PHI) from her work email account to a personal email account in order to keep a separate record for any performance issues. An additional 100 patients were affected by the breach because the scheduler had access to PHI about them in emails and a USB device (854 total individuals affected). The PHI involved in the breach included patients’ names, dates of birth, phone numbers, account balances, insurance information, treatment and examination information, appointment dates and times, appointment notes, and referring physicians’ information. Following discovery of the breach, the CE sanctioned the workforce member and requested that she delete the PHI she sent to her personal email account. The CE also provided breach notification to HHS, affected individuals, and the media, and provided individuals with credit monitoring services at no cost. OCR obtained assurances that the CE implemented the corrective actions listed above. | Advanced Radiology Consultants, LLC CT Healthcare Provider 855 | Friday | 2015 |
Total Diagnostix II, LLC | TX | Healthcare Provider | 855 | 2018-09-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Total Diagnostix II, LLC TX Healthcare Provider 855 | Wednesday | 2018 |
Athletes’ Performance Los Angeles, LLC | AZ | Healthcare Provider | 854 | 2016-07-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On June 2, 2016, the covered entity (CE), Athlete’s Performance Los Angeles, LLC, discovered that its facility in Carson, California lost a password protected laptop computer. The laptop’s unencrypted hard drive contained electronic protected health information (ePHI) for 854 individuals including names, contact information, payment data, health information, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the covered entity encrypted hard drives on laptops that are issued to its workforce members and implemented email and attachment encryption, authentication and email data loss prevention capabilities, as well as email tracking/revocation capabilities. The CE instituted backup and e-discovery capabilities and established a business associate relationship for these services, and contracted with a third party to provide a web-based security and privacy awareness training platform and programming. The CE also implemented HIPAA security and privacy policies and procedures. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. | Athletes’ Performance Los Angeles, LLC AZ Healthcare Provider 854 | Thursday | 2016 |
Belgrade Regional Health Center | ME | Healthcare Provider | 854 | 2015-12-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A business associate (BA), The Snowman Group, working on behalf of the covered entity (CE), Belgrade Health Center, erroneously mailed letters to patients containing the name of another individual due to a printing mistake, affecting 854 individuals. The protected health information involved included names and an indication of a treatment relationship with the CE. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE changed its template for letters to prevent this printing mistake from occurring again. OCR reviewed the BA agreement between the CE and the BA and obtained assurances that the CE implemented the corrective actions noted above. | Belgrade Regional Health Center ME Healthcare Provider 854 | Friday | 2015 |
SilverScript Insurance Company | AZ | Health Plan | 852 | 2013-01-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Letters for 852 prospective new members of the covered entity (CE), SilverScript Insurance Company Part D plan, were misdirected to incorrect addresses. SilverScript is a wholly-owned subsidiary of CVS Health, formerly CVS Caremark. The CE reported that the root cause of the incident was that the eligibility data file received from Northgate Arinso, a third party vendor of Energy Future Holdings, was inaccurate. The data file contained multiple, incorrect addresses, resulting in protected health information (PHI) being disclosed to other members. The letters contained members’ names, addresses, identification numbers, and group numbers and informed the members that such information could be taken to a pharmacy and used to process pharmacy claims. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, CVS Health implemented additional quality control measures to verify information received from third parties. OCR obtained and reviewed documentation regarding the implementation of those additional quality control measures. | SilverScript Insurance Company AZ Health Plan 852 | Tuesday | 2013 |
Cefalu Eye-Tech of Green, Inc. | OH | Healthcare Provider | 850 | 2016-07-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee of Cefalu Eye-Tech of Green, Inc. (Cefalu) photographed computer screens containing the protected health information (PHI) of approximately 850 individuals, including names, addresses, email addresses, and codes for diagnosis and conditions. Following the breach, Cefalu investigated the breach and provided breach notification to HHS and the affected individuals. OCR determined that the reporting entity is no longer a covered entity. OCR obtained documentation supporting its finding that Cefalu is no longer a covered entity. | Cefalu Eye-Tech of Green, Inc. OH Healthcare Provider 850 | Thursday | 2016 |
Westerville Dental Center | OH | Healthcare Provider | 850 | 2012-12-20 | Theft | NA | NA | NA | NA | NA | Laptop | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Westerville Dental Center OH Healthcare Provider 850 | Thursday | 2012 |
Union Security Insurance Company | MO | Health Plan | 850 | 2011-05-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Union Security Insurance Company MO Health Plan 850 | Monday | 2011 |
Merit Health Northwest Mississippi | MS | Healthcare Provider | 846 | 2015-08-26 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | An employee of Merit Health Northwest Mississippi, the covered entity (CE), impermissibly obtained protected health information (PHI) for identity theft and fraud purposes by photographing documents with a personal mobile device, writing patient information in a notebook, and removing paper medical records from the facility. After working with law enforcement and conducting an internal investigation, the CE determined that the stolen patient information included the names, dates of birth, addresses, social security numbers, medical record numbers, health insurance and clinical information of 847 individuals. The CE provided timely breach notification to HHS, to affected individuals and to the media. In addition, the CE offered free credit monitoring to the affected individuals and provided substitute notice on its website. In response to the breach, the CE re-trained its employees and revised its policy on the printing of social security numbers. The employee at fault for this incident is no longer employed by the CE. OCR obtained assurances that the CE has implemented the corrective actions listed above. | Merit Health Northwest Mississippi MS Healthcare Provider 846 | Wednesday | 2015 |
Tulare County Health & Human Services Agency | CA | Healthcare Provider | 845 | 2015-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported a breach of 845 individuals’ electronic protected health information (e-PHI), as a result of a workforce member e-mailing information regarding logging into the CE’s health care portal without blind-copying the patients or encrypting the e-mails. This action, or lack thereof, left every patient’s e-mail address exposed. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by changing and strengthening password requirements, disabling all patients’ health portal accounts, and implementing new technical safeguards. In addition, the CE required all affected patients to re-register with its online portal, and revised and implemented new policies and procedures. The CE sanctioned the workforce members involved and re-trained the entire workforce. OCR provided technical assistance regarding the HIPAA Security Rule and obtained documented assurances that the CE implemented the corrective actions listed above. | Tulare County Health & Human Services Agency CA Healthcare Provider 845 | Thursday | 2015 |
California Pacific Medical Center | CA | Healthcare Provider | 845 | 2015-01-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On or about October 15, 2014, during a routine review of workforce members’ use of electronic protected health information (ePHI), the covered entity (CE), California Pacific Medical Center, discovered that a workforce member in the pharmacy department had impermissibly accessed the medical records of 13 coworkers. A subsequent audit showed that from October 2013 to October 2014, the workforce member had impermissibly used the medical records of a total of 845 individuals. The ePHI accessed included patient demographics, last four digits of social security numbers, clinical information about diagnoses, clinical notes, physician order information, laboratory and radiological data, and prescription information. OCR verified that the CE applied employee sanctions pursuant to its policy and procedure, provided breach notification to HHS, affected individuals, and the media, and retrained employees on relevant HIPAA policies and procedures. | California Pacific Medical Center CA Healthcare Provider 845 | Friday | 2015 |
MacNeal Hospital | IL | Healthcare Provider | 845 | 2011-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | NA | MacNeal Hospital IL Healthcare Provider 845 | Monday | 2011 |
Manor Care Indy (South), LLC. | IN | Healthcare Provider | 845 | 2010-11-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Manor Care Indy (South), LLC. IN Healthcare Provider 845 | Friday | 2010 |
Muskogee Regional Medical Center | OK | Health Plan | 844 | 2012-01-20 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A binder containing flu test results went missing from the lab of the covered entity (CE), Muskogee Regional Medical Center, on or about December 5, 2011. The binder contained the protected health information (PHI) of approximately 844 individuals, including patients’ names, account numbers, genders, medical record numbers, dates of birth, ages, test dates, and flu test results. Although the CE’s investigation could not confirm that the information had been impermissibly disclosed, it provided breach notification to the potentially affected individuals, HHS and the media. Following discovery of the incident, the CE retrained laboratory workforce members regarding proper handling and disposal procedures for PHI. It also determined to eliminate such paper records and to store future similar records electronically. OCR obtained assurances that the corrective actions listed above were completed. | Muskogee Regional Medical Center OK Health Plan 844 | Friday | 2012 |
California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 843 | 2015-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On May 18, 2015, the covered entity (CE), Blue Shield of California, discovered that several authorized users who logged into their accounts were able to access the protected health information (PHI) of individuals who were not affiliated with their line of business, due to a faulty update to the restricted web portal. The PHI of 843 individuals was affected and included names, addresses, birthdates, social security numbers, and other identifiers. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE disabled the portal, deployed a code patch to correct the problem, and improved the code testing process. The CE also sanctioned the developer who failed to follow the code merge process. OCR reviewed the CE’s HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation, and obtained assurances that the CE implemented the corrective actions listed above. | California Physicians’ Service d/b/a Blue Shield of California CA Health Plan 843 | Tuesday | 2015 |
Santa Fe Medical Group | NM | Healthcare Provider | 843 | 2014-09-12 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On March 2, 2016, Santa Fe Medical Group/Atrinea Health filed for a Chapter 7 bankruptcy petition and provided OCR documentation of such petition. Under these circumstances Santa Fe Medical Group/Atrinea Health is no longer a covered entity and is not subject to the requirements of HIPAA. | Santa Fe Medical Group NM Healthcare Provider 843 | Friday | 2014 |
United Methodist Homes | NY | Healthcare Provider | 843 | 2018-08-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | United Methodist Homes NY Healthcare Provider 843 | Friday | 2018 |
Memorial Hospital Clinic South | TX | Healthcare Provider | 842 | 2017-04-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | Memorial Hospital Clinic South reported a breach when computer malware (i.e., ransomware) was found on its network server. This breach affected the protected health information (PHI) of 842 individuals, and included clinical and demographic information. The specific types of PHI involved in the breach included addresses, birthdates, driver’s license numbers, names, social security numbers, diagnoses/conditions, lab results, medications, and other treatment information. This review has been consolidated with another review of this covered entity. | Memorial Hospital Clinic South TX Healthcare Provider 842 | Wednesday | 2017 |
Western Washington Medical Group Inc. | WA | Healthcare Provider | 842 | 2018-01-12 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Western Washington Medical Group Inc. WA Healthcare Provider 842 | Friday | 2018 |
PruittHealth Pharmacy Services | GA | Healthcare Provider | 841 | 2014-02-07 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A manager’s unencrypted laptop computer was stolen from the back seat of an employee’s car. The laptop contained the protected health information (PHI) of 841 individuals and included names, possible diagnoses, prescription names, dates of service, and service locations. The covered entity (CE) has improved safeguards by encrypting devices and employing devices that do not allow local storage. The CE has also revised its privacy and security policies and re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. | PruittHealth Pharmacy Services GA Healthcare Provider 841 | Friday | 2014 |
Capital District Physicians’ Health Plan | NY | Health Plan | 839 | 2018-04-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Capital District Physicians’ Health Plan NY Health Plan 839 | Friday | 2018 |
Allina Health | MN | Healthcare Provider | 838 | 2015-04-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Allina Health, erroneously mailed a number of letters to patients about preventative screenings, which resulted in individuals receiving a letter and a screening sample collection kit at their address but labeled with another individual’s name. Two business associate (BA) vendors were also involved in processing the mailing. The breach affected approximately 838 individuals, and the protected health information (PHI) involved in the breach included individuals’ names. Following the breach, the CE immediately ceased mailing preventative screening kits until it was able to complete an investigation to determine the root cause of the breach, which included reviewing its business associate’s practices regarding the mailing of the screening kits to ensure it had quality control processes in place and that they were appropriately followed. The CE also initiated and implemented its incident system to timely and effectively manage the investigation, patient notification, and risk mitigation. The CE provided breach notification to HHS, affected individuals, media outlets, and a Minnesota state senator. The CE engaged an outside vendor to mail the individual notifications and establish a call center to accommodate any patient inquiries. The CE also implemented a new workflow in its mailing processes to reduce the number of manual steps and incorporated an additional quality check so as to reduce the potential for error and to ensure the accuracy of mailing lists. The CE also retrained its employees on safeguarding PHI when mailing correspondence, and verified that its employees received the training. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Allina Health MN Healthcare Provider 838 | Monday | 2015 |
Mount Carmel Health System | OH | Healthcare Provider | 836 | 2017-12-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Mount Carmel Health System OH Healthcare Provider 836 | Friday | 2017 |
CVS Pharmacy | RI | Healthcare Provider | 836 | 2017-10-13 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | CVS Pharmacy RI Healthcare Provider 836 | Friday | 2017 |
SSM Health (Dr. Syed Khader) | MO | Healthcare Provider | 836 | 2017-06-09 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | SSM Health (Dr. Syed Khader) MO Healthcare Provider 836 | Friday | 2017 |
Presence St. Joseph’s Medical Center | IL | Healthcare Provider | 836 | 2014-04-04 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Presence St. Joseph’s Medical Center IL Healthcare Provider 836 | Friday | 2014 |
Presence Health | IL | Healthcare Provider | 836 | 2014-01-31 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Presence Health IL Healthcare Provider 836 | Friday | 2014 |
BeHealthy Florida, Inc. | FL | Health Plan | 835 | 2015-10-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On September 23, 2015, the covered entity’s (CE) business associate (BA), RR Donnelly, inadvertently placed individuals’ health insurance claim number (HICN) on the outside of envelopes containing benefit information packets that were mailed to the CE’s members. The HICN is a Medicare beneficiary’s identification number and it typically contains the beneficiary’s social security number. The breach affected 835 individuals. The CE, BeHealthy Florida, provided breach notification to HHS, affected individuals, and the media. The CE discussed with the BA the development of a standard procedure for any ad hoc manual member mailings, to be used in the event automated processes are unavailable. It also made processing and procedural changes to prevent similar breaches in the future. OCR obtained assurances that the CE implemented the corrective actions listed above. | BeHealthy Florida, Inc. FL Health Plan 835 | Monday | 2015 |
NYU Urology Associates | NY | Healthcare Provider | 835 | 2014-10-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | NYU Urology Associates NY Healthcare Provider 835 | Friday | 2014 |
South Miami Hospital | FL | Healthcare Provider | 834 | 2013-03-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | South Miami Hospital FL Healthcare Provider 834 | Saturday | 2013 |
University Hospitals | OH | Healthcare Provider | 833 | 2015-01-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | University Hospitals OH Healthcare Provider 833 | Thursday | 2015 |
Jeff Spiegel | MA | Healthcare Provider | 832 | 2013-12-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | Dr. Jeffrey Spiegel’s practice, the covered entity (CE), mistakenly sent a promotional email to approximately 500 patients with an attachment that included the email addresses of 832 patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE instituted a new procedure that requires two employees to proof promotional emails prior to sending. OCR obtained assurances that corrective actions listed above were completed. | Jeff Spiegel MA Healthcare Provider 832 | Monday | 2013 |
Watsonville Chiropractic, Inc. | CA | Healthcare Provider | 829 | 2016-11-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Watsonville Chiropractic, Inc. CA Healthcare Provider 829 | Thursday | 2016 |
University of Colorado Health | CO | Healthcare Provider | 827 | 2015-12-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On October 9, 2015, University of Colorado Health, the covered entity (CE), discovered that a nurse working in one of the CE’s network hospitals impermissibly accessed 827 individuals’ medical records between October 2014 and September 2015. The CE discovered the nurse’s impermissible accesses after an anonymous individual telephoned the CE’s privacy hotline regarding the nurse’s suspected conduct. To carry out these impermissible accesses, the nurse utilized the CE’s electronic health record (EHR) application. The CE provided breach notification to HHS, the media, and affected individuals. Based on the breach and OCR’s investigation, the CE sanctioned the nurse and terminated her access to the EHR. The CE also retrained nursing staff regarding use of the EHR in accordance with HIPAA. The CE has reported similar breaches to OCR, and OCR has consolidated the unresolved issues from this breach into a review along with related compliance concerns arising from the CE’s other breaches. | University of Colorado Health CO Healthcare Provider 827 | Wednesday | 2015 |
PIH Health Hospital - Whittier | CA | Healthcare Provider | 826 | 2015-04-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Documents containing the protected health information (PHI) of 826 PIH Health Hospital patients were stolen from a resident doctor’s private vehicle. The PHI involved in the breach included names, dates of birth, diagnoses, primary providers, hospital units, and assigned nurses’ names. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the doctor responsible for the breach, trained all residents, developed a new policy prohibiting residents from taking PHI off-campus, and developed signage reminding residents of the new policy. OCR obtained written assurances of breach notifications provided and corrective actions taken. | PIH Health Hospital - Whittier CA Healthcare Provider 826 | Thursday | 2015 |
Center for Neurosurgical & Spine Disorders, LLC | LA | Healthcare Provider | 824 | 2016-08-31 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An unauthorized user remotely accessed a workstation computer from the covered entity (CE), Center for Neurosurgical & Spine Disorders, LLC. The types of protected health information (PHI) accessed by the unauthorized user included the names, addresses, phone numbers, social security numbers, medical chart information, and billing information of 824 individuals. Upon discovering the breach, the CE notified the Federal Bureau of Investigation, notified the three major consumer credit reporting agencies, and provided free credit monitoring to affected individuals. The CE provided breach notification to HHS, affected individuals, and the media. Further, the CE improved its technical security posture and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Center for Neurosurgical & Spine Disorders, LLC LA Healthcare Provider 824 | Wednesday | 2016 |
Wolf & Yun | KY | Healthcare Provider | 824 | 2012-06-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On April 24, 2012, a password protected laptop computer containing patient demographic information and auditory diagnostic testing data was stolen during office hours from a back laboratory testing room of the covered entity (CE), Wolf and Yun. The breach affected approximately 824 individuals. The electronic protected health information (ePHI) on the laptop included patients’ names, addresses, dates of birth, and raw auditory testing data. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE filed a police report, reviewed its policies and procedures and improved physical safeguards. As a result of OCR’s investigation, the CE performed a risk analysis, installed a secure router, increased transmission security, revised its HIPAA policies, updated its computer operating system, created formal incident response and reporting procedures, and retrained its workforce. | Wolf & Yun KY Healthcare Provider 824 | Friday | 2012 |
Charlie Norwood VA Medical Center | GA | Healthcare Provider | 824 | 2012-06-04 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No |  | Charlie Norwood VA Medical Center GA Healthcare Provider 824 | Monday | 2012 |
Central New York Cardiology | NY | Healthcare Provider | 824 | 2018-07-13 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Central New York Cardiology NY Healthcare Provider 824 | Friday | 2018 |
American Urgent Care Center, PSC | KY | Healthcare Provider | 822 | 2017-01-05 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), American Urgent Care Center, PSC, discovered that, upon her resignation, a former employee took an x-ray logbook on October 28, 2016. The log book contained the names and treatment dates of 822 individuals. Following the breach, the CE revised its policies and re-trained staff, including providers and management. The CE also revised its procedures to eliminate the use of the paper x-ray log book. As a result of technical assistance from OCR, the CE provided breach notification to HHS, to affected individuals, and in the local newspaper. OCR obtained assurances that the CE implemented the corrective actions listed above. | American Urgent Care Center, PSC KY Healthcare Provider 822 | Thursday | 2017 |
Enterprise Services LLC | CO | Business Associate | 822 | 2017-06-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | Other | NA | NA | NA | NA | NA | NA | Yes | NA | Enterprise Services LLC CO Business Associate 822 | Friday | 2017 |
Iowa Department of Human Services | IA | Health Plan | 820 | 2017-10-20 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Iowa Department of Human Services IA Health Plan 820 | Friday | 2017 |
Hope Hospice | TX | Healthcare Provider | 818 | 2013-04-25 | Other | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | An email containing electronic protected health information (ePHI) was sent from a work email address to a home email address by a workforce member of the covered entity (CE), Hope Hospice. The ePHI in the email contained the names, referral sources, admission dates, and health insurers of approximately 818 individuals. Upon discovering the breach, the CE implemented sanctions against the involved workforce member. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed. | Hope Hospice TX Healthcare Provider 818 | Thursday | 2013 |
Meigs County EMS | OH | Healthcare Provider | 817 | 2016-12-05 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | On October 6, 2016, the covered entity (CE), Meigs County EMS, reported that it detected a ransomware attack on its computer server, and that the hackers might have acquired patients’ protected health information (PHI). The breach affected approximately 817 individuals, and the types of PHI involved in the breach included demographic, financial, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE implemented physical, administrative and technical safeguards. The CE also performed an audit of its computer network accounts by removing unnecessary or stale accounts. OCR obtained assurances that the CE implemented the corrective actions noted above. | Meigs County EMS OH Healthcare Provider 817 | Monday | 2016 |
Capron Rescue Squad District | IL | Healthcare Provider | 815 | 2011-08-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A trustee of the covered entity (CE), Capron Rescue Squad District, removed a laptop computer containing the unencrypted electronic protected health information (ePHI) of 815 individuals from its facility under the mistaken belief that the laptop was no longer used by the CE in its provision of health care services and gave the laptop to his adult grandson. The ePHI on the laptop included individuals’ full names, social security numbers, dates of birth, home addresses, and medical histories. The CE recovered the laptop which was the subject of the breach and obtained written assurances from the individuals involved in the breach that they did not use, disclose, or retain any ePHI stored on the laptop. The CE provided breach notification to HHS, the media, and affected individuals. The CE improved safeguards by encrypting ePHI stored on its computers, including laptops. OCR obtained assurances that the corrective actions listed above were completed. | Capron Rescue Squad District IL Healthcare Provider 815 | Thursday | 2011 |
Heritage Medical Partners, LLC | SC | Healthcare Provider | 812 | 2016-09-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Heritage Medical Partners, while moving to a new facility, left medical records unsecured in the former facility from November 17, 2014 to January 22, 2015, affecting 1,019 individuals. The types of protected health information (PHI) on the documents included patients’ names, dates of birth, addresses, phone numbers, social security numbers, genders, ages, ethnicity, height and weight, facility names, treating physicians, dates of tests, and clinical information. OCR provided technical assistance so that the CE provided breach notification to HHS, affected individuals, and the media, and posted notice on a website set up by the CE. The CE was in the process of dissolving and stopped treating patients in December 2015. The CE reported that medical records are stored in secure areas of the individual providers’ current facilities with access limited to authorized employees. OCR provided technical assistance regarding proper retention and destruction of PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | Heritage Medical Partners, LLC SC Healthcare Provider 812 | Thursday | 2016 |
Advocate Health Care | IL | Healthcare Provider | 812 | 2010-01-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On November 24, 2009, an Advocate nurse’s laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and acceptable use. Additionally, as a result of OCR’s investigation, Advocate workforce members who use mobile devices are now required to fill out and submit an acknowledgment form that establishes proper administrative, technical, and physical security safeguards. | Advocate Health Care IL Healthcare Provider 812 | Friday | 2010 |
Camelback Women’s Health | AZ | Healthcare Provider | 810 | 2015-12-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | In early September 2015, the covered entity (CE), Camel Back Women’s Health, discovered that a former employee retained copies of 1,564 patients’ documents to solicit the CE’s patients for her own practice. The types of protected health information (PHI) in the documents included names, addresses, social security numbers, dates of birth, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE asked the former nurse practitioner to return and/or destroy all of its patients’ PHI in her possession and hired a lawyer to ensure that the former employee signed an affidavit and returned all of the documents. Additionally, the CE revised policies and procedures and retrained workforce members. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. | Camelback Women’s Health AZ Healthcare Provider 810 | Thursday | 2015 |
vonica chau DDS PA | TX | Healthcare Provider | 810 | 2014-10-08 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | vonica chau DDS PA TX Healthcare Provider 810 | Wednesday | 2014 |
NOL, LLC d/b/a Premier Radiology | TN | Healthcare Provider | 810 | 2011-06-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | NOL, LLC d/b/a Premier Radiology TN Healthcare Provider 810 | Wednesday | 2011 |
MetroPlus Health Plan | NY | Health Plan | 808 | 2017-01-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | MetroPlus Health Plan NY Health Plan 808 | Tuesday | 2017 |
Keystone/AmeriHealth Mercy Health Plans | PA | Health Plan | 808 | 2010-12-30 | Loss | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No |  | Keystone/AmeriHealth Mercy Health Plans PA Health Plan 808 | Thursday | 2010 |
Blue Cross Blue Shield of North Carolina | NC | Health Plan | 807 | 2015-09-11 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 24, 2015, that it had accidentally sent payment letters to members that contained information for other members, affecting 806 individuals. The types of PHI in the letters included members’ names, telephone numbers, health plans, effective dates, exchange identification numbers, payment amounts, and internal payment identification numbers. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to the breach, the CE revised its mailing procedures to implement a two-step verification process before material is mailed. OCR obtained assurances that the CE implemented the corrective actions listed above. | Blue Cross Blue Shield of North Carolina NC Health Plan 807 | Friday | 2015 |
Group Health Incorporated | NY | Health Plan | 802 | 2014-08-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | Group Health Incorporated NY Health Plan 802 | Wednesday | 2014 |
White Blossom Care Center | CA | Healthcare Provider | 800 | 2017-06-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | White Blossom Care Center CA Healthcare Provider 800 | Friday | 2017 |
Consultants in Neurological Surgery, LLP | FL | Healthcare Provider | 800 | 2016-11-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Consultants in Neurological Surgery, LLP FL Healthcare Provider 800 | Tuesday | 2016 |
Harrisonburg OB GYN Associates, P.C. | VA | Healthcare Provider | 800 | 2016-10-20 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Harrisonburg Obstetrics and Gynecology Associates, P.C., the covered entity (CE), reported that on August 11, 20, 2016, a physician and former president of the CE, printed out the protected health information (PHI) of approximately 800 patients prior to his resignation. The CE determined that the reports showed patients’ names, account numbers, phone numbers, addresses, dates of service and reasons for the visits. At the time of OCR’s review, the CE was in litigation for the return of the reports. The CE disabled all access to such reports except by a few employees with a business need. The CE provided breach notification to HHS, the media, and affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed. | Harrisonburg OB GYN Associates, P.C. VA Healthcare Provider 800 | Thursday | 2016 |
Keystone Rural Health Consortia, Inc. | PA | Healthcare Provider | 800 | 2016-05-24 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Paper/Films | NA | NA | NA | NA | NA | NA | No | A former employee stole a printout of a patient listing created in January 2015 that was hanging in the locked medical records room and used the information to send letters to several patients. The breach included the protected health information (PHI) of approximately 800 individuals and included demographic information, dates of birth, insurance information, and providers’ names. The covered entity (CE), Keystone Rural Health Consortia, Inc., provided breach notification to HHS, affected individuals, and the media. OCR reviewed the CE’s most recent risk analysis to ensure compliance with the Privacy and Security Rules and obtained assurances that the CE strengthened physical safeguards to prevent similar occurrences in the future. | Keystone Rural Health Consortia, Inc. PA Healthcare Provider 800 | Tuesday | 2016 |
Metropolitan Atlanta Rapid Transit Authority | GA | Health Plan | 800 | 2015-08-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The Metropolitan Atlanta Rapid Transit Authority (MARTA), acting on behalf of its self-insured health plan, mailed 785 Voluntary Critical Illness Insurance forms to the incorrect employees. The correspondence contained protected health information (PHI) including names, addresses, social security numbers, and dates of birth. MARTA conducted a breach assessment and provided breach notification to HHS, affected individuals, and the media. In response to the incident, MARTA developed a standard operating procedure for the Benefits Office for handling employees’ PHI and trained employees. Under the new procedures, the staff will not prepopulate employee forms, applications, worksheets, and confirmation statements with individually identifiable information nor will they send documents containing individually identifiable data to the internal print shop. OCR obtained assurances that MARTA implemented the corrective actions listed above. | Metropolitan Atlanta Rapid Transit Authority GA Health Plan 800 | Thursday | 2015 |
Emdeon | TN | Business Associate | 800 | 2014-09-12 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Emdeon TN Business Associate 800 | Friday | 2014 |
Jesle Kuizon | CA | Business Associate | 800 | 2013-07-18 | Hacking/IT Incident | Theft | Unauthorized Access/Disclosure | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | Yes | Between October and November of 2011, employees of San Jose Medical Supply, Inc. (SJMS) impermissibly disclosed information regarding 800 SJMS patients. The information contained on Excel spreadsheets and prescriptions contained full names, addresses, zip codes, medical conditions, diagnoses, license numbers, physicians’ contact information, and dates prescriptions were obtained. SJMS initiated a forensics security investigation, identified the perpetrators of the breach, determined the recipients of the information, trained employees on HIPAA regulations and patient information security procedures, and filed a lawsuit against Front Medical Supply and the individual perpetrators. SJMS provided breach notification to the California Attorney General, the Secretary of HHS, the affected individuals, and the media. SJMS enhanced computer security protection and protocols to ensure that patient information is protected from unauthorized access, sanctioned responsible workforce members, and updated policies and procedures. OCR determined that SJMS is not a covered entity. | Jesle Kuizon CA Business Associate 800 | Thursday | 2013 |
Sierra Plastic Surgery | NV | Healthcare Provider | 800 | 2012-09-05 | Hacking/IT Incident | Unauthorized Access/Disclosure | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No |  | Sierra Plastic Surgery NV Healthcare Provider 800 | Wednesday | 2012 |
Saint Louis University | MO | Healthcare Provider | 800 | 2011-02-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | Saint Louis University MO Healthcare Provider 800 | Thursday | 2011 |
Zenith Administrators, Inc. | MD | Business Associate | 800 | 2010-12-29 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | Zenith Administrators, Inc. MD Business Associate 800 | Wednesday | 2010 |
zarzamora family dental care | TX | Healthcare Provider | 800 | 2010-12-07 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No |  | zarzamora family dental care TX Healthcare Provider 800 | Tuesday | 2010 |
Long Island Consultation Center | NY | Healthcare Provider | 800 | 2010-07-07 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. | Long Island Consultation Center NY Healthcare Provider 800 | Wednesday | 2010 |
Omaha Construction Industry , Privacy Manager Breach | NE | Business Associate | 800 | 2010-05-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes |  | Omaha Construction Industry , Privacy Manager Breach NE Business Associate 800 | Friday | 2010 |
Diagnostic Radiology & Imaging, LLC | NC | Healthcare Provider | 800 | 2018-04-05 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Diagnostic Radiology & Imaging, LLC NC Healthcare Provider 800 | Thursday | 2018 |
Center for Sports Medicine and Orthopedics | TN | Healthcare Provider | 800 | 2018-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Center for Sports Medicine and Orthopedics TN Healthcare Provider 800 | Monday | 2018 |
Alicia Ann Oswald | CA | Healthcare Provider | 800 | 2018-01-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Alicia Ann Oswald CA Healthcare Provider 800 | Tuesday | 2018 |
HealthPartners Administrators, Inc. | MN | Business Associate | 796 | 2014-03-21 | Loss | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | Yes |  | HealthPartners Administrators, Inc. MN Business Associate 796 | Friday | 2014 |
The University of Texas System Administration | TX | Health Plan | 794 | 2016-01-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The CE sent an email reminder to approximately 794 COBRA participants regarding their premium due date that, inadvertently, displayed the email addresses of all individuals who received the reminder. The email contained names and identified individuals as a plan participant. Upon discovering the breach, the CE implemented additional technical safeguards to prevent similar incidents from occurring. The CE sanctioned the workforce member responsible for the error and re-trained workforce members on its policy regarding the emailing of electronic PHI. The CE provided breach notification to HHS, affected individuals, and the media. The CE also amended its Breach Notification policies and procedures to better clarify the notice requirements specified under the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed. | The University of Texas System Administration TX Health Plan 794 | Thursday | 2016 |
The Seattle Indian Health Board | WA | Healthcare Provider | 793 | 2016-10-06 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | The Seattle Indian Health Board, the covered entity (CE), reported that on August 10, 2016, it experienced a cyber-security attack to an employee email account. The CE determined that electronic Protected Health Information (ePHI) of approximately 793 individuals may have been affected by the breach. The ePHI affected by the breach included patients’ clinical, demographic, and financial information. As a result of discovering the breach, the CE notified affected parties and the media, provided retraining to the responsible workforce member, and provided additional training to other workforce members. The CE provided notification of the breach to the affected individuals via both U.S. Mail, and a message sent through its patient portal, as well as posting a notice about the breach on the homepage of its website. The CE took steps to prevent recurrence of the breach by implementing a company-wide password change and structured password management and control measures, including 90-day password “age” limits. In response to OCR’s investigation, the CE performed an updated Risk Analysis and drafted a corresponding risk management plan, updated relevant policies and procedures and implemented additional information security safeguards. OCR provided additional technical assistance to the CE concerning further periodic risk analyses and updating its risk management plan. | The Seattle Indian Health Board WA Healthcare Provider 793 | Thursday | 2016 |
Healthy Connections, Inc | CA | Healthcare Provider | 793 | 2014-04-14 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | In April 2014, the covered entity (CE), Healthy Connections Inc., reported that an unencrypted mobile computer drive containing patients’ electronic protected health information (ePHI) was lost in transit between the CE and another CE. The breach was noticed when the other CE received the envelope minus the flash drive in the mail. The breach affected the demographic and clinical information of 793 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE conducted a comprehensive system-wide risk analysis, implemented a risk management plan, and enhanced its entire electronic and technical security system. OCR obtained assurances that the CE implemented the corrective actions noted above. | Healthy Connections, Inc CA Healthcare Provider 793 | Monday | 2014 |
Charles Cole Memorial Hospital | PA | Healthcare Provider | 790 | 2018-07-13 | Hacking/IT Incident | NA | NA | NA | NA | NA |  | NA | NA | NA | NA | NA | NA | NA | No | NA | Charles Cole Memorial Hospital PA Healthcare Provider 790 | Friday | 2018 |
ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) | TX | Healthcare Provider | 789 | 2014-09-09 | Loss | Theft | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | As the result of a burglary, a computer, two laptops, and a camera were stolen from the covered entity (CE), ENT Partners of Texas. These systems contained the electronic protected health information (ePHI) of 659 individuals. The PHI involved in the breach included, variously, names, audiology tests, dates of birth, CT scans, and clinical photographs of skin. The laptops and computer were password protected. The CE notified law enforcement as soon as the break-in was discovered. Breach notification was provided to HHS, affected individuals, and the media, and substitute notice was posted on the CE’s website and at the CE’s office. Following the breach, the CE changed the access passwords for ePHI, and the CE’s information technology (IT) provider initiated monitoring to detect whether the stolen laptops are connected to the Internet, so that the IT provider may attempt to remotely erase the breached ePHI. Since the break-in, the CE improved physical security. The CE improved technical safeguards by installing remote wiping software on all laptops and phones and moving patient data software to a password protected and encrypted server. In addition, the CE updated its policies and procedures to prohibit public access on the CE’s wireless network and empty the contents of cameras daily. Following OCR’s investigation, the CE implemented a process for tracking security incidents and updating electronic systems. | ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) TX Healthcare Provider 789 | Tuesday | 2014 |
Health Plan sponsored by Covenant Ministries of Benevolance | IL | Health Plan | 782 | 2015-04-03 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Health Plan sponsored by Covenant Ministries of Benevolance IL Health Plan 782 | Friday | 2015 |
Wisconsin Department of Health Services | WI | Health Plan | 779 | 2018-04-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Wisconsin Department of Health Services WI Health Plan 779 | Tuesday | 2018 |
ABQ HealthPartners | NM | Healthcare Provider | 778 | 2013-02-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer was stolen from the covered entity (CE), ABQ Health Partners. The laptop contained the electronic protected health information (ePHI) of approximately 778 patients, although the CE was unable to conclusively determine which patients’ names were still on the laptop. The ePHI involved in the breach included names, dates of birth, age, sex, referring physicians’ names, and raw numeric test data of less than 778 individuals. Following the breach, the CE encrypted ePHI stored on laptops and tablet computers. As a result of OCR’s investigation, the CE obtained more information about the outdated system which held the ePHI. In addition, the CE provided OCR with a copy of their IT Security Policy in which the CE focused on compliance with the HIPAA Security Rule and HITECH Act requirements. | ABQ HealthPartners NM Healthcare Provider 778 | Sunday | 2013 |
Ventura County Health Care Agency | CA | Healthcare Provider | 777 | 2016-09-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee took home paperwork containing the protected health information (PHI) of 777 individuals that was later recovered by an acquaintance of the employee and returned to the covered entity (CE), Ventura County Health Care Agency. The CE provided breach notification to HHS, affected individuals, and the media. The CE also notified the California Department of Public Health. Following the breach, the CE assigned all necessary employees for retraining, sanctioned the responsible employee, and sent a memo to all necessary staff prohibiting the removal of PHI from the facility. OCR obtained assurances that the CE implemented the corrective actions listed above. | Ventura County Health Care Agency CA Healthcare Provider 777 | Tuesday | 2016 |
Allina Health System | MN | Healthcare Provider | 776 | 2017-02-23 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Allina Health System-Minneapolis Heart Institute, the covered entity (CE), discovered that protected health information (PHI) was placed in a recycling bin and emptied, instead of being shredded as planned. The breach was discovered on January 20, 2017, and affected approximately 776 individuals. The types of PHI involved included names, addresses, dates of birth, social security numbers, Medicare identification numbers, insurance identification numbers, clinical diagnoses, and lab results. The CE provided breach notification to affected individuals, HHS and the media. Following the breach, the CE implemented new policies and procedures and trained employees. OCR obtained assurances that the CE implemented the corrective actions noted above. | Allina Health System MN Healthcare Provider 776 | Thursday | 2017 |
Lindsay House Surgery Center, LLC | NY | Healthcare Provider | 773 | 2016-03-18 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Lindsay House Surgery Center, LLC NY Healthcare Provider 773 | Friday | 2016 |
Cleveland Clinic Florida | FL | Healthcare Provider | 772 | 2011-12-01 | Loss | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No |  | Cleveland Clinic Florida FL Healthcare Provider 772 | Thursday | 2011 |
Wal-Mart Stores, Inc. | AR | Healthcare Provider | 771 | 2016-11-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Wal-Mart Stores, Inc., the covered entity (CE), reported that the protected health information (PHI) of 771 individuals was disclosed when an internal file merging process error resulted in letters and refund checks being sent to the wrong recipients. The types of PHI included patients’ names, store locations, optical order numbers, dates of orders, and refund amounts. The CE provided breach notification to HHS and affected individuals and provided substitute notice via print media. Additionally, the CE provided evidence it implemented improved administrative safeguards and quality assurance protocols, and retrained staff to prevent similar incidents. OCR obtained assurances that the CE implemented the corrective actions listed above. | Wal-Mart Stores, Inc. AR Healthcare Provider 771 | Friday | 2016 |
Orchid MPS Holdings, LLC Welfare Benefit Plan | MI | Health Plan | 771 | 2016-05-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 30, 2016, a vendor of Orchid MPS Holdings, LLC Welfare Benefit Plan, the covered entity (CE), improperly disclosed protected health information (PHI) by mailing IRS Forms 1095-C to the wrong recipients. The breach affected 771 individuals and included addresses, zip codes, names, and social security numbers. The CE provided breach notification to HHS and affected individuals. The CE instructed employees to return to Human Resources the 1095-C forms they received in error and provided free credit monitoring and identity theft protection to individuals affected by the breach. Following the breach, the CE terminated its contract with the vendor that caused the breach and entered into a business associate agreement with a new vendor. The CE also implemented additional procedures to reduce the incidence of error in the 1095-C reporting process, including personally distributing forms to current employees and ensuring the forms contain only the minimum necessary information. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Orchid MPS Holdings, LLC Welfare Benefit Plan MI Health Plan 771 | Thursday | 2016 |
Foundation Medical Partners | NH | Healthcare Provider | 771 | 2012-01-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Foundation Medical Partners NH Healthcare Provider 771 | Wednesday | 2012 |
Memorial Hospital of Gardena | CA | Healthcare Provider | 771 | 2010-11-25 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Memorial Hospital of Gardena CA Healthcare Provider 771 | Thursday | 2010 |
The Lowell General Hospital | MA | Healthcare Provider | 769 | 2017-11-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | The Lowell General Hospital MA Healthcare Provider 769 | Friday | 2017 |
CoreSource, Inc. | IL | Business Associate | 769 | 2018-08-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | CoreSource, Inc. IL Business Associate 769 | Friday | 2018 |
Computer Program and Systems, Inc. (CPSI) | AL | Business Associate | 768 | 2010-03-30 | NA | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | | Computer Program and Systems, Inc. (CPSI) AL Business Associate 768 | Tuesday | 2010 |
South Suburban HIV/AIDS Regional Clinics | IL | Business Associate | 767 | 2014-09-17 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | | South Suburban HIV/AIDS Regional Clinics IL Business Associate 767 | Wednesday | 2014 |
Cook County Health and Hospitals System | IL | Healthcare Provider | 767 | 2014-09-15 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | | Cook County Health and Hospitals System IL Healthcare Provider 767 | Monday | 2014 |
Coventry Health Care, Inc. | MD | Business Associate | 765 | 2011-03-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Coventry Health Care, Inc. MD Business Associate 765 | Friday | 2011 |
Community Family Care Medical Group IPA, Inc. | CA | Healthcare Provider | 763 | 2017-09-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) Community Family Care Medical Group IPA, Inc., submitted a breach report and subsequent addendum reporting that it had discovered that at least two of its former contracted physicians impermissibly disclosed its members protected health information (PHI) to competitor independent physicians associations (IPAs). According to the CE, the members’ PHI that the contracted physicians disclosed to the competitor IPAs included their names, addresses, dates of birth, Social Security, insurance identification numbers, health insurance information, as well as treatment, diagnosis and related information. The contracted physicians’ actions affected 7,173 individuals. The CE notified the affected individuals, completed media notification, and provided notification to HHS. OCR provided the CE with technical assistance regarding the CE’s obligations to safeguard PHI and to ensure it has met its Breach Notification Rule obligations. | Community Family Care Medical Group IPA, Inc. CA Healthcare Provider 763 | Wednesday | 2017 |
David S. Ng, O.D. | CA | Healthcare Provider | 758 | 2018-06-16 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | David S. Ng, O.D. CA Healthcare Provider 758 | Saturday | 2018 |
Indiana University School of Optometry | IN | Healthcare Provider | 757 | 2011-10-25 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | A doctor’s letters and reports were exposed on the Internet for one month after the security configuration of the covered entity’s (CE) computer server was changed. The electronic protected health information (ePHI) of 757 individuals appearing on the Internet included patient names, birth dates, medical histories, diagnoses, and treatment plans. Following the breach, the CE identified and blocked the internet protocol (IP) address that was allowing access to ePHI over the Internet, removed the web portal that was facilitating access, and restored the affected server to its previous security configuration. As a result of OCR’s investigation, the CE implemented monitoring and reporting of electronic information systems that transmit ePHI. OCR obtained assurances that breach notification was provided to affected individuals, the media, and HHS. | Indiana University School of Optometry IN Healthcare Provider 757 | Tuesday | 2011 |
The Southwestern Indiana Regional Council on Aging | IN | Business Associate | 757 | 2010-12-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | | The Southwestern Indiana Regional Council on Aging IN Business Associate 757 | Monday | 2010 |
St.Vincent Medical Group, Inc. | IN | Healthcare Provider | 756 | 2015-04-10 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | St. Vincent Medical Group, Inc., the covered entity (CE), reported that on December 3, 2014, it learned that an employee’s user name and password had been compromised as a result of a phishing email attack. This breach affected approximately 756 individuals. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, clinical information, and in some cases, and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE disabled and reset the password for the email account responsible for the breach, and required the employee to reset their password. It also deployed software to scan internet addresses in employees’ emails to determine if they are malicious, and required phishing training for all employees. OCR obtained documented assurances that the CE implemented the corrective action steps listed above. | St.Vincent Medical Group, Inc. IN Healthcare Provider 756 | Friday | 2015 |
Lutheran Community Services Northwest | WA | Healthcare Provider | 756 | 2012-05-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Two desktop computers and a USB drive were stolen during a break-in at the CE’s premises. The devices contained the electronic protected health information (ePHI) of approximately 757 individuals. The ePHI involved in the breach included phone numbers, email addresses, state identification card information, demographic, financial, clinical, diagnostic, and treatment information. The CE installed new locks, added HIPAA policies and procedures, and encrypted all mobile devices. As a result of OCR’s technical assistance, the CE revised policies and procedures, moved the back-up server offsite to a secure storage facility, and stopped saving ePHI to local computer drives. | Lutheran Community Services Northwest WA Healthcare Provider 756 | Tuesday | 2012 |
Sharp Memorial Hospital | CA | Healthcare Provider | 754 | 2017-02-28 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | Sharp Memorial Hospital, the covered entity (CE), reported that an unencrypted laptop computer and unencrypted external hard drive used to store electronic protected health information (ePHI) were stolen from a secure storage area. The ePHI of 791 patients was stored on the hard drive at the time of the theft. The ePHI included individuals’ names, dates of birth, prescription information and family medical history. In response to the breach incident, the CE notified the affected individuals of the breach, notified prominent media outlets of the breach, ensured the presence of encryption software on all laptops and media storage devices, updated relevant policies and procedures, implemented additional administrative, physical and technical safeguards, provided retraining to workforce members in the facility where the breach occurred. As a result of the investigation, OCR stated the expectation that the CE will complete a thorough and enterprise wide risk analysis and implement a comprehensive risk management plan. | Sharp Memorial Hospital CA Healthcare Provider 754 | Tuesday | 2017 |
Central States Southeast and Siouthwest Areas Health & Welfare Fund | IL | Health Plan | 754 | 2012-08-21 | Other | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Central States Southeast and Siouthwest Areas Health & Welfare Fund IL Health Plan 754 | Tuesday | 2012 |
North Lake Tahoe Fire Protection District, Privacy Manager Breach | NV | Healthcare Provider | 752 | 2012-12-13 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | North Lake Tahoe Fire Protection District, Privacy Manager Breach NV Healthcare Provider 752 | Thursday | 2012 |
Lake Hospital System, Inc. dba Lake Health | OH | Healthcare Provider | 750 | 2017-08-15 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On June 16, 2017, the covered entity (CE), Lake Hospital System, Inc. dba Lake Health, discovered that a paper log of births that occurred in its TriPoint Medical Center’s obstetrics (OB) department was missing. The breach affected the names, medical record numbers, any patient health complications, and patient drug screening information of 750 individuals. The CE provided breach notification to HHS, affected individuals, and the media, as well as providing substitute notice on its website, It also created a toll-free hotline to contact for additional information, and offered free identity theft protection. Followed the breach, the CE retrained OB staff on its HIPAA policies and procedures, stopped using paper OB log books, and required that all manual/paper logs within the entity be converted to electronic, secure formats or eliminated. It is also required department directors to implement a security plan to assure that log information is safeguarded and developed a director level training using the OB log incident as a case study and training all directors/department leaders. OCR obtained documented assurances that the CE implemented the corrective actions described above. | Lake Hospital System, Inc. dba Lake Health OH Healthcare Provider 750 | Tuesday | 2017 |
Colorado Neurodiagnostics, PLLC | CO | Healthcare Provider | 750 | 2014-06-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing protected health information (PHI) was stolen from Colorado Neurodiagnostics’ locked offices on April 25, 2014, affecting approximately 750 individuals. The PHI on the laptop included patients’ names, dates of birth, diagnoses, conditions, laboratory results, medications, and treatment information. The covered entity (CE) provided breach notification to affected individuals, the media, and HHS. It also immediately filed a police report and implemented additional physical safeguards. As a result of OCR’s investigation and technical assistance, the CE conducted a risk analysis, developed a risk management plan, encrypted its electronic devices containing PHI, and implemented additional technical safeguards. | Colorado Neurodiagnostics, PLLC CO Healthcare Provider 750 | Monday | 2014 |
Seattle - King County Department of Public Health | WA | Healthcare Provider | 750 | 2013-05-07 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Public Health, Seattle & King County, discovered that the protected health information (PHI) of 450 to 750 clients was inadvertently disposed of improperly by being put in the regular recycling. The PHI involved in the breach included treatment or medical condition information, and may have included the social security numbers of five individuals. The CE provided breach notification to HHS, the media, and 2,300 individuals who had an appointment at the subject clinic during the four weeks prior to the incident. It also provided substitute notification. The CE improved safeguards by updating its PHI disposal policies and procedures. OCR’s investigation confirmed that the appropriate notifications were made, that corrective actions steps were taken, and required that the CE retrain all staff on its revised disposal policy. | Seattle - King County Department of Public Health WA Healthcare Provider 750 | Tuesday | 2013 |
IntraCare North Hospital | TX | Healthcare Provider | 750 | 2012-05-03 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A former employee of the covered entity (CE), Intracare North Hospital, stole computers, monitors, and the CE’s billing software. The protected health information (PHI) involved in the breach included names, addresses, phone numbers, dates of birth, insurance information, and social security numbers. The District Attorney’s Office has not provided the CE with the PHI nor have they provided the CE with the number of patients that were affected. The CE provided breach notification to HHS, the media, and affected individuals. Individual notification included a toll-free number and the Harris County District Attorney’s contact number. Following OCR’s investigation, the CE improved safeguards by upgrading its system to allow for more specific monitoring of the activity of users and creating user codes to track copier use. The CE also improved administrative safeguards by revising workforce clearance procedures for certain jobs, and improved physical safeguards by installing surveillance cameras. In addition, staff was re-trained on the HIPAA Rules. | IntraCare North Hospital TX Healthcare Provider 750 | Thursday | 2012 |
TLC Dental Dania, LLC | FL | Healthcare Provider | 750 | 2012-04-23 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer and 750 paper medical records were stolen from the covered entity (CE), TLC Dental Dania, LLC, during a break-in. The CE reported the theft to the law enforcement. The CE provided timely breach notification to affected individuals and HHS, and posted notice on its website. OCR provided technical assistance to CE about the requirements for media notice. In response to the breach, the CE adopted and implemented new HIPAA policies that addressed the Security, Privacy and Breach Notification Rules. OCR obtained assurances from the CE that its staff would be trained on these new policies. | TLC Dental Dania, LLC FL Healthcare Provider 750 | Monday | 2012 |
Chicago Muscoskeletal Institute | IL | Healthcare Provider | 750 | 2012-03-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 31, 2011, the names, dates of birth, medical record numbers, and clinic notes for 750 of the covered entity’s (CE) patients were available on its network server and website. The CE disabled the website and removed the 750 patients’ demographic and clinical information from its network server. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE provided fraud and credit monitoring to affected individuals and retrained its staff on technical safeguards. | Chicago Muscoskeletal Institute IL Healthcare Provider 750 | Friday | 2012 |
Physician’s Automated Laboratory | CA | Healthcare Provider | 745 | 2012-05-23 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Physician’s Automated Laboratory CA Healthcare Provider 745 | Wednesday | 2012 |
Kaleida Health | NY | Healthcare Provider | 744 | 2017-08-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaleida Health NY Healthcare Provider 744 | Friday | 2017 |
County of Los Angeles | CA | Healthcare Provider | 743 | 2016-08-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Paper documents were stolen from an employee car, while off-site. The paper documents contained the protected health information (PHI) of approximately 743 individuals. The types of PHI involved in the breach included first and last names, dates of birth, medical record numbers, telephone numbers, gender information, names of treatment clinics, appointment types, date and time of appointment(s), and reasons for the examination and/or diagnosis. Following the breach, the covered entity (CE) notified local law enforcement and re-trained staff. The CE provided breach notification to HHS, affected individuals and the media. OCR obtained assurances that the CE implemented the corrective actions listed above. | County of Los Angeles CA Healthcare Provider 743 | Tuesday | 2016 |
Jones Family Practice, P.A. | NC | Healthcare Provider | 742 | 2017-05-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Jones Family Practice, P.A. NC Healthcare Provider 742 | Friday | 2017 |
Orthodontic Specialists of Green Bay | WI | Healthcare Provider | 742 | 2017-04-24 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Orthodontic Specialists of Green Bay, reported a breach based on unauthorized access to one of its doctor’s email accounts that occurred between April 7, 2017 and April 10, 2017. An unauthorized individual(s) accessed a doctor’s email account at to monitor communications and receive financial gain by posing as the doctor and requesting the controller send funds to various accounts. The breached email account contained electronic protected health information (ePHI) for 742 affected individuals and included names and treatment information. Immediately following the breach, the CE contacted the Federal Bureau of Investigation (FBI) and which initiated an investigation. The covered entity provided breach notification to HHS, affected individuals, and the media. The CE directed its IT contractor to investigate the severity of the breach, and the investigation concluded that only one doctor’s email account was breached. The CE required all employees to change their passwords and created new password management policies. OCR obtained assurances that the CE implemented the corrective actions noted above. | Orthodontic Specialists of Green Bay WI Healthcare Provider 742 | Monday | 2017 |
Walmart Inc. | AR | Healthcare Provider | 741 | 2018-03-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | | No | NA | Walmart Inc. AR Healthcare Provider 741 | Monday | 2018 |
California Correctional Health Care Services | CA | Healthcare Provider | 738 | 2017-02-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On February 9, 2017, the covered entity (CE), California Correctional Health Care Services, reported that its workforce member sent an email and a spreadsheet attachment to a wrong recipient who is an executive liaison to California Governor’s Office of Emergency Services and has the same last name as the intended recipient. The CE asked the recipient to delete both the email and attachment. The breach affected the electronic PHI (ePHI) of approximately 738 individuals and included names, California Department of Corrections and Rehabilitation identification numbers, housing information, mental health related information, and health care providers information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained the involved workforce member and implemented email encryption. The CE also provided OCR with additional documentation including its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. | California Correctional Health Care Services CA Healthcare Provider 738 | Thursday | 2017 |
Fidelis Care | NY | Health Plan | 738 | 2015-12-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Fidelis Care, mailed Explanation of Benefits (EOB) letters to the wrong members. The EOBs contained the names, addresses, identification numbers and recent claim activities of 738 individuals. The CE provided breach notification to HHS and affected individuals and offered credit monitoring. Upon discovering the breach, the CE performed a risk assessment. As a result of OCR’s investigation, the CE revised its safeguards policy regarding the printing of documents containing protected health information (PHI) and implemented a quality review process to assist with the inspection of outgoing mail that contains PHI. Additionally, the CE sanctioned and retrained the employees involved in the breach. | Fidelis Care NY Health Plan 738 | Tuesday | 2015 |
UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 735 | 2010-04-27 | Theft | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | On March 2, 2010, the covered entity (CE), UnitedHealth Group, discovered that remittance forms containing member information which accompany paper checks were stolen. The invoices contained the protected health information (PHI) of over 735 individuals. The types of PHI included demographic and claims information. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with credit monitoring services. Following the breach, the CE reviewed its payment and remittance information controls and notified its provider call centers to remain on a high level alert to monitor all remittance payments. OCR obtained assurances that the CE implemented the corrective actions listed above. | UnitedHealth Group health plan single affiliated covered entity MN Health Plan 735 | Tuesday | 2010 |
Walmart, Inc. | AR | Healthcare Provider | 735 | 2018-02-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Walmart, Inc. AR Healthcare Provider 735 | Thursday | 2018 |
WellSpan Health | PA | Health Plan | 732 | 2017-03-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | WellSpan Health PA Health Plan 732 | Thursday | 2017 |
Summit Medical Group, PLLC | TN | Healthcare Provider | 731 | 2011-09-28 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On September 4, 2011, a Summit Medical Group (SMG) employee’s car was burglarized, resulting in the theft of paper reports containing the protected health information (PHI) of approximately 731 of the covered entity’s (CE) patients. The PHI involved in the breach included account numbers, patients’ names, physicians’ names, names of hospitals, dates of discharge, dates of birth, names of insurance providers, and discharge diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. It also offered credit monitoring services and created a customer service center to handle questions. Following the breach, the CE initiated an internal investigation, filed a police report, notified the affected physician sites of the breach, conducted a risk assessment, and adopted additional identification verification measures for affected individuals. As a result of OCR’s investigation, the CE updated its HIPAA policies and procedures and improved safeguards by encrypting laptop computers. | Summit Medical Group, PLLC TN Healthcare Provider 731 | Wednesday | 2011 |
Akron General Medical Center | OH | Healthcare Provider | 730 | 2016-11-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | The business associate (BA), Ambucor Health Solutions, filed a separate breach report for an incident also reported by this covered entity, (CE), Akron General Medical Center. OCR obtained a copy of the BA agreement between this CE and BA and a copy of the breach notification letter sent to the affected individuals. This case has been consolidated into the other review of the BA. | Akron General Medical Center OH Healthcare Provider 730 | Wednesday | 2016 |
CardioNet, Inc. | PA | Healthcare Provider | 728 | 2012-02-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | CardioNet, Inc. PA Healthcare Provider 728 | Monday | 2012 |
Seven Counties Services, Inc. | KY | Healthcare Provider | 727 | 2014-10-22 | Improper Disposal | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A former employee mistakenly took home a basket of items, including documents containing the protected health information (PHI) of 727 patients, which were flagged for shredding. The documents were taken to an elementary school with other materials that had been stored at the employee’s home for the summer. The PHI included social security numbers, diagnosis codes, guardians’ names and phone numbers, supervisor recommendations concerning treatment, and insurance identification codes. The covered entity (CE), Seven Counties Services, provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and set up a toll free information number. The CE investigated the breach and interviewed all involved individuals. As a result of OCR’s investigation, the CE developed new HIPAA awareness training focused on protecting paper records, revised its HIPAA policies and procedures regarding the disposal of documents containing PHI, and retrained staff on the new policies and procedures. | Seven Counties Services, Inc. KY Healthcare Provider 727 | Wednesday | 2014 |
Cook County Health & Hospitals System | IL | Healthcare Provider | 727 | 2017-10-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Cook County Health & Hospitals System IL Healthcare Provider 727 | Friday | 2017 |
Vibrant Body Wellness | CA | Healthcare Provider | 726 | 2016-03-11 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | On March 5, 2016, a password protected laptop computer and a backup computer drive were stolen from the covered entity (CE), Vibrant Body Wellness, as a result of a break-in. The laptop computer contained the protected health information (PHI) of 726 individuals, including patients’ addresses, dates of birth, names, clinical diagnoses/conditions, and financial claims information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified law enforcement. The PHI which was on the stolen external hard drive was encrypted. Following the breach, the CE trained staff regarding its policies and procedures for safeguarding electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | Vibrant Body Wellness CA Healthcare Provider 726 | Friday | 2016 |
BlueCross BlueShield of Western New York | NY | Business Associate | 725 | 2013-01-22 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers. Upon discovery of the breach, the BA contacted the U.S. Post Office regarding the undelivered mailing. The CE provided breach notification to HHS and the BA notified affected individuals. The BA revised its invoice procedures to assure the removal of social security numbers and member identification numbers, and send invoices via secure email. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | BlueCross BlueShield of Western New York NY Business Associate 725 | Tuesday | 2013 |
Blue Cross and Blue Shield of Kansas City | MO | Health Plan | 725 | 2017-05-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Blue Cross and Blue Shield of Kansas City MO Health Plan 725 | Friday | 2017 |
CVS Health | RI | Healthcare Provider | 724 | 2017-03-08 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On January 11, 2017, a box containing hard copy controlled substance prescriptions written between January 2, 2017 and January 11, 2017, was stolen by an unknown individual from a CVS, the covered entity (CE), in Michigan City, Indiana. The breach affected 724 individuals and the types of protected health information (PHI) involved included patients’ names, dates of birth, addresses, medication names, medication dosages, prescription numbers, and prescriber information. The CE provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE retrained its staff at the Michigan City location. Additionally, the CE’s management conducted an internal audit to ensure that patient records were not easily visible to waiting customers or accessible by anyone standing outside of the pharmacy. OCR reviewed the CE’s policies and procedures on uses and disclosure of PHI and safeguarding PHI and obtained assurances that the CE implemented the corrective actions noted above. | CVS Health RI Healthcare Provider 724 | Wednesday | 2017 |
VA St. Louis Health Care System | MO | Healthcare Provider | 724 | 2017-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | VA St. Louis Health Care System MO Healthcare Provider 724 | Wednesday | 2017 |
UPMC Health Plan | PA | Health Plan | 722 | 2015-07-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), UPMC Health Plan, inadvertently sent an unsecure email with protected health information (PHI) to an incorrect, third-party email address. The breach included the electronic PHI of 722 individuals and included names, dates of birth, member identification numbers, phone numbers, types of insurance, and members’ primary care providers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff members. OCR reviewed UPMC Health Plan’s risk analysis to ensure compliance with the Security Rule and obtained assurances that the CE implemented the corrective actions listed above. | UPMC Health Plan PA Health Plan 722 | Thursday | 2015 |
Pulse Systems, Inc. | KS | Business Associate | 722 | 2018-09-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Pulse Systems, Inc. KS Business Associate 722 | Wednesday | 2018 |
Children’s National Medical Center | DC | Healthcare Provider | 722 | 2018-03-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Children’s National Medical Center DC Healthcare Provider 722 | Friday | 2018 |
Affinity Health Plan, Inc. | NY | Health Plan | 721 | 2015-09-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Affinity Health Plan, Inc., mistakenly sent renewal letters to members that contained a different member’s name and address and their children’s names and identification numbers and coverage information. The breach affected 497 heads of household and 224 children. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE placed a hold on outgoing bulk mailings. As a result of OCR’s investigation, the CE reviewed and revised the organization’s mailing procedures to ensure that they comply with minimum necessary standards, and quality standards. The CE also retrained all staff on its updated policies and procedures and on HIPAA safeguards for members’ PHI. OCR obtained assurance that the CE implemented the corrective actions noted above. | Affinity Health Plan, Inc. NY Health Plan 721 | Monday | 2015 |
Kaiser Foundation Health Plan | CA | Health Plan | 720 | 2017-10-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On September 18, 2017, a business associate (BA) completed a batch mailing of outreach letters on behalf of the covered entity (CE), Kaiser Foundation Health Plan. The CE subsequently received reports of patients receiving other patient’s outreach letters. A review of the files used by the BA revealed that the addresses for the entire batch had been superimposed, resulting in 720 patients receiving a letter intended for another patient. The PHI breached included demographic information (patients’ names and addresses). The CE provided breach notification to HHS, affected individuals, and the media. In response to OCR’s investigation, the CE worked with the BA to ensure that secondary Quality Assurance checks by the BA against all source files are now in place, and added a manager from the CE to do final checks and sign-off on lists prior to letters being mailed. OCR obtained assurances that the CE implemented the corrective actions noted above. | Kaiser Foundation Health Plan CA Health Plan 720 | Friday | 2017 |
The Longstreet Clinic, P. C. | GA | Healthcare Provider | 720 | 2014-08-28 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | The Longstreet Clinic, P. C. GA Healthcare Provider 720 | Thursday | 2014 |
EMERGENCY COVERAGE CORPORATION | TN | Healthcare Provider | 719 | 2017-10-20 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On September 5, 2017, Emergency Coverage Corporation, the covered entity (CE), discovered that two boxes of remittance advice forms fell off the back of a UPS truck. The types of protected health information (PHI) included on the forms were patients’ names, addresses, dates of birth, health insurance policy numbers, diagnostic codes, a description of the services rendered, and full or partial social security numbers. The breach affected 730 individuals. The CE provided breach notification to HHS and the affected individuals. Media notification was not required as less than 500 affected individuals resided in a single geographic region. In response to the breach, the CE reviewed its policies and procedures, performed a risk assessment, and offered identity theft insurance coverage to the affected individuals. OCR obtained assurances that the CE implemented the corrective actions listed above. | EMERGENCY COVERAGE CORPORATION TN Healthcare Provider 719 | Friday | 2017 |
Target Corporation Health Plan | MN | Business Associate | 719 | 2016-04-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | During the maintenance of a printer press, a technician incorrectly changed a printer setting resulting in errors on printed explanation of benefit (EOB) letters sent by a subcontractor on behalf of a business associate (BA), Kaiser Permanente Insurance Company. The error impacted the letters of 719 individuals. The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximum, dollars spent “year to date” towards the deductible, and out of pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the subcontractor BA updated its procedures to include additional oversight and additional print testing during printer updates or maintenance. OCR’s investigation resulted in the subcontractor BA improving safeguards in the printing of PHI for the covered entity’s health plan. | Target Corporation Health Plan MN Business Associate 719 | Tuesday | 2016 |
Midland Women’s Clinic | TX | Healthcare Provider | 717 | 2016-06-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On April 26, 2016, the covered entity (CE), Midland Women’s Clinic, learned that patient documents had been discovered, unsecured, at an unauthorized offsite location. The documents contained the protected health information (PHI) of approximately 717 individuals and included names, dates of birth, social security numbers, addresses and zip codes, diagnoses/conditions, lab results, medications, and other treatment information. Following the breach, the CE secured the patient records, updated its policies and procedures, and provided additional HIPAA training to its employees. OCR reviewed the CE’s breach notifications to the affected individuals and the media and provided technical assistance regarding the breach notification requirements. | Midland Women’s Clinic TX Healthcare Provider 717 | Friday | 2016 |
Kindred Transitional Care and Rehabilitation - Marl | MA | Healthcare Provider | 716 | 2013-02-14 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Backup tapes containing the protected health information (PHI) of 716 individuals were stolen from the covered entity (CE), Kindred Transitional Care and Rehabilitation - Marlborough, during the theft of the safe where the tapes were stored. The types of PHI involved in the breach included patients’ names, diagnoses, social security numbers, medications and Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its process for encrypting backup tapes. Additionally, as a result of OCR’s investigation the CE stopped using tapes to backup information at individual sites. | Kindred Transitional Care and Rehabilitation - Marl MA Healthcare Provider 716 | Thursday | 2013 |
Northridge Hospital Medical Center | CA | Healthcare Provider | 716 | 2010-11-02 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Northridge Hospital Medical Center CA Healthcare Provider 716 | Tuesday | 2010 |
HealthPartners Administrators, Inc. | MN | Business Associate | 715 | 2014-03-21 | Loss | Unauthorized Access/Disclosure | NA | NA | NA | NA | Desktop Computer | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | Yes | | HealthPartners Administrators, Inc. MN Business Associate 715 | Friday | 2014 |
Lane County Health & Human Services | OR | Healthcare Provider | 715 | 2018-08-01 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Lane County Health & Human Services OR Healthcare Provider 715 | Wednesday | 2018 |
St. Joseph’s Medical Center | CA | Healthcare Provider | 712 | 2012-03-29 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | St. Joseph’s Medical Center CA Healthcare Provider 712 | Thursday | 2012 |
The Mount Sinai Hospital | NY | Healthcare Provider | 712 | 2011-07-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity’s (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility’s rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls. | The Mount Sinai Hospital NY Healthcare Provider 712 | Friday | 2011 |
GEO Care, LLC | FL | Healthcare Provider | 710 | 2013-07-19 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The FBI notified the covered entity (CE), GEO Care, that a GEO Care employee, inappropriately accessed the patient admission reports of approximately 710 patients at South Florida State Hospital and provided them to a third party, the employee’s cousin, without authorization. The employee’s cousin then attempted to sell the reports for an illegal purpose. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, admission dates, discharge dates, and patients’ unit names. The CE provided breach notification to HHS, the media, and posted substitute notice on its website. It also offered identity theft protection to the affected individuals. The responsible staff member was terminated according to the CE’s policy and has also been criminally indicted. Following the breach, the CE improved safeguards by limiting the use of full social security numbers, restricting access to documents, and performing weekly audits of those workforce members who access documents with full social security numbers. Additionally, the CE updated its privacy and security policies and procedures and developed new policies and procedures. It also revised its policies for employee access to electronic PHI based on job title and function, and provided retraining to employees regarding access and disclosure of PHI. OCR obtained assurances that the corrective actions listed above were completed. | GEO Care, LLC FL Healthcare Provider 710 | Friday | 2013 |
Physician Associates, LLC | FL | Healthcare Provider | 710 | 2018-07-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Physician Associates, LLC FL Healthcare Provider 710 | Tuesday | 2018 |
Shiel Sexton | IN | Health Plan | 710 | 2017-01-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Shiel Sexton IN Health Plan 710 | Friday | 2017 |
Karen Kietzman | MT | Healthcare Provider | 708 | 2012-06-22 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | A laptop, iPad, and portable memory drive were stolen from the office of Dr. Karen Kietzman, the covered entity (CE), affecting approximately 708 individuals. The electronic protected health information (ePHI) contained on the devices included patients’ demographic and mental health information. The CE provided breach notification to HHS, affected individuals, and media. As a result of the breach, and to prevent a recurrence, the CE improved physical safeguards, encrypted her laptop, and stopped storing ePHI on any other electronic media. As a result of OCR’s investigation and technical assistance, the CE developed a risk analysis and risk management plan and developed policies and procedures to implement the Privacy, Security, and Breach Notification Rules. | Karen Kietzman MT Healthcare Provider 708 | Friday | 2012 |
University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program | KY | Healthcare Provider | 708 | 2010-06-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | An outside computer’s unique numerical code (Internet Protocol address) accessed the covered entity’s (CE) website which contained a database containing the protected health information of 708 patients. The types of PHI involved in the breach included names, social security numbers, and treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE disabled the website containing the breached PHI. As a result of OCR’s investigation, the CE removed social security numbers from its site, added a time out feature, retrained staff, and completed a risk assessment. | University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program KY Healthcare Provider 708 | Tuesday | 2010 |
Decatur Health Systems | KS | Healthcare Provider | 707 | 2016-09-07 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A CAT scan log binder containing protected health information (PHI) went missing from the covered entity (CE), Decatur Health Systems, sometime between July 22, 2016, and July 25, 2016. The breach affected 707 individuals and the types of PHI contained in the binder included patients’ names, dates of birth, exam dates, diagnoses, ordering providers, and x-ray exposure levels. The CE provided breach notification to HHS, affected individuals, and the media. It also reported the incident to the proper law enforcement authorities. In response to the breach the CE enhanced physical safeguards in every department. Additionally, the CE implemented new privacy and security practices and retrained staff on its HIPAA policies and procedures. The CE also revised its policy to clarify how patients and third parties can access PHI, including associated fees, and educated staff on the policy. OCR obtained documentation that the CE implemented the corrective actions noted above. | Decatur Health Systems KS Healthcare Provider 707 | Wednesday | 2016 |
Compassionate Care Hospice of Central Louisiana, LLC | LA | Healthcare Provider | 707 | 2014-09-26 | Theft | NA | NA | NA | NA | NA | Laptop | Other | NA | NA | NA | NA | NA | NA | No | Ten encrypted laptop computers and one external hard drive containing the electronic protected health information (ePHI) of approximately 707 individuals were stolen from the covered entity (CE), Compassionate Care Hospice of Central Louisiana. The laptops contained two reports. The first report listed the names, ages, admitting and discharge dates, location, medication class and other items related to 120 patients. The second report contained the names of 97 patients. The hard drive contained one file, a bereavement report listing the names, addresses, phone numbers and date of death of deceased patients. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE remotely wiped the stolen laptops. Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE’s policies, including encryption requirements. OCR obtained a copy of the CE’s current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft. | Compassionate Care Hospice of Central Louisiana, LLC LA Healthcare Provider 707 | Friday | 2014 |
Mutual of Omaha Insurance Co | NE | Health Plan | 705 | 2011-10-18 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Mutual of Omaha Insurance Co NE Health Plan 705 | Tuesday | 2011 |
Advanced Diagnostic Imaging, P.C. | TN | Healthcare Provider | 705 | 2011-06-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Advanced Diagnostic Imaging, P.C. TN Healthcare Provider 705 | Wednesday | 2011 |
Vision Care Specialists, Inc. | CO | Healthcare Provider | 703 | 2017-07-20 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Vision Care Specialists, Inc. CO Healthcare Provider 703 | Thursday | 2017 |
Emblem Health - GHI | NY | Health Plan | 703 | 2017-02-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Emblem Health - GHI NY Health Plan 703 | Friday | 2017 |
Motion Picture Industry Health Plans (MPI) | CA | Health Plan | 703 | 2012-02-15 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Motion Picture Industry Health Plans (MPIHP), mistakenly sent mailings containing protected health information (PHI) to the prior address of approximately 700 individuals due to a computer error. The PHI involved in the breach included names, claim numbers, dates of service, and provider names. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. Following the breach, the CE instituted additional safeguards including automatic suppression of documents when conflicting addresses are contained in multiple computer systems. As a result of OCR’s investigation, the CE updated its policies, conducted a new risk analysis, and developed a new risk management plan. | Motion Picture Industry Health Plans (MPI) CA Health Plan 703 | Wednesday | 2012 |
Walgreen Co. | IL | Healthcare Provider | 703 | 2018-04-27 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Walgreen Co. IL Healthcare Provider 703 | Friday | 2018 |
Oregon Health & Science University | OR | Healthcare Provider | 702 | 2012-07-31 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | Oregon Health & Science University OR Healthcare Provider 702 | Tuesday | 2012 |
Chadron Community Hospital & Health Services | NE | Healthcare Provider | 702 | 2017-02-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Chadron Community Hospital & Health Services NE Healthcare Provider 702 | Sunday | 2017 |
Borgess Medical Center d/b/a Borgess Rheumatology | MI | Healthcare Provider | 700 | 2016-02-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On April 13, 2015, the covered entity (CE), Borgess Medical Center-Borgess Rheumatology, impermissibly disclosed protected health information (PHI) due to an erroneous use of “mail merge,” which mixed up 700 patients’ names and addresses. The PHI involved in the breach included patients’ names, medications, and their association with Borgess Rheumatology as patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented a new process that included verification of the data files used for mail merges, including a Privacy Officer review. It also trained workforce members and added an informal quality check of spreadsheets involving patient information. OCR obtained documented assurances that the CE implemented the corrective actions noted above. | Borgess Medical Center d/b/a Borgess Rheumatology MI Healthcare Provider 700 | Friday | 2016 |
Valley Mental Health | UT | Healthcare Provider | 700 | 2013-04-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On February 27, 2013, Valley Mental Health, the covered entity (CE), discovered that a computer hard drive had been stolen from one of its facilities. The computer was located in a common area and available for use by members. The hard drive contained protected health information (PHI)—members’ names, diagnostic and treatment information, financial records, media release forms, members’ photographs, activity sign-up sheets, and resumes—for approximately 700 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach and during OCR’s investigation, the CE posted signs reminding members that information stored on shared computers is not confidential, encrypted hard drives, and stored PHI in locked offices and locked file cabinets. OCR obtained assurances that the CE implemented the corrective actions listed above, and OCR provided the CE with technical assistance regarding its Security Rule obligations. | Valley Mental Health UT Healthcare Provider 700 | Friday | 2013 |
Thomas J O’Laughlin, MD | CA | Business Associate | 700 | 2011-10-07 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Thomas J O’Laughlin, MD CA Business Associate 700 | Friday | 2011 |
Andersen Air Force Base, Guam | VA | Healthcare Provider | 700 | 2011-07-22 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Andersen Air Force Base, Guam VA Healthcare Provider 700 | Friday | 2011 |
Waiting Room Solutions Limited Liability Limited Partnership | NY | Business Associate | 700 | 2016-12-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Waiting Room Solutions Limited Liability Limited Partnership NY Business Associate 700 | Friday | 2016 |
Lakeview Medical Center | WI | Healthcare Provider | 698 | 2012-02-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Lakeview Medical Center WI Healthcare Provider 698 | Tuesday | 2012 |
Caring for Women, PA | TX | Healthcare Provider | 697 | 2016-07-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of FTGU Medical Consulting, LLC (FTGU) sent the electronic protected health information (ePHI) of approximately 700 individuals to an unknown third party. FTGU is a business associate (BA) of Caring for Women, PA, the covered entity (CE). The ePHI included clinical (diagnostic and treatment) information, as well as financial information related to billing. The BA discovered the breach when the recipient of the ePHI notified the BA that he was not the intended recipient. The BA requested that the recipient delete the ePHI file from his email and his computer and received assurances from the recipient that he would comply with this request. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE provided the BA with additional training. In addition, the BA took steps to increase or implement technological safeguards, implement periodic evaluations, and retrain employees. OCR also verified that the CE had a proper BA agreement in place, which restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Caring for Women, PA TX Healthcare Provider 697 | Friday | 2016 |
Bon Secours Kentucky | KY | Healthcare Provider | 697 | 2014-09-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Bon Secours Kentucky, discovered suspicious activity on its billing software from the user account of a former employee. The CE found it had not properly deactivated access, putting at risk the demographic and clinical information of 697 individuals. The CE provided breach notification to HHS, affected individuals, and posted substitute notice on its website. Media notice was not performed because the number of affected individuals in each state was less than 500. In response to the breach, the CE revised its access monitoring policy and centralized its access allowance procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | Bon Secours Kentucky KY Healthcare Provider 697 | Tuesday | 2014 |
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 697 | 2013-03-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Texas Tech University Health Sciences Center TX Healthcare Provider 697 | Friday | 2013 |
Temple Physicians Inc. | PA | Healthcare Provider | 694 | 2014-01-13 | Loss | Theft | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Temple Physicians Inc. PA Healthcare Provider 694 | Monday | 2014 |
Health Plan of San Mateo | CA | Health Plan | 694 | 2011-06-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Health Plan of San Mateo CA Health Plan 694 | Wednesday | 2011 |
Texas Children’s Hospital | TX | Healthcare Provider | 694 | 2010-07-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Texas Children’s Hospital TX Healthcare Provider 694 | Friday | 2010 |
Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan | MD | Health Plan | 692 | 2010-10-06 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. Following OCR’s investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. | Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan MD Health Plan 692 | Wednesday | 2010 |
Recovery Institute of the South East P.A. | FL | Healthcare Provider | 689 | 2017-10-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Laptop | Network Server | Other | Other Portable Electronic Device | Paper/Films | | No | NA | Recovery Institute of the South East P.A. FL Healthcare Provider 689 | Saturday | 2017 |
The Methodist Hospital | TX | Healthcare Provider | 689 | 2010-01-25 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer was stolen from the covered entity’s unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR’s investigation resulted in the covered entity improving their physical safeguards and in retraining employees. | The Methodist Hospital TX Healthcare Provider 689 | Monday | 2010 |
Village of Oak Park, Illinois | IL | Health Plan | 688 | 2016-08-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Village of Oak Park, Illinois IL Health Plan 688 | Thursday | 2016 |
Memphis VA Medical Center | TN | Healthcare Provider | 687 | 2017-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Memphis VA Medical Center (MVAMC), the covered entity (CE), impermissibly disclosed protected health information (PHI) due to a printing format change that caused the wrong names to be associated with addresses in a survey mailed to its members. The breach incident included the names and addresses of 687 individuals. The CE provided breach notification to affected individuals and the media. The CE conducted a full review of the incident, re-educated staff regarding the appropriate methods for handling, securing, and mailing of PHI, set up a new process to prevent similar situations from re-occurring, and counseled and retrained the staff on its Privacy/Release of Information policy. OCR obtained assurances that the CE implemented the corrective actions noted above. | Memphis VA Medical Center TN Healthcare Provider 687 | Wednesday | 2017 |
Fidelis Care | NY | Health Plan | 687 | 2015-12-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Fidelis Care, mailed diabetes and kidney health letters to the wrong members. The letters contained the names, addresses, and identification numbers of 638 individuals. The CE provided breach notification to HHS and affected individuals and offered credit monitoring. Upon discovering the breach, the CE performed a risk assessment. As a result of OCR’s investigation, the CE revised its safeguards policy regarding the printing of documents containing protected health information (PHI) and implemented a quality review process to assist with the inspection of outgoing mail that contains PHI. Additionally, the CE sanctioned and retrained the employees involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Fidelis Care NY Health Plan 687 | Tuesday | 2015 |
Blue Cross and Blue Shield of North Carolina | NC | Health Plan | 687 | 2013-11-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On October 14, 2013, the covered entity (CE), Blue Cross Blue Shield of North Carolina, impermissibly disclosed the protected health information (PHI) of 687 individuals when an employee inadvertently mailed notices regarding policy changes to incorrect addresses. The PHI involved in the breach included names. The CE provided breach notification to HHS and affected individuals. Following the breach the CE sanctioned the responsible workforce member. As a result of OCR’s investigation, the CE provided media notice and established a toll-free number for affected individuals. Additionally, the CE improved safeguards by retraining employees and initiating a regular review of mailing procedures. | Blue Cross and Blue Shield of North Carolina NC Health Plan 687 | Thursday | 2013 |
Aventura Hospital and Medical Center | FL | Healthcare Provider | 686 | 2015-02-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | NA | NA | NA | NA | NA | NA | No | NA | Aventura Hospital and Medical Center FL Healthcare Provider 686 | Friday | 2015 |
County of San Bernardino, Department of Behavioral Health | CA | Health Plan | 686 | 2013-02-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | County of San Bernardino, Department of Behavioral Health CA Health Plan 686 | Monday | 2013 |
West Lake Hospital | IL | Healthcare Provider | 686 | 2011-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | NA | West Lake Hospital IL Healthcare Provider 686 | Monday | 2011 |
Memorial Healthcare | MI | Healthcare Provider | 685 | 2017-04-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Memorial Healthcare MI Healthcare Provider 685 | Monday | 2017 |
Landmark Medical Center | RI | Healthcare Provider | 683 | 2012-11-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Landmark Medical Center RI Healthcare Provider 683 | Friday | 2012 |
TJ Samson Community Hospital | KY | Healthcare Provider | 683 | 2017-10-24 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | TJ Samson Community Hospital KY Healthcare Provider 683 | Tuesday | 2017 |
Braun Internal Medicine, P.C. | GA | Healthcare Provider | 680 | 2017-07-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Braun Internal Medicine, P.C. GA Healthcare Provider 680 | Friday | 2017 |
Tomas, Arturo | IL | Business Associate | 680 | 2015-02-09 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On February 2, 2014, Arturo D. Tomas, MD LTD's office, the covered entity (CE), discovered that a package containing the protected health information (PHI) of approximately 680 individuals had been lost in the process of shipment to its billing company through the U.S. Postal Service (USPS). The PHI included individuals' names, addresses, phone numbers, dates of birth, referring physician names, medical record numbers, diagnoses, and clinical information. The CE provided notification of the breach to the affected individuals, HHS, and the media. The CE also filed a claim with the USPS regarding the missing package. Following the breach, the CE implemented a new procedure for sending PHI to the billing company that requires PHI to be transmitted either electronically through a secure and encrypted portal or through a third-party mail service with tracking capabilities. Additionally, the CE developed policies and procedures regarding compliance with the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed. | Tomas, Arturo IL Business Associate 680 | Monday | 2015 |
Midwest Orthopaedic Center SC | IL | Business Associate | 680 | 2014-07-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A former affiliate of the covered entity's (CE) former business associate (BA), McKesson Corporation, that provided specialized billing services, unintentionally made records containing patient information potentially accessible on the Internet. The protected health information (PHI) of approximately 680 individuals was accessible using very specific Google search terms between December 1, 2013 and April 17, 2014. The former BA immediately safeguarded the information and made it inaccessible on the Internet. The former BA confirmed that the web server was properly removed from public Internet access, confirmed from its former affiliate that the data at issue was destroyed, contacted Google to ensure all cached pages were destroyed, and confirmed the information could not be accessed through any web search. The former BA also confirmed with its former affiliate that no other information was available via the computer server at issue or any other server. The CE confirmed that the former BA's policies related to data security were in compliance with the CE's data security requirements. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring to the affected individuals. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above. | Midwest Orthopaedic Center SC IL Business Associate 680 | Wednesday | 2014 |
Alberto Gerardo Vazquez Rivera | PR | Business Associate | 679 | 2013-06-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | An encrypted laptop computer was stolen from an AFLAC associate’s vehicle in Puerto Rico. The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses. The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media. The responsible workforce member was sanctioned. OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted. | Alberto Gerardo Vazquez Rivera PR Business Associate 679 | Friday | 2013 |
StatCare Group LLC | MD | Healthcare Provider | 679 | 2018-07-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | StatCare Group LLC MD Healthcare Provider 679 | Friday | 2018 |
North Dallas Urogynecology, PLLC. | TX | Healthcare Provider | 678 | 2015-01-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), North Dallas Urogynecology, reported the theft of several items and four unencrypted laptops as a result of a break-in. The incident was immediately reported to the police and an investigation ensued. Approximately 678 patients' protected health information (PHI) was affected by the breach, which included patients' names, social security numbers, dates of birth, and lab results. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE increased security within the office and implemented additional physical, technical, and administrative safeguards to ensure the security of electronic PHI. All laptops have encryption technology. In addition, all workforce members were trained or retrained concerning the requirements for compliance with the Privacy, Security, and Breach Notification Rules. OCR obtained assurances that the CE implemented the corrective actions listed. | North Dallas Urogynecology, PLLC. TX Healthcare Provider 678 | Thursday | 2015 |
Baptist Health System | TX | Healthcare Provider | 678 | 2013-01-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Baptist Health System TX Healthcare Provider 678 | Tuesday | 2013 |
Orange County Global Medical Center | CA | Healthcare Provider | 677 | 2017-03-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | On February 8, 2017, a workforce member of the covered entity (CE), Orange County Global Medical Center, inadvertently sent two medical statistical reports on C-Sections and vaginal births to an unauthorized recipient. The reports contained one or more of the following types of protected health information (PHI) about 677 of the CE's patients: treatment and diagnostic information, medical record numbers, dates of birth of infants, treating staff names, and treatment dates. The CE reached out to the unauthorized recipient and asked that the information be destroyed and deleted from his/her e-mail. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above and indicated that the CE is expected to complete an enterprise-wide security risk analysis as a result of this incident. | Orange County Global Medical Center CA Healthcare Provider 677 | Thursday | 2017 |
UHHS Geauga Medical Center | OH | Healthcare Provider | 677 | 2016-03-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | UHHS Geauga Medical Center OH Healthcare Provider 677 | Thursday | 2016 |
Tampa General Hospital | FL | Healthcare Provider | 675 | 2014-09-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Tampa General Hospital FL Healthcare Provider 675 | Friday | 2014 |
Healthcare Solutions Team, LLC | IL | Business Associate | 675 | 2011-04-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Healthcare Solutions Team, LLC IL Business Associate 675 | Tuesday | 2011 |
Summit Medical Group, Inc. dba St. Elizabeth Physicians | KY | Healthcare Provider | 674 | 2016-08-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Summit Medical Group, Inc. dba St. Elizabeth Physicians, discovered that an employee at its Weight Management Center (WMC) sent an email on July 12, 2016, notifying recipients of an upcoming vitamin presentation, but inadvertently failed to blind copy the recipients. Recipients were able to see all other recipients' email addresses. The email was sent to 811 addresses, but because some were undeliverable and some belonged to the CE's employees, the CE calculated the number of individuals affected as 674. On August 23, 2016, the CE provided breach notification to HHS, affected individuals, and the media. In response to the breach and as a result of OCR's investigation, the CE reviewed and adjusted its emailing procedures, sanctioned the WMC employee, and provided training to its leadership and the WMC workforce. Additionally, the employee who sent the email started a multi-session individual training program. OCR obtained assurances that the CE implemented the corrective actions listed above. | Summit Medical Group, Inc. dba St. Elizabeth Physicians KY Healthcare Provider 674 | Tuesday | 2016 |
Hawaii State Department of Health, Adult Mental Health Division | HI | Healthcare Provider | 674 | 2012-11-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Hawaii State Department of Health, Adult Mental Health Division HI Healthcare Provider 674 | Tuesday | 2012 |
Waipahu Aloha Clubhouse, Privacy Manager Breach | HI | Healthcare Provider | 674 | 2012-10-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) reported unauthorized remote access into one of its desktop computers containing the protected health information (PHI) of 674 people. The CE later determined that the computer stored the PHI of 170 individuals. The PHI involved included names, addresses, dates of birth, and social security numbers. Following the breach, the CE updated its security policies and procedures, encrypted computers, updated its passwords, and retrained its employees. OCR provided technical assistance. | Waipahu Aloha Clubhouse, Privacy Manager Breach HI Healthcare Provider 674 | Wednesday | 2012 |
Heard County EMA | GA | Business Associate | 672 | 2014-10-22 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Heard County EMA GA Business Associate 672 | Wednesday | 2014 |
Prestera Center for Mental Health Services, Inc. | WV | Healthcare Provider | 670 | 2018-03-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Prestera Center for Mental Health Services, Inc. WV Healthcare Provider 670 | Tuesday | 2018 |
THE R.O.A.D.S. Foundation Inc. DBA R.O.A.D.S. Community Care Clinic | CA | Healthcare Provider | 670 | 2017-01-26 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On January 4, 2017, the covered entity (CE), R.O.A.D.S. Foundation Inc., DBA R.O.A.D.S. Community Care Clinic, noticed the lock on its mailbox was broken and there were no contents inside the mailbox. The CE determined that documents, including explanations of benefits from its contracted insurance companies, were lost or stolen during the incident. The breach affected approximately 670 patients. The types of protected health information (PHI) in the missing pieces of mail included patients' names, claim numbers, service dates, various dollar amounts (including billed, allowed, deductible, coinsurance, paid, adjustment, withheld, code, and claim balance), and dates of birth for half of the affected individuals. The CE notified local law enforcement and the U.S. Postal Service (USPS), and in response to this incident, instructed USPS to hand-deliver its mail during business hours to a CE staff member. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above. | THE R.O.A.D.S. Foundation Inc. DBA R.O.A.D.S. Community Care Clinic CA Healthcare Provider 670 | Thursday | 2017 |
NYU School of Medicine Faculty Group Practice | NY | Healthcare Provider | 670 | 2011-03-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance. | NYU School of Medicine Faculty Group Practice NY Healthcare Provider 670 | Monday | 2011 |
Prince William County Community Services (CS) | VA | Healthcare Provider | 669 | 2010-07-15 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | Prince William County Community Services (CS) VA Healthcare Provider 669 | Thursday | 2010 |
Group Health | WA | Health Plan | 668 | 2016-09-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), through its business associate (BA), erroneously mailed coverage termination letters to the wrong members/patients. The paper documents contained the protected health information (PHI) of approximately 668 individuals and included names, addresses, insurance group names, and medical record numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE worked with the BA to take additional quality control steps. OCR obtained assurances that the CE/BA implemented the corrective actions listed above. | Group Health WA Health Plan 668 | Friday | 2016 |
County of Los Angeles | CA | Healthcare Provider | 667 | 2011-03-30 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | County of Los Angeles CA Healthcare Provider 667 | Wednesday | 2011 |
Southwestern Eye Center | AZ | Healthcare Provider | 667 | 2018-08-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Southwestern Eye Center AZ Healthcare Provider 667 | Wednesday | 2018 |
Atchison Hospital Association | KS | Healthcare Provider | 667 | 2018-04-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Atchison Hospital Association KS Healthcare Provider 667 | Wednesday | 2018 |
Rutland Regional Medical Center | VT | Healthcare Provider | 665 | 2017-06-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Rutland Regional Medical Center, sent 668 patient surveys via email to recently discharged patients. The recipient's email address was placed in the "To" line of the emails, making each recipient's email address, which contained names, visible to all other recipients. Of the 668 emails in the address lines, three were duplicates, leaving 665 patient email addresses disclosed. The CE provided breach notification to HHS, affected individuals, and the media. The CE also set up an assistance help line for individuals who might have additional questions. As a result of OCR's investigation, the CE revised its policies regarding using and disclosing protected health information and sending patient emails. Additionally, the CE re-trained its staff on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions noted above. | Rutland Regional Medical Center VT Healthcare Provider 665 | Friday | 2017 |
Kinetorehab Physical Therapy, PLLC | NY | Healthcare Provider | 665 | 2016-11-04 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Kinetorehab Physical Therapy, PLLC NY Healthcare Provider 665 | Friday | 2016 |
The Union Labor Life Insurance Company | MD | Business Associate | 664 | 2017-10-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | The Union Labor Life Insurance Company MD Business Associate 664 | Thursday | 2017 |
Sonoma County Indian Health Project, Inc | CA | Healthcare Provider | 662 | 2018-03-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Sonoma County Indian Health Project, Inc CA Healthcare Provider 662 | Friday | 2018 |
University of Pennsylvania Health System | PA | Healthcare Provider | 661 | 2014-07-16 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A bag containing a compact disk read-only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization-wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR's investigation, the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective action steps were taken. | University of Pennsylvania Health System PA Healthcare Provider 661 | Wednesday | 2014 |
Goshen Health System, Inc. | IN | Healthcare Provider | 660 | 2012-02-14 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Computer servers of Goshen Health System's business associate (BA), Silver Tech, may have been injected with a virus on December 22, 2011. The BA operates a consumer website on behalf of the covered entity (CE) for employment and pre-registration for screenings and diagnostic testing. The BA's servers contained the electronic protected health information (ePHI) of approximately 660 individuals, including patients' names, social security numbers, addresses, insurance carriers, testing information, and financial information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified the Indiana Attorney General's office and the FBI and offered one year of free credit monitoring services to affected individuals. Following the breach, the CE terminated its relationship with the BA, engaged an outside forensic security firm to conduct an internal investigation, and updated its website. The CE revised its HIPAA policies and procedures and updated its practices to ensure the proper execution of Business Associate Agreements with all vendors and other parties who may have access to PHI. The CE trained its employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | Goshen Health System, Inc. IN Healthcare Provider 660 | Tuesday | 2012 |
McKesson Information Solutions, LLC | GA | Business Associate | 660 | 2010-04-09 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | McKesson Information Solutions, LLC GA Business Associate 660 | Friday | 2010 |
Eastern Maine Medical Center | ME | Healthcare Provider | 660 | 2018-02-02 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Eastern Maine Medical Center ME Healthcare Provider 660 | Friday | 2018 |
Oceans Acquisition, Inc. | TX | Healthcare Provider | 659 | 2015-12-22 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer from the covered entity (CE), Oceans Acquisition, Inc., was stolen from a workforce member's vehicle. The electronic protected health information (ePHI) on the laptop included patients' first and last names, diagnoses, dates of treatment, dates of birth, insurance providers, and medical record numbers for approximately 659 individuals. Upon discovering the theft, the CE filed a report with the county sheriff's office. Additionally, the CE provided breach notification to HHS, affected individuals, and the media. The CE also improved safeguards, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Oceans Acquisition, Inc. TX Healthcare Provider 659 | Tuesday | 2015 |
Susquehanna Health | PA | Healthcare Provider | 657 | 2014-03-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | In response to an insurer's routine claims request, an employee provided more protected health information (PHI) than was necessary to complete the intended purpose. Approximately 657 patients were affected. The impermissible disclosure included patients' names, addresses, social security numbers, dates of birth, health insurance information, payment information, encounter identification, physicians' names, diagnosis codes, and patients' employers. The covered entity (CE), Susquehanna Health, provided breach notification to HHS and affected individuals. The CE also offered one year of free identity theft protection and credit monitoring to affected individuals. Following the breach, the CE immediately ensured that all recipients of the PHI deleted the data from their computers and shredded all hard copies. OCR obtained and reviewed copies of the CE's policies and procedures related to the issues raised in this complaint, as well as a copy of its current risk assessment. As a result of OCR's investigation, the CE sanctioned the staff member, retrained the entire department, and revised its email policies. | Susquehanna Health PA Healthcare Provider 657 | Thursday | 2014 |
Beauty Dental, Inc. | IL | Healthcare Provider | 657 | 2010-08-05 | Loss | Theft | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Following the breach, the covered entity notified its clients by letter of the incident; submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times; required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner, and would erase an Excel spreadsheet she had in her possession; installed a new security system for the office that requires the input of a code specific to each employee; and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. | Beauty Dental, Inc. IL Healthcare Provider 657 | Thursday | 2010 |
Lake Woods Nursing & Rehabilitation Center | MI | Healthcare Provider | 656 | 2011-01-18 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Lake Woods Nursing & Rehabilitation Center MI Healthcare Provider 656 | Tuesday | 2011 |
Heritage Health Solutions | TX | Business Associate | 656 | 2010-05-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Heritage Health Solutions TX Business Associate 656 | Friday | 2010 |
Atlanta Center for Reproductive Medicine | GA | Healthcare Provider | 654 | 2013-08-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The Atlanta Center for Reproductive Medicine, the covered entity (CE), discovered that, on July 12, 2013, an employee unintentionally attached the wrong file to an email sent to one patient. The file contained protected health information (PHI) including the names, dates of birth, addresses, medical record numbers, social security numbers, conditions, and treatment and diagnostic information for 654 individuals. The CE obtained assurances that the file containing PHI was destroyed and not used or disclosed to any other parties. The CE provided timely breach notification to HHS, to affected individuals, and the media. In response to the breach, the CE revised its policies and procedures concerning the transmission of PHI via email, and provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Atlanta Center for Reproductive Medicine GA Healthcare Provider 654 | Friday | 2013 |
CVS CAREMARK | AZ | Healthcare Provider | 654 | 2011-05-11 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), CVS Caremark, with access to patients' protected health information (PHI) impermissibly accessed and printed patient drug transfer reports as part of a scheme to fill fraudulent prescriptions. The prescription drug reports were then disclosed to a third party, the employee's boyfriend, who was a former employee of another CVS store. Law enforcement notified the CE about the breach on March 16, 2011 following a raid of the perpetrators' home, in which law enforcement confiscated paper documents belonging to the CE. The PHI involved in the breach included the names, addresses, birthdates, prescription numbers, telephone numbers, and prescription names of approximately 654 individuals. The CE provided breach notification to HHS and affected individuals and also offered free credit monitoring. In response to this incident, the CE immediately terminated the employee and retrained pharmacy staff on its HIPAA policies. The CE also provided evidence that both individuals have since had their pharmacy licenses suspended by the state licensing board. As a result of OCR's investigation, OCR obtained assurances that the corrective actions listed above were completed. | CVS CAREMARK AZ Healthcare Provider 654 | Wednesday | 2011 |
Texas Health Arlington Memorial Hospital | TX | Healthcare Provider | 654 | 2011-03-23 | Unknown | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The IT department turned on the switch to a business associate (BA) health information exchange (HIE) without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnoses/conditions, medications, lab results, other treatment information, and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments, and provided additional training to IT and registration employees. | Texas Health Arlington Memorial Hospital TX Healthcare Provider 654 | Wednesday | 2011 |
Kraig R. Pepper, D.O., P.A. | TX | Healthcare Provider | 653 | 2017-09-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Dr. Kraig R. Pepper, D.O., P.A., the covered entity (CE), reported that CoPilot Provider Support Services (CoPilot) suffered a data security incident exposing the protected health information (PHI) of 653 patients of the CE. The electronic PHI (ePHI) included patients' names, addresses, dates of birth, claims information, diagnoses, and social security numbers. Following the breach, the CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE executed a business associate agreement with CoPilot and revised its authorization form regarding permitted disclosures of PHI. The CE also provided one year of identity theft protection services to affected individuals. The CE is expected to perform a thorough and accurate risk analysis, establish a risk management plan, execute agreements with other business associates, and document the impermissible disclosure of the affected patients' PHI for accounting of disclosures purposes. Further, the CE is expected to perform a technical and non-technical evaluation in response to any environmental or operational changes affecting the security of ePHI that establishes the extent to which the CE's security policies and procedures meet the requirements of the HIPAA Security Rule. | Kraig R. Pepper, D.O., P.A. TX Healthcare Provider 653 | Tuesday | 2017 |
Oconee Physician Practices | SC | Healthcare Provider | 653 | 2010-05-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On May 9, 2010, the covered entity (CE), Oconee Physician Practices, discovered that a password-protected, unencrypted laptop computer used for EKG testing was missing from its facility. The loss potentially exposed the demographic and clinical information of 653 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved safeguards by changing access codes and physical locks to the building and retrained its workforce on the importance of password protection and laptop security. The CE developed a plan to create a stronger policy for asset tracking, accountability, and activity monitoring and to upgrade its procedures for password strength, automatic log-off capabilities, and limiting the number of sign-on attempts. The CE also developed a plan to encrypt laptops and other portable media containing electronic protected health information (ePHI). OCR reviewed the CE's policies and procedures and supporting documents. | Oconee Physician Practices SC Healthcare Provider 653 | Thursday | 2010 |
University of Alabama at Birmingham | AL | Healthcare Provider | 652 | 2017-11-27 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Alabama at Birmingham AL Healthcare Provider 652 | Monday | 2017 |
Colorado Health & Wellness, Inc. | CO | Healthcare Provider | 651 | 2013-11-02 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Colorado Health and Wellness reported an alleged impermissible use of protected health information by an employee, affecting up to 651 individuals. OCR determined that a breach had not occurred and provided technical assistance to the covered entity. | Colorado Health & Wellness, Inc. CO Healthcare Provider 651 | Saturday | 2013 |
Eclectic Chiropractic Rehab | MI | Healthcare Provider | 650 | 2017-12-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) filed an initial over 500 breach report in error. During the investigation OCR learned that the breach was under 500 and that the CE is going out of business, so it is no longer a CE. | Eclectic Chiropractic Rehab MI Healthcare Provider 650 | Tuesday | 2017 |
Hillsborough County Aging Services Department | FL | Healthcare Provider | 650 | 2017-02-16 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A former employee found and returned a box of paper records containing protected health information (PHI) that had been missing for over five years and that belonged to the covered entity (CE), Hillsborough County Aging Services Department. The PHI included names, addresses, Social Security numbers, enrollment numbers, financial information, and clinical notes for 647 individuals. The CE reviewed and updated its policies and procedures to prevent any similar occurrences in the future, formalizing its procedures for safeguarding PHI outside of the office using password protected locked cases, and required all employees to review and implement the new procedures. The CE also provided breach notification to HHS, affected individuals, the media, and on its website. OCR obtained assurances that the CE implemented the corrective actions listed above. | Hillsborough County Aging Services Department FL Healthcare Provider 650 | Thursday | 2017 |
Ceaton C Falgiano | NY | Healthcare Provider | 650 | 2016-06-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Ceaton C Falgiano, sent a group email to 599 clients and did not use blind carbon copy. This resulted in clients being able to view each other's email addresses, which in some cases were the individual's first and last name. As a result of this impermissible disclosure of protected health information, the CE stopped sending group emails. The CE provided breach notification to HHS, the affected individuals, and the media. As a result of OCR's investigation, the CE is expected to develop policies and procedures with respect to safeguarding e-PHI that is being transmitted via e-mail, mail or fax and to train staff on its new policies and procedures. | Ceaton C Falgiano NY Healthcare Provider 650 | Monday | 2016 |
Mark Anthony Quintero, M.D., L.L.C. | FL | Healthcare Provider | 650 | 2016-04-12 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | In January, 2015, a business associate (BA), Bizmatics, discovered that one of its computer servers was compromised by an unknown individual or individuals (hackers). The breach affected approximately 650 of the covered entity’s (CE) patients. The CE cooperated with OCR and accepted the technical assistance provided until it closed for business in February 2017. Based on the foregoing, OCR decided not to further investigate. | Mark Anthony Quintero, M.D., L.L.C. FL Healthcare Provider 650 | Tuesday | 2016 |
Community Health Network | IN | Healthcare Provider | 650 | 2015-03-20 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On February 2, 2015, the covered entity (CE) learned that one of its facilities was unable to locate a binder containing point-of-care test results. The missing binder was never found. The binder contained the protected health information of approximately 650 individuals. The types of protected health information involved in the breach included names, dates of service, test types, test results, and possibly dates of birth. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained its staff, implemented a new quality control log, and instructed medical practices to store information in its electronic medical record. OCR obtained assurances the CE implemented the corrective actions listed above. | Community Health Network IN Healthcare Provider 650 | Friday | 2015 |
Medcenter One | ND | Healthcare Provider | 650 | 2011-11-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On or about October 21, 2011, the covered entity (CE), MedCenter One, Inc., which merged with Sanford Health on July 3, 2012, failed to safeguard the electronic protected health information (ePHI) of approximately 650 patients when an unencrypted, password-protected laptop computer and a bag containing 11 patient charge tickets were stolen from an employee's vehicle. The type of ePHI involved in the breach included demographic information. The CE provided breach notification to HHS, affected individuals, and the media. The CE encrypted all of its laptop computers, implemented new information technology security policies and procedures, retrained staff on its new policies, and sanctioned the responsible employee. OCR obtained assurances that the CE implemented the corrective actions listed above. | Medcenter One ND Healthcare Provider 650 | Thursday | 2011 |
Imperial Valley Family Care Medical Group, APC | CA | Healthcare Provider | 649 | 2016-05-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On March 21, 2015, the covered entity (CE), Imperial Valley Family Care Medical Group, APC, discovered that a laptop computer was stolen when an unknown individual broke into a physician's office. The stolen laptop contained the protected health information (PHI) of approximately 649 individuals and included members' names, addresses, social security numbers, dates of birth and clinical information. Following the breach, the CE disabled access to its network server by the stolen laptop. The CE provided notification to HHS, affected individuals, and the media pursuant to the Breach Notification Rule and offered the affected individuals one year of free credit monitoring. Following the breach, the CE encrypted all of its company-issued laptops. OCR obtained assurances that the CE improved physical safeguards, revised its encryption policy, and strengthened its password requirements for electronic systems or devices containing electronic PHI. | Imperial Valley Family Care Medical Group, APC CA Healthcare Provider 649 | Friday | 2016 |
VA Eastern Colorado Health Care System | CO | Healthcare Provider | 649 | 2010-05-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A covered entity’s (CE’s) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR’s investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. | VA Eastern Colorado Health Care System CO Healthcare Provider 649 | Wednesday | 2010 |
Lake Pulmonary Critical PA | FL | Healthcare Provider | 648 | 2016-04-20 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | This case was consolidated into another review of this covered entity. | Lake Pulmonary Critical PA FL Healthcare Provider 648 | Wednesday | 2016 |
Lake Pulmonary Critical Care PA | FL | Healthcare Provider | 648 | 2016-04-20 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Lake Pulmonary Critical Care, PA, discovered that a former employee removed patient medical records from the office and took them home. The theft of this protected health information (PHI) affected 648 individuals. The medical information included patients' names, addresses, phone numbers, dates of birth, social security numbers, health insurance information, medical diagnoses, lab results, medications, and other treatment information. The CE provided timely breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE improved safeguards by installing employee lockers for all personal items and installing privacy walls at the nurses' stations. In addition, the CE arranged for HIPAA training for its employees and doctors. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lake Pulmonary Critical Care PA FL Healthcare Provider 648 | Wednesday | 2016 |
Massachusetts General Hospital | MA | Healthcare Provider | 648 | 2015-07-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Massachusetts General Hospital, sent an unencrypted e-mail to the incorrect e-mail address. The e-mail contained the protected health information (PHI) of 648 individuals. The types of PHI involved in the breach included names, dates of birth, medical record numbers and social security numbers. Following the breach, the CE sanctioned the employee in question and changed its policy to use a secure storage application instead of e-mail to send PHI. OCR obtained assurances that the CE implemented the corrective actions listed above. | Massachusetts General Hospital MA Healthcare Provider 648 | Wednesday | 2015 |
Four Star Drug of Bethany, Inc. | NE | Healthcare Provider | 647 | 2016-10-18 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On August 30, 2016, the covered entity (CE), Four Star Drug of Bethany, Inc., discovered that it left boxes containing protected health information (PHI) outdoors in an unprotected area where a garbage truck eventually retrieved the boxes and transported them to a recycling plant. The breach affected the PHI of approximately 647 individuals and included patients' names, dates of birth, social security numbers, clinical and demographic information, claims information, and medications. The CE provided breach notification to HHS, affected individuals, and the media. The CE further advised HHS that on May 24, 2016, its pharmacy department was sold, and consequently it was closed at the time of the breach incident that occurred on August 30, 2016. Following the breach, the CE updated its HIPAA policies and procedures to ensure that its remaining records that contain PHI are safeguarded and disposed of properly. The CE no longer generates records containing PHI because it is closed. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Four Star Drug of Bethany, Inc. NE Healthcare Provider 647 | Tuesday | 2016 |
Hospital for Special Surgery | NY | Healthcare Provider | 647 | 2016-03-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The Hospital for Special Surgery, the covered entity ("CE") reported that an employee failed to safeguard the PHI by sending the email without using the BCC designation; in doing so, the email revealed the PHI of 647 patients participating in a research study to the other participants. The electronic protected health information (ePHI) included the individuals' email addresses and general information regarding the research study. The CE provided notice to OCR and the affected individuals. Following the breach, the responsible employee was re-trained and provided with one-on-one, in-person HIPAA Privacy and Information Security Training. The CE also increased its in-person HIPAA training to at least three times a year. As a result of OCR's investigation and technical assistance, the CE is expected to take corrective action based on OCR's guidance. The CE is expected to revise its e-mail policy to incorporate additional safeguarding measures specifically tailored to the use of e-mail, and to retrain its staff on its revised policy. | Hospital for Special Surgery NY Healthcare Provider 647 | Thursday | 2016 |
Kaiser Foundation Health Plan of the Northwest | OR | Health Plan | 647 | 2013-09-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Over a period of about three and a half years, an employee of Kaiser Foundation Health Plan of the Northwest, the covered entity (CE), accessed patient records either without a business need to know or beyond the minimum necessary for her job. The impermissible access by the employee totaled 647 individuals. The type of protected health information involved in the breach included names and treatment information. The CE provided breach notification to HHS and affected individuals. Following the discovery of the breach, the CE retrained employees. After an intensive investigation, it terminated the employee and disciplined four others for related misconduct. OCR obtained written assurances that the corrective actions were taken. | Kaiser Foundation Health Plan of the Northwest OR Health Plan 647 | Tuesday | 2013 |
Adams Industries, Inc. | NE | Health Plan | 647 | 2017-06-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Adams Industries, Inc. NE Health Plan 647 | Wednesday | 2017 |
Detroit Department of Health and Wellness Promotion | MI | Healthcare Provider | 646 | 2009-12-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | A desktop and four laptop computers were stolen from the covered entity's locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers. Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident. | Detroit Department of Health and Wellness Promotion MI Healthcare Provider 646 | Tuesday | 2009 |
Unconditional Love, Incorporated | FL | Healthcare Provider | 643 | 2017-07-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Unconditional Love, Incorporated FL Healthcare Provider 643 | Friday | 2017 |
SSM Health Cancer Care | MO | Healthcare Provider | 643 | 2015-10-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), SSM Health Cancer Care, erroneously mailed letters to the addresses of other patients due to using an inaccurate electronic file. The breach affected 670 individuals and included individuals' names and their inferred treatment relationship. The CE provided breach notification to HHS, affected individuals, and the media. The CE performed a root cause analysis to identify risk areas and opportunities to strengthen controls and also retrained the individual who had erroneously sent out the mailings. The CE also created a new policy and procedures for patient mailings. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. | SSM Health Cancer Care MO Healthcare Provider 643 | Friday | 2015 |
Myriad Genetic Laboratories, Inc. | UT | Healthcare Provider | 643 | 2014-03-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Myriad Genetic Laboratories, Inc., emailed unsecured protected health information (PHI) to his personal email account as a means of storing the information he used to carry out his job functions. The PHI of the affected 643 individuals included patients' names, dates of birth, addresses, physicians' names, genetic test results, test identification numbers, family and personal medical histories, and family pedigree information. The CE provided breach notification to HHS and affected individuals and also posted substitute notice of the breach. It also provided one year of free identity theft protection services to affected individuals. Following the breach, the CE revised its procedures for encrypting emails containing PHI and retrained the employee who had caused the breach. OCR provided technical assistance regarding the risk analysis and risk management requirements of the Security Rule. | Myriad Genetic Laboratories, Inc. UT Healthcare Provider 643 | Saturday | 2014 |
Medical Mutual of Ohio | OH | Health Plan | 643 | 2013-12-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) mistakenly included protected health information in two postcard mailings affecting 2,063 individuals. The first mailing included the CE's patients and the second mailing included the patients of other CEs for which the CE acted as the business associate (BA). The PHI involved in the breaches included names, home addresses, and an eleven-digit number (social security number plus two digits). The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised mailing procedures, retrained applicable staff, and sanctioned the involved employee. OCR obtained documented assurances that the CE/BA implemented the corrective actions listed above. | Medical Mutual of Ohio OH Health Plan 643 | Friday | 2013 |
St. Louis Children's Hospital | MO | Healthcare Provider | 643 | 2017-03-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Louis Children's Hospital MO Healthcare Provider 643 | Thursday | 2017 |
CenterLight Healthcare | NY | Health Plan | 642 | 2012-04-03 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A workforce member emailed to his personal email address files containing the protected health information (PHI) of 642 individuals, including their names, Medicare numbers, Medicaid numbers, enrollment status, and some health plan names. The workforce member was a temporary worker who had intended to show his work product to potential employers to demonstrate his experience with such work. The covered entity (CE), CenterLight Healthcare, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE ensured that the temporary worker deleted the email at issue from his personal email account and personal mobile device. The CE also attempted to secure the temporary worker's written acknowledgment that confirmed that he either (i) did not save the files to his home desktop computer or (ii) deleted the files from his home desktop computer. The CE also sanctioned the worker. Additionally, the CE stopped using temporary workers, implemented an email encryption solution, and revised its HIPAA training. OCR obtained assurances that the CE implemented the corrective actions listed. | CenterLight Healthcare NY Health Plan 642 | Tuesday | 2012 |
Colorado Department of Human Services | CO | Healthcare Provider | 639 | 2017-12-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Colorado Department of Human Services CO Healthcare Provider 639 | Wednesday | 2017 |
Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 638 | 2017-12-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Kaiser Foundation Health Plan, Inc. CA Health Plan 638 | Friday | 2017 |
First Step Counseling, Inc. | NJ | Healthcare Provider | 638 | 2012-10-23 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | From May 1, 2011, to August 5, 2011, two employees of the covered entity (CE), First Step Counseling, Inc., made photocopies of documents containing 638 patients’ protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnosis information, dates of birth, telephone numbers and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained CE’s patients’ PHI. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE transferred to an electronic billing system which is password protected. In addition, the CE improved safeguards so that all patient files are locked and unlocked by the office manager, the front desk is protected by a window, and patients are not allowed to stand beside the receptionist desk. OCR obtained assurances that the CE implemented the corrective actions listed above. | First Step Counseling, Inc. NJ Healthcare Provider 638 | Tuesday | 2012 |
Brigham and Women’s Hospital and Faulkner Hospital | MA | Healthcare Provider | 638 | 2011-08-03 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A covered entity’s (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above. | Brigham and Women’s Hospital and Faulkner Hospital MA Healthcare Provider 638 | Wednesday | 2011 |
WorkflowOne | OH | Business Associate | 635 | 2013-01-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Due to a malfunction in processing benefit confirmation statements, employee information was comingled and statements were mailed to the wrong employees and dependents. The breach included the protected health information (PHI) of 635 individuals. The PHI involved in the breach included names and social security numbers. The covered entity (CE), Dimensions Healthcare System, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE revised its correspondence handling procedures. As a result of OCR's investigation, the CE reviewed its business associate (BA) relationships to ensure that appropriate BA agreements were in place. | WorkflowOne OH Business Associate 635 | Tuesday | 2013 |
Park Avenue Obstetrics & Gynecology, PC | AZ | Healthcare Provider | 635 | 2011-03-31 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | Park Avenue Obstetrics & Gynecology, PC AZ Healthcare Provider 635 | Thursday | 2011 |
Central States Southeast and Southwest Areas Health and Welfare Fund | IL | Health Plan | 634 | 2018-01-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Central States Southeast and Southwest Areas Health and Welfare Fund IL Health Plan 634 | Tuesday | 2018 |
Maricopa Special Health Care District - Maricopa Integrated Health System | AZ | Healthcare Provider | 633 | 2015-07-14 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A medical resident lost an unencrypted thumb drive that contained the names, dates of birth, and clinical information or diagnoses of 633 patients selected for a chart review. The covered entity (CE), Maricopa Integrated Health System, provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE comprehensively reviewed its privacy and security practices and updated its HIPAA policies and procedures. It sanctioned and retrained the medical resident and retrained other workforce members on its HIPAA security procedures. OCR's investigation resulted in the covered entity improving its HIPAA practices. | Maricopa Special Health Care District - Maricopa Integrated Health System AZ Healthcare Provider 633 | Tuesday | 2015 |
Alexian Brothers Medical Center | IL | Healthcare Provider | 632 | 2015-05-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | On April 13, 2015, several files containing electronic protected health information (ePHI) were discovered on computers accessible to the public in the medical library at the covered entity (CE), Alexian Brothers Medical Center. The files included the first and last names, medical record numbers, and medication information related to 618 patients, and other clinical information for 14 patients. Approximately 632 individuals were affected by this breach. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach the CE posted signs noting that the computers were "public computers" and not to save files on the device, secured computers so that no data could be saved onto the virtual desktop or the hard drive, and essentially rendered folders as "read only". The CE also implemented a process to track user access on all but one of the public computers. The CE retrained workforce groups involved in the breach. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Alexian Brothers Medical Center IL Healthcare Provider 632 | Tuesday | 2015 |
Catalyst Health Solutions, Inc. | MD | Business Associate | 632 | 2012-02-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Catalyst Health Solutions, Inc. MD Business Associate 632 | Tuesday | 2012 |
SSM Health Care of Wisconsin DBA: St. Mary's Janesville Hospital | WI | Healthcare Provider | 631 | 2013-10-25 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop computer containing protected health information (PHI) was stolen from the vehicle of a covered entity's (CE) workforce member. Approximately 633 individuals were affected by the breach. The PHI included patients' names, dates of birth, medical records, and account numbers. The CE immediately reported the laptop theft to the police. In response to the breach, the CE provided notice to HHS, the affected individuals, and the media. In addition, the CE encrypted all company laptops, re-trained each provider and employee in possession of a company laptop, and applied disciplinary policies to the employees involved in the incident. OCR obtained assurances that the covered entity implemented the corrective action listed above. | SSM Health Care of Wisconsin DBA: St. Mary's Janesville Hospital WI Healthcare Provider 631 | Friday | 2013 |
Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. | MD | Health Plan | 630 | 2015-01-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Due to a printing error, patients received appointment reminders containing other patients' protected health information (PHI). The PHI involved in the breach included the names, medical record numbers, the types of appointments to be scheduled, and provider information for approximately 630 individuals. Following the breach, additional safeguards were implemented to prevent future disclosures. OCR reviewed the covered entity's policies and procedures to ensure compliance with the Privacy and Security Rules. | Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. MD Health Plan 630 | Thursday | 2015 |
Mercy Hospital Logan County | OK | Healthcare Provider | 629 | 2017-08-30 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Mercy Hospital Logan County OK Healthcare Provider 629 | Wednesday | 2017 |
Flowers Hospital | AL | Healthcare Provider | 629 | 2014-04-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Flowers Hospital, was informed by law enforcement on February 27, 2014, that while one of its employees was being arrested, the CE's paper facesheets were found in his possession. An internal investigation revealed that the employee may have accessed or allowed another individual access to the clinical and demographic information of 1,208 individuals. The CE provided breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE implemented procedures to further restrict access to paper records and improved its maintenance and storage procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | Flowers Hospital AL Healthcare Provider 629 | Friday | 2014 |
Sunil Kakar, Psy.D. | WA | Business Associate | 629 | 2013-03-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | On February 4, 2013, a personal laptop computer used to store medical reports and information about the covered entity's (CE) clients was lost by, or stolen from, a provider formerly contracted by the CE. The computer's hard drive was wiped before it could be determined what information it contained, but the CE treated it as a breach affecting 629 individuals. The protected health information (PHI) involved in the breach may have included names, dates of birth, social security numbers, and clinical information, such as diagnoses or conditions. Following the breach, the CE updated contract language with business associates and contractors to include data security requirements and additional physical controls, as well as a self-assessment tool and monitoring plan. The CE added provisions to require contracted providers to provide proof of annual completion of a self-assessment tool and verification of encryption software use. OCR provided technical assistance on the Security Rule requirements and obtained assurances that breach notification was provided in accordance with the Breach Notification Rule requirements. | Sunil Kakar, Psy.D. WA Business Associate 629 | Friday | 2013 |
Mount Sinai Medical Center | FL | Healthcare Provider | 628 | 2013-03-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | NA | Mount Sinai Medical Center FL Healthcare Provider 628 | Friday | 2013 |
Peter J Parker, M.D., Inc. | CA | Healthcare Provider | 628 | 2018-06-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Peter J Parker, M.D., Inc. CA Healthcare Provider 628 | Tuesday | 2018 |
Kelley Imaging Systems | WA | Business Associate | 627 | 2018-06-13 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | Yes | NA | Kelley Imaging Systems WA Business Associate 627 | Wednesday | 2018 |
Pediatric Associates | FL | Healthcare Provider | 627 | 2015-03-24 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Pediatric Associates, discovered that a binder containing paper logs of patient record releases was missing on January 24, 2015. After a search and investigation, the CE determined that most likely the binder was unintentionally discarded. The types of protected health information (PHI) contained in the logs included patients’ names, internal chart numbers, recipients of releases, and explanations for the record release (i.e. “parent requested”). The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE changed its procedures to require that record releases be logged electronically. The CE archived or shredded all paper record release logs. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pediatric Associates FL Healthcare Provider 627 | Tuesday | 2015 |
Overlake arthritis and Osteoporosis Center | WA | Healthcare Provider | 627 | 2018-07-06 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Overlake arthritis and Osteoporosis Center WA Healthcare Provider 627 | Friday | 2018 |
CVS Health | RI | Healthcare Provider | 626 | 2016-12-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An individual broke into a CVS Pharmacy in Whiteville, NC during Hurricane Matthew. The thief stole 626 individuals’ completed prescriptions. The types of PHI on the prescriptions included names, partial birthdates, addresses, medication names and doses, providers’ names, and prescription numbers. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE assessed the damage and secured the store to prevent any other unauthorized access. OCR reviewed the CE’s policies and procedures on uses and disclosure of PHI and safeguarding PHI, and determined that they were in compliance with the Privacy Rule. OCR obtained assurances that the CE implemented the corrective actions noted above. | CVS Health RI Healthcare Provider 626 | Monday | 2016 |
Willow Bend Dental | TX | Healthcare Provider | 625 | 2016-08-31 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Willow Bend Dental, reported that on or about August 09, 2016, while in the process of transporting boxes of old patient charts for disposal, a locked trailer containing boxes of patient charts was stolen from the CE’s parking lot. These charts contained approximately 625 patients’ protected health information (PHI) including diagnoses, lab results, and medications. In response to the incident the CE immediately alerted the authorities and by September 1, 2016, had recovered all records believed to be involved in the incident. As a result of this breach, the CE retrained all workforce members regarding the uses and disclosures of PHI and on its revised record retention and disposal policy. The CE provided breach notification to HHS, affected individuals and the media. OCR obtained assurances that the CE implemented the corrective actions noted above. | Willow Bend Dental TX Healthcare Provider 625 | Wednesday | 2016 |
Montefiore Medical Center | NY | Healthcare Provider | 625 | 2010-03-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity’s (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR’s investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above. | Montefiore Medical Center NY Healthcare Provider 625 | Tuesday | 2010 |
St. Joseph’s Hospital and Medical Center | AZ | Healthcare Provider | 623 | 2017-02-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A part-time clinical employee of the covered entity (CE), St. Joseph’s Hospital and Medical Center, a Dignity Health facility in Arizona, impermissibly accessed the protected health information (PHI) of patients. The breach affected the full names, dates of birth, diagnoses/conditions, and medications of approximately 623 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice. Following the breach, the CE sanctioned the employee responsible for the incident and reported the employee to his licensing board. In response to the incident, the CE conducted a thorough audit of the employee’s medical record access during the entire term of his employment. OCR obtained assurances that the CE implemented the corrective actions listed above. In this case, the sanction included termination of employment. | St. Joseph’s Hospital and Medical Center AZ Healthcare Provider 623 | Monday | 2017 |
The Hearing Zone | UT | Healthcare Provider | 623 | 2014-12-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), The Hearing Zone, after it reported that an unencrypted laptop computer containing electronic protected health information (ePHI) in the form of demographic information (names, dates of birth) and clinical information (hearing test results) was stolen from a clinic. The breach affected 623 of the CE’s patients and 556 patients from three other clinics where the CE provided audiology services pursuant to an agreement with those clinics. Upon discovering the breach, the CE filed a police report, and the police recovered the laptop a few weeks later. The CE provided breach notification to HHS and affected individuals, and offered all affected individuals credit monitoring services upon request. As a result of OCR’s investigation and substantial technical assistance, the CE provided breach notification to the media, developed written policies and procedures, implemented security awareness for its workforce, and implemented encryption and other security measures for workstations in its network that contain or transmit ePHI. | The Hearing Zone UT Healthcare Provider 623 | Friday | 2014 |
California College of Arts | CA | Health Plan | 623 | 2018-02-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | California College of Arts CA Health Plan 623 | Monday | 2018 |
Amsterdam Nursing Home Corporation (1992) | NY | Healthcare Provider | 621 | 2015-07-10 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Amsterdam Nursing Home Corporation (1992), after it reported that on January 31, 2015, some of its protected health information (PHI) stored at its business associate (BA), Citistorage, LLC, may have been impermissibly disclosed during efforts to extinguish a fire. The incident affected 621 individuals. The types of PHI involved in the breach included residents’ names, addresses, dates of birth, health insurance information, social security numbers, and information about health status and treatment. The CE provided breach notification to HHS, affected individuals, and the media and posted a substitute notification on its website. As a result of OCR’s investigation, the CE recorded the impermissible disclosure of the affected individuals’ PHI for accounting of disclosure purposes, reminded the BA of its notification obligations as set forth in the BA agreement, and obtained written assurances from the BA that the BA is in compliance with all relevant building and safety codes. The CE also re-issued HIPAA-compliant breach notification letters to the affected individuals residing in Massachusetts. | Amsterdam Nursing Home Corporation (1992) NY Healthcare Provider 621 | Friday | 2015 |
Indian Health Service -Rosebud | MD | Healthcare Provider | 620 | 2014-07-15 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Indian Health Service (IHS), Rosebud Service Unit, reported that on May 30, 2014, its employee left a folder of records containing protected health information (PHI) in a public restroom at the IHS’ Rapid City Hospital when she was at the hospital for a meeting. The folder contained the records of 620 individuals and included patient names and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered credit monitoring and identity theft insurance to affected individuals. Following the breach, the CE sanctioned the employee. OCR obtained written assurances from the CE that it will implement policies and procedures regarding breach notification and mitigation in accordance with the technical assistance provided by OCR pursuant to this investigation. | Indian Health Service -Rosebud MD Healthcare Provider 620 | Tuesday | 2014 |
IHS | MD | Health Plan | 620 | 2014-06-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | | IHS MD Health Plan 620 | Thursday | 2014 |
Robert B. Miller, MD | CA | Healthcare Provider | 620 | 2011-05-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Robert B. Miller, MD CA Healthcare Provider 620 | Tuesday | 2011 |
Shaker Clinic | OH | Healthcare Provider | 617 | 2014-04-18 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Shaker Clinic OH Healthcare Provider 617 | Friday | 2014 |
Mercy Medical Center Redding - Oncology Clinic, Privacy Manager Breach | CA | Healthcare Provider | 616 | 2014-12-22 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | On December 13, 2014, the covered entity (CE), Mercy Medical Center’s Redding Oncology Clinic, reported that electronic protected health information (ePHI) was accessible on the Internet when its business associate (BA), Write-Type, Inc., left the ePHI on its website. The website contained the ePHI of approximately 616 individuals and included names, addresses, medical record numbers, physicians’ names, and clinical information such as diagnoses, medications, lab reports, and other treatment information. The CE provided breach notification to HHS, affected individuals and the media. The CE revised its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions noted above. | Mercy Medical Center Redding - Oncology Clinic, Privacy Manager Breach CA Healthcare Provider 616 | Monday | 2014 |
District Medical Group, Privacy Manager Breach | AZ | Healthcare Provider | 616 | 2014-12-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On December 12, 2014, the covered entity (CE), District Medical Group, reported that when a workforce member used a thumb drive while working from home the contents of the thumb drive became accessible on the Internet. The media device contained the electronic protected health information (ePHI) of approximately 616 individuals. The PHI involved in the breach included names, addresses, social security numbers, transaction amounts and clinical information. The CE provided breach notification to HHS, the affected individuals and the media. The CE revised its policies and procedures and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above. | District Medical Group, Privacy Manager Breach AZ Healthcare Provider 616 | Friday | 2014 |
Brigham and Women’s Hospital | MA | Healthcare Provider | 615 | 2012-11-26 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Brigham and Women’s Hospital MA Healthcare Provider 615 | Monday | 2012 |
UnitedHealthcare Community Plan of Pennsylvania | PA | Business Associate | 614 | 2017-12-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | UnitedHealthcare Community Plan of Pennsylvania PA Business Associate 614 | Wednesday | 2017 |
Healthland Inc. | MN | Business Associate | 614 | 2018-06-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Healthland Inc. MN Business Associate 614 | Sunday | 2018 |
Cuyahoga County Board of Developmental Disabilities | OH | Healthcare Provider | 613 | 2012-11-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Cuyahoga County Board of Developmental Disabilities OH Healthcare Provider 613 | Thursday | 2012 |
Albert Einstein Healthcare Network | PA | Healthcare Provider | 613 | 2010-11-30 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | Albert Einstein Healthcare Network PA Healthcare Provider 613 | Tuesday | 2010 |
Southern Illinois Hospital Services | IL | Healthcare Provider | 613 | 2017-06-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Southern Illinois Hospital Services IL Healthcare Provider 613 | Friday | 2017 |
Amedisys West Virginia, LLC | WV | Healthcare Provider | 611 | 2017-04-11 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Amedisys West Virginia’s business associate (BA), Iron Mountain, through its subcontractor, D&M, improperly disposed of two unlocked shred bins containing protected health information (PHI). The breach affected 611 individuals, and the types of PHI involved included names, addresses, dates of birth, social security numbers, and clinical information. The covered entity (CE), Amedisys, provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA agreed to provide services directly to the CE without the use of a subcontractor. The BA also agreed to ensure proper security measures are taken when disposing of shred bins. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, OCR reviewed the CE’s risk analysis and BA agreements to ensure compliance with the Privacy and Security Rules. | Amedisys West Virginia, LLC WV Healthcare Provider 611 | Tuesday | 2017 |
Robert B. Neves, M.D. | CA | Business Associate | 611 | 2014-01-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Robert B. Neves, M.D. CA Business Associate 611 | Friday | 2014 |
University of Nebraska Medical Center | NE | Healthcare Provider | 611 | 2011-12-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | University of Nebraska Medical Center NE Healthcare Provider 611 | Friday | 2011 |
Managed Health Services | IN | Health Plan | 610 | 2016-05-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On March 13, 2016, a Customer Relationship Management (CRM) export file mismatched members to addresses causing communications to be sent to incorrect member addresses on a file dated February 24, 2016. This mismatched data was submitted to a print vendor to distribute New Member Packets and Identification (“ID”) cards. In addition, the covered entity (CE) sent the names, Medicaid ID numbers, and protected health information (PHI) of Indiana members to members in the CE’s sister plan in the state of Ohio. Approximately 610 individuals were affected by the breach. Upon discovering the breach, the CE reported the breach incident to Indiana’s state regulators. The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE corrected the error in the export file and manually repopulated the voided bad addresses with accurate addresses. Additionally, the CE implemented new technical safeguards and improved quality assurance procedures for print mailings in order to confirm accuracy. The CE also trained the business analyst responsible for this breach matter and trained its workforce on its policies and procedures regarding Security Awareness. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Managed Health Services IN Health Plan 610 | Sunday | 2016 |
Mount Sinai Medical Center | NY | Healthcare Provider | 610 | 2013-10-21 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | | Mount Sinai Medical Center NY Healthcare Provider 610 | Monday | 2013 |
University of California, San Francisco | CA | Healthcare Provider | 610 | 2009-12-15 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | University of California, San Francisco CA Healthcare Provider 610 | Tuesday | 2009 |
Kaiser Foundation Health Plan | CA | Health Plan | 609 | 2017-09-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On September 8, 2017, the covered entity (CE), Kaiser Foundation Health Plan, discovered that a physician at its Riverside Medical Center scanned his daily schedule for dates of service between August 2014 and August 2017, which contained patient information including names, medical record numbers, and procedure types for 609 patients. The physician inadvertently e-mailed the information to an external gmail account that does not belong to the physician. Following the breach, the CE re-programmed the device that was used to scan/email the document at issue so that it is no longer possible for an email to leave the CE’s information technology network from the device. The CE provided notification to HHS, affected individuals, and the media pursuant to the Breach Notification Rule. Following the breach, the CE retrained the physician who mis-sent the PHI at issue in this breach. OCR obtained assurances that the CE implemented the corrective actions noted above. | Kaiser Foundation Health Plan CA Health Plan 609 | Friday | 2017 |
MED-EL Coproration | NC | Healthcare Provider | 609 | 2013-07-05 | Other | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | | MED-EL Coproration NC Healthcare Provider 609 | Friday | 2013 |
University of Utah Health | UT | Healthcare Provider | 607 | 2018-06-02 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | University of Utah Health UT Healthcare Provider 607 | Saturday | 2018 |
Hancock County Board of Developmental Disabilities | OH | Healthcare Provider | 607 | 2018-05-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Hancock County Board of Developmental Disabilities OH Healthcare Provider 607 | Thursday | 2018 |
High Plains Surgical Associates | WY | Healthcare Provider | 607 | 2018-01-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | High Plains Surgical Associates WY Healthcare Provider 607 | Monday | 2018 |
Rose Medical Center | CO | Healthcare Provider | 606 | 2013-10-14 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A newly hired janitorial service mistakenly disposed of information face sheets awaiting removal from the covered entity’s (CE) Breast Center to shredding bins before the face sheets could be shredded. The face sheets belonged to the CE, Rose Medical Center, a Hospital Corporation of America facility, and contained protected health information (PHI), including demographic information, social security numbers, insurance information, physician information and next of kin contact information for approximately 606 individuals. The CE provided timely written notice to affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE instituted a new procedure whereby all documents containing PHI must be disposed of directly into secured shredding bins, rather than recycling bins. The CE also launched a company-wide initiative to implement improved procedures to safeguard social security numbers, such as removing the numbers from documents where possible, and minimizing the printing of documents containing such PHI. The CE also retrained staff on the HIPAA Privacy Rule. Finally, the CE’s Breast Center ceased printing duplicate face sheets and full social security numbers on face sheets. | Rose Medical Center CO Healthcare Provider 606 | Monday | 2013 |
MobilexUSA | OH | Healthcare Provider | 605 | 2014-08-06 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | MobilexUSA OH Healthcare Provider 605 | Wednesday | 2014 |
MSO of Puerto Rico | PR | Business Associate | 605 | 2010-02-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | The covered entity’s (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE’s BA established a quality control process in order to ensure adequate safeguards for letters that are sent by mail. As a result of OCR’s investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. | MSO of Puerto Rico PR Business Associate 605 | Wednesday | 2010 |
Vancouver Radiologists, PC | WA | Healthcare Provider | 603 | 2016-02-26 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Vancouver Radiologists, PC, on January 4, 2016, received telephone calls from a few patients that they received a postcard mammogram reminder, but with another patient’s name. The CE mailed 603 postcards which contained names, addresses, and generic reminders to schedule a mammogram. The CE submitted a breach notification report to HHS, affected individuals, and the media. In response to the breach, the CE stopped mailing the postcard reminder and revised its mailing procedures. The CE provided OCR with additional documentation, specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also provided refresher reminders to all staff members about its HIPAA privacy policies and procedures. | Vancouver Radiologists, PC WA Healthcare Provider 603 | Friday | 2016 |
Spirit Home Health Care, Corp | FL | Business Associate | 603 | 2013-10-29 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | Spirit Home Health Care, Corp FL Business Associate 603 | Tuesday | 2013 |
TEMPLE COMMUNITY HOSPITAL | CA | Healthcare Provider | 603 | 2012-08-15 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | | TEMPLE COMMUNITY HOSPITAL CA Healthcare Provider 603 | Wednesday | 2012 |
Mayo Clinic Health System- Red Wing | MN | Healthcare Provider | 601 | 2015-07-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On May 18, 2015, an access audit revealed that the covered entity’s (CE) employee accessed patients’ electronic medical records beyond the scope of authorized access and assigned job responsibilities. The CE discovered that the unauthorized access dated back to 2009. The breach affected approximately 601 individuals and the types of protected health information (PHI) involved in the breach included patients’ diagnoses and medical conditions. The CE provided breach notification to HHS, affected individuals, and the media. During OCR’s investigation, the CE retrained the revenue department in its Red Wing SE Minnesota Region on its privacy rules. OCR obtained written assurances that the CE implemented the corrective action steps listed above. | Mayo Clinic Health System- Red Wing MN Healthcare Provider 601 | Monday | 2015 |
Care Partners Hospice and Palliative Care | OR | Healthcare Provider | 600 | 2018-05-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Care Partners Hospice and Palliative Care OR Healthcare Provider 600 | Friday | 2018 |
Complete Wellness | MD | Healthcare Provider | 600 | 2017-01-06 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An employee lost a mobile computer drive resulting in a breach of protected health information (PHI) affecting 600 individuals. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, and clinical information. Following the breach, the covered entity (CE) sanctioned the responsible employee, retrained employees about security awareness and implemented administrative and technical safeguards, including malware protection and encryption. As a result of OCR’s investigation, the CE completed a thorough risk analysis and developed a risk management plan. | Complete Wellness MD Healthcare Provider 600 | Friday | 2017 |
Texas Health and Human Services Commission | TX | Health Plan | 600 | 2016-06-14 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Between April 19, 2016 and May 10, 2016, Iron Mountain, a business associate (BA) of the covered entity (CE), Texas Health and Human Services Commission, was unable to locate sixteen cartons of records containing protected health information (PHI). The types of PHI involved in the breach included the names, addresses, social security numbers, social security claim numbers, dates of birth, medical record numbers, Medicaid/individual numbers, case numbers, and bank account numbers for over 500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE ensured that the BA retrained its workforce members on privacy and appropriate storage and tracking procedures. Additionally, the CE initiated a change to its procedure for reconciling file inventories and verifying file box destruction. OCR obtained assurances that the CE implemented the corrective actions noted above. | Texas Health and Human Services Commission TX Health Plan 600 | Tuesday | 2016 |
Kane Hall Barry Neurology | TX | Healthcare Provider | 600 | 2015-03-19 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Kane Hall Barry Neurology, reported that on January 20, 2015, an unencrypted laptop computer that contained the protected health information (PHI) of 600 patients was stolen out of a workforce member’s car. The PHI included patients’ names, addresses, dates of birth, diagnoses, conditions, and medications. As a result of this breach, the CE improved technical safeguards for its laptop computers and other software devices containing PHI to ensure they are encrypted and password protected. In addition, the CE implemented new policies and trained workforce members on the requirements of HIPAA. The CE provided breach notification to HHS, affected individuals, and the media. It also offered one year of free identity theft protection to affected individuals and established a toll free breach helpline. OCR obtained assurances that the CE implemented the corrective actions listed above. | Kane Hall Barry Neurology TX Healthcare Provider 600 | Thursday | 2015 |
Pathway to Hope | FL | Healthcare Provider | 600 | 2015-02-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Pathway to Hope, discovered in January 2015, that a former employee emailed the protected health information (PHI) of 600 individuals to her personal email account, before her last day of employment with the CE for the purpose of building her own practice. The types of PHI in the email included the full names, referral sources, insurance information, and general diagnoses/conditions (i.e. mental health/substance abuse). The CE provided breach notification to HHS and to affected individuals. Media notice was not required. OCR provided technical assistance to the CE regarding the Privacy, Security and Breach Notification Rules. In response to the breach, the CE counseled workforce members, improved its training program, substantially revised its policies and procedures, hired a compliance officer, and began requiring that employees sign non-compete, non-solicitation confidentiality agreements. OCR obtained assurances that the CE implemented the corrective actions listed above. | Pathway to Hope FL Healthcare Provider 600 | Thursday | 2015 |
Data Media | GA | Business Associate | 600 | 2014-02-28 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | | Data Media GA Business Associate 600 | Friday | 2014 |
JEFFREY J. SMITH, MD | OK | Healthcare Provider | 600 | 2011-03-16 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | No | The covered entity (CE) shipped a skin analysis machine containing the electronic protected health information (ePHI) of approximately 600 individuals to the manufacturer for repairs via UPS. The machine was damaged and discarded by UPS. The ePHI included names, dates of birth and facial photographs. The CE posted breach notification on its website. As a result of OCR’s investigation, the CE revised its policy regarding the security of hardware containing PHI so that all work on hardware will be performed on-site. The policy also requires that all ePHI is to be backed up and erased from the hardware prior to any unavoidable off-site maintenance. | JEFFREY J. SMITH, MD OK Healthcare Provider 600 | Wednesday | 2011 |
alma aguado md pa | TX | Healthcare Provider | 600 | 2010-06-21 | Theft | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE’s office. The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR’s investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI. | alma aguado md pa TX Healthcare Provider 600 | Monday | 2010 |
Tomah Memorial Hospital | WI | Healthcare Provider | 600 | 2010-04-16 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | A nurse impermissibly used the protected health information (PHI) of approximately 600 patients to obtain narcotics from the covered entity (CE), Tomah Memorial Hospital, for her own use. The PHI involved in the breach included patients’ names and account numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by creating a monthly audit of Schedule II narcotics, matched to the dispense log, medical order, and bill. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee’s employment. | Tomah Memorial Hospital WI Healthcare Provider 600 | Friday | 2010 |
Spine Specialist | NJ | Healthcare Provider | 600 | 2017-04-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Spine Specialist NJ Healthcare Provider 600 | Friday | 2017 |
St. Luke’s Medical Center | ND | Healthcare Provider | 600 | 2017-01-16 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | St. Luke’s Medical Center ND Healthcare Provider 600 | Monday | 2017 |
Lahey Clinic | MA | Healthcare Provider | 599 | 2011-10-11 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Lahey Hospital and Medical Center (Lahey) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts. Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, 2011. The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey's Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals. Evidence obtained through OCR's subsequent investigation indicated widespread non-compliance with the HIPAA rules, including: • Failure to conduct a thorough risk analysis of all of its ePHI; • Failure to physically safeguard a workstation that accessed ePHI; • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment; • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident; • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and • Impermissible disclosure of 599 individuals' PHI. "It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment," said OCR Director Jocelyn Samuels. "Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity's risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA's standards are in place." In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance. The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY | Lahey Clinic MA Healthcare Provider 599 | Tuesday | 2011 |
CDC/NIOSH/ World Trade Center Health Program (WTCHP) | GA | Health Plan | 597 | 2016-01-15 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), CDC/NIOSH/World Trade Center Health Program, discovered that mail sent via the U.S. Postal Service (USPS) containing protected health information (PHI) was damaged en route to the recipient and some of the pages were missing upon receipt. The missing documents contained the names, provider names and numbers, medical codes, dates of service, and the treatment information for 597 individuals. The CE provided breach notification to HHS, affected individuals, and substitute notice on its website. The CE also set up a toll free telephone number to answer questions. Notification to a prominent media outlet was not required as the breach did not affect 500 or more individuals residing in the same region. In response to the breach, the CE requested that the USPS conduct a Mail Recovery Search to locate the lost and/or unidentifiable pages, but the missing documents were not found. OCR obtained assurances that the CE implemented the corrective actions listed above. | CDC/NIOSH/ World Trade Center Health Program (WTCHP) GA Health Plan 597 | Friday | 2016 |
SimplyWell | TX | Business Associate | 597 | 2018-06-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | NA | SimplyWell TX Business Associate 597 | Friday | 2018 |
UT Physicians | TX | Healthcare Provider | 596 | 2013-08-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 596 individuals was stolen from the covered entity's (CE), UT Physicians, facility. The laptop was stored in a locked closet, in an area secured by a key card. The laptop had been attached to an electromyography (EMG) nerve device and had been inventoried as a medical device. The ePHI included patients' names, dates of birth, and medical record numbers along with the values from the EMG machine. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE replaced the stolen laptop with an encrypted laptop and improved physical safeguards for the new laptop. Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE's policies, including encryption requirements. OCR obtained a copy of the CE's current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft. | UT Physicians TX Healthcare Provider 596 | Wednesday | 2013 |
Kern Medical Center | CA | Healthcare Provider | 596 | 2009-12-10 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No |  | Kern Medical Center CA Healthcare Provider 596 | Thursday | 2009 |
Henry Ford Health System | MI | Healthcare Provider | 596 | 2017-06-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Henry Ford Health System MI Healthcare Provider 596 | Monday | 2017 |
St. Elizabeth’s Medical Center | MA | Healthcare Provider | 595 | 2014-08-26 | Theft | NA | NA | NA | NA | NA | Laptop | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No |  | St. Elizabeth’s Medical Center MA Healthcare Provider 595 | Tuesday | 2014 |
NYC Health + Hospitals/Harlem | NY | Healthcare Provider | 595 | 2018-03-29 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | NYC Health + Hospitals/Harlem NY Healthcare Provider 595 | Thursday | 2018 |
Bay Park Hospital | OH | Healthcare Provider | 594 | 2014-05-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Bay Park Hospital, accessed the electronic protected health information (ePHI) of 594 individuals without a necessary business reason to do so. The ePHI included names, dates of birth, diagnoses and other clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE questioned the responsible workforce member, who immediately resigned, and retrained its workforce members on its HIPAA policies and procedures. OCR obtained assurances that the corrective actions listed above were completed. | Bay Park Hospital OH Healthcare Provider 594 | Wednesday | 2014 |
Supportive Concepts for Families, Inc. | PA | Healthcare Provider | 593 | 2014-02-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The CE inadvertently made an internal database containing the electronic protected health information (ePHI) of 593 individuals accessible on the Internet. The ePHI involved in the breach included names, dates of birth, social security numbers, addresses, dates of services, and customer service notes. The CE immediately removed the database from the Internet and secured it against further unauthorized disclosures. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice online. Following the breach, the CE provided further HIPAA training to its staff and sanctioned the responsible employees. The CE also took measures to reduce the vulnerabilities identified in its most recent risk analysis. As a result of OCR's | Supportive Concepts for Families, Inc. PA Healthcare Provider 593 | Thursday | 2014 |
Cigna Home Delivery Pharmacy | CT | Healthcare Provider | 592 | 2015-11-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A printing error affected 592 individuals, living in 13 states: The covered entity (CE) printed two customer letters on one sheet of paper (front and back) during a mailing to customers. The protected health information involved in the breach included names, mailing addresses, and medication information. The CE provided breach notification to HHS and affected individuals and provided free credit monitoring services. To prevent a printing error from occurring in the future, the CE implemented a new letter creation procedure. OCR obtained assurances that the CE implemented the corrective actions noted above. | Cigna Home Delivery Pharmacy CT Healthcare Provider 592 | Monday | 2015 |
VA Long Beach Healthcare System | CA | Healthcare Provider | 592 | 2014-07-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No |  | VA Long Beach Healthcare System CA Healthcare Provider 592 | Friday | 2014 |
Coordinated Health Mutual, Inc. | OH | Health Plan | 591 | 2016-05-20 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On April 4, 2016, the covered entity (CE), Coordinated Health Mutual, Inc. d/b/a InHealth Mutual, and its business associate (BA), HealthSCOPE Benefits, received communications from policy holders advising that they had received an incorrect IRS Form 1095-B in the mail. After researching the issue, it was determined that the issue resulted from faulty programming logic during the data compilation phase of the Form 1095-B development process. By order of the Ohio Department of Insurance on May 24, 2016, the CE was dissolved. Consequently, there is no longer a CE existing to be the subject of further investigation. | Coordinated Health Mutual, Inc. OH Health Plan 591 | Friday | 2016 |
Duke University Health System | NC | Healthcare Provider | 591 | 2012-05-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No |  | Duke University Health System NC Healthcare Provider 591 | Friday | 2012 |
Thomas Jefferson University Hospitals | PA | Healthcare Provider | 590 | 2012-04-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Thomas Jefferson University Hospitals PA Healthcare Provider 590 | Monday | 2012 |
John J. Pershing VA Medical Center | MO | Healthcare Provider | 589 | 2013-04-11 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. Substitute notification was provided through a posting on the CE’s main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. | John J. Pershing VA Medical Center MO Healthcare Provider 589 | Thursday | 2013 |
Tennessee Rural Health Improvement Association | TN | Health Plan | 588 | 2017-06-08 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA) sent mail containing protected health information (PHI) that was damaged during transit, with pages missing upon receipt. The missing pages contained the PHI of 588 individuals, and included member identification numbers, dates of service, claim numbers, amounts billed, and amounts paid by the health plan. The covered entity (CE), Tennessee Rural Health Improvement Association, investigated the incident, gathering information from the intended recipient of the package, its mailing vendor, and the U.S. Postal Service, but the missing pages were not found. The CE provided breach notification to HHS, affected individuals, and the media, and also set up a toll free telephone number to answer questions. Following the breach, the CE began reducing the number of mailings sent to providers, encouraging participation in an electronic payment system, and working with its vendors to improve safeguards for mailings. OCR determined that the CE has an appropriate BA agreement in place with the BA. OCR obtained assurances that the CE implemented the corrective actions listed above. | Tennessee Rural Health Improvement Association TN Health Plan 588 | Thursday | 2017 |
Orlando Health, Inc. | FL | Healthcare Provider | 586 | 2014-03-24 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted portable data drive was lost by a pharmacy resident of the Arnold Palmer Hospital, a part of the covered entity (CE). The drive contained the protected health information (PHI) of 586 individuals, including names, birth weights, gestational age, admission and discharge dates, medical record numbers, and some transfer dates. The missing drive also stored personal items, a research study proposal, and two spreadsheets containing limited information on 586 babies who were part of a study. The CE provided breach notification to HHS, the media, and to the parents of the affected individuals because they were all minors. Substitute notice was posted on the CE's website. The CE updated its policies and procedures for its data loss prevention system and added controls. The CE retrained the resident involved in the loss of data and provided additional information to all employees and medical staff members regarding the use of portable data devices through education and published articles. OCR obtained assurances that the CE implemented the corrective actions listed above. | Orlando Health, Inc. FL Healthcare Provider 586 | Monday | 2014 |
Vcarve LLC d/b/a MD Manage | NJ | Business Associate | 585 | 2014-10-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes |  | Vcarve LLC d/b/a MD Manage NJ Business Associate 585 | Monday | 2014 |
Sharon L. Rogers, Ph.D., ABPP | TX | Healthcare Provider | 585 | 2012-07-03 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No |  | Sharon L. Rogers, Ph.D., ABPP TX Healthcare Provider 585 | Tuesday | 2012 |
Hils Transcription | IN | Business Associate | 585 | 2010-12-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes |  | Hils Transcription IN Business Associate 585 | Monday | 2010 |
LoneStar Audiology Group | TX | Healthcare Provider | 585 | 2010-10-08 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A laptop was stolen from a workforce member’s home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR’s investigation, the encryption of the laptops was completed. | LoneStar Audiology Group TX Healthcare Provider 585 | Friday | 2010 |
Florida Healthy Kids Corporation | FL | Health Plan | 580 | 2014-04-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Postal Center International, Inc., a subcontractor of the business associate (BA), Policy Studies, Inc., erroneously sent mislabeled mail to 580 individuals due to a technical error. The breach potentially exposed the individuals' names, addresses, internal account numbers, and monthly premium amounts. The BA provided breach notification to HHS, affected individuals, and the media. In response to the breach, the subcontractor implemented a technical fix to its print processing systems and added additional quality control mechanisms to prevent reoccurrence of the incident. OCR obtained assurances from the covered entity (CE), Florida Healthy Kids Corporation, that the BA and its subcontractor implemented the corrective actions listed above. | Florida Healthy Kids Corporation FL Health Plan 580 | Wednesday | 2014 |
Policy Studies, Inc. / Postal Center International, Inc. | FL | Business Associate | 580 | 2014-03-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | Policy Studies, Inc. / Postal Center International, Inc. FL Business Associate 580 | Monday | 2014 |
Santa Clara Valley Medical Center | CA | Healthcare Provider | 579 | 2013-09-27 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Santa Clara Valley Medical Center CA Healthcare Provider 579 | Friday | 2013 |
FIRST PRIORITY LIFE INSURANCE COMPANY | PA | Business Associate | 579 | 2011-09-28 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes |  | FIRST PRIORITY LIFE INSURANCE COMPANY PA Business Associate 579 | Wednesday | 2011 |
Riverside Health System | VA | Healthcare Provider | 578 | 2016-06-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee authorized to work from home failed to return paper records to the physician practice. Her ex-husband discovered the records and returned them to the physician practice. The breach included the protected health information (PHI) of 578 individuals. The PHI involved in the breach included demographic information, dates of birth, social security numbers, medical records numbers, and clinical information. Following the breach, the covered entity re-educated all employees. OCR reviewed the CE’s risk analysis to ensure compliance with the HIPAA Privacy and Security Rules. | Riverside Health System VA Healthcare Provider 578 | Friday | 2016 |
WESTMED Medical Group | NY | Healthcare Provider | 578 | 2010-10-05 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR’s investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. | WESTMED Medical Group NY Healthcare Provider 578 | Tuesday | 2010 |
William F. DeLuca Jr., M.D. | NY | Healthcare Provider | 577 | 2012-03-13 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients’ files. The CE also revised its security policy and trained all staff on its policies. | William F. DeLuca Jr., M.D. NY Healthcare Provider 577 | Tuesday | 2012 |
Roper St. Francis Healthcare | SC | Healthcare Provider | 576 | 2017-01-24 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | A camera with infant security photos went missing when a nurse failed to store the camera in its normal secure location at Roper St. Francis, Mount Pleasant Hospital. The breach affected the protected health information (PHI) of 508 newborn patients. The types of PHI on the camera included photographs of patients, patients' last names, dates of birth, and providers' names. In response to the breach, on December 4, 2016, the covered entity (CE) ended the procedure of taking security photos of newborns and staff members were advised to continue to ensure the safety of infants by identifying them with appropriate matching bracelets, utilization of the infant security tags and system, and education to the family. On January 24, 2017, the CE implemented an Information Services Security Incident Response Procedure to facilitate timely and effective handling of all cybersecurity computer incidents and trained staff in the affected unit on its HIPAA policies and procedures. The CE provided breach notification to HHS, the parents of affected newborns and the media. The CE offered credit monitoring and identity protection services to affected individuals and established a call center related to the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. | Roper St. Francis Healthcare SC Healthcare Provider 576 | Tuesday | 2017 |
Henry County Health Department | OH | Healthcare Provider | 574 | 2016-12-21 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | Laptop | Paper/Films | NA | NA | NA | NA | NA | No | On October 22, 2016, the covered entity (CE), Henry County Health Department, learned that a nurse's laptop computer and some paper records were stolen from her car inside her locked garage. Approximately 575 individuals were affected by the breach of demographic and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE reprimanded the employee involved in the breach with a record of written warning. Additionally, the CE issued a policy related to safeguarding laptops taken off premises, encrypted all laptops, workstations, and servers and updated its Privacy and Security Policies. OCR obtained documented assurances that the CE implemented the corrective action steps noted above. | Henry County Health Department OH Healthcare Provider 574 | Wednesday | 2016 |
The Johns Hopkins Hospital | MD | Healthcare Provider | 571 | 2015-10-09 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On October 10, 2015, the covered entity (CE), Johns Hopkins Hospital, reported that a physician's unencrypted laptop computer storing the electronic protected health information (ePHI) of 571 individuals was stolen at an international airport with all of her belongings. The types of ePHI contained in the laptop included physicians’ names, patients’ names, medical record numbers, and clinical information. The CE provided breach notification to HHS, the media, affected individuals, and offered credit monitoring. The CE sanctioned the physician involved in accordance with the CE’s HIPAA sanctions policy. The CE also circulated a broadcast reminder to its workforce members of their existing policy requiring all devices that contain or may contain PHI to be encrypted and password protected. OCR obtained assurances that any of the CE’s portable devices that stores ePHI is required to use the CE’s encryption program. Additionally, the CE submitted a copy of its most recent risk analysis and risk management program to OCR. They also provided OCR with information related to their new encryption program that would inform a user when he or she is out of compliance and send them to a website that would refer them to local IT administration. OCR obtained assurances that the CE implemented the corrective actions listed. | The Johns Hopkins Hospital MD Healthcare Provider 571 | Friday | 2015 |
Performance Physical Therapy and Wellness | CT | Healthcare Provider | 571 | 2017-07-21 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Performance Physical Therapy and Wellness CT Healthcare Provider 571 | Friday | 2017 |
Advance Rehabilitation & Consulting LTD | GA | Healthcare Provider | 570 | 2015-03-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On December 30, 2014, the covered entity (CE), Advance Rehabilitation & Consulting LTD, discovered that a port on one of its servers was publicly accessible from the Internet and allowed an automated botnet attack on the server. Internal investigation revealed that one spreadsheet from 2009 was accessed, but there was no way of knowing if the spreadsheet was viewed. The spreadsheet contained patients’ names, diagnoses, dates of visits, account types, and therapists’/physicians’ names for 570 patients. In response to the breach, the CE conducted a security risk analysis and improved deficient areas with a detailed risk management plan. The CE provided breach notification to HHS and affected individuals. OCR provided technical assistance regarding media notification and such notification was made. OCR obtained assurances that the CE implemented the corrective actions listed above. | Advance Rehabilitation & Consulting LTD GA Healthcare Provider 570 | Monday | 2015 |
Kennewick General Hospital dba Trios Health | WA | Healthcare Provider | 569 | 2017-05-18 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | On May 26, 2017, the covered entity (CE), Kennewick General Hospital d/b/a Trios Health, reported that one of its workforce members impermissibly accessed protected health information (PHI) that was outside the scope of the job responsibilities. The breach potentially affected 1,603 individuals. The types of PHI involved in the breach included patients’ names, social security numbers, addresses, dates of birth, driver's license numbers, lab results, medication information, treatment information, diagnoses and medical conditions. Following the breach, the CE investigated the breach, sanctioned the involved workforce member, and implemented safeguards, including placing additional restrictions on access to PHI. As a result of OCR's investigation, the CE conducted a review of its policies and procedures to determine the potential risks to its PHI and electronic PHI, revised its policies, and retrained its workforce. | Kennewick General Hospital dba Trios Health WA Healthcare Provider 569 | Thursday | 2017 |
Synergy Specialists Medical Group, Inc / Jay S. Berenter, DPM | CA | Healthcare Provider | 569 | 2017-01-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Synergy Specialists Medical Group/Jay S. Berenter, opened a phishing email that caused patients to receive false emails from the CE. The breach of the email account affected 569 individuals. Of the 569 individuals, the CE impermissibly disclosed a subset of 71 patient names and email addresses when it failed to blind copy those names and email addresses when notifying the patients of the fraudulent email. The types of protected health information (PHI) involved included names, addresses, email addresses, dates of birth, treatment information, diagnoses, and medications. The CE took immediate action to secure its email account and began a forensic investigation to determine the cause and extent of the incident. The CE implemented additional technical safeguards, revised policies, and trained workforce members to improve its security prevention and detection practices. OCR obtained assurances that the CE implemented the corrective actions noted above. | Synergy Specialists Medical Group, Inc / Jay S. Berenter, DPM CA Healthcare Provider 569 | Friday | 2017 |
Southwest Virginia Physicians for Women | VA | Healthcare Provider | 568 | 2014-10-10 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee's husband, who was also a contractor of the covered entity (CE), Southwest Virginia Physicians for Women, stole protected health information (PHI) from its office, obtaining access to paper charts and other records. The PHI involved in the breach included clinical information affecting approximately 568 individuals. The CE, with the help of the Virginia State Police, retrieved the PHI the day after it was stolen. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website. Following the breach, the CE transitioned from paper to electronic charts and updated its login, logoff, and password policies and procedures for authorized users of its online record management system. The CE also updated its policies regarding required business associate agreements. As a result of OCR's investigation, the CE completed a risk analysis, implemented new physical security procedures, and retrained its staff regarding the changes. | Southwest Virginia Physicians for Women VA Healthcare Provider 568 | Friday | 2014 |
Memorial Sloan-Kettering Cancer Center | NY | Healthcare Provider | 568 | 2012-06-08 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. As a result of OCR’s investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above. | Memorial Sloan-Kettering Cancer Center NY Healthcare Provider 568 | Friday | 2012 |
Miami VA Healthcare System | FL | Healthcare Provider | 568 | 2010-05-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A covered entity’s (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered. The PHI affected by the breach included names and partial social security numbers. Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books. Following OCR’s investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI. Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards. Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals’ accounting log. | Miami VA Healthcare System FL Healthcare Provider 568 | Wednesday | 2010 |
BUFFALO HEART GROUP | NY | Healthcare Provider | 567 | 2015-05-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Buffalo Heart Group, reported a breach when a staff physician provided her password to a third party, who then remotely accessed the covered entity’s electronic medical record (EMR). The breach resulted in the disclosure of 567 individuals’ electronic protected health information (ePHI). The ePHI included names, dates of birth, addresses, demographic and clinical information. The CE provided breach notification to HHS, affected individuals and the media. OCR conducted an investigation, which resulted in substantial technical assistance. The CE is expected to conduct a risk analysis that addresses all potential risks and vulnerabilities in the entire operation and corresponding risk mitigation activities, establish a risk management plan, implement a security awareness and training program to include on-going training, implement audit controls, and conduct regular information system activity reviews. | BUFFALO HEART GROUP NY Healthcare Provider 567 | Thursday | 2015 |
KCI USA, Inc. | TX | Healthcare Provider | 567 | 2011-10-31 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | NA | KCI USA, Inc. TX Healthcare Provider 567 | Monday | 2011 |
Emdeon | TN | Business Associate | 566 | 2014-09-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Emdeon TN Business Associate 566 | Thursday | 2014 |
Access Counseling LLC | IN | Healthcare Provider | 566 | 2013-10-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Access Counseling LLC IN Healthcare Provider 566 | Monday | 2013 |
Jackson Health System | FL | Healthcare Provider | 566 | 2013-02-13 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Federal law enforcement notified the covered entity (CE), Jackson Health System, on March 21, 2012, that a volunteer at Jackson North Medical Center photographed paper documents containing the protected health information (PHI) of 566 patients, allegedly for use in an identity theft scheme. The type of PHI involved in the breach included patients’ names, social security numbers, addresses, and birthdates. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. It also offered one year of free credit monitoring. In response to the incident, the CE revised its HIPAA policies and procedures. The CE updated its volunteer program to prohibit the use of smartphones in patient care areas, require volunteers to agree in writing to conform to its privacy policies and procedures, and provide nursing staff with a list of volunteers’ permitted job duties. The CE also changed the leadership of the volunteer program and increased the supervision of the volunteers. OCR obtained assurances that the CE implemented the corrective actions listed above. | Jackson Health System FL Healthcare Provider 566 | Wednesday | 2013 |
Sitka Wellness Center | AK | Healthcare Provider | 566 | 2011-11-22 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | NA | Sitka Wellness Center AK Healthcare Provider 566 | Tuesday | 2011 |
SW General Inc | AZ | Healthcare Provider | 566 | 2011-04-14 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | SW General Inc AZ Healthcare Provider 566 | Thursday | 2011 |
Catholic Charities Neighborhood Services, Inc. | NY | Healthcare Provider | 565 | 2018-09-07 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Catholic Charities Neighborhood Services, Inc. NY Healthcare Provider 565 | Friday | 2018 |
New York State Office of Mental Health | NY | Healthcare Provider | 563 | 2015-04-10 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), the New York State Office of Mental Health, reported a breach when a workforce member lost her password-protected, but unencrypted, laptop computer in a New York City taxicab. The CE reported the laptop contained the protected health information (PHI) of 563 participants in certain research studies at the CE’s Nathan S. Kline Institute for Psychiatric Research (NKI). The PHI consisted of names, phone numbers, ages or birthdates, and in some cases, coded diagnostic information, data obtained from assessments/tests and/or an informational note. The CE notified HHS, the media, and the affected individuals (including the offer of one year of identity protection services at no cost). Following the breach, the CE replaced all devices found to be out of compliance with current encryption standards, and implemented a network access control device to guarantee that unencrypted devices, and devices sourced from outside of the CE, will no longer work on the NKI network. The CE also required investigators to submit more detailed data security plans to the Institutional Review Board, and restricted NKI researchers from downloading data from a specific research database without prior approval from a manager. The CE also sanctioned the workforce member in connection with the breach incident. During the course of the investigation, OCR obtained assurances that the CE implemented the corrective actions listed. Additionally, OCR stated the expectation that the CE will conduct a risk analysis, implement a corresponding remediation plan, and ensure the implementation of policies and procedures relating to asset and inventory management, access and audit controls, secure storage, data loss prevention and secure configuration controls. | New York State Office of Mental Health NY Healthcare Provider 563 | Friday | 2015 |
Riverside County Regional Medical Center | CA | Healthcare Provider | 563 | 2014-06-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Riverside County Regional Medical Center, reported that on or around June 18, 2014, a laptop computer used with an electromyography (EMG) machine was lost or stolen. The laptop contained 563 patients’ electronic protected health information (ePHI) and included patients’ names, medical record numbers, dates of birth, ages, genders, patients’ heights and weights, physicians’ names, clinical data, and study reports. The CE provided breach notification to HHS, affected individuals and the media, and also reported the incident to local law enforcement. Following the breach, the CE encrypted the laptop, locked the department during non-business hours, and changed EMG data transfer processes. Additionally, the CE took steps to address gaps in its security management program to further safeguard ePHI, especially after two additional lost or stolen laptops (breach incidents) occurred within a six month period, which OCR investigated jointly with this breach. OCR obtained assurances that the CE implemented the corrective actions noted above and provided technical assistance on the requirements of the HIPAA Security Rule. | Riverside County Regional Medical Center CA Healthcare Provider 563 | Tuesday | 2014 |
Drs Edalji and Komer | MA | Healthcare Provider | 563 | 2011-05-06 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An unsecured laptop containing the electronic protected health information (ePHI) of approximately 563 individuals was stolen from the car of a business associate’s (BA) subcontractor. The PHI included names, addresses, dates of birth, and social security numbers. Following the breach, the covered entity (CE) notified affected individuals, HHS, and the media, and offered all affected individuals one year of free credit monitoring services. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | Drs Edalji and Komer MA Healthcare Provider 563 | Friday | 2011 |
New Mexico Department of Health | NM | Healthcare Provider | 561 | 2015-12-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), New Mexico Department of Health, experienced a breach of protected health information (PHI) affecting 561 individuals when a workforce member’s laptop computer was stolen out of her locked vehicle on October 4, 2015. The laptop contained patients’ names, dates of birth, diagnoses, and medications. The CE provided breach notification to HHS and affected individuals. As a result of this incident, the CE investigated the incident, modified procedures to ensure all information technology (IT) equipment is delivered directly to the IT department and all laptops are automatically encrypted. The CE also initiated a process to identify all laptops across the enterprise that did not have full disk encryption installed and revised its security awareness training to include protection/loss prevention of mobile devices. Additionally, the CE procured a mobile device management system and a security event and incident management solution and developed an implementation schedule for these tools. OCR obtained assurances from the CE that it implemented the actions listed above. | New Mexico Department of Health NM Healthcare Provider 561 | Tuesday | 2015 |
Arkansas Blue Cross and Blue Shield | AR | Health Plan | 560 | 2015-07-14 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | On June 16, 2015, two unencrypted desktop computers containing the protected health information (PHI) of approximately 560 individuals were stolen from the business associate (BA), Treat Insurance Agency, at its North Little Rock offices. The BA is an insurance broker that solicits and submits applications for health insurance coverage to the covered entity (CE), Arkansas Blue Cross and Blue Shield. The types of PHI involved in the breach included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media. OCR reviewed the BA agreement in place between the CE and the BA and determined that the BA agreement was compliant with 45 C.F.R. §§ 164.314 and 164.504. | Arkansas Blue Cross and Blue Shield AR Health Plan 560 | Tuesday | 2015 |
Penn Treaty Network America Insurance Company | PA | Health Plan | 560 | 2010-08-03 | Other | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures. | Penn Treaty Network America Insurance Company PA Health Plan 560 | Tuesday | 2010 |
Central Iowa Hospital Corporation d/b/a Blank Children’s Hospital | IA | Healthcare Provider | 557 | 2017-12-08 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Central Iowa Hospital Corporation d/b/a Blank Children’s Hospital IA Healthcare Provider 557 | Friday | 2017 |
Cook County Health & Hospitals System | IL | Healthcare Provider | 556 | 2010-12-17 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Cook County Health & Hospitals System IL Healthcare Provider 556 | Friday | 2010 |
HealthLOGIX | MI | Business Associate | 555 | 2012-04-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | HealthLOGIX MI Business Associate 555 | Tuesday | 2012 |
Texas Health Care, P.L.L.C. | TX | Healthcare Provider | 554 | 2013-04-05 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Texas Health Care, P.L.L.C. TX Healthcare Provider 554 | Friday | 2013 |
North Carolina Baptist Hospital | NC | Healthcare Provider | 554 | 2010-03-03 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | An employee’s car was broken into and a tote bag, which had a paper spreadsheet containing protected health information (PHI), was stolen. The spreadsheet contained PHI pertaining to 554 patients and included patients’ names, ages, weight, race, social security numbers, and blood and tissue typing. The covered entity (CE), North Carolina Baptist Hospital, provided breach notification to HHS, affected individuals, and the media, and offered affected individuals a year of credit monitoring services along with a toll-free number to contact. Following the breach, the CE reviewed the applicable policies and procedures with the clinic responsible, revised the spreadsheet to no longer include patients’ social security numbers, and counseled and warned the involved employee about the requirements for properly safeguarding PHI. Additionally, the Chief Executive Officer of the Medical Center emailed all employees to re-educate them about the importance of properly safeguarding PHI and the expectations for compliance and commitment to adhering to federal and state privacy and security laws. As a result of OCR’s investigation, the CE provided an alternate, secure way to electronically access the clinic spreadsheet, installed video cameras in the parking dock, and externally inspected employee vehicles to assure no PHI was visible. The CE established a Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices. | North Carolina Baptist Hospital NC Healthcare Provider 554 | Wednesday | 2010 |
Miracle-Ear, Inc. and Amplifon (USA), Inc. | MN | Business Associate | 554 | 2017-12-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Miracle-Ear, Inc. and Amplifon (USA), Inc. MN Business Associate 554 | Thursday | 2017 |
Alaska Orthopedic Specialists, Inc. | AK | Healthcare Provider | 553 | 2015-11-19 | Theft | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Alaska Orthopedic Specialists, impermissibly sent copies of electronic protected health information (ePHI) to a personal email account between December 18, 2014 and April 14, 2015, which potentially affected approximately 553 individuals. The ePHI included demographic, financial and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. The CE established a website, a related call center, and offered identity-theft protection at no charge. After discovering the breach, the CE hired a digital services consultant to investigate the matter and audit the company’s computer server and email to identify the scope and content of the breach. The CE issued a “cease and desist” letter to the former employee, demanding that the former employee take steps to secure the information and return it. The CE securely stored its remaining paper records and the computer server containing ePHI. OCR verified that business operations for the sole practitioner were officially dissolved on December 31, 2016. | Alaska Orthopedic Specialists, Inc. AK Healthcare Provider 553 | Thursday | 2015 |
DataStat, Inc. | MI | Business Associate | 552 | 2016-02-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of a business associate (BA), DataStat, erroneously misdirected surveys to 487 individuals after failing to follow the BA’s re-print protocol after a printer paper jam. The types of protected health information (PHI) involved in the breach included demographic information, including names and addresses. The covered entity (CE) provided breach notification to HHS and affected individuals. The BA also improved technical safeguards to assist with quality assessment checks and sanctioned the involved employee with a written warning. OCR obtained documentation that the BA implemented the corrective action steps listed above. | DataStat, Inc. MI Business Associate 552 | Friday | 2016 |
Wardell Orthopaedics, P.C. | VA | Healthcare Provider | 552 | 2018-08-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Wardell Orthopaedics, P.C. VA Healthcare Provider 552 | Thursday | 2018 |
Premier Imaging | NC | Healthcare Provider | 551 | 2011-10-28 | Unknown | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver’s license numbers. As a result, the covered entity (CE) terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals. | Premier Imaging NC Healthcare Provider 551 | Friday | 2011 |
Lifestyle Therapy & Coaching | AL | Healthcare Provider | 550 | 2017-10-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Lifestyle Therapy & Coaching AL Healthcare Provider 550 | Monday | 2017 |
Schaeffler Group USA | SC | Health Plan | 550 | 2015-04-02 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Schaeffler Group USA SC Health Plan 550 | Thursday | 2015 |
North Country Hospital and Health Center, Inc | VT | Healthcare Provider | 550 | 2013-10-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A former employee of the covered entity (CE), North Country Hospital and Health Center, retained possession of a retired unencrypted laptop computer that contained protected health information (PHI) following his termination on July 15, 2013. The types of PHI involved in the breach included electronically signed physician orders with dates and ordering providers’ names, as well as patient names, demographic information and clinical information, including diagnoses. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE installed removable disk encryption on all of its laptops as well as desktop computers that store PHI. It also revised the computer system and risk management policy. The CE also implemented a termination checklist and a termination procedure. OCR provided technical assistance to the CE regarding risk analysis. | North Country Hospital and Health Center, Inc VT Healthcare Provider 550 | Tuesday | 2013 |
Oregon Health Authority | OR | Healthcare Provider | 550 | 2012-04-26 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Oregon Health Authority OR Healthcare Provider 550 | Thursday | 2012 |
St. Mary’s Hospital for Children | NY | Business Associate | 550 | 2011-05-19 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity’s (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR’s investigation, the CE’s BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA’s contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. | St. Mary’s Hospital for Children NY Business Associate 550 | Thursday | 2011 |
The Affiliated Sante Group | MD | Healthcare Provider | 550 | 2017-01-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | NA | The Affiliated Sante Group MD Healthcare Provider 550 | Tuesday | 2017 |
Oldendorf Medical Services, PLLC | NY | Healthcare Provider | 549 | 2012-01-24 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. | Oldendorf Medical Services, PLLC NY Healthcare Provider 549 | Tuesday | 2012 |
Bay Area Pain and Wellness Center | CA | Healthcare Provider | 548 | 2017-06-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On May 8, 2017, the covered entity (CE), Bay Area Pain and Wellness Center, discovered that its Electromyography (EMG) machine was stolen from an employee’s car. A laptop computer attached to the EMG contained the electronic protected health information (ePHI) of approximately 548 patients. The ePHI included patients’ names and dates of birth. The laptop was password protected but not encrypted. The CE provided breach notification to HHS, affected individuals and the media, as well as providing substitute notification. In response to the breach, the CE retrained its employees on its Privacy and Security Rule policies, encrypted employees’ laptops, and updated its Security Rule policy to prohibit employees from leaving computers and computer bags in unattended public areas. OCR provided the CE with technical assistance regarding breach notification and the Security Rule risk analysis and risk management provisions. | Bay Area Pain and Wellness Center CA Healthcare Provider 548 | Wednesday | 2017 |
Cornerstone Health Care, PA | NC | Healthcare Provider | 548 | 2014-02-26 | Loss | Theft | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Cornerstone Health Care, PA NC Healthcare Provider 548 | Wednesday | 2014 |
Mercy Hospital and Medical Center | IL | Healthcare Provider | 547 | 2016-10-13 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Mercy Hospital and Medical Center IL Healthcare Provider 547 | Thursday | 2016 |
Jefferson Center for Mental Health | CO | Healthcare Provider | 546 | 2011-02-07 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A list containing the protected health information (PHI) of 546 patients was stolen from the vehicle of the covered entity’s (CE) employee. The breached PHI included names, dates of birth, social security numbers, and Medicaid information. Following the breach, the CE changed its practices and procedures to safeguard PHI and trained staff on its new policies. As a result of OCR’s investigation, the CE improved its process for reporting breaches and mitigating harm. | Jefferson Center for Mental Health CO Healthcare Provider 546 | Monday | 2011 |
Washington Health System | PA | Healthcare Provider | 544 | 2016-12-02 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | Washington Health System Greene Home Care reported that on September 27, 2016, an employee emailed a patient census list to her personal home email account and provided that information to another home health agency, Harmony Home Care (HHC). The list contained the names and addresses of approximately 544 homecare patients. Following the breach, the covered entity (CE) immediately sent Attestations of Destruction and Return of Patient Information letters to HHC and the former employee. The CEO of HHC signed the attestation and returned the patient list, indicating that 182 letters were returned as undeliverable. The former employee indicated that she had no copies of the patient list and did not send the list to anyone else. The CE closed operations on October 30, 2016. The CE provided breach notification to 530 affected individuals and to HHS. The CE also filed reports with both the Pennsylvania State Police and the Department of Health. OCR obtained assurances that the CE implemented the corrective actions listed. | Washington Health System PA Healthcare Provider 544 | Friday | 2016 |
Kaiser Foundation Health Plan of the Northwest | OR | Health Plan | 544 | 2016-11-06 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On October 12, 2016, Kaiser Permanente upgraded its website, kp.org, which resulted in an incorrect configuration setting for caching data. This website upgrade affected several covered entities (CEs), including the Kaiser Foundation Health Plan of the Northwest. As a result of the error, some users who logged into the website may have had some of the protected health information (PHI) they viewed online saved into the cache, where it could be seen by other visitors to the webpage. Kaiser Permanente was alerted to the incident and took action to repair the error. The breach affected approximately 544 individuals participating with this CE. The types of PHI involved in the breach included clinical and demographic information. The CE provided individual and substitute breach notifications. In response to the breach, the CE created a corrective action plan to help mitigate the chances of a misconfiguration error by educating the relevant IT staff, creating new processes, ensuring sign-offs and approvals at appropriate points in the process, testing an outcome before going live, and engaging a subject matter expert. OCR provided the CE with technical assistance regarding the HIPAA Security Rule, including risk analysis and risk management. | Kaiser Foundation Health Plan of the Northwest OR Health Plan 544 | Sunday | 2016 |
City of Detroit | MI | Healthcare Provider | 544 | 2018-02-05 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | City of Detroit MI Healthcare Provider 544 | Monday | 2018 |
Yellowstone Boys and Girls Ranch | MT | Healthcare Provider | 543 | 2014-03-24 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Sometime between July 11, 2013, and January 27, 2014, the covered entity (CE), Yellowstone Boys and Girls Ranch, lost a resource notebook for on-call staff in its Lewiston office. The notebook included documents containing the protected health information (PHI) of 543 individuals including clients’ names, addresses, dates of birth, schools, treatment providers, and community-based program information. The CE provided breach notification to HHS, affected individuals, and the media. The CE immediately stopped storing PHI in the on-call resource book and sanctioned the responsible personnel. As a result of OCR’s investigation, and with substantial technical assistance from OCR, the CE began developing and revising necessary policies and procedures governing the storage, transportation, and handling of PHI. Additionally, the CE provided OCR with written assurance that it will train its staff on the new policies and procedures. | Yellowstone Boys and Girls Ranch MT Healthcare Provider 543 | Monday | 2014 |
Little River Healthcare | TX | Healthcare Provider | 542 | 2017-06-16 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Little River Healthcare TX Healthcare Provider 542 | Friday | 2017 |
True Vision Eyecare | OH | Healthcare Provider | 542 | 2014-11-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | A burglar stole two laptop computers from the covered entity’s (CE) office. One of the stolen laptops contained the protected health information (PHI) of 542 individuals that included first and last names and eyeglass prescriptions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE purchased new laptops that are password protected with automatic shut-off features, and also retrained staff on security. OCR obtained documentation that the CE implemented the corrective actions it took in this matter. | True Vision Eyecare OH Healthcare Provider 542 | Friday | 2014 |
Kings County Hospital Center | NY | Healthcare Provider | 542 | 2010-11-30 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop. | Kings County Hospital Center NY Healthcare Provider 542 | Tuesday | 2010 |
Northwest Community Healthcare | IL | Healthcare Provider | 540 | 2016-10-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | On April 18, 2016, a business associate (BA) notified the covered entity (CE), Northwest Community Healthcare, that it left a File Transfer Protocol (FTP) port open and unsecured, which led to the exposure of patients’ protected health information (PHI) on the internet. Approximately 540 individuals were affected by the breach, which included patients’ names, addresses, dates of birth, and social security numbers. The CE suspended its relationship with the BA and required it to destroy all of the CE’s patient information that it had in its possession. The CE provided breach notification to HHS and affected individuals. OCR obtained documented assurances that the CE implemented the corrective actions listed above. | Northwest Community Healthcare IL Healthcare Provider 540 | Friday | 2016 |
Sisters of Charity of Leavenworth Health System Health Benefits Plan | CO | Business Associate | 540 | 2016-04-05 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | A sub-subcontractor for the business associate (BA), Kaiser Permanente Insurance Company, incorrectly changed a setting on a printer press during maintenance, resulting in errors on printed, explanation of benefit (EOB), letters. The error impacted the letters of 540 individuals. The protected health information (PHI) involved in the breach included names, addresses, annual deductibles, annual out of pocket maximums, dollars spent âyear-to-dateâ towards the deductible, and out-of-pocket maximums. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the subcontractor BA responsible for printing the EOBâs updated its procedures to include additional oversight by its workforce members and additional print testing during printer updates or maintenance. OCR reviewed the applicable BA agreements, and its investigation resulted in the BA improving safeguards for the printing of PHI for the CE’s health plan. | Sisters of Charity of Leavenworth Health System Health Benefits Plan CO Business Associate 540 | Tuesday | 2016 |
EnvisionRx | OH | Business Associate | 540 | 2015-10-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | Due to a processing error, the business associate (BA), EnvisionRx, mailed letters to the covered entityâs (CE) members that contained other members’ protected health information (PHI). The names, medications, and dates of service of 540 individuals were involved in the breach. The BA provided breach notification to HHS, affected individuals, and the media. The BA responded to the breach by implementing additional quality control procedures, updating its Breach Rule Notification policy, and training the appropriate staff. As a result of OCRâs investigation the BA updated it BA agreement with the CE, Orange-Ulster School District Health Plan. The BA also provided OCR with documentation of its corrective actions. | EnvisionRx OH Business Associate 540 | Friday | 2015 |
Walgreen Co. | IL | Healthcare Provider | 540 | 2014-06-06 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | Walgreen Co. IL Healthcare Provider 540 | Friday | 2014 | |
Original Medicine Acupuncture & Wellness, LLC | NM | Healthcare Provider | 540 | 2012-11-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | Original Medicine Acupuncture & Wellness, LLC NM Healthcare Provider 540 | Wednesday | 2012 | |
DC Chartered Health Plan, Inc | DC | Health Plan | 540 | 2010-07-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | DC Chartered Health Plan, Inc DC Health Plan 540 | Friday | 2010 | |
North Atlantic Telecom, Inc. | TN | Business Associate | 539 | 2013-05-08 | Other | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | Yes | North Atlantic Telecom, Inc. TN Business Associate 539 | Wednesday | 2013 | |
Denise M. Bowden, LAc | CA | Healthcare Provider | 538 | 2018-06-11 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Denise M. Bowden, LAc CA Healthcare Provider 538 | Monday | 2018 |
Lebanon Cardiology Associates, PC | PA | Healthcare Provider | 537 | 2016-11-14 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | Yes | A business associate (BA), Ambucor Health Solutions, for the covered entity (CE), Lebanon Cardiology Associates, reported a breach by a rogue employee. The CE and BA both reported the breach to HHS. The BA’s employee, who is now incarcerated on unrelated matters, downloaded protected health information (PHI) onto two portable computer drives (i.e., “thumb” drives) which have been recovered. The types of PHI that were involved varied by patient, but may have included the first and last names, phone numbers, diagnoses, medications, dates of birth, race, home addresses, testing data, patient identification numbers, and medical device information of 537 of the CE’s patients. In addition, the thumb drives contained the social security numbers of about 650 patients of several covered entities with PHI that was also affected by the same breach incident. OCR reviewed a copy of the signed BA agreement between the BA and the CE. OCR confirmed that breach notification letters were mailed to affected individuals on June 27, 2016. This investigation has been consolidated into an existing review filed by the BA to ensure that all the requirements under the Breach Notification Rule have been met. OCR obtained assurances that the CE implemented the corrective actions listed above. | Lebanon Cardiology Associates, PC PA Healthcare Provider 537 | Monday | 2016 |
University of Rochester Medical Center & Affiliates | NY | Healthcare Provider | 537 | 2013-05-06 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | NA | University of Rochester Medical Center & Affiliates NY Healthcare Provider 537 | Monday | 2013 |
Health Help, Inc. | KY | Healthcare Provider | 535 | 2013-12-10 | Theft | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce member’s unlocked personal vehicle parked at home. The ePHI involved in the breach included names and birthdates. Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media. Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices. The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy. OCR obtained assurances that the CE implemented the corrective action listed above. | Health Help, Inc. KY Healthcare Provider 535 | Tuesday | 2013 |
Visiting Nurse Service Association of Schenectady County | NY | Healthcare Provider | 535 | 2010-11-12 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCR’s investigation, the CE disabled the involved staff member’s account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff. | Visiting Nurse Service Association of Schenectady County NY Healthcare Provider 535 | Friday | 2010 |
Autism Home Support Services | IL | Healthcare Provider | 533 | 2016-08-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) employee disclosed protected health information (PHI) to a university practicum student who contacted individuals by email to ask if they would like to participate in a survey related to autism. The PHI involved in the breach included the demographic information of approximately 533 individuals. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE sanctioned and re-trained the involved employee and confirmed that the practicum student destroyed the PHI received. OCR obtained documentation that the CE implemented the corrective actions listed above. | Autism Home Support Services IL Healthcare Provider 533 | Wednesday | 2016 |
Cornerstone Foot & Ankle | NJ | Healthcare Provider | 533 | 2018-04-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Cornerstone Foot & Ankle NJ Healthcare Provider 533 | Monday | 2018 |
Sacred Heart Health System, Inc | FL | Healthcare Provider | 532 | 2016-04-12 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | On February 16, 2016, the American College of Cardiology Foundation, a business associate (BA), notified the covered entity (CE), Sacred Heart Health System, Inc., that some of its protected health information (PHI) had been inadvertently transferred to a testing environment made accessible to four vendors who were working with a software developer of the BA. The CE conducted an internal investigation and determined that the names, dates of birth, social security numbers, and internal patient identification numbers for 532 individuals had been exposed as a result of the incident. The CE immediately terminated access to the database containing the PHI, and obtained assurances from the vendors and software developer that the PHI had not been retained, or made accessible to any other unauthorized individuals. In response to the breach, the CE reviewed its policies and procedures, retrained its staff. The BA revised its policies and procedures for transferring data and added additional safeguard controls to ensure the security of PHI. Additionally, the CE provided breach notification to HHS, to the affected individuals, to the media, and posted a notice on its website. OCR obtained assurances that the CE and BA implemented the corrective actions listed above. | Sacred Heart Health System, Inc FL Healthcare Provider 532 | Tuesday | 2016 |
Rocky Mountain Spine Clinic | CO | Healthcare Provider | 532 | 2013-07-31 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Rocky Mountain Spine Clinic, reported that an employee sent an email containing the protected health information (PHI) of approximately 532 patients to her personal email account. The PHI involved in the breach included names, social security numbers, insurance numbers and information, descriptions of procedures, and treating physicians’ names. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the employee, ensured the PHI was no longer on the employee’s personal computer and email account, and retrained its staff on relevant Privacy and Security Rules’ provisions. OCR obtained copies of the CE’s HIPAA policies and procedures and obtained assurances that the CE implemented the corrective actions noted above. | Rocky Mountain Spine Clinic CO Healthcare Provider 532 | Wednesday | 2013 |
Calvin Schuster,MD | CA | Healthcare Provider | 532 | 2013-01-04 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Calvin Schuster,MD CA Healthcare Provider 532 | Friday | 2013 |
MacNeal Physician Group | IL | Healthcare Provider | 532 | 2011-04-25 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Laptop | Network Server | NA | NA | NA | NA | NA | No | NA | MacNeal Physician Group IL Healthcare Provider 532 | Monday | 2011 |
Lucille Packard Children’s Hospital | CA | Healthcare Provider | 532 | 2010-02-21 | Other | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Lucille Packard Children’s Hospital CA Healthcare Provider 532 | Sunday | 2010 |
Baptist Medical Center South | FL | Healthcare Provider | 531 | 2017-06-30 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | Baptist Medical South, the covered entity (CE), lost a hard drive that was used to store backup electroencephalogram (EEG) test results. The breach affected 531 individuals and the types of protected health information (PHI) on the drive included patients’ names, dates of birth, hospital and medical record numbers, physicians’ orders, diagnoses, room numbers, and EEG image results. The CE provided breach notification to affected individuals, the media, and HHS and also posted notification on its website. In response to the breach, the CE initiated its security incident procedure, reviewed surveillance video footage, and interviewed employees. The CE also revised its procedures relating to hard drive storage and updated its policies. Additionally, the CE improved physical and technical safeguards, including the use of encryption. The CE also trained its staff on the updated policies and procedures. OCR provided the CE with technical assistance on breach start dates and breach reports. OCR obtained assurances that the CE implemented the corrective actions listed above. | Baptist Medical Center South FL Healthcare Provider 531 | Friday | 2017 |
Ledet Family Chiropractic Cener | PA | Healthcare Provider | 530 | 2017-07-09 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The covered entity’s (CE) computer server was infected with ransomware. The server contained the protected health information of approximately 530 individuals and the types of protected health information involved in the breach included diagnostic information. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE disabled remote access to its server and upgraded its anti-malware software. As a result of OCR’s investigation, the CE conducted a risk analysis and implemented a risk management plan. | Ledet Family Chiropractic Cener PA Healthcare Provider 530 | Sunday | 2017 |
Glendale Adventist Medical Center | CA | Healthcare Provider | 528 | 2016-11-28 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | A workforce member of the covered entity (CE), Glendale Adventist Medical Center, an Adventist Health facility, inappropriately accessed medical records for several months from the employee’s personal electronic device(s) via a remote connection. The breach affected 528 individuals’ electronic protected health information (ePHI) and included patients’ names, addresses, dates of birth, social security numbers, and medical diagnoses. The CE provided breach notification to affected individuals, the media, and HHS. Following the breach and in response to OCR’s contact in this matter, the CE sanctioned the employee and revised its sanctions policy. OCR obtained assurances from the CE that it took the corrective actions noted above. The CE also reported to OCR that it planned to take measures to increase its administrative and technical safeguards of ePHI. In this case, the CE’s sanction included termination of employment. | Glendale Adventist Medical Center CA Healthcare Provider 528 | Monday | 2016 |
Blue Cross Blue Shield of RI | RI | Business Associate | 528 | 2010-02-16 | Other | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University’s health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members’ claim history to ensure no fraud. | Blue Cross Blue Shield of RI RI Business Associate 528 | Tuesday | 2010 |
Cigna | CT | Business Associate | 527 | 2014-04-09 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | NA | Cigna CT Business Associate 527 | Wednesday | 2014 |
Lancaster General Medical Group | PA | Healthcare Provider | 527 | 2013-03-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A spreadsheet containing the protected health information (PHI) of 527 individuals was stolen from one of the covered entity’s (CE) locations. The PHI involved in the breach included names and dates of birth. Following the breach, the CE notified the local police, provided breach notification to HHS, the media, and the affected individuals, and offered identity protection services to the individuals. The CE attempted to retrieve the PHI. As a result of OCR’s investigation, the CE reviewed its policies to prevent a similar incident from occurring in the future. | Lancaster General Medical Group PA Healthcare Provider 527 | Monday | 2013 |
Excel Plus Home Health, Incorporated | TX | Healthcare Provider | 524 | 2016-03-23 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Excel Plus Home Health, Incorporated TX Healthcare Provider 524 | Wednesday | 2016 |
North Carolina Department of Health and Human Services | NC | Health Plan | 524 | 2015-11-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | North Carolina Department of Health and Human Services NC Health Plan 524 | Friday | 2015 |
Madison Street Provider Network | CO | Healthcare Provider | 523 | 2014-09-26 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On August 1, 2014, Madison Street Provider Network, the covered entity (CE), discovered that an employee’s unencrypted laptop computer was stolen from a locked car. The laptop contained emails containing patients’ names, dates of birth, telephone numbers, and clinical information. The CE determined that the breach affected 523 individuals. The CE provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE encrypted all laptops, updated and revised its HIPAA policies, and counseled the responsible employee. OCR provided the CE with technical assistance regarding a security management process that accurately and thoroughly identifies and mitigates the risks posed to its receipt, maintenance, and transmission of electronic protected health information. | Madison Street Provider Network CO Healthcare Provider 523 | Friday | 2014 |
Rite Aid Store 5256 | WA | Healthcare Provider | 522 | 2014-07-30 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | A box containing paper prescription records was removed from the backroom at the covered entity’s (CE) Milton, WA location. The box contained the protected health information (PHI) of approximately 522 individuals and included names, addresses, and dates of birth. The CE provided breach notification to affected individuals, HHS, and the media. The CE offered one year of free identity theft protection to affected individuals. Following the breach, the CE improved physical safeguards by moving all remaining hard copy prescription records to a more secure area. The CE contacted all other stores in the region to ensure that prescription records were being appropriately secured. As a result of OCR’s investigation, the CE clarified its PHI storage policies to store managers in Washington State, and implemented new security procedures at the affected location. OCR provided the CE with technical assistance regarding adequate safeguards to PHI, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule. | Rite Aid Store 5256 WA Healthcare Provider 522 | Wednesday | 2014 |
Memorial Hospital Clinic West | TX | Healthcare Provider | 521 | 2017-04-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Electronic Medical Record | Network Server | NA | NA | NA | NA | NA | NA | No | Seminole Hospital District of Gaines County Texas, the covered entity (CE), was a victim of a ransomware attack on a shared computer server for Memorial Hospital Clinic West (MHCW) and Memorial Hospital Clinic South (MHCS), part of the CE. As a result of the attack, the protected health information (PHI) of approximately 521 patients from MHCW and 842 patients from MHCS was held for ransom. The types of PHI involved in the breach included demographic and clinical information. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE retrained staff and deployed additional software to block ransomware attacks. OCR obtained assurances that the CE implemented the corrective actions noted above. | Memorial Hospital Clinic West TX Healthcare Provider 521 | Wednesday | 2017 |
Mercy Medical Center Redding | CA | Healthcare Provider | 520 | 2016-06-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | An employee of a business associate (BA), naviHealth, provided services to the covered entity’s (CE) patients using an assumed name and nursing license from June 1, 2015, to May 13, 2016, and accessed protected health information (PHI) in the course of employment. The breach affected 520 individuals who were patients of the CE’s Redding facility and a total of 1,253 Dignity Health patients in California and Nevada. The types of PHI involved in the breach included full names, addresses, dates of birth, social security numbers, claims information, diagnoses/conditions, lab results, and medications. The CE provided breach notification to HHS, affected individuals, and the media and also provided substitute notice. OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE implemented the corrective actions listed above. In response to the breach, the BA sanctioned the responsible employee, terminated the employee’s access to all PHI, and contacted law enforcement to report the incident. The BA also reviewed recorded calls made by the employee and PHI accessed by the employee to ensure that PHI was accessed to provide patients with services according to the job function. In addition, the BA improved administrative safeguards by revising its workforce clearance policies and procedures. | Mercy Medical Center Redding CA Healthcare Provider 520 | Wednesday | 2016 |
24 ON Physicians, PC/In Compass Health,Inc. | GA | Business Associate | 520 | 2014-08-14 | Hacking/IT Incident | Other | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | On December 1, 2013, a subcontractor of 20 ON Physicians PC/ In Compass Health Inc., Williamson Medical Center’s former business associate (BA), unintentionally made a computer server containing protected health information (PHI) potentially available for access on the internet. The PHI that was potentially available on the internet included the names, dates of service, charge amounts, and billing codes of 520 patients. The CE investigated and verified that its BA and its subcontractor had taken all necessary corrective steps to mitigate the breach. Specifically, the subject server was removed from public internet access, all data provided to the subcontractor was destroyed, and all cached pages were removed. Additionally, the CE worked with the BA to provide breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. Additionally, the CE reviewed and confirmed that all of its BA agreements contain provisions addressing subcontractors and data security and conducted an in-depth review of its risk analysis. A separate breach investigation was opened for the BA, 20 ON Physicians PC/In Compass Health Inc. OCR reviewed the BA agreement and Breach Notification Rule policy and determined that they were sufficient. | 24 ON Physicians, PC/In Compass Health,Inc. GA Business Associate 520 | Thursday | 2014 |
StayWell Health Management, LLC | MN | Business Associate | 520 | 2014-02-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | StayWell Health Management, LLC MN Business Associate 520 | Friday | 2014 |
Alamo Consumer Direct, LLC | TX | Healthcare Provider | 520 | 2014-01-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | The business associate (BA), Alamo Consumer Direct, reported that an error in its web portal security settings allowed unauthorized access to protected health information (PHI) between September 20, 2013 and October 17, 2013. The breach affected approximately 520 individuals and included names, program participation status and a program spending summary. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA corrected the security settings to limit access and trained staff. As a result of OCR’s investigation, the BA entered into a new BA agreement with the covered entity, the Texas Department of Aging and Disability Services. | Alamo Consumer Direct, LLC TX Healthcare Provider 520 | Thursday | 2014 |
Henry Ford Health System | MI | Healthcare Provider | 520 | 2011-10-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | Henry Ford Health System MI Healthcare Provider 520 | Monday | 2011 |
VA Illiana Health Care System | IL | Healthcare Provider | 518 | 2011-09-23 | Loss | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | VA Illiana Health Care System IL Healthcare Provider 518 | Friday | 2011 |
Department of Human Services, Commonwealth of Pennsylvania | PA | Health Plan | 517 | 2017-09-07 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Department of Human Services, Commonwealth of Pennsylvania PA Health Plan 517 | Thursday | 2017 |
Carol L Patrick Ph. D. | OH | Healthcare Provider | 517 | 2013-09-30 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | On August 9, 2013, the covered entity (CE), Dr. Carol L. Patrick, discovered that her office was broken into and all the operational computers, network servers, and work stations were stolen. The stolen equipment contained the electronic protected health information (ePHI) of approximately 517 individuals and included clinical information, specifically psychological assessments, evaluations, letters, reports, and evaluations written on behalf of clients. The CE provided breach notification to HHS, affected individuals, and the media, and filed a police report. Following the breach, the CE improved physical safeguards by installing a security system with motion and fire protection and internal alarms. The CE also installed encryption software and updated its privacy policy. OCR obtained assurances that the CE implemented the corrective actions listed above. | Carol L Patrick Ph. D. OH Healthcare Provider 517 | Monday | 2013 |
Nebraska Department of Health and Human Services | NE | Health Plan | 516 | 2018-09-04 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Nebraska Department of Health and Human Services NE Health Plan 516 | Tuesday | 2018 |
Planned Parenthood of the Heartland | IA | Healthcare Provider | 515 | 2018-06-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Planned Parenthood of the Heartland IA Healthcare Provider 515 | Friday | 2018 |
Washington State Department of Social and Health Services | WA | Healthcare Provider | 515 | 2017-11-16 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Washington State Department of Social and Health Services WA Healthcare Provider 515 | Thursday | 2017 | |
Georgia Health Sciences University | GA | Healthcare Provider | 513 | 2012-03-15 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On January 19, 2012, the covered entityâs (CE) employee discovered that her laptop computer was stolen from the front porch of her home. The laptop contained the electronic protected health information (ePHI) of 513 patients, including names, dates of birth, and health data. The laptop lacked virtual private network connectivity and the data was password protected but not encrypted. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE encrypted all employee laptops, implemented a mobile device and remote access policy and updated its electronic data backup policy. The CE also trained staff on its HIPAA Privacy and Security policies. Additionally, the CE counseled the employee for failure to maintain physical security of the CEâs property. OCR obtained assurances that the CE implemented the corrective actions listed above. | Georgia Health Sciences University GA Healthcare Provider 513 | Thursday | 2012 |
ST Psychotherapy, LLC | WI | Healthcare Provider | 509 | 2015-12-23 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), ST Psychotherapy, LLC, was burglarized sometime between October 21, 2015 and October 23, 2015, and a laptop computer containing the electronic protected health information (ePHI) of approximately 509 individuals was stolen. The laptop computer contained patientsâ names, driverâs license numbers, dates of birth, social security numbers, clinical, and demographic information. The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report. To prevent similar breaches from happening in the future, the CE changed the locks on its office. The CE also encrypted the laptop that replaced the stolen one and completed training on safeguarding PHI and the uses and disclosures of PHI. OCR obtained written assurances that the CE implemented the corrective actions noted above. | ST Psychotherapy, LLC WI Healthcare Provider 509 | Wednesday | 2015 |
Episcopal Health Services Inc. d/b/a St. John’s Episcopal Hospital | NY | Healthcare Provider | 509 | 2015-06-25 | Theft | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | Yes | OCR opened an investigation of the covered entity (CE), Episcopal Health Services Inc., d/b/a St. Johnâs Episcopal Hospital, after it reported that its business associate’s (BA) employee sold 509 patients’ data to unknown persons. The protected health information (PHI) included patientsâ names, addresses, dates of birth, gender, email addresses, social security numbers, account numbers, dates of service, medications, insurance information, diagnoses, billing codes, and reasons for treatment. The BA, Zotec Partners, LLC, d/b/a Medical Management LLC, also filed a separate breach report. As a result of the breach, the BA transitioned to an improved billing system that offers more security controls, implemented software for tracking and monitoring access and user activity, and masked social security numbers from employees whose job duties do not require full access. In addition, the BA conducted updated training on the Privacy and Security Rule standards for all employees. OCR obtained assurances for this case that the BA implemented the corrective actions noted above and also opened a separate investigation of the BA. | Episcopal Health Services Inc. d/b/a St. John’s Episcopal Hospital NY Healthcare Provider 509 | Thursday | 2015 |
VA Eastern Colorado Health Care System(ECHCS) | CO | Healthcare Provider | 508 | 2015-04-02 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On January 30, 2015, a former employee of the covered entity (CE), VHA Eastern Colorado Healthcare System, purporting to be a whistleblower, disclosed a patient waitlist to a news reporter. The breach affected 508 individuals, and the types of protected health information (PHI) involved in the breach included scheduled dates, last four digits of social security numbers, clinic names, and possibly patientsâ first and last names. The CE provided breach notification to affected individuals, the media, and HHS. The CE also investigated the incident and mitigated the effects of the breach by providing affected individuals with credit monitoring information. OCR obtained assurances that the CE implemented the corrective actions listed above. | VA Eastern Colorado Health Care System(ECHCS) CO Healthcare Provider 508 | Thursday | 2015 |
University of Illinois, College of Nursing | IL | Business Associate | 508 | 2012-11-02 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | Yes | | University of Illinois, College of Nursing IL Business Associate 508 | Friday | 2012 |
Burlington Northern Santa Fe Group Benefits Plan | TX | Health Plan | 507 | 2014-10-28 | Loss | NA | NA | NA | NA | NA | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | NA | No | On October 27, 2014, the covered entity (CE), Burlington Northern Santa Fe Group Benefits Plan, reported a breach when a workforce member that was on a business trip lost an unsecured flash drive that contained employees’ protected health information (PHI). The flash drive contained the demographic and clinical information of 507 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE sanctioned the workforce member, revised its policy limiting the ability of employees to transfer PHI to portable devices, installed encryption software, and retrained staff on its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above. | Burlington Northern Santa Fe Group Benefits Plan TX Health Plan 507 | Tuesday | 2014 |
AllOne Health Management Solutions, Inc. | PA | Business Associate | 507 | 2011-09-23 | Theft | Unauthorized Access/Disclosure | NA | NA | NA | NA | Laptop | Paper/Films | NA | NA | NA | NA | NA | NA | Yes | | AllOne Health Management Solutions, Inc. PA Business Associate 507 | Friday | 2011 |
LabCorp Patient Service Center | NV | Healthcare Provider | 507 | 2010-09-10 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | LabCorp Patient Service Center NV Healthcare Provider 507 | Friday | 2010 |
Success 4 Kids & Families, Inc. | FL | Healthcare Provider | 506 | 2015-05-20 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | On April 5, 2015, a Success 4 Kids & Family employee’s laptop computer was stolen out of his vehicle while parked during non-work hours. The laptop contained the protected health information (PHI) of 506 individuals, and included clients’ names, addresses, dates of birth, social security numbers, and limited treatment-related information. The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to this incident, the CE contracted with an IT vendor to upgrade servers and provide cloud backup service, encrypted all computers, reviewed its policies and procedures, implemented an encryption policy, and trained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Success 4 Kids & Families, Inc. FL Healthcare Provider 506 | Wednesday | 2015 |
Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan | IN | Business Associate | 506 | 2011-08-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | A computer server belonging to a former business associate (BA) and third party administrator, AssureCare Risk Management, Inc., was hacked. The server contained social security numbers, birth dates, names, addresses, gender, and physician and hospital/facility names linked with benefit payment information which could include type of service (i.e. office visit, inpatient stay, lab and x-ray, physical therapy, etc.). The breach affected 506 individuals. The relationship between the BA and the covered entity, Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan, ended in 2006, but the BA continued to retain possession of protected health information (PHI) relating to the Plan’s participants because it was required to do so by law. The CE provided breach notification to HHS, affected individuals, and the media. OCR reviewed the BA agreement between the BA and CE which contained provisions regarding the use, disclosure, and safeguarding of PHI that ended in 2006, but also contained language requiring the BA to extend the protections of the agreement to the CE’s PHI after the agreement terminated. The CE obtained assurances that the BA shut down the server in question following the breach and does not maintain unsecured PHI on any other server. OCR obtained written assurances that the CE implemented the corrective actions noted above. | Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan IN Business Associate 506 | Monday | 2011 |
Tallahassee Memorial HealthCare, Inc. | FL | Healthcare Provider | 505 | 2016-05-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Tallahassee Memorial HealthCare, Inc., the covered entity (CE), discovered that an employee attempted to upload protected health information (PHI) containing patients’ names, insurance numbers, payor financial information numbers, and account numbers to an unauthorized website. The breach affected 505 individuals. The CE sent timely breach notification to HHS and to affected individuals and provided free credit monitoring to affected individuals. In response to the breach, the CE sanctioned the responsible employee, flagged patient accounts in its internal billing system, revised its website filter to block additional web sites, and updated its employee training. OCR obtained assurances from the CE that it implemented the corrective actions listed above. | Tallahassee Memorial HealthCare, Inc. FL Healthcare Provider 505 | Friday | 2016 |
Camas Center Clinic, Kalispel Tribe of Indians | WA | Healthcare Provider | 504 | 2016-11-21 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Desktop Computer | Paper/Films | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), the Kalispel Tribe of Indians, Camas Center Clinic, gave an “on-call” temporary administrative assistant at the CE’s facility, who had not yet been trained in HIPAA, the employee’s personal login and password information. The assistant used the login/password information to access electronic protected health information (ePHI) on the employee’s computer. When the information technology department learned of this impermissible access, it quickly disabled the employee’s login information, as the ePHI had been shared in violation of the CE’s policies. In addition to ePHI, the assistant also accessed paper PHI. The breach affected approximately 504 individuals and the types of PHI and ePHI involved included demographic, financial, and clinical information. The CE provided breach notification to the affected individuals, the media, and HHS. The CE sanctioned the employee pursuant to its policies for impermissibly sharing the login/password information and retrained its workforce members on HIPAA. OCR obtained assurances that the CE implemented the corrective action measures described. | Camas Center Clinic, Kalispel Tribe of Indians WA Healthcare Provider 504 | Monday | 2016 |
The Kroger Co., for itself and its affiliates and subsidiaries | OH | Healthcare Provider | 504 | 2014-02-26 | Other | NA | NA | NA | NA | NA | Electronic Medical Record | NA | NA | NA | NA | NA | NA | NA | No | | The Kroger Co., for itself and its affiliates and subsidiaries OH Healthcare Provider 504 | Wednesday | 2014 |
Truman Medical Center, Incorporated | MO | Healthcare Provider | 503 | 2015-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | An employee of the covered entity (CE), Truman Medical Center, found a list of patients on the internet. The list contained names, addresses, and internal identification numbers for 503 of the CE’s patients. The CE determined that the list was posted to a file transfer protocol (FTP) site by the public relations department and was a mailing list used to notify patients that a clinic was moving to a new location. The list was available on the internet from September 2012 until March 2015. The CE provided breach notification to HHS, affected individuals and the media, and provided substitute notice on its website. Following the breach, the CE immediately removed and deleted the patient list from FTP site and reviewed the other information posted on the site. The CE improved safeguards by enabling the public relations employees to send encrypted emails and providing instructions on how to use secure email. The CE also required additional training for workforce members in the public relations department. OCR obtained written assurances that the CE implemented the corrective actions listed above. | Truman Medical Center, Incorporated MO Healthcare Provider 503 | Tuesday | 2015 |
Hillsides | CA | Healthcare Provider | 502 | 2015-12-30 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | A workforce member emailed documents containing personally identifiable information (PII) and protected health information (PHI) of patients and employees to a personal email address. The breach involved the PII and PHI of 970 individuals. The breached information included names, dates of birth, patient identification numbers, and health care provider information. Following the breach, the covered entity (CE), Hillsides, provided breach notification to HHS, affected individuals, and the media. It also sanctioned the workforce member involved, implemented safeguards, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above. | Hillsides CA Healthcare Provider 502 | Wednesday | 2015 |
Blue Cross Blue Shield of Michigan Blue Care Network | MI | Business Associate | 502 | 2014-05-19 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | Yes | | Blue Cross Blue Shield of Michigan Blue Care Network MI Business Associate 502 | Monday | 2014 |
Lake Granbury Medicl Ceter | TX | Healthcare Provider | 502 | 2012-04-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | | Lake Granbury Medicl Ceter TX Healthcare Provider 502 | Wednesday | 2012 |
State of Alaska Department of Health and Social Services | AK | Healthcare Provider | 501 | 2017-09-01 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | State of Alaska Department of Health and Social Services AK Healthcare Provider 501 | Friday | 2017 |
Health Care Service Corporation | IL | Health Plan | 501 | 2015-09-17 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | This case has been consolidated with another review of the same covered entity. | Health Care Service Corporation IL Health Plan 501 | Thursday | 2015 |
Arizona Oncology | AZ | Healthcare Provider | 501 | 2013-02-21 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | | Arizona Oncology AZ Healthcare Provider 501 | Thursday | 2013 |
Digital Archive Management | TX | Business Associate | 501 | 2012-11-21 | Improper Disposal | Theft | NA | NA | NA | NA | Network Server | Paper/Films | NA | NA | NA | NA | NA | NA | Yes | On or about July 26, 2012, the covered entity (CE), El Centro Regional Medical Center, learned that its business associate (BA), Digital Archive Management, abandoned the CE’s hard copy “jackets” for radiology films (x-rays) and radiology reports at a locked El Centro facility, instead of digitizing and destroying the records in accordance with the Business Associate Agreement. The CE recovered the jackets and radiology reports. On March 22, 2013, the CE learned from the FBI that the missing radiology films and hard copy paper documents were discovered in an abandoned commercial facility in Nevada. The breach involved the protected health information (PHI) of approximately 501 individuals and included demographic information, including names and dates of birth, and clinical information, including diagnoses and conditions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned certain employees, reviewed and updated its HIPAA policies and procedures, and implemented security measures to reduce risks and vulnerabilities to PHI and ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance deadline. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. OCR also reviewed the CE’s policies and procedures, risk analysis, risk management plan, and incident report. | Digital Archive Management TX Business Associate 501 | Wednesday | 2012 |
OhioHealth Corporation dba Grant Medical Center | OH | Healthcare Provider | 501 | 2011-01-04 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | | OhioHealth Corporation dba Grant Medical Center OH Healthcare Provider 501 | Tuesday | 2011 |
Alaska Department of Health and Social Services | AK | Healthcare Provider | 501 | 2009-10-30 | Theft | NA | NA | NA | NA | NA | Other | Other Portable Electronic Device | NA | NA | NA | NA | NA | NA | No | The Alaska Department of Health and Social Services (DHSS) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts. “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.” | Alaska Department of Health and Social Services AK Healthcare Provider 501 | Friday | 2009 |
Riverside Medical Center | IL | Healthcare Provider | 501 | 2018-04-20 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Other | NA | NA | NA | NA | NA | NA | No | NA | Riverside Medical Center IL Healthcare Provider 501 | Friday | 2018 |
The Center For Health Care Services | TX | Healthcare Provider | 501 | 2017-11-08 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | The Center For Health Care Services TX Healthcare Provider 501 | Wednesday | 2017 |
Clinical Pathology Laboratories Southeast | FL | Healthcare Provider | 500 | 2017-11-17 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Clinical Pathology Laboratories Southeast FL Healthcare Provider 500 | Friday | 2017 |
Northwest Behavioral Healthcare Services | OR | Healthcare Provider | 500 | 2017-07-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | NA | Northwest Behavioral Healthcare Services OR Healthcare Provider 500 | Thursday | 2017 |
Syed Ahmed, MD PA | TX | Healthcare Provider | 500 | 2017-02-23 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Syed Ahmed, MD PA TX Healthcare Provider 500 | Thursday | 2017 |
Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service | AZ | Healthcare Provider | 500 | 2017-02-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | | NA | NA | NA | NA | NA | NA | NA | No | On February 1, 2017, the covered entity (CE), Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service, erroneously sent an email regarding a change in ownership to past and current clients so that email addresses in the mailing were visible to all recipients. The email was sent to approximately 500 individuals and may have contained names as a portion of some email addresses. The CE provided breach notification to HHS, affected individuals, and the media. The CE revised its policies and procedures and retrained staff. OCR provided substantial technical assistance to the CE and obtained assurances that the CE implemented the corrective actions noted above. | Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service AZ Healthcare Provider 500 | Thursday | 2017 |
Office of Dr. David Elbaum | CA | Healthcare Provider | 500 | 2017-01-09 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On November 10, 2016, the Office of Dr. David Elbaum, the covered entity (CE), discovered that paper copies of patients’ protected health information (PHI) had been stolen from a third party storage facility, a business associate (BA). The exact date of the theft is not known. The breach affected approximately 500 individuals and included clinical and demographic information. The CE provided breach notification to HHS, affected individuals, and the media. It also established a toll-free call center and offered free credit monitoring services to the affected individuals. The CE obtained assurances from the BA that it implemented additional physical safeguards at the facility following the breach. OCR obtained assurances that the CE implemented the corrective actions described above. | Office of Dr. David Elbaum CA Healthcare Provider 500 | Monday | 2017 |
Desert Care Family and Sports Medicine | AZ | Healthcare Provider | 500 | 2016-12-20 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | In early August of 2016, ransomware infected Desert Care Family and Sports Medicine’s (DCFSM’s) server and encrypted all of the data contained on the server. DCFSM contacted its IT provider and Data Doctors but was unable to break one of the two encryption variants. DCFSM was also unable to recover the patient data on the server. DCFSM contacted the Casa Grande Police Department and the FBI to notify them of this incident. DCFSM is unsure how many individuals were affected by this incident but reported the breach as affecting over 500 individuals in an abundance of caution. DCFSM provided substitute and media breach notification but did not provide individual breach notification because its server was inaccessible due to the ransomware attack and it could not retrieve its patients’ contact information. In response to the breach, DCFSM added an off-site backup, retrained all of its employees, and obtained a new server. DCFSM closed its business on December 20, 2016 and as of January 1, 2017, another business is operating the practice. OCR provided DCFSM with technical assistance regarding the Security Rule risk analysis and risk management provisions. | Desert Care Family and Sports Medicine AZ Healthcare Provider 500 | Tuesday | 2016 |
San Juan Oncology Associates | NM | Healthcare Provider | 500 | 2016-09-29 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | On September 29, 2016, San Juan Oncology Associates, the covered entity (CE), reported that it discovered the “Guardware@india” virus on its server. The breach affected the electronic protected health information (ePHI) of 11,383 individuals. The types of ePHI involved in the breach included demographic, financial, and clinical information. Following the breach, the CE installed a new computer server and antivirus software, completed a post risk analysis, and revised its breach notice policy to include all the elements of the media notice requirements. OCR obtained documentation of the CE’s implementation of security controls that will be continuously updated to demonstrate a culture of security compliance. OCR also provided technical assistance on breach notification and security risk analysis requirements. | San Juan Oncology Associates NM Healthcare Provider 500 | Thursday | 2016 |
Phoenix Dental Care | TN | Healthcare Provider | 500 | 2016-08-15 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Phoenix Dental Care TN Healthcare Provider 500 | Monday | 2016 |
Family Medicine of Weston | FL | Healthcare Provider | 500 | 2016-05-11 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Medicine of Weston FL Healthcare Provider 500 | Wednesday | 2016 |
Cromwell Fire District | CT | Healthcare Provider | 500 | 2016-03-10 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | Cromwell Fire District, the covered entity (CE), filed a breach report stating that a door to a storage room containing ambulance run reports was left propped open for approximately two hours. The OCR investigation revealed that the CE did not have policies and procedures in place at the time of the incident to conduct a breach risk assessment and had not conducted a breach risk assessment prior to filing the breach report with OCR. OCR provided technical assistance to the CE regarding conducting a breach risk assessment, breach notification requirements, and other provisions in the Privacy Rule. As a result of OCR’s investigation, the CE conducted a breach risk assessment and determined there was a low probability that the protected health information has been compromised based on the following factors: that the building received few visitors and was not known to have received a visitor during that time period, that the ambulance run reports appeared undisturbed, and that the situation was mitigated (the door was closed and locked) as soon as it was discovered. Thereafter, the CE determined that a breach had not occurred. In addition, as a result of OCR’s investigation, the CE revised and adopted additional policies and procedures, and implemented a new template business associate agreement. | Cromwell Fire District CT Healthcare Provider 500 | Thursday | 2016 |
Maine General Health | ME | Healthcare Provider | 500 | 2015-12-08 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Maine General Health ME Healthcare Provider 500 | Tuesday | 2015 |
Florida Department of Health, Children’s Medical Services | FL | Healthcare Provider | 500 | 2015-10-23 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE), Florida Department of Health, Children’s Medical Services, discovered that an employee faxed an e-mail roster with all patients that needed medical supplies to each of their medical vendors. The policy is that the medical supply vendor only receives the names of patients to whom it will directly supply orthopedic supplies. The protected health information (PHI) on the e-mail roster included patients’ names, dates of birth, and the insurance information of 523 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website. The CE also set up a toll free telephone number to answer questions. In response to the breach, the CE ceased the practice of sending daily rosters containing patient information to vendors. The CE sanctioned and re-trained the employee involved in this breach and retrained all employees on its HIPAA policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above. | Florida Department of Health, Children’s Medical Services FL Healthcare Provider 500 | Friday | 2015 |
Keystone Pharmacy, Inc. | MD | Healthcare Provider | 500 | 2015-06-09 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | Paper/Films | NA | NA | NA | NA | NA | NA | No | On April 27, 2015, rioting broke out in Baltimore, MD and the covered entity (CE), Keystone Pharmacy, was broken into, vandalized and looted. Multiple prescriptions and stock bottles of narcotics were taken. About 150 prescription bags containing patient names and the medications were stolen. The types of protected health information (PHI) contained on the prescriptions included names, addresses, and prescription information. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring. The location was immediately secured. The CE installed a new front door and upgraded the security system. OCR obtained assurances that the CE implemented the corrective actions listed. | Keystone Pharmacy, Inc. MD Healthcare Provider 500 | Tuesday | 2015 |
Puerto Rico Department of Heatlh - Medicaid Program | NA | Health Plan | 500 | 2015-04-22 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Puerto Rico Department of Heatlh - Medicaid Program NA Health Plan 500 | Wednesday | 2015 |
New | FL | Health Plan | 500 | 2015-03-27 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Electronic Medical Record | Network Server | | NA | NA | NA | NA | No | Entity is not covered by HIPAA. | New FL Health Plan 500 | Friday | 2015 |
National Pain Institute | FL | Healthcare Provider | 500 | 2015-01-15 | Improper Disposal | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | From July 13, 2013, to August 13, 2013, the covered entity (CE), National Pain Institute, distributed outdated computers to its employees for their personal use without first deleting all electronic protected health information (ePHI) from the computers. The computers contained the PHI of approximately 500 individuals, including names, addresses, dates of birth, diagnoses, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the incident, the CE tracked the computers, repossessed those computers that it was able to locate, and obtained written acknowledgement from the former employees that the PHI from the computers was not used or disclosed to others. In addition, the CE improved safeguards by encrypting all computers, upgrading the malware and software of desktop computers, improving network and email security, improving identity management, and automating and standardizing security for devices containing ePHI. The CE also updated its HIPAA policies and procedures, including a policy for responding to security incidents. OCR obtained assurances that the CE implemented the corrective actions listed. | National Pain Institute FL Healthcare Provider 500 | Thursday | 2015 |
Tri-City Medical Center | CA | Healthcare Provider | 500 | 2014-08-18 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | On August 7, 2014, an employee who was being terminated for cause took emergency department (ED) logs for 500 patients of the covered entity (CE), Tri-City Medical Center, and gave them to the California Department of Public Health (DPH) and the North County Newspaper. Upon learning of the theft, the CE contacted DPH which advised that it had the logs and would give them to the local police department once the CE filed a report for theft. The CE contacted the local police department and created a report of the 500 patients’ electronic protected health information (ePHI). The CE provided breach notification to HHS, affected individuals, and the media and created an 800-number to provide information for affected patients. The CE improved safeguards by reformatting the ED logs required for Emergency Medical Treatment and Labor Act (EMTALA) to be handled only electronically, placing all ED paper logs in a locked/secured cabinet, converting locks, and relocating all its printers and faxes to secure areas. The CE also retrieved the ED logs from the police department, retrained its entire workforce, and developed a facility policy for tracking the check-in and check-out of facility logs. OCR obtained written assurances that the CE implemented the corrective actions listed. | Tri-City Medical Center CA Healthcare Provider 500 | Monday | 2014 |
Minneapolis VA Health Care System | MN | Health Plan | 500 | 2014-07-17 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | The covered entity (CE) sent a batch of 500 generic letters to its members informing them of a new community based outpatient clinic opening that erroneously caused another member’s full name and address to appear on the back side of the document. The CE provided breach notification to HHS, affected individuals, and the media, and it also posted a notice on its website. To prevent a similar breach from happening in the future, the CE implemented a quality assurance check for batch mail. OCR obtained assurances that the CE implemented the corrective actions listed above. | Minneapolis VA Health Care System MN Health Plan 500 | Thursday | 2014 |
Porter, MD, Steven | UT | Healthcare Provider | 500 | 2014-05-06 | Improper Disposal | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Porter, MD, Steven UT Healthcare Provider 500 | Tuesday | 2014 |
University of Mississippi Medical Center | MS | Healthcare Provider | 500 | 2013-03-21 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | The University of Mississippi Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a resolution amount of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” said OCR Director Jocelyn Samuels. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. Further, OCR’s investigation revealed that UMMC failed to: | University of Mississippi Medical Center MS Healthcare Provider 500 | Thursday | 2013 |
Plexus Group | IL | Business Associate | 500 | 2013-03-01 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | Yes | Prime Therapeutics, a business associate (BA) and pharmacy benefit manager for the covered entity (CE), Ultra Stores, Inc.’s health plan, electronically submitted a file containing the eligibility information for plan members to the Illinois Department of Healthcare and Family Services (IDHFS), as required by law for Medicaid subrogation. Due to a system error during the file generation process, the electronic protected health information (ePHI) of at least 500 plan members who do not reside in Illinois were also included in the file. The ePHI in the mailing included full names, social security numbers, dates of birth, and home addresses. During the investigation, OCR learned that Signet Jewelers had acquired Ultra and, consequently, Ultra’s health plan no longer exists. Additionally, Sterling Jewelers (Sterling), a business unit of Signet, informed OCR that it believes that Ultra had erroneously reported the September 13, 2012 incident to OCR, as Prime had conducted a risk assessment and had determined that the incident was not a breach, as the file in issue was not accessed or viewed by anyone at IDHFS. OCR obtained and reviewed documentation indicating that, in response to the incident, the BA obtained confirmation from IDHFS that it destroyed the file and that it did not further disclose the file. The BA also corrected the system error and implemented changes to the file generation process to prevent the same error from recurring | Plexus Group IL Business Associate 500 | Friday | 2013 |
West Georgia Ambulance | GA | Healthcare Provider | 500 | 2013-02-11 | Loss | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | West Georgia Ambulance GA Healthcare Provider 500 | Monday | 2013 |
Blue Cross Blue Shield | IL | Business Associate | 500 | 2012-11-29 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | N/A | Blue Cross Blue Shield IL Business Associate 500 | Thursday | 2012 |
Memorial Hospital | OH | Healthcare Provider | 500 | 2012-10-29 | Improper Disposal | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Memorial Hospital OH Healthcare Provider 500 | Monday | 2012 |
LANA MEDICAL CARE | FL | Healthcare Provider | 500 | 2012-08-28 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | LANA MEDICAL CARE FL Healthcare Provider 500 | Tuesday | 2012 |
Titus Regional Medical Center | TX | Healthcare Provider | 500 | 2012-05-26 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | Titus Regional Medical Center, the covered entity (CE), reported the theft of the protected health information (PHI) of an undetermined number of individuals from an offsite storage location. The PHI involved in the breach included first and last names, medical record numbers, account numbers, and in some cases, doctor’s reports. The CE filed a police report and provided breach notification to HHS, affected individuals, and the media. The CE also provided additional training to the involved employees. As a result of OCR’s investigation, the CE conducted a risk assessment and implemented additional safeguards for records contained in the storage location. | Titus Regional Medical Center TX Healthcare Provider 500 | Saturday | 2012 |
Lankenau Medical Center | PA | Healthcare Provider | 500 | 2011-10-17 | Theft | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Lankenau Medical Center PA Healthcare Provider 500 | Monday | 2011 |
Knox Community Hospital | OH | Healthcare Provider | 500 | 2011-04-28 | Improper Disposal | NA | NA | NA | NA | NA | Other | NA | NA | NA | NA | NA | NA | NA | No | NA | Knox Community Hospital OH Healthcare Provider 500 | Thursday | 2011 |
CHC MEMPHIS CMHC, LLC | TN | Healthcare Provider | 500 | 2011-01-28 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | NA | CHC MEMPHIS CMHC, LLC TN Healthcare Provider 500 | Friday | 2011 |
Rockbridge Area Community Services | VA | Healthcare Provider | 500 | 2010-04-29 | Theft | NA | NA | NA | NA | NA | Desktop Computer | Laptop | NA | NA | NA | NA | NA | NA | No | NA | Rockbridge Area Community Services VA Healthcare Provider 500 | Thursday | 2010 |
Central Brooklyn Medical Group, PC | NY | Healthcare Provider | 500 | 2010-02-25 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR’s investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. | Central Brooklyn Medical Group, PC NY Healthcare Provider 500 | Thursday | 2010 |
The University of Texas Health Science Center at Houston | TX | Healthcare Provider | 500 | 2018-09-18 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | The University of Texas Health Science Center at Houston TX Healthcare Provider 500 | Tuesday | 2018 |
Leominster Dermatology LLP | MA | Healthcare Provider | 500 | 2018-09-13 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Leominster Dermatology LLP MA Healthcare Provider 500 | Thursday | 2018 |
First coast podiatric surgery and wound | FL | Business Associate | 500 | 2018-08-27 | Unauthorized Access/Disclosure | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | Yes | NA | First coast podiatric surgery and wound FL Business Associate 500 | Monday | 2018 |
Family Physicians of Old Town Fairfax PC | VA | Healthcare Provider | 500 | 2018-07-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Physicians of Old Town Fairfax PC VA Healthcare Provider 500 | Thursday | 2018 |
Community Cancer Center | IL | Healthcare Provider | 500 | 2018-06-26 | Hacking/IT Incident | NA | NA | NA | NA | NA | Desktop Computer | Network Server | NA | NA | NA | NA | NA | NA | No | NA | Community Cancer Center IL Healthcare Provider 500 | Tuesday | 2018 |
Family Healthcare of Lake Norman | NC | Healthcare Provider | 500 | 2018-06-19 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Family Healthcare of Lake Norman NC Healthcare Provider 500 | Tuesday | 2018 |
Baystate Family Dental, Inc. | MA | Healthcare Provider | 500 | 2018-05-04 | Theft | NA | NA | NA | NA | NA | Paper/Films | NA | NA | NA | NA | NA | NA | NA | No | NA | Baystate Family Dental, Inc. MA Healthcare Provider 500 | Friday | 2018 |
Memphis Pathology Laboratory d/b/a American Esoteric Laboratory | TN | Healthcare Provider | 500 | 2017-12-14 | Theft | NA | NA | NA | NA | NA | Laptop | NA | NA | NA | NA | NA | NA | NA | No | NA | Memphis Pathology Laboratory d/b/a American Esoteric Laboratory TN Healthcare Provider 500 | Thursday | 2017 |
Metrocare Services | TX | Healthcare Provider | 500 | 2017-11-17 | Hacking/IT Incident | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | NA | No | NA | Metrocare Services TX Healthcare Provider 500 | Friday | 2017 |
Waco Otolaryngology Associates d/b/a Waco Ear, Nose, & Throat | TX | Healthcare Provider | 500 | 2017-08-28 | Hacking/IT Incident | NA | NA | NA | NA | NA | Network Server | NA | NA | NA | NA | NA | NA | NA | No | NA | Waco Otolaryngology Associates d/b/a Waco Ear, Nose, & Throat TX Healthcare Provider 500 | Monday | 2017 |
Valperaiso Fire Department | IN | Health Plan | NA | 2013-09-03 | Theft | NA | NA | NA | NA | NA | Desktop Computer | NA | NA | NA | NA | NA | NA | NA | No | This case has been consolidated with another review for this covered entity. | Valperaiso Fire Department IN Health Plan NA | Tuesday | 2013 |
Hacking / IT data breaches by year
Breaches by Entity Type
year | Business Associate | Health Plan | Healthcare Clearing House | Healthcare Provider | NA |
---|---|---|---|---|---|
2009 | 3 | 1 | 0 | 14 | 0 |
2010 | 44 | 21 | 0 | 134 | 0 |
2011 | 45 | 18 | 1 | 135 | 0 |
2012 | 40 | 21 | 1 | 151 | 0 |
2013 | 64 | 17 | 2 | 192 | 0 |
2014 | 77 | 40 | 0 | 191 | 2 |
2015 | 12 | 62 | 0 | 195 | 0 |
2016 | 20 | 50 | 0 | 256 | 0 |
2017 | 20 | 52 | 0 | 285 | 0 |
2018 | 30 | 37 | 0 | 205 | 1 |
Day of week with highest breach submission
## # A tibble: 7 x 2
## day Count
## <chr> <int>
## 1 Friday 764
## 2 Thursday 428
## 3 Tuesday 406
## 4 Monday 390
## 5 Wednesday 383
## 6 Saturday 42
## 7 Sunday 26
Breach type change over each year.
BT1 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 |
---|---|---|---|---|---|---|---|---|---|---|
Hacking/IT Incident | 0 | 8 | 17 | 17 | 29 | 38 | 57 | 112 | 149 | 112 |
Improper Disposal | 0 | 10 | 7 | 8 | 13 | 12 | 6 | 7 | 11 | 6 |
Loss | 1 | 18 | 19 | 21 | 24 | 28 | 24 | 16 | 16 | 11 |
Other | 2 | 22 | 2 | 17 | 19 | 27 | 0 | 0 | 0 | 0 |
Theft | 15 | 130 | 118 | 122 | 125 | 121 | 80 | 62 | 56 | 33 |
Unauthorized Access/Disclosure | 0 | 10 | 29 | 28 | 63 | 83 | 102 | 129 | 125 | 111 |
Unknown | 0 | 0 | 7 | 0 | 2 | 1 | 0 | 0 | 0 | 0 |
NA | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
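The three summaries above (breaches by entity type per year, submissions by day of week, and breach type per year) are shown as results only; the page does not include the code that produced them. The block below is an added example, not code from the original page, showing one way to build all three with dplyr, tidyr and lubridate. It runs on a constructed six-row sample laid out with the same column names as the breach-portal data (Name of Covered Entity, Covered Entity Type, Individuals Affected, Breach Submission Date, BT1); the entity names, dates and counts in that sample are made up for illustration and are not drawn from the real files.

```r
library(dplyr)
library(tidyr)
library(lubridate)

# Constructed sample in the column layout used on this page.
# These records are made up; they are not rows from the archive
# or investigation files.
sample_breaches <- tibble::tribble(
  ~`Name of Covered Entity`, ~`Covered Entity Type`, ~`Individuals Affected`, ~`Breach Submission Date`, ~BT1,
  "Example Clinic A", "Healthcare Provider", 500,  "2013-03-21", "Loss",
  "Example Plan B",   "Health Plan",         2500, "2013-03-22", "Hacking/IT Incident",
  "Example Vendor C", "Business Associate",  800,  "2014-06-13", "Unauthorized Access/Disclosure",
  "Example Clinic D", "Healthcare Provider", 1200, "2014-06-14", "Theft",
  "Example Clinic E", "Healthcare Provider", 600,  "2015-09-04", "Hacking/IT Incident",
  "Example Plan F",   "Health Plan",         900,  "2015-09-05", "Hacking/IT Incident"
)

breaches <- sample_breaches %>%
  mutate(
    `Breach Submission Date` = as.Date(`Breach Submission Date`),
    year = year(`Breach Submission Date`),
    # Day the report was filed with HHS, not the day the incident occurred
    day  = wday(`Breach Submission Date`, label = TRUE, abbr = FALSE)
  )

# Breaches by entity type: one row per year, one column per Covered Entity Type,
# zero where a type had no reports that year
entity_by_year <- breaches %>%
  count(year, `Covered Entity Type`) %>%
  pivot_wider(names_from = `Covered Entity Type`, values_from = n, values_fill = 0)

# Day of week with the highest breach submission count, most frequent first
by_day <- breaches %>%
  count(day, name = "Count") %>%
  arrange(desc(Count))

# Breach type change over each year: one row per BT1 value, one column per year
type_by_year <- breaches %>%
  count(BT1, year) %>%
  pivot_wider(names_from = year, values_from = n, values_fill = 0) %>%
  arrange(BT1)

entity_by_year
by_day
type_by_year
```

Two points to keep in mind when reading the real tables: `Breach Submission Date` is the filing date, so the day-of-week counts describe when covered entities file with HHS rather than when incidents happen, and `BT1` holds only the first listed breach type, so an incident tagged with several types (BT2 onward) is counted once under its first tag in the type-by-year summary.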