| Brooke Army Medical Center | TX | Healthcare Provider | 1000 | 10/21/2009 | Theft | Paper/Films | No | A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR's investigation, the CE notified the local media about the breach. |
| Mid America Kidney Stone Association, LLC | MO | Healthcare Provider | 1000 | 10/28/2009 | Theft | Network Server | No | Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR's investigation the CE updated its computer password policy. |
| Alaska Department of Health and Social Services | AK | Healthcare Provider | 501 | 10/30/2009 | Theft | Other, Other Portable Electronic Device | No | \N |
| Health Services for Children with Special Needs, Inc. | DC | Health Plan | 3800 | 11/17/2009 | Loss | Laptop | No | A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training.
\ |
| Mark D. Lurie, MD | CA | Healthcare Provider | 5166 | 11/20/2009 | Theft | Desktop Computer | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indiv's and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
\ |
| L. Douglas Carlson, M.D. | CA | Healthcare Provider | 5257 | 11/20/2009 | Theft | Desktop Computer | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules.
\ |
| David I. Cohen, MD | CA | Healthcare Provider | 857 | 11/20/2009 | Theft | Desktop Computer | No | A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
\ |
| Michele Del Vicario, MD | CA | Healthcare Provider | 6145 | 11/20/2009 | Theft | Desktop Computer | No | A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
\ |
| Joseph F. Lopez, MD | CA | Healthcare Provider | 952 | 11/20/2009 | Theft | Desktop Computer | No | A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules.
\ |
| City of Hope National Medical Center | CA | Healthcare Provider | 5900 | 11/23/2009 | Theft | Laptop | No | A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees.
\ |
| The Children's Hospital of Philadelphia | PA | Healthcare Provider | 943 | 11/24/2009 | Theft | Laptop | No | A laptop computer was stolen from a hospital employee’s vehicle. The computer contained the protected health information (PHI) of 943 individuals and included names, contact information, dates of birth, social security numbers, medical record numbers, and health insurance information including diagnosis codes and billing code descriptions. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE accelerated and completed implementation of a pre-existing plan to encrypt all hospital laptops. Additionally, the CE revised its information security policies and retrained its workforce. OCR obtained assurances that the CE implemented the corrective actions listed above. |
| Cogent Healthcare, Inc. | TN | Business Associate | 6400 | 11/25/2009 | Theft | Laptop | Yes | A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices. |
| Democracy Data & Communications, LLC ( | VA | Business Associate | 83000 | 12/08/2009 | Other | Paper/Films | Yes | In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010.
\ |
| Kern Medical Center | CA | Healthcare Provider | 596 | 12/10/2009 | Theft | Other | No | \N |
| Rick Lawson, Professional Computer Services | NC | Business Associate | 2000 | 12/11/2009 | Theft | Desktop Computer, Electronic Medical Record, Network Server | Yes | The covered entity (CE) changed the business associate (BA) it used as its information technology vendor. During the transition, a workforce member of the outgoing BA entered the CE's computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. The BA also removed the CE's backup program and deactivated all of its antivirus software. The breach affected approximately 2,000 individuals. The protected health information (PHI) involved in the breach included patients' names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CE's master system and enabled direct controls for the CE. A new server was installed with no ties to the previous BA. The new BA corrected the CE's passwords and settings, mitigating the issues caused by the previous vendor. The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule. As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees.
\
\
\ |
| Detroit Department of Health and Wellness Promotion | MI | Healthcare Provider | 646 | 12/15/2009 | Theft | Desktop Computer, Laptop | No | A desktop and four laptop computers were stolen from the covered entity's locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident
\ |
| Detroit Department of Health and Wellness Promotion | MI | Healthcare Provider | 10000 | 12/15/2009 | Theft | Other Portable Electronic Device | No | \N |
| University of California, San Francisco | CA | Healthcare Provider | 610 | 12/15/2009 | Other | Email | No | \N |
| Daniel J. Sigman MD PC | MA | Business Associate | 1860 | 01/07/2010 | Theft | Electronic Medical Record, Other, Other Portable Electronic Device | Yes | Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media.
\ |
| Service Benefits Plan Administrative Services Corp | DC | Business Associate | 3400 | 01/08/2010 | Theft | Paper/Films | Yes | The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.
\
\ |
| Massachusetts Eye and Ear Infirmary | MA | Healthcare Provider | 1076 | 01/08/2010 | Theft | Other | No | Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals. The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card. OCR reviewed the CE's breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification.
\
\
\ |
| Merkle Direct Marketing | MD | Business Associate | 15000 | 01/11/2010 | Theft | Paper/Films | Yes | The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. |
| Kaiser Permanente Medical Care Program | CA | Healthcare Provider | 15500 | 01/12/2010 | Theft | Other, Other Portable Electronic Device | No | An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entity's (CE) employee. The ePHI involved in the breach included names, medical record numbers, and treatment information. A subset of records may also have included dates of birth, age, gender, and phone numbers. Following the breach, the responsible employee was terminated for violating the CE's policies. OCR obtained assurances of the CE's policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS. In addition, the CE deployed encryption software for removable media. |
| United Micro Data | ID | Business Associate | 2562 | 01/14/2010 | Theft | Other | Yes | The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards.
\ |
| Goodwill Industries of Greater Grand Rapids, Inc. | MI | Healthcare Provider | 10000 | 01/15/2010 | Theft | Other | No | On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance.
\ |
| Children's Medical Center of Dallas | TX | Healthcare Provider | 3800 | 01/18/2010 | Loss | Other, Other Portable Electronic Device | No | \N |
| Ashley and Gray DDS | MO | Healthcare Provider | 9309 | 01/19/2010 | Theft | Desktop Computer | No | \N |
| Concentra | TX | Healthcare Provider | 900 | 01/19/2010 | Theft | Laptop | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entity's (CE) facilities. The ePHI included demographic and clinical data. Following the breach, the CE filed a police report and notified affected patients, HHS and the media. Following OCR's investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases. The CE also implemented physical and technical safeguards for all testing devices that contain ePHI and replaced outdated machines that could not be encrypted. Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted. OCR obtained assurances that the CE implemented the corrective action listed above.
\
\ |
| Advocate Health Care | IL | Healthcare Provider | 812 | 01/22/2010 | Theft | Laptop | No | On November 24, 2009, an Advocate nurse's laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCR's investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards.
\ |
| The Methodist Hospital | TX | Healthcare Provider | 689 | 01/25/2010 | Theft | Other | No | An unencrypted laptop computer was stolen from the covered entity's unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
\ |
| University of California, San Francisco | CA | Healthcare Provider | 7300 | 01/27/2010 | Theft | Laptop | No | \N |
| Carle Clinic Association | IL | Healthcare Provider | 1300 | 01/28/2010 | Theft | Other, Paper/Films | No | \N |
| Health Behavior Innovations (HBI) | UT | Business Associate | 5700 | 02/05/2010 | Theft | Other | Yes | A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entity's (CE) locked medical office. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers. Following OCR's investigation, the CE improved its physical safeguards and retrained employees. |
| Center for Neurosciences | AZ | Healthcare Provider | 1100 | 02/10/2010 | Theft | Laptop | No | \N |
| Blue Cross Blue Shield of RI | RI | Business Associate | 528 | 02/16/2010 | Other | Paper/Films | Yes | On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud.
\ |
| MSO of Puerto Rico | PR | Business Associate | 605 | 02/17/2010 | Theft | Paper/Films | Yes | The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures.
\
\ |
| MSO of Puerto Rico, Inc. | PR | Business Associate | 1907 | 02/17/2010 | Theft | Paper/Films | Yes | The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures.
\
\
\ |
| Cardiology Consultants/Baptist Health Care Corporation | FL | Healthcare Provider | 8000 | 02/18/2010 | Theft | Desktop Computer | No | A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities.
\
\ |
| State of TN, Bureau of TennCare | TN | Health Plan | 3900 | 02/19/2010 | Theft | Paper/Films | No | The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above.
\
\ |
| Lucille Packard Children's Hospital | CA | Healthcare Provider | 532 | 02/21/2010 | Other | Desktop Computer | No | \N |
| University of New Mexico Health Sciences Center | NM | Healthcare Provider | 1900 | 02/23/2010 | Other | Desktop Computer | No | \N |
| Advanced NeuroSpinal Care | CA | Healthcare Provider | 3500 | 02/23/2010 | Theft | Network Server | No | A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft. |
| Central Brooklyn Medical Group, PC | NY | Healthcare Provider | 500 | 02/25/2010 | Theft | Paper/Films | No | OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. |
| Shands at UF | FL | Healthcare Provider | 12580 | 03/01/2010 | Theft | Laptop | No | A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption.
\ |
| Wyoming Department of Health | WY | Health Plan | 9023 | 03/02/2010 | | Network Server | No | \N |
| Thrivent Financial for Lutherans | WI | Health Plan | 9500 | 03/03/2010 | Theft | Laptop | No | On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance.
\ |
| North Carolina Baptist Hospital | NC | Healthcare Provider | 554 | 03/03/2010 | Theft | Paper/Films | No | An employee’s car was broken into and a tote bag, which had a paper spreadsheet containing protected health information (PHI), was stolen. The spreadsheet contained PHI pertaining to 554 patients and included patients’ names, ages, weight, race, social security numbers, and blood and tissue typing. The covered entity (CE), North Carolina Baptist Hospital, provided breach notification to HHS, affected individuals, and the media, and offered affected individuals a year of credit monitoring services along with a toll-free number to contact. Following the breach, the CE reviewed the applicable policies and procedures with the clinic responsible, revised the spreadsheet to no longer include patients’ social security numbers, and counseled and warned the involved employee about the requirements for properly safeguarding PHI. Additionally, the Chief Executive Officer of the Medical Center emailed all employees to re-educate them about the importance of properly safeguarding PHI and the expectations for compliance and commitment to adhering to federal and state privacy and security laws. As a result of OCR’s investigation, the CE provided an alternate, secure way to electronically access the clinic spreadsheet, installed video cameras in the parking dock, and externally inspected employee vehicles to assure no PHI was visible. The CE established a Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices. |
| Montefiore Medical Center | NY | Healthcare Provider | 625 | 03/09/2010 | Theft | Laptop | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above. |
| Ernest T. Bice, Jr. DDS, P.A. | TX | Healthcare Provider | 21000 | 03/10/2010 | Theft | Other, Other Portable Electronic Device | No | Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
\ |
| Lee Memorial Health System | FL | Healthcare Provider | 3800 | 03/17/2010 | Other | Paper/Films | No | The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures.
\ |
| Laboratory Corporation of America/Dynacare Northwest, Inc. | WA | Healthcare Provider | 5080 | 03/18/2010 | Theft | Laptop | No | A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers.
\ |
| Mount Sinai Medical Center | FL | Healthcare Provider | 2600 | 03/23/2010 | Theft | Laptop | No | \N |
| Griffin Hospital | CT | Healthcare Provider | 957 | 03/26/2010 | Hacking/IT Incident | Network Server | No | \N |
| Hypertension, Nephrology, Dialysis and Transplantation, PC | AL | Healthcare Provider | 2465 | 03/27/2010 | Theft | Laptop | No | \N |
| Computer Program and Systems, Inc. (CPSI) | AL | Business Associate | 768 | 03/30/2010 | | Email | Yes | \N |
| Laboratory Corporation of America / US LABS / Dianon Systems, Inc | AZ | Healthcare Provider | 2773 | 04/01/2010 | Theft | Other Portable Electronic Device | No | An external hard drive containing ePHI of 2,773 individuals was stolen. The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers. CE advises OCR that notice to the individuals went out April 13 and 14, 2010. The media (St. Petersburg Times) was notified. CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media.
\
\ |
| University of Pittsburgh Student Health Center | PA | Healthcare Provider | 8000 | 04/02/2010 | Loss, Theft | Paper/Films | No | \N |
| VHS Genesis Lab Inc. | IL | Healthcare Provider | 6800 | 04/05/2010 | Loss | Paper/Films | No | The covered entity (CE), VHS Genesis Lab, Inc., misplaced a month’s worth of client invoices which were never located. The invoices contained the protected health information (PHI) of over 500 individuals and included names, dates of birth, and medical testing information. The CE provided breach notification to HHS, affected individuals and the media, and placed notice on its website. Following the breach, the CE arranged for a business associate to handle the mailing of invoices. OCR obtained assurances that the CE implemented the corrective actions listed above. |
| Providence Hospital | MI | Healthcare Provider | 83945 | 04/05/2010 | Other | Other | No | \N |
| Pediatric Sports and Spine Associates | TX | Healthcare Provider | 955 | 04/09/2010 | Theft | Laptop | No | An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media.
\ |
| McKesson Information Solutions, LLC | GA | Business Associate | 660 | 04/09/2010 | Other | Paper/Films | Yes | \N |
| Affinity Health Plan, Inc. | NY | Health Plan | 344579 | 04/14/2010 | Theft | Other | No | Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area.
\Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
\Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR's investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.
\This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent, said OCR Director Leon Rodriguez. 'HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information.'
\In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.
\ |
| Tomah Memorial Hospital | WI | Healthcare Provider | 600 | 04/16/2010 | Other | Other | No | A nurse impermissibly used the protected health information (PHI) of approximately 600 patients to obtain narcotics from the covered entity (CE), Tomah Memorial Hospital, for her own use. The PHI involved in the breach included patients’ names and account numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by creating a monthly audit of Schedule II narcotics, matched to the dispense log, medical order, and bill. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee’s employment. |
| Praxair Healthcare Services, Inc. (Home Care Supply in NY) | CT | Healthcare Provider | 54165 | 04/19/2010 | Theft | Laptop | No | A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees.
\ |
| Massachusetts Eye and Ear Infirmary | MA | Healthcare Provider | 3594 | 04/20/2010 | Theft | Laptop | No | \N |
| Blue Cross & Blue Shield of Rhode Island | RI | Health Plan | 12000 | 04/21/2010 | Theft | Paper/Films | No | A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above.
\
\ |
| South Carolina Department of Health and Environmental Control | SC | Health Plan | 2850 | 04/22/2010 | Improper Disposal | Paper/Films | No | \N |
| St. Joseph Heritage Healthcare | CA | Healthcare Provider | 22012 | 04/23/2010 | Theft | Desktop Computer | No | 22 computers were stolen from Clinical Management Service office.Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees.
\ |
| John Muir Physician Network | CA | Healthcare Provider | 5450 | 04/24/2010 | Theft | Laptop | No | Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed encryption software and increased physical security. |
| Medical Center At Bowling Green | KY | Healthcare Provider | 5148 | 04/26/2010 | Theft | Other, Other Portable Electronic Device | No | \N |
| UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 735 | 04/27/2010 | Theft | Other, Paper/Films | No | On March 2, 2010, the covered entity (CE), UnitedHealth Group, discovered that remittance forms containing member information which accompany paper checks were stolen. The invoices contained the protected health information (PHI) of over 735 individuals. The types of PHI included demographic and claims information. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with credit monitoring services. Following the breach, the CE reviewed its payment and remittance information controls and notified its provider call centers to remain on a high level alert to monitor all remittance payments. OCR obtained assurances that the CE implemented the corrective actions listed above. |
| TOWERS WATSON | VA | Business Associate | 1874 | 04/27/2010 | Theft | Other | Yes | A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI) while transporting the disks between two BA offices. The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals. The BA notified all affected individuals and provided two years of enhanced credit services. The CE notified HHS and the media and posted substitute notice on its website. The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files. After OCR's investigation, the CE updated its privacy and breach notification policies and procedures.
\
\ |
| South Texas Veterans Health Care System | TX | Healthcare Provider | 1430 | 04/28/2010 | Improper Disposal, Loss | Paper/Films | No | \N |
| Rockbridge Area Community Services | VA | Healthcare Provider | 500 | 04/29/2010 | Theft | Desktop Computer, Laptop | No | \N |
| Millennium Medical Management Resources, Inc. | IL | Business Associate | 180111 | 04/29/2010 | Theft | Other, Other Portable Electronic Device | Yes | \N |
| Miami VA Healthcare System | FL | Healthcare Provider | 568 | 05/05/2010 | Theft | Paper/Films | No | A covered entity's (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered. The PHI affected by the breach included names and partial social security numbers. Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books. Following OCR's investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI. Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards. Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals' accounting log. |
| VA Eastern Colorado Health Care System | CO | Healthcare Provider | 649 | 05/05/2010 | Theft | Paper/Films | No | A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. |
| Heriberto Rodriguez-Ayala, M.D. | TX | Healthcare Provider | 4200 | 05/11/2010 | Theft | Laptop | No | An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle. The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers. The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media. As a result of OCR's investigation the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations. |
| Georgetown University Hospital | DC | Healthcare Provider | 2416 | 05/13/2010 | Other, Theft | Email, Other Portable Electronic Device | No | An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place.
\ |
| Silicon Valley Eyecare Optometry and Contact Lenses | CA | Healthcare Provider | 40000 | 05/13/2010 | Theft | Network Server | No | A computer network server and a television were stolen from the covered entity (CE), Silicon Valley Eyecare. The CE’s network sever contained the electronic protected health information (ePHI) of approximately 40,000 individuals and included demographic information, social security numbers, diagnoses, and insurance information. The CE investigated the incident and provided breach notification to HHS, affected individuals, and media. As a result of OCR’s investigation, the CE provided its most recent risk analysis, risk management plan, security training program, and policies and procedures regarding administrative, physical and technical safeguards. |
| Heritage Health Solutions | TX | Business Associate | 656 | 05/14/2010 | Theft | Laptop | Yes | \N |
| Oconee Physician Practices | SC | Healthcare Provider | 653 | 05/20/2010 | Theft | Laptop | No | On May 9, 2010, the covered entity (CE), Oconee Physician Practices, discovered that a password-protected, unencrypted laptop computer used for EKG testing was missing from its facility. The loss potentially exposed the demographic and clinical information of 653 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved safeguards by changing access codes and physical locks to the building and retrained its workforce on the importance of password protection and laptop security. The CE developed a plan to create a stronger policy for asset tracking, accountability, and activity monitoring and upgrade its procedures for password strength, automatic log-off capabilities, and limiting the number of sign-on attempts. The CE also developed a plan to encrypt laptops and other portable media containing electronic protected health information (ePHI). OCR reviewed the CE’s policies and procedures and supporting documents. |
| University of Rochester Medical Center and Affiliates | NY | Healthcare Provider | 2628 | 05/20/2010 | Other | Paper/Films | No | The covered entity (CE), University of Rochester Medical Center and Affiliates, reported that on April 19, 2010, 2,628 patient billing statements for Strong Memorial Hospital were sent to the wrong patients. The statements contained patients’ names, addresses, guarantors’ names, guarantors’ addresses, dollar amounts owed, health insurance plans, subscriber numbers, social security numbers, general descriptions of services rendered (such as inpatient room charge, outpatient visit charge, physical therapy, laboratory, pharmacy, radiology, etc.) and dates of service. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE established a numerical counter to ensure that the numbers of statements that run through the folding machine are matching the numbers of statements that are printing. In addition, a report was added to the statement bundles distributed by the printing center that identifies the number of pages printed for each statement run. Further, a quality control process was put into place where a second staff member manually inspects stuffed envelopes on a random basis to ensure that the correct number of pages are inserted as well as verifying that the contents are all for the same patient. As a result of OCR investigation, OCR reviewed a copy of the CE’s risk assessment and policies and procedures relating to uses and disclosures of protected health information (PHI) and safeguarding PHI. |
| Omaha Construction Industry , Privacy Manager Breach | NE | | 800 | 05/21/2010 | Theft | Laptop | Yes | \N |
| City of Charlotte, NC (Health Plan) | NC | Health Plan | 5220 | 05/24/2010 | Loss | Other | No | \N |
| VA North Texas Health Care System | TX | Healthcare Provider | 4083 | 05/25/2010 | Improper Disposal | Paper/Films | No | \N |
| Rainbow Hospice and Palliative Care | IL | Healthcare Provider | 1000 | 05/26/2010 | Theft | Laptop | No | An employee's laptop was stolen out of her bag while she was making an admission visit in a patient's home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again.
\ |
| Occupational Health Partners | KS | Healthcare Provider | 1105 | 06/01/2010 | Theft | Laptop | No | \N |
| University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program | KY | Healthcare Provider | 708 | 06/01/2010 | Hacking/IT Incident | Network Server | No | An outside computer’s unique numerical code (Internet Protocol address) accessed the covered entity’s (CE) website which contained a database containing the protected health information of 708 patients. The types of PHI involved in the breach included names, social security numbers, and treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE disabled the website containing the breached PHI. As a result of OCR’s investigation, the CE removed social security numbers from its site, added a time out feature, retrained staff, and completed a risk assessment. |
| Cincinnati Childrens Hospital Medical Center | OH | Healthcare Provider | 60998 | 06/01/2010 | Theft | Laptop | No | An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce member's car. The ePHI stored on the laptop included names, medical record numbers, and services received. The covered entity (CE) provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees. OCR obtained assurances that the CE implemented the corrective action listed above.
\
\
\ |
| AvMed, Inc. | FL | Health Plan | 1220000 | 06/03/2010 | Theft | Laptop | No | Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals. |
| Nihal Saran, MD | MI | Healthcare Provider | 2300 | 06/04/2010 | Theft | Laptop | No | A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software.
\ |
| Siemens Medical Solutions, USA, Inc | PA | Business Associate | 130495 | 06/04/2010 | Theft | Other | Yes | The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CD's, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. |
| UnitedHealth Group health plan single affiliated covered entity | MN | Health Plan | 16291 | 06/04/2010 | Other | Paper/Films | No | Paper correspondence to certain members in UnitedHealth's prescription drug plans were in advertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verifications calls to members to get accurate temporary addresses. United Health reported that it revised its address update process.
\ |
| St. Jude Children's Research Hospital | TN | Healthcare Provider | 1745 | 06/08/2010 | Loss | Laptop | No | \N |
| DentaQuest | MA | Business Associate | 10515 | 06/09/2010 | Theft | Laptop | Yes | A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.
\
\ |
| Comprehensive Care Management Corporation | NY | Health Plan | 1020 | 06/14/2010 | Theft | Desktop Computer, Email, Laptop, Network Server | No | OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI. |
| The Children's Medical Center of Dayton | OH | Healthcare Provider | 1001 | 06/14/2010 | Other | Email | No | \N |
| University of Kentucky | KY | Healthcare Provider | 2027 | 06/18/2010 | Theft | Laptop | No | A laptop computer containing the protected health information (PHI) of approximately 2,027 individuals was stolen from the covered entity (CE), University of Kentucky, Department of Pediatrics. The information was part of the New Born Screening Program sent to that department by the state screening program. The types of PHI involved in the breach included demographic information, specifically, names, addresses, dates of birth, social security numbers, and other identifiers, and clinical information. As a result of OCR’s investigation the CE provided OCR with an updated status report of its encryption project that it had previously reported as one of its corrective measures. It also trained workforce members on encryption of computing devices and provided reminders to workforce members about its facility locking procedures. Additionally, the CE provided a report of its information security assessment with details of security gaps as evidence of its risk analysis, along with recommendations for remediation of the gaps identified in the assessment. The CE also improved physical safeguards. The CE provided documentation of compliance with the applicable notification provisions of the Breach Notification Rule. It also updated its accounting of disclosures policy, and drafted a new policy relating to accounting of disclosures regarding breach incidents. |
| alma aguado md pa | TX | Healthcare Provider | 600 | 06/21/2010 | Theft | Network Server | No | OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office. The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI. |