What is this Healthcare Breach Data?
This data set contains breaches in healthcare throughout the United States. The set reports variables such as the Name of the Covered Entity, State, Covered Entity Type, Individuals Affected, Breach Submission Date, Type of Breach, Location of Breached Information, Business Associate Present, and Web Description. The data has been reported on the OCR data portal since 2009: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
Creating my Own Summary Statistics
To start, I created 5 different visuals to get acquainted with the data. I began by simply wanting to know the number of cases in my home state versus the state I am moving to after graduation. Following that, I wanted to see whether there were any cases where fewer than 1000 individuals were affected. At first glance the data seems to consist entirely of massive cases, but it turns out they are not all huge. Next, I wanted to see the average number of individuals affected overall, so from my previous statistic I went on to find the overall average. For my fourth summary statistic I wanted to look specifically at email breaches. I still know people who make passwords as silly as “Password1!”, so I wanted to see how many cases resulted from email breaches. Lastly, given how many come from email, I wanted to see who is still keeping important files on paper or film. Personally, that seems very inefficient, so I wanted to see, by comparison, how many breaches there were in Paper/Films.
| Average Individuals Affected |
|---|
| 72703.15 |
Number of Healthcare Data Breaches by Year
The visual below depicts the number of breaches reported each year. There is no clear pattern or consistency in how many are reported from year to year; the counts appear random.
The Top 25 Largest Healthcare Data Breaches
The table below lists the largest data breaches over this period. It is interesting that no single state or region is heavily represented; these breaches occur all over the United States.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present | Web Description | Theft | Hacking/IT Incident | Improper Disposal | Loss | Unauthorized Access/Disclosure | Unknown | Other |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Anthem, Inc. Affiliated Covered Entity | IN | Health Plan | 78800000 | 2015-03-13 | Hacking/IT Incident | Network Server | No | On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and potentially stolen over 37.5 million records that contain |
FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE |
| Science Applications International Corporation (SA | VA | Business Associate | 4900000 | 2011-11-04 | Loss | Other | Yes | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | Healthcare Provider | 4029530 | 2013-08-23 | Theft | Desktop Computer | No | Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan. This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country. |
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.” OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals. The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to: •conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI; •implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center; •obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and •reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight. Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois. 
|TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |21st Century Oncology |FL |Healthcare Provider | 2213597|2016-03-04 |Hacking/IT Incident |Network Server |No |Failure to protect the health records of millions of persons costs entity millions of dollars 21st Century Oncology, Inc. (21CO) has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. 21CO is a provider of cancer care services and radiation oncology. With their headquarters located in Fort Myers, Florida, 21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America.
On two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21CO that patient information was illegally obtained by an unauthorized third party and produced 21CO patient files purchased by an FBI informant. As part of its internal investigation, 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within 21CO’s network. 21CO determined that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. OCR’s subsequent investigation revealed that 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement.
“People need to trust that their private health information will remain exactly that; private,” said OCR Director Roger Severino. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”
In addition to a $2.3 million monetary settlement, a corrective action plan requires 21CO to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.
On May 25, 2017, 21CO filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement with OCR will resolve OCR’s claims against 21CO and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place. The settlement with OCR was approved by the Bankruptcy Court on December 11, 2017.
The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/21CO/index.html. |FALSE |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE | |Xerox State Healthcare, LLC |TX |Business Associate | 2000000|2014-09-10 |Unauthorized Access/Disclosure |Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device |Yes ||FALSE |FALSE |FALSE |FALSE |TRUE |FALSE |FALSE | |IBM |NY |Business Associate | 1900000|2011-04-14 |Unknown |Other |Yes ||FALSE |FALSE |FALSE |FALSE |FALSE |TRUE |FALSE | |GRM Information Management Services |NJ |Business Associate | 1700000|2011-02-11 |Theft |Electronic Medical Record, Other |Yes |Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity’s (CE) business associate (BA). The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother’s name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI. |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |AvMed, Inc. 
|FL |Health Plan | 1220000|2010-06-03 |Theft |Laptop |No |Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity’s (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR’s investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals. |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Montana Department of Public Health & Human Services |MT |Health Plan | 1062509|2014-07-07 |Hacking/IT Incident |Network Server |No |Montana Department of Public Health and Human Services, the covered entity (CE), experienced a server hacking incident due to an undetected and unpatched application code vulnerability, which allowed misuse of its information system resources for about 9 months. The incident affected over 1 million individuals’ demographic, clinical, and/or financial information. Upon discovery, the CE immediately took the affected server offline, reported the incident to state and federal law enforcement, and conducted an investigation with assistance from an independent forensics firm. The CE provided breach notification to HHS, affected individuals, and the media. It also set up a call center and offered credit monitoring and identity theft services for all eligible individuals. 
OCR confirmed that the CE implemented a number of corrective actions as a result of this incident, including technical enhancements and safeguards to protect its information systems and network resources. OCR provided substantial technical assistance, and the CE implemented alternate safeguards, policies, and procedures to more effectively identify and remediate potential vulnerabilities in its server-hosted applications. |FALSE |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE | |The Nemours Foundation |FL |Healthcare Provider | 1055489|2011-10-07 |Loss |Other |No |A locked cabinet was removed from an IT service desk area at the Wilmington, Delaware facility of the covered entity (CE), The Nemours Foundation during an August 2011 remodeling project. The cabinet housed three unencrypted backup tapes containing the electronic protected health information (ePHI) of 1,055,489 individuals. The ePHI involved in the breach included patients’ names, addresses, social security numbers, diagnoses and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring to affected individuals. Following the incident, the CE hired a private investigator to assist in locating the missing backup tapes; however, they were not recovered. Additionally, the CE retained Navigant Consulting to assess the recoverability of the information and to conduct a validation review of CE’s internal analyses. In response to the incident, the CE improved safeguards by encrypting all backup tapes, storage devices, and electronic media that may contain e-PHI, moving backup tapes to a secure off-site facility, installing non-movable storage cabinets in its data centers, and implementing two-factor authentication for access to ePHI. 
It also hired a system administrator to manage and audit backup procedures, retrained staff, and updated and created HIPAA policies and procedures, including role-based access to cabinets containing backup data. OCR obtained assurances that the corrective actions listed above were carried out. |FALSE |FALSE |FALSE |TRUE |FALSE |FALSE |FALSE | |BlueCross BlueShield of Tennessee, Inc. |TN |Health Plan | 1023209|2010-11-01 |Theft |Other |No ||TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Sutter Medical Foundation |AL |Healthcare Provider | 943434|2011-11-17 |Theft |Desktop Computer |No ||TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants |AZ |Healthcare Provider | 882590|2016-08-12 |Hacking/IT Incident |Network Server |No |The covered entity (CE), Valley Anesthesiology Consultants, Inc., d/b/a Valley Anesthesiology and Pain Consultants, was acquired by Sheridan Healthcorp, Inc., and became its subsidiary. A third party may have gained unauthorized access to the CE’s computer systems on March 30, 2016, affecting 88,590 individuals. The types of electronic protected health information (ePHI) that were potentially accessed included demographic and clinical information. In response to the breach, the CE immediately disabled the account through which unauthorized access was potentially gained. A forensics firm investigated the breach and reported that approximately nine additional foreign internet protocol (IP) addresses attempted to use remote desktop protocols to access various parts of the CE’s computer systems using accounts with administrator privileges. The CE “blacklisted” these IP addresses as the investigation continued in order to allow the firewall to block any attempts to access the electronic health record program through the remote desktop protocol. 
The forensics firm also identified fifteen suspicious local accounts and three administration accounts that were potentially compromised. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice in accordance with the Breach Notification Rule. OCR provided technical assistance regarding the CE’s obligations to conduct a comprehensive and current security risk analysis and implement a corresponding risk management/mitigation plan to address any findings. OCR also provided TA regarding the CE’s obligations to document evidence of its implemented security awareness training program, to include training material (not just email reminders), and a record of completion by workforce and management. Additionally, OCR stated the expectation that the CE clarify why non-ePHI applications are not governed by the same user access review procedures. |FALSE |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE | |Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates |NJ |Business Associate | 839711|2014-01-03 |Theft |Laptop |Yes ||TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Iron Mountain Data Products, Inc. (now known as |PA |Business Associate | 800000|2010-07-19 |Loss |Electronic Medical Record, Other, Other Portable Electronic Device |Yes ||FALSE |FALSE |FALSE |TRUE |FALSE |FALSE |FALSE | |Utah Department of Technology Services |UT |Business Associate | 780000|2012-04-11 |Hacking/IT Incident |Network Server |Yes |OCR opened an investigation of the covered entity (CE), Utah Department of Health, after it reported that a hacker had gained access to the network server of it business associate (BA), Utah Department of Technology Services (DTS). During the cyberattack, the hacker copied the unencrypted electronic protected health information (ePHI) of approximately 780,000 individuals to an internet protocol address in Romania. 
The ePHI involved in the breach included names, addresses, birth dates, social security numbers, physicians’ names, and procedure codes designed for billing purposes. The CE provided breach notification to HHS, affected individuals, and the media, and provided free credit monitoring to affected individuals. Following the breach, the CE entered into a BA agreement with DTS. It also improved safeguards by developing an incident response plan, improving its password management process, strengthening its security practices to include encryption and improved firewalls, and completing a new risk analysis and risk management plan. OCR obtained assurances that the CE implemented the corrective actions noted above. |FALSE |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE | |AHMC Healthcare Inc. and affiliated Hospitals |CA |Healthcare Provider | 729000|2013-10-25 |Theft |Laptop |No |Two unencrypted laptop computers containing the protected health information (PHI) of 729,000 individuals were stolen from a secure office on October 23, 2013. The types of PHI involved in the breach included financial information, diagnoses, conditions, treatment information, and demographic information. The covered entity (CE), AHMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented and maintained an encryption plan. It also developed policies and procedures regarding access to and receipt and removal of electronic PHI (ePHI). It also improved safeguards to reduce risks and vulnerabilities to ePHI. As a result of this investigation, OCR provided technical assistance to the CE regarding its obligations to implement and maintain policies and procedures that comply with the Privacy and Security Rules, conduct an accurate and thorough risk analysis, and implement a risk management plan. OCR also provided technical assistance regarding encryption. 
|TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |EISENHOWER MEDICAL CENTER |CA |Healthcare Provider | 514330|2011-03-30 |Theft |Desktop Computer |No ||TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Radiology Regional Center, PA |FL |Healthcare Provider | 483063|2016-02-12 |Loss |Paper/Films |Yes |On December 19, 2015, 12 boxes containing 483,063 patients’ records fell off of the business associate’s (BA) truck and onto the street while being transported to the incinerator. The types of PHI in the records included patients’ names, addresses, dates of birth, social security numbers, claims information, credit card/bank information, diagnosis codes, lab results, and treatment information. The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its website. It also activated a call center on January 12th, 2016, which provided information about the breach for 90 days, and provided identity protection for one year to the affected individuals. In response to the incident, the CE opened an internal investigation and interviewed all relevant staff and its business associate. The CE ended its business relationship with the BA, Lee County Solid Waste Division, and improved safeguards by changed the process for records’ destruction. OCR obtained assurances that the CE implemented the corrective actions listed above. |FALSE |FALSE |FALSE |TRUE |FALSE |FALSE |FALSE | |Puerto Rico Department of Health - Triple S Management Corp. 
|PR |Health Plan | 475000|2010-11-04 |Unauthorized Access/Disclosure |Network Server |Yes |On November 5, 2010, the Puerto Rico Department of Health (DOH), a hybrid entity, reported on behalf of the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, that it discovered that two former staff members of the business associates (BAs) Triple-S Salud (TSS) and Triple-C, improperly accessed restricted areas of TSS’ proprietary internet IPA database managed by Triple-C, Inc. The staff members, who were employed by a competitor, were able to gain access to the database because their access rights were not terminated upon leaving the employment of TSS. As a result, the electronic protected health information in the database, including 400,000 of the CE’s members’ names, contract numbers, home addresses, diagnostic codes, and treatment codes, was accessed. DOH provided breach notification to HHS, and TSS provided breach notification to affected individuals, and the media. Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified period. |FALSE |FALSE |FALSE |FALSE |TRUE |FALSE |FALSE | |St Joseph Health System |TX |Healthcare Provider | 405000|2014-02-05 |Hacking/IT Incident |Network Server |No |A computer server containing the records of 405,124 patients of the covered entity (CE), St. Joseph Health System, was hacked during a power surge. The electronic protected health information (ePHI) on the server included names, dates of birth, social security numbers, medical information, bank account information, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved administrative and technical security and developed and revised policies and procedures addressing the breach. 
OCR obtained assurances that the CE implemented the corrective actions listed. |FALSE |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE | |Spartanburg Regional Healthcare System |SC |Healthcare Provider | 400000|2011-05-27 |Theft |Desktop Computer |No |Three unencrypted desktop computers and one unencrypted laptop computer in need of repair were stolen from an IT employee’s vehicle when he stopped at his home when transporting the equipment from an offsite location to the main hospital. The home stop was against the CE’s internal policies and procedures and exposed the protected health information (PHI) of 402,647 patients, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered affected individuals one year of free credit monitoring. In response to the breach, the CE revised its new employee and upper management orientation materials to reflect updated HIPAA revisions. The CE encrypted all of the hard drives on its computers. It also updated policies and procedures regarding electronic data and use of company vehicles. Additionally, the CE began distributing an information security newsletter to employees. The CE sanctioned the involved employee for violating the CE’s handling of computer equipment policy. OCR obtained assurances that the CE implemented the corrective actions listed above. |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Triple-S Salud, Inc. - Breach Case#2 |PR |Health Plan | 398000|2014-01-24 |Theft |Network Server |Yes |Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. 
Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.
“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.
After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:
Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:
A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.
“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.” |TRUE |FALSE |FALSE |FALSE |FALSE |FALSE |FALSE | |Triple-S Salud, Inc. |PR |Health Plan | 398000|2010-11-18 |Theft |Network Server |No |Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.
“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.
After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:
Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:
A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.
Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.
“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”

Indicator columns for this row (unlabelled in this extract): TRUE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE

| Field | Value |
|---|---|
| Name of Covered Entity | Community Health Plan of Washington |
| State | WA |
| Covered Entity Type | Health Plan |
| Individuals Affected | 381504 |
| Breach Submission Date | 2016-12-21 |
| Type of Breach | Hacking/IT Incident |
| Location of Breached Information | Network Server, Other |
| Business Associate Present | No |
| Web Description | Transactions Application Group, Inc., a business associate (BA) for the covered entity (CE), Community Health Plan of Washington, failed to properly secure a port on a computer network server used for transferring electronic files (a File Transfer Protocol (FTP) server), resulting in an incident of unauthorized access to electronic protected health information (ePHI) maintained at the BA. The breach affected 381,504 individuals and included individuals’ names, addresses, dates of birth, social security numbers, and certain coding information related to health care claims. The CE provided breach notification to the affected parties, the media, and HHS, and offered one year of free credit and identity theft monitoring. The CE also implemented additional technical safeguards. OCR obtained assurances that the CE implemented the corrective actions listed above. |
| Indicator columns (unlabelled in this extract) | FALSE, TRUE, FALSE, FALSE, FALSE, FALSE, FALSE |
Total Healthcare Records Exposed
This visual shows the top 10 states by total number of individuals affected over the whole period. Indiana is significantly ahead of every other state in this data set.
Number of Healthcare Hacking Incidents by Month
This visual shows the number of Hacking/IT Incident breaches per month. It does not reveal much, because most months are relatively similar: March and April clearly have the most incidents, but the variation between months is small.
Number of Breaches by Covered Entity Type
This table is a simple count of the number of breaches for each covered entity type. It looks basic, but it is useful for the questions that follow.
On what day of the week are breaches most often reported?
This visual shows clearly that Friday is the day of the week with the most breaches reported: it is almost double any single day from Monday through Thursday, while Saturday and Sunday report very few.
In which year(s) were there at least 50 breaches from a ‘Business Associate’ covered entity type and at least 150 breaches from a healthcare provider covered entity type?
This table answers the question directly: only 2013 and 2014 meet both requirements.
How has the type of breach changed for each year?
The table is broken down by year, showing the total for each breach type in that year and the overall total of breaches that year. It is fascinating that most of these breaches are through theft, and that theft increases heavily over the years. Most other types of breach stay relatively consistent overall, as shown below.
Which covered entity results in the highest number of individuals affected?
From this visual, healthcare providers report the most breaches, followed by business associates, then health plans, with healthcare clearing houses close to nothing.
In what year are there the greatest number of people affected?
This question is answered with a visual that plots each year against the sum of the number of individuals affected. 2015 had by far the greatest number of people affected, at about 80,000,000, while every other year is below 10,000,000 apart from 2011, which is just over. From this graph, I would be interested to read more about what was going on in 2015.
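The questions above, from the day-of-week breakdown through the year with the most people affected (plus the state totals and monthly hacking counts), are all group-by summaries over the same columns. The Python below is an added example and not the report's own code (the report's visuals were built separately); it assumes a CSV export in the column layout the report lists, and the rows embedded in it are constructed sample data, not real OCR entries.

```python
"""Summary statistics over an OCR-style breach extract.

Added example for this report; it is not code from the original page. The
rows below are constructed sample data in the OCR portal's column layout
(the column names are the report's variables; every value is invented).
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows (not real breach reports); names are placeholders.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,IN,Healthcare Provider,1200,2013-03-15,Theft,Laptop,No
Example Plan B,WA,Health Plan,381504,2016-12-21,Hacking/IT Incident,"Network Server, Other",No
Example BA C,TX,Business Associate,800,2013-06-07,Unauthorized Access/Disclosure,Email,Yes
Example Clinic D,CA,Healthcare Provider,50000,2014-10-03,Hacking/IT Incident,Network Server,No
Example Clinic E,IN,Healthcare Provider,78800000,2015-03-13,Hacking/IT Incident,Network Server,No
Example BA F,NY,Business Associate,600,2014-01-10,Theft,Paper/Films,Yes
"""

HACKING = "Hacking/IT Incident"


def load_rows(text):
    """Parse the CSV text, converting counts to int and dates to date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Individuals Affected"] = int(row["Individuals Affected"])
        row["Breach Submission Date"] = datetime.strptime(
            row["Breach Submission Date"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def breaches_by_year(rows):
    """Number of reported breaches per submission year."""
    return Counter(r["Breach Submission Date"].year for r in rows)


def individuals_by_year(rows):
    """Sum of individuals affected per submission year."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["Breach Submission Date"].year] += r["Individuals Affected"]
    return dict(totals)


def peak_year(rows):
    """(year, total) for the year with the most individuals affected."""
    return max(individuals_by_year(rows).items(), key=lambda kv: kv[1])


def breaches_by_weekday(rows):
    """Number of breaches by weekday name of the submission date."""
    return Counter(r["Breach Submission Date"].strftime("%A") for r in rows)


def hacking_by_month(rows):
    """Number of Hacking/IT Incident breaches per calendar month (1-12)."""
    return Counter(r["Breach Submission Date"].month
                   for r in rows if r["Type of Breach"] == HACKING)


def breach_type_by_year(rows):
    """year -> Counter of breach types reported that year."""
    table = defaultdict(Counter)
    for r in rows:
        table[r["Breach Submission Date"].year][r["Type of Breach"]] += 1
    return dict(table)


def years_meeting_threshold(rows, ba_min=50, provider_min=150):
    """Years with at least ba_min Business Associate breaches and at least
    provider_min Healthcare Provider breaches (the report's question)."""
    per_year = defaultdict(Counter)
    for r in rows:
        per_year[r["Breach Submission Date"].year][r["Covered Entity Type"]] += 1
    return sorted(y for y, c in per_year.items()
                  if c["Business Associate"] >= ba_min
                  and c["Healthcare Provider"] >= provider_min)


def top_states_by_individuals(rows, n=10):
    """States ranked by total individuals affected, largest first."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["State"]] += r["Individuals Affected"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def largest_breaches(rows, n=25):
    """The n rows with the most individuals affected, largest first."""
    return sorted(rows, key=lambda r: r["Individuals Affected"], reverse=True)[:n]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("breaches by year:", dict(breaches_by_year(rows)))
    print("peak year:", peak_year(rows))
    print("by weekday:", dict(breaches_by_weekday(rows)))
    print("threshold years:", years_meeting_threshold(rows, ba_min=1, provider_min=1))
    print("top states:", top_states_by_individuals(rows, 3))
```

Running the script prints the summaries for the sample rows; to reproduce the report's tables, replace `SAMPLE_CSV` with the portal export (same headers, with the date format adjusted to whatever the export uses) and call `years_meeting_threshold` with its default thresholds of 50 and 150. One caveat worth keeping in mind when reading the weekday and monthly charts: the column being grouped is the Breach Submission Date, the day the entity reported to HHS, not the day the breach occurred, so those counts describe reporting behaviour rather than the timing of the incidents themselves.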
Conclusion
This data set is full of interesting and thought-provoking variables that in turn create fascinating visuals.