Skip to content

Instantly share code, notes, and snippets.

@jcdcodes

jcdcodes/HealthInfoBreachesClean.csv

Last active April 21, 2022 08:18
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save jcdcodes/dc53c30527e990097e8a to your computer and use it in GitHub Desktop.
Save jcdcodes/dc53c30527e990097e8a to your computer and use it in GitHub Desktop.
Download ZIP
Health Information Breaches
Raw
README.md

HIPAA breaches as reported to HHS (as of October 15, 2014).

I washed the dirty, dirty CSV file that HHS published, and now we can see the data only cover Q4 of 2009 through the end of 2013. That's a log scale on the left, so the number of people whose medical data got leaked or stolen is kind of enormous: several percent of the whole US population so far.

Raw
HealthInfoBreachesClean.csv
Name of Covered Entity State Business Associate Involved Individuals Affected Clean Individuals Affected Date of Breach Type of Breach Location of Breached Information Date Posted or Updated Clean Date Summary
Brown University RI Blue Cross Blue Shield of Rhode Island 528 528 12/11/2009 Unauthorized Access/Disclosure Paper 3/4/2010 12/11/2009 On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown Universityís health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected membersí claim history to ensure no fraud.
MMM Health Care Inc. NY MSO of Puerto Rico, Inc. 1907 1907 2/4/2010 Unauthorized Access/Disclosure Paper 3/4/2010 2/4/2010
PMC Medicare Choice NY MSO of Puerto Rico, Inc. 605 605 2/4/2010 Unauthorized Access/Disclosure Paper 3/4/2010 2/4/2010 In its breach report and during the course of OCRís investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach may pose a significant risk of financial, reputational, or other harm to the 1,907 patients. The covered entity sent notification letters to the affected 1,907 patients apologizing for the breach. In addition, the covered entity had a radio advertisement played on the Radio Isla Radio Station in Puerto Rico on February 14, 2010 The covered entity implemented a corrective action plan in which the Health Services Department established a quality control process in order to ensure that letters that are sent by mail have the correct mailing address. In addition, the covered entity created and implemented a new policy and procedure which the Production Services Department will require a form to be completed when a print or mail job is requested. The covered entity also issued a directive from the Vice President of Member Services to all Production Services Department staff regarding the need to verify emails with the requesters and to request confirmation from requesters prior to proceeding with the mailing of each print job. Further, on February 19, 2010, the covered entity provided training to all staff on the newly revised policies and procedures
Center for Neurosciences AZ 1101 1101 12/15/2009 Theft Laptop 3/4/2010 12/15/2009
Cardiology Consultants/Baptist Health Care Corporation FL 7600 7600 12/19/2009 Theft Computer 3/4/2010 12/19/2009
Educators Mutual Insurance Association of Utah UT Health Behavior Innovations 5700 5700 12/27/2009 Theft Others (CDs) 3/4/2010 12/27/2009
AvMed, Inc. FL 1220000 1220000 12/10/2009 Theft Laptop 6/4/2010 12/10/2009
The Methodist Hospital TX 689 689 1/18/2010 Theft Computer 2/22/2010 1/18/2010 An unencrypted laptop computer was stolen from the covered entityís unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
Carle Clinic Association IL 1300 1300 1/13/2010 Theft Paper and Films 2/22/2010 1/13/2010 Protected health information was released from the covered entity when an imposter, posing as representatives of the legitimate recycling service used by the covered entity, removed several barrels of purged x-ray films and film jackets. The barrels contained the protected health information of approximately 1,300 individuals. The protected health information involved in the breach included full patient names, patient dates of birth, patient genders, patient clinic medical numbers, internal accession numbers, type of film and site locations, dates and times of image creation, physician or provider names, and internal provider numbers. Following the breach, the covered entity contacted the affected individuals by the breach, offered credit monitoring services to these individuals, investigated the root cause of the breach, and retrained the employee responsible for the breach on verification of identity policies and procedures. Additionally, OCRís investigation resulted in the covered entity creating a new policy and procedure that specifically addresses the verification of identity of disposal vendors and trained all relevant staff on the new policy.
Ashley and Gray DDS MO 9309 9309 1/10/2010 Theft Computer 2/22/2010 1/10/2010
Goodwill Industries of Greater Grand Rapids, Inc. MI 10000 10000 12/15/2009 Theft Other (Backup Tapes) 2/22/2010 12/15/2009 On December 15, 2009, a safe was stolen from Goodwillís off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCRís formal investigation brought the covered entity into compliance.
Daniel J. Sigman MD, PC MA 1860 1860 12/11/2009 Theft Other Portable Electronic Device, Electronic Medical Record 2/22/2010 12/11/2009 Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patientsí names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media.
Blue Island Radiology Consultants IL United Micro Data 2562 2562 12/9/2009 Loss Other (Backup Tapes) 2/22/2010 12/9/2009 The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package. Approximately 2,000 individuals were affected by the breach. Individual demographic, financial and clinical information was included in the protected health information. The covered entity provided written notice and an apology to affected individuals, provided them with details of the incident, described ways for these individuals to protect themselves from identity theft and provided a toll-free telephone number for the individuals to call if they had additional questions. Following the breach, the covered entity continues to backup data on tapes, but it now stores the tapes in a safe deposit box instead of sending them via the mail.
Keith W. Mann, DDS, PLLC NC Rick Lawson, Professional Computer Services 2000 2000 12/8/2009 Hacking/IT Incident Computer, Network Server, Electronic Medical Record 2/22/2010 12/8/2009
Kaiser Permanente Medical Care Program CA 15500 15500 12/1/2009 Theft Other Portable Electronic Device, Electronic Medical Record 2/22/2010 12/1/2009 An employee left an external portable hard drive containing electronic protected health information in a vehicle that was stolen. The hard drive contained the protected health information of approximately 15,500 individuals. The protected health information involved in the breach included names, medical record numbers, and information relating to the care and treatment of various chronic health conditions. A subset of records may also have included dates of birth or ages, gender, phone numbers, and general information relating to the care and treatment of chronic health conditions. Following the breach, the responsible employee was terminated for violating KPís policies. Additionally, OCRís investigation resulted in the covered entity initiating deployment of a Removable Media Encryption software tool.
University of California, San Francisco CA 7300 7300 11/30/2009 Theft Laptop 2/22/2010 11/30/2009
Detroit Department of Health and Wellness Promotion MI 646 646 11/26/2009 Theft Laptop, Computer 2/22/2010 11/26/2009 A desktop and four laptop computers were stolen from the covered entityís locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCRís investigation resulted in the covered entity providing training to workforce members regarding the incident
Advocate Health Care IL 812 812 11/24/2009 Theft Laptop 2/22/2010 11/24/2009 On November 24, 2009, an Advocate nurseís laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCRís investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards.
Concentra TX 900 900 11/19/2009 Theft Laptop 2/22/2010 11/19/2009
Children's Medical Center of Dallas TX 3800 3800 11/19/2009 Loss Other Portable Electronic Device 2/22/2010 11/19/2009
Universal American NY Democracy Data & Communications, LLC 83000 83000 11/12/2009 Unauthorized Access/Disclosure Paper 2/22/2010 11/12/2009 In its breach report and during the course of OCRís investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled ìPersonal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Formî that centralized all data requests through a ìTeam Trackî which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010.
Massachusetts Eye and Ear Infirmary MA 1076 1076 11/10/2009 Theft Other 2/22/2010 11/10/2009 Two employees misused patientsí credit card information. The employees worked in several different departments that served approximately 1,076 individuals. The protected health information involved in the breach included: names, addresses, and credit card information. Following the breach, the covered entity notified the affected individuals, the media and HHS. The entity also terminated the employees involved, offered mitigation in the form of one free year of credit monitoring for all affected individuals, revised their safeguards policy to include ìData Breach Preventionî and reviewed the physical processes involved when payment is made in person using a credit card
Kern Medical Center CA 596 596 10/31/2009 Theft Paper 2/22/2010 10/31/2009
Blue Cross Blue Shield Association DC Service Benefits Plan Administrative Services Corp. 3400 3400 10/26/2009 Unauthorized Access/Disclosure Paper (Mailing) 2/22/2010 10/26/2009 The business associate incorrectly updated the contract holdersí addresses resulting in the mailing of protected health information to incorrect recipients. The breach affected approximately 3,400 members. The protected health information involved included demographic information, EOBs, clinical information, and diagnoses. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with SBP. The business associate improved its code review process to catch the system error that caused this incident and instituted a manual quality review process designed to identify bad addresses.
Detroit Department of Health and Wellness Promotion MI 10000 10000 10/22/2009 Theft Other Portable Electronic Device 2/22/2010 10/22/2009
The Children's Hospital of Philadelphia PA 943 943 10/20/2009 Theft Laptop 2/22/2010 10/20/2009 A laptop computer was stolen from a hospital employeeís vehicle. The computer contained the protected health information of 943 individuals. The protected health information involved in the breach included names, contact information, dates of birth, social security numbers, medical record numbers, and health insurance information including diagnosis code in numeric form and billing code description. In response to this incident, the covered entity accelerated implementation of a pre-existing plan to encrypt all hospital laptops. Encryption of new and existing laptops was completed in June 2010. Additionally, the covered entity revised its information security policies and retrained its workforce.
Brooke Army Medical Center TX 1000 1000 10/16/2009 Theft Paper 2/22/2010 10/16/2009 A binder with printed protected health information (PHI) was stolen from an employee's vehicle. The covered entity was unable to determine the number of affected individuals, but the stolen binder contained the PHI of up to 1,272 patients. The PHI involved in the breach included names, telephone numbers, detailed notes regarding treatment, and possibly Social Security numbers. Following the breach, the covered entity sanctioned the employee and developed a new policy requiring the on-call staff to submit any information created during the shift to the main office rather than adding it to the binder. Additionally, OCR's investigation resulted in the covered entity notifying the local media about the breach.
Blue Cross Blue Shield Association DC Merkle Direct Marketing 15000 15000 10/7/2009 Unauthorized Access/Disclosure Paper 2/22/2010 10/7/2009
University of California, San Francisco CA 610 610 9/22/2009 Hacking/IT Incident Email 2/22/2010 9/22/2009
Alaska Department of Health and Social Services AS 501 501 10/12/2009 Theft Other Portable Electronic Device 2/22/2010 10/12/2009
Cogent Healthcare of Wisconsin, S.C. TN Cogent Healthcare, Inc. 6400 6400 10/11/2009 Theft Laptop 2/22/2010 10/11/2009
Health Services for Children with Special Needs DC 3800 3800 10/9/2009 Loss Laptop 2/22/2010 10/9/2009 A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training.
Blue Cross Blue Shield of Tennessee TN 1023209 1023209 10/2/2009 Theft Other (hard drives) 2/22/2010 10/2/2009
City of Hope National Medical Center CA 5900 5900 9/27/2009 Theft Laptop 2/22/2010 9/27/2009 A laptop computer was stolen from a workforce memberís car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and retraining employees.
Michele Del Vicario, MD CA 6145 6145 9/27/2009 Theft, Unauthorized Access/Disclosure Computer 2/22/2010 9/27/2009 A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctorís private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
Mark D. Lurie, MD CA 5166 5166 9/27/2009 Theft, Unauthorized Access/Disclosure Computer 2/22/2010 9/27/2009 A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indivís and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctorís private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
L. Douglas Carlson, M.D. CA 5257 5257 9/27/2009 Theft, Unauthorized Access/Disclosure Computer 2/22/2010 9/27/2009 A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctorís private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules.
David I. Cohen, MD CA 857 857 9/27/2009 Theft, Unauthorized Access/Disclosure Computer 2/22/2010 9/27/2009 A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctorís private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
Joseph F. Lopez, MD CA 952 952 9/27/2009 Theft, Unauthorized Access/Disclosure Computer 2/22/2010 9/27/2009 A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctorís private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules.
Mid America Kidney Stone Association, LLC MO 1000 1000 9/22/2009 Theft Network Server 2/22/2010 9/22/2009
State of TN, Bureau of TennCare TN 3900 3900 12/23/2009 Unauthorized Access/Disclosure Paper 3/9/2010 12/23/2009
Lucille Packard Children's Hospital CA 532 532 1/11/2010 Loss Computer 3/9/2010 1/11/2010
University of New Mexico Health Sciences Center NM 1898 1898 2/8/2010 Hacking/IT Incident Computer 3/9/2010 2/8/2010 Malware compromised two workstation hard drives. The compromise affected 1898 individuals. The protected health information involved in the breach included patient names, dates of birth, medical record numbers, names of the patientsí health plans and type of health services provided for the patients. Following the discovery of the breach, the CE removed and replaced the affected computers and audited workstations to ensure PHI was not stored on hard drives in violation of policy. Additionally, the CE notified the affected individuals and local media and retrained staff.
Advanced NeuroSpinal Care CA 3500 3500 12/30/2009 Theft, Loss Network Server, Computer 3/9/2010 12/30/2009
Aspen Dental Care P.C. CO 2500 2500 10/4/2009 Theft Other 3/23/2010 10/4/2009 Computer hard disks were stolen from a safe in the covered entityís locked dental office. The computer hard disks contained the protected health information of approximately 2,500 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and dental information. Further investigation showed that the protected health information had been encrypted, rendering it unusable, unreadable, or undecipherable to unauthorized individuals pursuant to guidance issued by OCR, such that the theft of the computer hard disks did not constitute a breach of unsecured protected health information. Despite the fact that no breach was found to have occurred, following the incident, the covered entity upgraded physical security for the dental office by installing an alarm system.
Shands at UF FL 12580 12580 1/27/2010 Theft Laptop 3/9/2010 1/27/2010 A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UFís most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCRís investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption.
Wyoming Department of Health WY 9023 9023 12/2/2009 Unauthorized Access/Disclosure Network Server 3/23/2010 12/2/2009
North Carolina Baptist Hospital NC 554 554 2/15/2010 Theft Paper 3/9/2010 2/15/2010 An employeeís car was broken into and a tote bag, which had a spreadsheet containing PHI was stolen from the car. The paper file that was in the tote bag had PHI pertaining to 554 patients. The type of PHI involved in the breach included the following: patientsí name, age, weight, race, Social Security number, and blood and tissue typing. Following the breach, among other things, the covered entityís Privacy Office reviewed the applicable policies and procedures with the clinic responsible, the employee involved was counseled, and affected patients were offered a year of credit monitoring services along with a toll-free number to contact the covered entity if the patients or their family members had any questions concerning the reported breach. As a result of OCRís investigation, the covered entity took several compliance actions, including creating an action plan to address the breach, installing video cameras in the parking dock for the clinic, and establishing a new Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices across the Medical Center.
Thrivent Financial for Lutherans WI 9500 9500 1/29/2010 Theft Laptop 3/23/2010 1/29/2010 On January 29, 2010, there was a break-in at one of the Thriventís offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCRís formal investigation brought the CE into compliance.
Montefiore Medical Center NY 625 625 2/20/2010 Theft Laptop 3/23/2010 2/20/2010
Ernest T. Bice, Jr. DDS, P.A. TX 21000 21000 2/20/2010 Theft Other Portable Electronic Device 3/23/2010 2/20/2010 Three unencrypted external back-up drives were stolen from a safe in the covered entityís locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
University Medical Center of Southern Nevada NV 5103 5103 10/31/2009 Theft, Unauthorized Access/Disclosure Paper 3/31/2010 10/31/2009 Between the dates of July 31, 2009 and November 19, 2009, a former UMC volunteer faxed patient face sheets to an attorney who used the sheets to contact prospective clients. Although UMC only had proof of two disclosures, it chose to notify all 5,301 individuals that could have been affected by the breach. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, and diagnoses. Following the breach, UMC conducted an internal investigation, notified all 5,301 individuals, notified the media, and notified the Secretary. Additionally, UMC reformulated face sheets so that they no longer include full social security numbers and provided all possible affected individuals with a year of free credit monitoring. As a result of this breach, at least one person has been indicted on one count of conspiracy to illegally disclose personal health information in violation of the HIPAA
Lee Memorial Health System FL 3800 3800 1/29/2010 Unauthorized Access/Disclosure Paper 3/31/2010 1/29/2010 The covered entity sent postcards to approximately 3,800 patients, which listed the patientsí demographic information, and a statement that read, ìYour Physician Has Moved,î with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCRís investigation include the issuance of sanctions and review of policies and procedures.
Laboratory Corporation of America/Dynacare Northwest, Inc. WA 5080 5080 2/12/2010 Theft Laptop 3/31/2010 2/12/2010 A laptop computer was stolen from a workforce memberís car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers.
Griffin Hospital CT 957 957 2/4/2010 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 4/12/2010 2/4/2010
Mount Sinai Medical Center FL 2600 2600 3/9/2010 Theft, Unauthorized Access/Disclosure Laptop 4/12/2010 3/9/2010
Hypertension, Nephrology, Dialysis and Transplantation, PC AL 2024 2024 3/6/2010 Theft Laptop 4/12/2010 3/6/2010
John Muir Physician Network CA 5450 5450 2/4/2010 Theft Laptop 4/15/2010 2/4/2010 John Muir Health reported to OCR-HQ that two laptops containing EPHI including patient names, dates of birth, and social security number was stolen from John Muir Health Womenís Health Center. Approximate 5,450 individualsí PHI was stolen. The types of EPHI involved in the breach are patient names, dates of birth, and social security numbers. The media was informed and all individuals were notified. John Muir Health advises that now, laptops are locked down with cables and encryption software has been installed.
Laboratory Corporation of America/US LABS/Dianon Systems, Inc. AZ 2773 2773 2/18/2010 Theft Other Portable Electronic Device 4/15/2010 2/18/2010 An external hard drive containing ePHI of 2,773 individuals was stolen. The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers. CE advises OCR that notice to the individuals went out April 13 and 14, 2010. The media (St. Petersburg Times) was notified. CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media.
VHS Genesis Lab Inc. IL 6800 6800 1/10/2010 Loss Paper 4/15/2010 1/10/2010 A monthís worth of client invoices went missing; evidence shows that the documents were never mailed, but despite a thorough search, the invoices were never located. The invoices contained the protected health information of over 500 individuals. The protected health information involved in the breach included names, dates of birth, and medical testing information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in the Chicago Tribune, arranged for a business associate to handle the mailing of invoices in the future, and provided OCR with documentation of these actions.
Providence Hospital MI 83945 83945 2/4/2010 Loss Other 4/15/2010 2/4/2010
University of Pittsburgh Student Health Center PA 8000 8000 3/11/2010 Theft, Loss Paper 4/15/2010 3/11/2010 Documents containing protected health information were lost when an employee of the covered entity confiscated and eventually destroyed them. The breach affected approximately 8,000 individuals. The documents contained names and financial information. Following the breach, the covered entity reviewed its policies and procedures for safeguarding the physical security of Paper. The covered entity terminated the employee who violated these policies by stealing the records.
Reliant Rehabilitation Hospital North Houston TX Computer Program and Systems, Inc. (CPSI) 763 763 2/9/2010 Unauthorized Access/Disclosure Email 4/20/2010 2/9/2010
Tomah Memorial Hospital WI 600 600 3/19/2010 Unauthorized Access/Disclosure Other 4/26/2010 3/19/2010 A nurse impermissibly used the protected health information of patients to obtain narcotics from the Tomah Memorial Hospital for her own personal use. Tomah Memorial Hospital reported that approximately 600 patients were affected by the breach. The protected health information involved in the breach included the name and account number of the patient. Tomah Memorial Hospital terminated the nurse. Following the breach, Tomah Memorial Hospital created a monthly audit of Schedule II narcotics by each patient care department, which will match the medication dispense log to the order and bill.
Affinity Health Plan, Inc. NY 344579 344579 11/24/2009 Other Other 4/27/2010 11/24/2009
Beatrice Community Hospital and Health Center NE McKesson Information Solutions, LLC 660 660 3/19/2010 Unauthorized Access/Disclosure Paper 4/29/2010 3/19/2010
St. Joseph Heritage Healthcare CA 22012 22012 3/6/2010 Theft Computer 4/30/2010 3/6/2010 22 computers were stolen from Clinical Management Service office.Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCRís investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees.
South Carolina Department of Health and Environmental Control SC 2850 2850 2/17/2010 Improper Disposal Paper 5/4/2010 2/17/2010 The covered entity failed to adhere to its own policy to shred protected health information (PHI), and a third party found patient PHI in a paper recycling container behind the covered entity's building. The covered entity reported that approximately 2,850 individuals were affected. The PHI involved in the breach included names, addresses, dates of birth, Social Security numbers,payment information, and clinical information. Following the breach, the covered entity took several actions, including notifying affected individuals, revising and updating its policies for handling confidential information, educated staff, and terminated the courier that was responsible for taking the information to the recycling center. As a result of OCRís investigation, the covered entity provided written assurance that it had revised its policies and procedures.
Medical Center at Bowling Green KY 5418 5418 3/24/2010 Theft Other Portable Electronic Device 5/4/2010 3/24/2010
Our Lady of Peace Hospital KY 24600 24600 3/31/2010 Theft, Loss Other Portable Electronic Device 5/4/2010 3/31/2010
Blue Cross & Blue Shield of Rhode Island RI 12000 12000 12/20/2009 Unauthorized Access/Disclosure Paper 5/4/2010 12/20/2009 On April 6, 2010, the covered entity learned that a filing cabinet it donated to a non-profit organization on December 20, 2009, contained membersí protected health information (PHI). The cabinet contained the PHI of approximately 12,000 individuals. The PHI involved member information for Medicare Health Surveys from 2001 to 2004, which contained names, addresses, telephone numbers, Social Security numbers, and Medicare identification numbers. Following the breach, the covered entity notified the affected individuals of the breach, notified the media, sanctioned the employees involved in the incident, held a mandatory training for all departments involved in the breach regarding Privacy, Security, and Compliance rules, regulations, and responsibilities, revised the policy for office moves requiring a series of checklists and approvals prior to moving furniture offsite, and offered all affected individuals free credit monitoring, including assistance with identify theft protection.
Massachusetts Eye and Ear Infirmary MA 3621 3621 2/19/2010 Theft Laptop 5/4/2010 2/19/2010
Praxair Healthcare Services, Inc. CT 54165 54165 2/18/2010 Theft Laptop 5/4/2010 2/18/2010 A laptop computer was stolen from the covered entityís office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCRís investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees.
Pediatric Sports and Spine Associates TX 955 955 2/10/2010 Theft Laptop 5/6/2010 2/10/2010 An unencrypted laptop was stolen from an employeeís vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptopís access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media.
Emergency Healthcare Physicians, Ltd. IL Millennium Medical Management Resources, Inc. 180111 180111 2/27/2010 Theft Other Portable Electronic Device 5/5/2010 2/27/2010
General Agencies Welfare Benefits Program TN Towers Watson 1874 1874 2/5/2010 Loss Other 5/5/2010 2/5/2010
South Texas Veterans Health Care System TX 1430 1430 9/30/2009 Loss, Improper Disposal Paper 5/12/2010 9/30/2009 The covered entity reported hard copies of medical records missing from a locked file room. The hard copies of the medical records contained the protected health information of approximately 1,430 individuals. The protected health information involved in the breach included names, Social Security numbers, and treatment information. Following the breach, the covered entity eliminated all hard copy logs by transferring them to an electronic database. The electronic database is accessible by authorized workforce members only. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and retraining employees.
Miami VA Healthcare System FL 568 568 1/19/2010 Loss Paper 5/13/2010 1/19/2010 A pharmacy log book was found missing in January that contained the protected health information (PHI) of veteran patients. Unfortunately, this logbook has not been uncovered. The pharmacy log book contained the names and partial Social Security numbers of 568 veterans. Following the breach, the covered entity sent out appropriate notification letters, and it instructed the employees to cease the practice of keeping log books. As a result of OCRís investigation, the covered entity revised and/or updated its policies and procedures with respect to safeguarding PHI and has now restricted the use of logbooks.
Loma Linda University Health Care CA 584 584 4/4/2010 Theft Computer 5/17/2010 4/4/2010
Silicon Valley Eyecare Optometry and Contact Lenses CA 40000 40000 4/2/2010 Theft Network Server 5/17/2010 4/2/2010
VA Eastern Colorado Health Care System CO 649 649 1/19/2010 Improper Disposal Paper 5/17/2010 1/19/2010
Heriberto Rodriguez-Ayala, M.D. TX 4200 4200 4/3/2010 Theft Laptop 5/18/2010 4/3/2010 An unencrypted laptop computer was stolen from a personal vehicle. The laptop computer contained the protected health information of approximately 4,200 individuals. The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, treatment histories, and some driverís license numbers. The covered entity notified the affected individuals and the media. Following the breach, the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations.
Veterans Health Administration DC Heritage Health Solutions 656 656 4/22/2010 Theft Laptop 5/19/2010 4/22/2010 A laptop was stolen from an employee of the business associate. The computer contained the protected health information (PHI) of 656 individuals. The PHI involved in the breach included names, social security numbers, dates of birth, and medication information. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Heritage Health. The business associate installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and made improvements to the physical security of the building. In addition, the responsible employee was counseled, and all employees received additional security training.
State of New Mexico Human Services Department, Medical Assistance Division NM DentaQuest 9600 9600 3/20/2010 Theft Laptop 5/19/2010 3/20/2010 The business associate's contractor left a laptop in a car. The car was stolen with the laptop containing protected health information of approximately 9,600 individuals. The EPHI involved in the breach included names, social security numbers, and demographic information. Following the breach, CE encrypted all laptops that contained PHI.
Georgetown University Hospital DC 2416 2416 3/26/2010 Theft Email, Other Portable Electronic Device 5/19/2010 3/26/2010 An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place.
Rockbridge Area Community Services VA 500 500 3/12/2010 Theft Laptop, Computer 5/19/2010 3/12/2010
VA North Texas Health Care System TX 4083 4083 5/4/2010 Improper Disposal Paper 5/25/2010 5/4/2010 A binder and clipboard containing patientsí protected health information were missing from a file room. Approximately 4,083 individuals were affected. The protected health information involved in the breach included names, social security numbers, and dates of birth. Following the breach, the covered entity has eliminated all hard copy logs by transferring them to an electronic database. The electronic database is accessible by authorized workforce members only. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and retraining employees.
Oconee Physician Practices SC 653 653 5/9/2010 Theft Laptop 5/27/2010 5/9/2010
University of Rochester Medical Center Affiliates NY 2628 2628 4/19/2010 Unauthorized Access/Disclosure Paper 5/28/2010 4/19/2010
City of Charlotte Health Plan NC Towers Watson 5220 5220 2/3/2010 Loss Other 6/3/2010 2/3/2010
Rainbow Hospice and Palliative Care IL 1000 1000 4/12/2010 Theft Laptop 6/3/2010 4/12/2010 An employeeís laptop was stolen out of her bag while she was making an admission visit in a patientís home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again.
Cincinnati Children's Hospital Medical Center OH 60998 60998 3/27/2010 Theft Laptop 6/3/2010 3/27/2010 An employeeís newly-issued, unencrypted laptop was stolen out of a car. Although the covered entity had a policy of encrypting its computers, an investigation revealed that new computers are not encrypted before they are given to employees. The laptop contained the protected health inforamtion (PHI) of approximately 60,998 individuals. The PHI stored on the laptop included names, medical record numbers, and services received at the covered entity. Following the breach, the covered entity notified its clients by letter of the incident, placed notice on various websites and in The Cincinnati Enquirer, and established a new internal procedure whereby all new computers would be encrypted before they are given to employees.
Omaha Construction Industry Health and Welfare Plan NE DeBoer & Associates 800 800 11/11/2009 Theft Laptop 6/4/2010 11/11/2009
Nihal Saran, MD MI 2300 2300 5/2/2010 Theft Laptop 6/9/2010 5/2/2010 A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software.
UnitedHealth Group--SACE MN 16291 16291 1/26/2010 Unauthorized Access/Disclosure Paper 6/9/2010 1/26/2010 Paper correspondence to certain members in UnitedHealthís prescription drug plans were in advertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth memberís name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDIís proprietary database for address updates and made outbound verifications calls to members to get accurate temporary addresses. United Health reported that it revised its address update process.
St. Jude Children's Research Hospital TN 1745 1745 4/19/2010 Loss Laptop 6/10/2010 4/19/2010
Occupational Health Partners KS 1105 1105 5/12/2010 Theft Laptop 6/11/2010 5/12/2010
TennCare TN DentaQuest 10515 10515 3/20/2010 Theft Laptop 6/11/2010 3/20/2010
WellPoint, Inc. IN 31700 31700 11/3/2009 Hacking/IT Incident Network Server 8/6/2010 11/3/2009
Lincoln Medical and Mental Health Center NY Siemens Medical Solutions, USA, Inc. 130495 130495 3/24/2010 Loss Other 6/29/2010 3/24/2010
The Children's Medical Center of Dayton OH 1001 1001 4/22/2010 Unauthorized Access/Disclosure Email 6/26/2010 4/22/2010
Comprehensive Care Management Corporation NY 1020 1020 4/30/2010 Theft, Unauthorized Access/Disclosure Laptop, Computer, Network Server, Email 6/29/2010 4/30/2010
Mary M. Desch, M.D. AZ 5893 5893 5/15/2010 Theft Laptop 7/1/2010 5/15/2010
University Health System NV 7526 7526 6/11/2010 Theft Network Server 7/1/2010 6/11/2010
Children's Hospital & Research Center at Oakland CA 1000 1000 5/25/2010 Unauthorized Access/Disclosure Paper 7/1/2010 5/25/2010
Sinai Hospital of Baltimore, Inc. MD Aramark Healthcare Support Services, Inc. 937 937 5/3/2010 Unauthorized Access/Disclosure Email 7/1/2010 5/3/2010 A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures.
Alma Aguado, MD P.A. TX 600 600 5/29/2010 Theft Network Server 7/6/2010 5/29/2010
University Hospital GA Augusta Data Storage, Inc. 14000 14000 5/7/2010 Loss Other 7/12/2010 5/7/2010
University of Florida FL 2047 2047 5/24/2010 Unauthorized Access/Disclosure Paper 7/12/2010 5/24/2010 The covered entity mailed letters to patients which included either the childís social security number or Florida Medicaid number on the address label. The letters were mailed to approximately 2,047 individuals. Following the breach, the covered entity recalled the faulty files from the printing company and the medical survey company; notified all affected individuals and conducted mitigation discussions. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and retraining employees.
Centerstone TN 1537 1537 5/1/2010 Loss Computer, Paper 7/12/2010 5/1/2010
SunBridge Healthcare Corporation NM 3830 3830 5/11/2010 Theft Laptop 7/12/2010 5/11/2010
California Department of Healthcare Services CA Care 1st Health Plan 29808 29808 4/29/2010 Loss Other Portable Electronic Device 7/12/2010 4/29/2010
Long Island Consultation Center NY 800 800 5/21/2010 Loss Other Portable Electronic Device 7/19/2010 5/21/2010
NYU Hospital Center NY 2563 2563 5/8/2010 Loss Other Portable Electronic Device 7/19/2010 5/8/2010
E. Brooks Wilkins Family Medicine, PA NC 13000 13000 2/1/2010 Theft, Unauthorized Access/Disclosure Computer, Other 7/19/2010 2/1/2010 The breach report indicated that former employees took protected health information (PHI) pertaining to 13,000 patients and disclosed it to a competing medical practice. The PHI included the names and contact information for the patients. Following the breach, the entity terminated the employees who impermissibly used and disclosed the PHI. OCR also confirmed that the entity complied with the provisions of the Breach Notification Rule and notified the affected individuals. Additionally, the entity retrained its staff regarding the policies and procedures for safeguarding of PHI.
University of Louisville Research Foundations, Inc. KY 708 708 5/17/2010 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 7/21/2010 5/17/2010
South Shore Hospital MA Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC) 800000 800000 2/26/2010 Loss Other Portable Electronic Device, Electronic Medical Record, Other 7/21/2010 2/26/2010
Prince William County Community Services VA 669 669 6/18/2010 Theft Other Portable Electronic Device 7/21/2010 6/18/2010
John Deere Health Benefit Plan for Wage Employees IL UnitedHealth Insurance Company 1097 1097 6/24/2010 Unauthorized Access/Disclosure Paper 7/22/2010 6/24/2010
Department of Health Care Policy & Financing CO Governor's Office of Information Technology 105470 105470 5/17/2010 Theft Computer 7/22/2010 5/17/2010
Aetna CT 6372 6372 3/29/2010 Unauthorized Access/Disclosure Paper 7/29/2010 3/29/2010 On May 28, 2010 Aetna discovered that a file cabinet containing member protected health information (PHI) was not cleaned out before it was given to Aetnaís vendor for removal. The documents inside the file cabinet contained the PHI of approximately 6,372 individuals. The information contained in the file cabinet included names, addresses/zip, dates of birth, and social security numbers of Aetna members. Following the breach, the covered entity notified the affected individuals of the incident, notified the media, provided each affected member with a free year of credit monitoring, noted the disclosure in the affected membersí records for accounting purposes. Additionally, employees were reminded about the importance of complying with Aetnaís policies for safeguarding membersí PHI, policies and procedures were updated, employees were retrained, and Aetna is currently updating supporting procedures to enhance controls surrounding the appropriate storage and destruction of confidential information.
Medina County OB/GYN Associates, Inc. OH 1200 1200 6/13/2010 Improper Disposal Paper 7/29/2010 6/13/2010
UnitedHealth Group--SACE MN 735 735 3/2/2010 Theft, Unauthorized Access/Disclosure Paper 8/4/2010 3/2/2010 On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.
Charles Mitchell, MD TX 6873 6873 6/27/2010 Theft Computer 8/4/2010 6/27/2010
The University of Texas at Arlington TX 27000 27000 2/19/2010 Hacking/IT Incident Network Server 8/4/2010 2/19/2010 A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards.
Trinity Health Corporation Welfare Benefit Plan MI Mercer Health & Benefits 1073 1073 3/29/2010 Loss Other 8/4/2010 3/29/2010 Trinity Health Corporation Welfare Benefit Planís business associate, Mercer Health & Benefits (Mercer) lost a server backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Trinity Health was about 1,073 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Trinity Health notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercerís Boise office now encrypts backup tapes. Trinity Health has not had a business relationship with Mercer for many years and Mercer currently does not store any original PHI belonging to Trinity Health.
DC Chartered Health Plan, Inc. DC 540 540 5/26/2010 Theft Laptop 8/6/2010 5/26/2010
Montefiore Medical Center NY 23753 23753 6/9/2010 Theft Computer 8/6/2010 6/9/2010
Montefiore Medical Center NY 16820 16820 5/22/2010 Theft Computer 8/6/2010 5/22/2010
Thomas Jefferson University Hospitals, Inc. PA 21000 21000 6/14/2010 Theft Laptop 8/18/2010 6/14/2010
Beauty Dental, Inc. IL 657 657 6/5/2010 Theft, Loss Paper 8/18/2010 6/5/2010 Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employeeís position and rank.
Wright State Physicians OH 1309 1309 6/11/2010 Loss Laptop 8/18/2010 6/11/2010 On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments.
Fort Worth Allergy and Asthma Associates TX 25000 25000 6/29/2010 Theft Network Server 8/18/2010 6/29/2010 A burglary occurred on the CEís premises. Approximately 25,000 individuals were affected. The PHI included name, addresses, dates of birth, SSNs, driver license numbers, and diagnosis and conditions. Following the breach, the covered entity is using an ASP model for its management practices, with the database stored in an off-site location. Access to the database is allowed only through an encrypted, password-protected VPN. Also, physical security was improved. After the initiation of OCRís investigation, CE amended its BAA with its BA.
Jewish Hospital KY 2089 2089 7/16/2010 Theft Laptop 8/18/2010 7/16/2010
Walsh Pharmacy MA McKesson Pharmacy Systems LLC 11440 11440 6/3/2010 Loss Other Portable Electronic Device 8/18/2010 6/3/2010
Carolina Center for Development and Rehabilitation NC 1590 1590 6/24/2010 Loss Paper 8/18/2010 6/24/2010 The covered entity inadvertently sent 23 boxes containing protected health information to a recycling center. These boxes contained the names, addresses, Social Security numbers, insurance identification numbers, clinical information, and credit/debit card numbers of 1,590 individuals. Following the breach, the covered entity reviewed its policies and procedures, suspended several employees, and set up credit monitoring for those individuals affected. As a result of OCRís investigation, the covered entity placed a record into its accounting of disclosure log for each member impacted, terminated the suspended employees, revised its policies and procedures, and retrained staff.
Humana Inc. KY Matrix Imaging 2631 2631 6/25/2010 Unauthorized Access/Disclosure Paper 8/18/2010 6/25/2010 The covered entityís business associate, Matrix Imaging, which was contracted to send out coverage determination letters to Humana customers, sent the letters to incorrect addresses. Approximately 2,631 individuals were affected by the coverage determination letters being misrouted. Following the breach, the covered entity reprinted all erroneous coverage determination letters with an apology notice; implemented a process for the business associate to increase the timing for the quality assurance process to identify and suppress bad addresses; implemented additional manual quality controls and verification after the enveloping process with the business associate; and among other things, established an identification code printed on each letter that links the Member Address file to the actual printed letter. As a result of OCRís investigation, the covered entity placed a record into its accounting of disclosure records for each member impacted, and the accounting records for all 2,631 individuals have been updated to reflect the disclosures.
UNCG Speech and Hearing Center NC 2300 2300 6/10/2010 Hacking/IT Incident Computer 8/20/2010 6/10/2010
Loma Linda University School of Dentistry CA 10100 10100 6/13/2010 Theft Computer 8/20/2010 6/13/2010
Ward A. Morris, DDS WA 2698 2698 7/16/2010 Theft Computer 8/20/2010 7/16/2010 A computer server containing the electronic protected health information of 2,698 patients was stolen during an office burglary. The server was password-protected but not encrypted. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, and medical information. Following the breach, the covered entity encrypted all protected health information on workstations and servers. Additionally, OCRís investigation resulted in the covered entity improving their physical safeguards and retraining employees.
Aultman Hospital OH 13867 13867 6/7/2010 Theft Laptop 8/20/2010 6/7/2010
Penn Treaty Network America Insurance Company PA 560 560 6/4/2010 Unauthorized Access/Disclosure Other 8/20/2010 6/4/2010 Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that the all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures.
St. John's Mercy Medical Group MO 1907 1907 6/6/2010 Improper Disposal Paper 8/20/2010 6/6/2010 Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements.
Idaho Power Group Health Plan ID Mercer Health & Benefits 5500 5500 3/29/2010 Loss Other 8/20/2010 3/29/2010 Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer.
Yale University CT 1000 1000 7/28/2010 Theft Laptop 8/20/2010 7/28/2010
Baylor College of Medicine/Texas Children's Hospital TX 694 694 5/13/2010 Theft Laptop 9/1/2010 5/13/2010
Cook County Health & Hospitals System IL 7081 7081 5/30/2010 Theft Laptop 9/1/2010 5/30/2010 An employeeís laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again.
University of Kentucky KY 2027 2027 6/18/2010 Theft Laptop 9/1/2010 6/18/2010
Chattanooga Family Practice Associates, PC TN 1711 1711 7/15/2010 Loss Other Portable Electronic Device 9/1/2010 7/15/2010
Holyoke Medical Center MA 24750 24750 7/26/2010 Improper Disposal Paper 9/1/2010 7/26/2010
Eastmoreland Surgical Clinic OR 4328 4328 7/5/2010 Theft Laptop, Computer, Other Portable Electronic Device 9/1/2010 7/5/2010 Three Computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCRís investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols.
Saint Barnabas Medical Center NJ KPMG LLP 3630 3630 5/10/2010 Loss Other Portable Electronic Device 9/10/2010 5/10/2010
Newark Beth Israel Medical Center NJ KPMG LLP 956 956 5/10/2010 Loss Other Portable Electronic Device 9/10/2010 5/10/2010
NYU School of Medicine Aging and Dementia Clinical Research Center NY 1200 1200 4/3/2010 Loss Other Portable Electronic Device 9/10/2010 4/3/2010
SunBridge Healthcare Corporation NM 1000 1000 6/26/2010 Theft Other Portable Electronic Device 9/10/2010 6/26/2010
LabCorp Patient Service Center NV 507 507 8/2/2010 Theft Paper 9/20/2010 8/2/2010
The Kent Center RI 1361 1361 7/13/2010 Theft Paper 9/20/2010 7/13/2010 Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity sanctioned the employee involved, revised its confidentiality policy related to safeguarding client lists, and re-trained its employees. Additionally, OCRís investigation resulted in the covered entity revising and updating its Breach Notification policies and reinforcing the requirements of the Privacy and Breach Rules to its employees.
Mayo Clinic MN 1740 1740 7/15/2010 Unauthorized Access/Disclosure Electronic Medical Record 9/20/2010 7/15/2010 Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions
Curtis R. Bryan, MD VA 2739 2739 7/12/2010 Theft Laptop 9/20/2010 7/12/2010
State of Delaware Health Plan DE Aon Consulting 22642 22642 8/16/2010 Unauthorized Access/Disclosure Network Server 9/20/2010 8/16/2010 The business associate prepared a document as part of a request for proposal for the covered entityís vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future.
Pediatric and Adult Allergy, PC IA 19222 19222 7/11/2010 Loss Other Portable Electronic Device 9/20/2010 7/11/2010
University of Rochester Medical Center and Affiliates NY 857 857 8/2/2010 Loss Other Portable Electronic Device 9/21/2010 8/2/2010
Ault Chiropractic Center IN 2000 2000 9/15/2010 Theft Laptop, Computer 9/21/2010 9/15/2010
Matthew H. Conrad, MD, PA KS 1200 1200 8/20/2010 Theft Laptop, Paper 10/1/2010 8/20/2010
Milford Regional Medical Center MA 19750 19750 7/26/2010 Improper Disposal Paper 10/1/2010 7/26/2010
St. James Hospital and Health Centers IL 967 967 8/10/2010 Improper Disposal Paper 10/1/2010 8/10/2010
St. Vincent Hospital and Health Care Center, Inc. IN 1199 1199 7/25/2010 Theft Laptop 10/1/2010 7/25/2010
University of Oklahoma-Tulsa, Neurology Clinic OK 19264 19264 7/25/2010 Hacking/IT Incident Computer 10/1/2010 7/25/2010
County of Los Angeles CA 33000 33000 7/29/2010 Theft Paper 10/1/2010 7/29/2010
Counseling and Psychotherapy of Throggs Neck NY 9000 9000 9/6/2010 Theft Computer 10/1/2010 9/6/2010
New York Presbyterian Hospital and Columbia University Medical Center NY 6800 6800 7/1/2010 Hacking/IT Incident Network Server 10/1/2010 7/1/2010
State of Alaska, Department of Health and Social Services AK Alaskan AIDS Assistance Association 2000 2000 9/7/2010 Theft Other Portable Electronic Device 10/1/2010 9/7/2010
Milton Pathology Associates, P.C. MA Goldthwait Associates 11000 11000 7/26/2010 Improper Disposal Paper 10/5/2010 7/26/2010
Lorenzo Brown, MD, Inc. CA 928 928 8/17/2010 Theft Computer 10/7/2010 8/17/2010
Wright Patterson Air Force Base OH 2123 2123 7/29/2010 Improper Disposal Paper 10/7/2010 7/29/2010
UnitedHealth Group--SACE MN CareCore National 1270 1270 7/8/2010 Unauthorized Access/Disclosure Paper 10/7/2010 7/8/2010
Alliance HealthCare Services, Inc. CA Eden Medical Center 1474 1474 8/5/2010 Loss Other Portable Electronic Device 10/7/2010 8/5/2010 Two USB storage devices containing ePHI of 1,474 individuals was lost. The USB storage devices contained 1,474 individualsí ePHI.The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices.
Alliance HealthCare Services, Inc. CA Oroville Hospital 1469 1469 7/31/2010 Loss Other Portable Electronic Device 10/7/2010 7/31/2010 Two USB storage devices containing ePHI of 1,469 individuals was lost. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices.
Utah Department of Health UT Utah Department of Workforce Services 1298 1298 3/1/2010 Unauthorized Access/Disclosure Computer, Paper 10/18/2010 3/1/2010
Cumberland Gastroenterology, P.S.C. KY 2207 2207 9/18/2010 Theft Paper 10/18/2010 9/18/2010 Following the breach, the covered entity took the following voluntary action: the local police department was contacted and a police report was filed; inventory was taken and reports were generated to get an accounting of patients who were affected by the storage break-in and the subsequent missing reports; individual notices to the affected individuals were sent; a press release was issued to the media; the entity implemented more physical security; and implemented action policy to expedite conversion to electronic medical records. As a result of OCRís investigation Cumberland Gastroenterology, P.S.C. reported taking the following additional steps: the covered entity now contracts with a shredding company to shred all documents containing PHI, and it has a valid Business Associate contract in place with this shredding company; the entity provided further written assurance that it is working with its current software provider to expedite transition to their Intergy Electronic Health Record; the entity provided further written assurance that it re-educated its workforce members on the revised policies and procedures with respect to storage and handling of PHI; and the entity placed an accounting of disclosures of protected health information in each of the affected individualsí medical records.
LoneStar Audiology Group TX 585 585 8/11/2010 Theft Laptop 10/18/2010 8/11/2010 A laptop was stolen from a workforce memberís home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCRís investigation, the encryption of the laptops was completed.
WESTMED Medical Group NY 578 578 8/17/2010 Theft Laptop 10/18/2010 8/17/2010
Johns Hopkins University Applied Physics Laboratory Medical and Dental Insurance Plan MD 692 692 6/15/2010 Unauthorized Access/Disclosure Email 10/19/2010 6/15/2010 Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. Following OCRís investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training.
SW Seattle Orthopaedic and Sports Medicine WA 9493 9493 9/4/2010 Hacking/IT Incident Network Server 10/28/2010 9/4/2010 A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCRís investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting.
University of Arkansas for Medical Sciences AR 1000 1000 10/12/2010 Theft Other Portable Electronic Device 10/28/2010 10/12/2010
Keystone/AmeriHealth Mercy Health Plans PA 808 808 9/20/2010 Loss Other Portable Electronic Device 10/28/2010 9/20/2010
Debra C. Duffy, DDS TX 4700 4700 8/5/2010 Theft Laptop, Network Server 11/10/2010 8/5/2010 An unencrypted laptop and network server were stolen during a burglary of the office.The breach affected approximately 4700 individuals.The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driverís license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff.
Northridge Hospital Medical Center CA 837 837 10/16/2010 Loss Paper 11/10/2010 10/16/2010 The entity mailed documents containing protected health information via Fed Ex and was later informed that the documents did not arrive at the desired destination. The entity conducted an investigation to determine the root cause of the breach; provided OCR with evidence that it had made significant efforts to contact the individuals reasonably believed to have been affected by the breach; and submitted its privacy procedures relevant to this investigation. The entity also took assertive action to prevent a future recurrence by modifying its standard procedures that require paper record submission and instead to accept a secure electronic transmission of all future documents containing PHI. Now all such records are sent only via secure electronic delivery.
Aetna, Inc. CT 2345 2345 9/9/2010 Unauthorized Access/Disclosure Network Server 11/10/2010 9/9/2010 Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetnaís emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident.
Manor Care of Indy (South), LLC IN 845 845 9/11/2010 Unauthorized Access/Disclosure Paper 11/19/2010 9/11/2010
Sta-Home Health & Hospice MS 1104 1104 9/16/2010 Theft Computer 11/19/2010 9/16/2010
VNA of Southeasten CT CT 12000 12000 9/30/2010 Theft Laptop 11/19/2010 9/30/2010
Henry Ford Hospital MI 3700 3700 9/24/2010 Theft Laptop 11/19/2010 9/24/2010
Puerto Rico Department of Health PR Triple-S Management, Corp.; Triple-S Salud, Inc. 400000 400000 9/21/2010 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 11/19/2010 9/21/2010
Prime Home Care, LLC NE 1716 1716 9/13/2010 Theft Computer 12/2/2010 9/13/2010
Robert Wheatley, DDS, PC MO 1400 1400 10/17/2010 Theft Laptop 12/2/2010 10/17/2010
Puerto Rico Department of Health PR Medical Card System/MCS-HMO/MCS Advantage/MCS Life 115000 115000 9/3/2010 Unauthorized Access/Disclosure Other Portable Electronic Device 12/2/2010 9/3/2010
Holy Cross Hospital FL 1500 1500 7/27/2010 Theft Paper 12/2/2010 7/27/2010
Memorial Hospital of Gardena CA 771 771 10/14/2010 Unauthorized Access/Disclosure Paper 12/10/2010 10/14/2010
Albert Einstein Healthcare Network PA 613 613 10/21/2010 Theft Computer 12/10/2010 10/21/2010
Oklahoma City VA Medical Center OK 1950 1950 10/8/2010 Theft, Loss, Improper Disposal Paper 12/10/2010 10/8/2010
Kings County Hospital Center NY 542 542 8/22/2010 Theft Computer 12/10/2010 8/22/2010
Triple-S Salud, Inc. PR Triple-C, Inc. 8000 8000 10/3/2010 Theft, Unauthorized Access/Disclosure Network Server 12/10/2010 10/3/2010
Triple-S Salud, Inc. PR Triple-C, Inc. 398000 398000 9/9/2010 Theft Network Server 12/10/2010 9/9/2010
Newark Beth Israel Medical Center NJ Professional Transcription Company, Inc. 1744 1744 1/1/2010 Unauthorized Access/Disclosure Network Server 12/10/2010 1/1/2010
University of Tennessee Medical Center TN 8200 8200 9/23/2009 Improper Disposal Paper 12/10/2010 9/23/2009 Following the breach, UTMC placed a shredding container in its Computer Services department to dispose of all paper documents with patient sensitive information. As a result of OCRís investigation, UTMC reported taking the following corrective actions: UTMC provided OCR with a copy of its ìRisk of Harmî analysis, which documented UTMCís steps in determining whether a breach in unsecured PHI occurred as reported in its breach report; it provided OCR with a copy of its sanctions policy, and a description of the sanctions imposed against the Computer Services Operation Center Supervisor, which included a cited violation of ìfailure to monitor work activity in area and appropriately supervise employees to ensure proper disposal of report containing PHI,î and the sanctions imposed were a written reprimand in the workforce memberís personnel file, and suspension for three (3) days without pay (OCR notes that UTMC applied the appropriate sanctions for this type of offense and/or violation); and UTMC implemented a corrective action plan to prevent future occurrences of the same nature..
Ochsner Health System LA H.E.L.P. Financial Corporation 9475 9475 9/27/2010 Unauthorized Access/Disclosure Paper 12/10/2010 9/27/2010 A programming error in a business associateís IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals.The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media.
Mountain Vista Medical Center AZ 2284 2284 10/13/2010 Loss Other Portable Electronic Device 12/22/2010 10/13/2010
Zarzamora Family Dental Care TX 800 800 10/15/2010 Theft Computer 12/22/2010 10/15/2010
Hospital Auxilio Mutuo PR 1000 1000 11/9/2010 Theft, Unauthorized Access/Disclosure, Hacking/IT Incident Laptop, Computer 12/22/2010 11/9/2010
Cook County Health & Hospitals System IL 556 556 11/1/2010 Theft Computer 12/22/2010 11/1/2010
Dean Health Systems, Inc.; St. Mary's Hospital; St. Mary's Dean Ventures, Inc. WI 3288 3288 11/8/2010 Theft Laptop 12/22/2010 11/8/2010
Pinnacle Health System PA Gair Medical Transcription Services, Inc. 1085 1085 9/23/2009 Unauthorized Access/Disclosure Network Server 1/4/2011 9/23/2009 Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found that that all traces of breached medical reports were removed from online and inaccessible in the future.
Gary C. Spinks, DMD, PC MD 1000 1000 9/29/2010 Hacking/IT Incident Computer, Network Server 1/4/2011 9/29/2010
Riverside Mercy Hospital and Ohio/Mercy Diagnostics OH 1000 1000 11/15/2010 Improper Disposal Paper 1/4/2011 11/15/2010
California Therapy Solutions CA 1226 1226 11/15/2010 Theft Other Portable Electronic Device 11/15/2010
Blue Cross Blue Shield Michigan MI Agent Benefits Corporation 2979 2979 11/17/2010 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 11/17/2010
Indiana Family and Social Services IN The Southwestern Indiana Regional Council on Aging 757 757 11/9/2010 Theft Laptop 11/9/2010
OhioHealth Corporation dba Grant Medical Center OH 501 501 11/5/2010 Theft Laptop, Computer 11/5/2010
Osceola Medical Center WI Hils Transcription 500 500 11/25/2010 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 11/25/2010
Mankato Clinic MN 3159 3159 11/2/2010 Theft Laptop 11/2/2010
International Union of Operating Engineers Health and Welfare Fund MD Zenith Administrators, Inc, 800 800 11/3/2010 Theft Paper 11/3/2010
Geisinger Wyoming Valley Medical Center PA 2928 2928 11/6/2010 Unauthorized Access/Disclosure Email 11/6/2010
Centra VA 11982 11982 11/12/2010 Theft Laptop 11/12/2010
Kadlec Regional Medical Center WA 834 834 11/11/2010 Unauthorized Access/Disclosure, Hacking/IT incident Network Server 11/11/2010
Ankle & foot Center of Tampa Bay, Inc. FL 156000 156000 11/10/2010 Hacking/IT Incident Network Server 11/10/2010
Southern Perioperative Services, P.C. AL 2000 2000 11/17/2010 Theft Other Portable Electronic Device 11/17/2010
Friendship Center Dental Office FL 2200 2200 12/20/2010 Theft Laptop 12/20/2010
Texas Health Harris Methodist Hospital Azle TX 9922 9922 4/22/2010 Theft, Loss Other Portable Electronic Device 4/22/2010
Seacoast Radiology, PA NH 231400 231400 11/12/2010 Hacking/IT Incident Network Server 11/12/2010
Fransiscan Medical Group WA 1250 1250 11/18/2010 Theft Computer 11/18/2010
St. Vincent Hospital - Indianapolis IN 1848 1848 11/15/2010 Hacking/IT Incident Network Server/Email 11/15/2010
Benefit Resources, Inc. SC 16200 16200 11/22/2010 Loss Other Portable Electronic Device 11/22/2010
Baylor Heart and Vascular Center TX 8241 8241 12/2/2010 Theft Other Portable Electronic Device 12/2/2010
Grays Harbor Pediatrics, PLLC WA 12,594 12594 11/23/2010 Theft Other Portable Electronic Device 11/23/2010
Baptist Memorial Hospital - Huntingdon TN 4800 4800 11/27/2010 Loss Other 11/27/2010
State of South Carolina Budge and Control Board Employee Insurance Program (EIP) SC 5596 5596 11/18/2010 Hacking/IT Incident Computer 11/18/2010
Hanger Prosthetics & Orthotics, Inc. TX 4486 4486 11/24/2010 Theft Laptop 11/24/2010 An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use.
Lake Woods Nursing and Rehabilitation Center MI 656 656 12/28/2010 Theft Laptop, Computer 12/28/2010
New York City Health & Hospitals Corporation's North Bronx Healthcare Network NY GRM Information Management Systems 1700000 1700000 12/23/2010 Theft Electronic Medical Record, Other 12/23/2010
University of Nebraska Medical Center NE 611 611 11/22/2010 Theft Computer 11/22/2010
Saint Louis University MO 800 800 12/11/2010 Hacking/IT Incident Computer 12/11/2010
CHC Memphis CMHC, LLC TN 900 900 12/4/2010 Theft Computer 12/4/2010
Green River District Health Department KY Intragenetics 18,871 18871 1/12/2011 Hacking/IT Incident Network Server 1/12/2011
Cancer Care Northwest P.S. WA 3100 3100 1/7/2011 Loss Paper 1/7/2011
Ortho Montana, PSC MT 37000 37000 12/17/2010 Theft/Loss Laptop 12/17/2010
Long Beach Memorial Medical Center CA 2250 2250 12/10/2010 Unauthorized Access/Disclosure Other 12/10/2010
Jefferson Center for Mental Health CO 546 546 12/13/2010 Theft Paper 12/13/2010
Health Net, Inc. CA IBM 1900000 1900000 1/21/2011 Unknown Other 1/21/2011
Clarksburg--Louis A. Johnson VA Medical Center WV 1470 1470 10/26/2010 Unauthorized Access/Disclosure Paper 10/26/2010 An employee of the VA left a file containing the protected health information of 1,470 patients in a government owned vehicle. The information included appointment sheets listing names, social security numbers and medical information specific to the upcoming appointment. The employee received disciplinary action, and staff received retraining in policies and procedures for safeguarding PHI .
University Health Services, University of Massachusetts, Amherst MA 942 942 9/29/2010 Unauthorized Access/Disclosure Computer 9/29/2010
University of Missouri Health Plan MO Coventry Health Care, Inc. 765 765 1/10/2011 Unauthorized Access/Disclosure Paper 1/10/2011
Puerto Rico Department of Health PR 2621 2621 3/14/2010 Unknown Computer 3/14/2010
Henry Ford Hospital MI 2777 2777 1/31/2011 Loss Other Portable Electronic Device 1/31/2011
Charleston Area Medical Center, Inc WV Xforia Web Services 3655 3655 2/8/2011 Unauthorized Access/Disclosure Network Server 2/8/2011
JEFFREY J. SMITH, MD OK 600 600 11/24/2010 Loss Computer/Other Portable Electronic Device 11/24/2010
Texas Health Arlington Memorial Hospital TX 654 654 12/23/2010 Unknown Electronic Medical Record 12/23/2010 The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees.
Blue Cross and Blue Shield of Florida FL 7366 7366 10/16/2010 Unauthorized Access/Disclosure Paper 10/16/2010
Central Brooklyn Medical Group, PC/Preferred Health Partners NY 500 500 8/3/2010 Theft Paper 8/3/2010
Eisenhower Medical Center CA 514330 514330 3/11/2011 Theft Computer 3/11/2011
Omnicare, Inc. KY 8845 8845 1/19/2011 Theft Laptop 1/19/2011
County of Los Angeles CA 667 667 2/23/2011 Theft Laptop 2/23/2011
Brian J Daniels D.D.S.,Paul R Daniels D.D.S. AZ 10000 10000 3/1/2011 Theft Other Portable Electronic Device 3/1/2011
MidState Medical Center CT 93500 93500 2/14/2011 Loss Other 2/14/2011
Catholic Social Services AK Trisha Elaine Cordova 1700 1700 2/1/2011 Theft Laptop 2/1/2011 A personal laptop computer was stolen from a contractorís vehicle. The laptop computer contained approximately 493 adoption home studies/ the protected health information of 1700 individuals. The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driverís license numbers, and health information; 20% of the files contained social security numbers. The covered entity did not have a business associate contract with the contractor at the time of the breach. OCRís investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity.
Rape & Brooks Orthodontics, P.C. AL 20744 20744 2/3/2011 Theft Computer/Network Server/Other Portable Electronic Device 2/3/2011
NYU School of Medicine Faculty Group Practice NY 670 670 1/27/2011 Theft Computer 1/27/2011
Park Avenue Obstetrics & Gynecology, PC AZ 635 635 3/25/2011 Theft Other Portable Electronic Device 3/25/2011
SW General Inc. AZ 566 566 2/16/2011 Theft Paper 2/16/2011
Union Security Insurance Company MO 935 935 2/18/2011 Unauthorized Access/Disclosure Other 2/18/2011
Aiken Community Based Outpatient Clinic SC 2717 2717 2/16/2011 Improper Disposal Paper 2/16/2011
Community Action Partnership of Natrona County WY 15000 15000 2/23/2011 Hacking/IT Incident Computer 2/23/2011
TRICARE Management Activity CO 4500 4500 6/25/2010 Unauthorized Access/Disclosure Paper 6/25/2010
Reid Hospital & Health Care Services IN 22001 22001 4/2/2011 Theft Laptop 4/2/2011
Drs. Edalji & Komer MA 563 563 4/12/2011 Theft Laptop 4/12/2011
Methodist Charlton Medical Center TX 1500 1500 4/16/2011 Theft Laptop 4/16/2011 An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards.
Keith & Fisher, DDS, PA NC 6000 6000 2/16/2011 Hacking/IT Incident Network Server 2/16/2011
Indiana Regional Medical Center PA 1388 1388 9/28/2010 Theft Paper 9/28/2010
MMM Healthcare, Inc. PR 29,143 29143 3/8/2011 Theft Computer 3/8/2011
PMC Medicare Choice PR 22,568 22568 3/8/2011 Theft Computer 3/8/2011
Union Security Insurance Company MO 850 850 3/24/2011 Unauthorized Access/Disclosure Other 3/24/2011
New York State Department of Health NY St. Mary's Hospital for Children 550 550 4/17/2011 Theft Paper 4/17/2011
Imaging Center of Garland TX 1031 1031 3/15/2011 Improper Disposal Other (X-ray films) 3/15/2011
Center for Arthritis and Rheumatic Diseases FL 8000 8000 2/25/2011 Theft Paper 2/25/2011
Robert B. Neves, M.D., Inc. CA 611 611 5/8/2011 Theft Laptop 5/8/2011
Robert B. Miller, MD CA 620 620 4/1/2011 Theft Laptop 4/1/2011
VA Caribbean Healthcare System PR 6006 6006 3/30/2011 Improper Disposal Paper 3/30/2011
Medicare Fee-for-Service Program MD Cahaba Government Benefit Administrators, LLC 13,412 13412 4/11/2011 Unauthorized Access/Disclosure Paper 4/11/2011
Spartanburg Regional Healthcare System SC 400,000 400000 3/28/2011 Theft Computer 3/28/2011
Tuba City Regional Health Care Corporation AZ 2,000 2000 4/1/2011 Loss/Improper Disposal Paper 4/1/2011
Navos WA 2,700 2700 3/15/2011 Unknown Paper 3/15/2011
New River Health Association WV 950 950 4/1/2011 Unauthorized Access/Disclosure Paper 4/1/2011
Foothills Nephrology, PC SC 1,280 1280 4/28/2011 Theft Other Portable Electronic Device 4/28/2011
Silverpop Systems, Inc. Health and Welfare Plan GA 884 884 4/15/2011 Theft Laptop 4/15/2011
Gene S. J. Liaw, MD. PS WA 1,105 1105 4/4/2011 Loss Other Portable Electronic Device 4/4/2011 An unencrypted USB drive used to store patient information could not be found in the office. The device contained data for 1,105 patients, including names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and Social Security numbers. To prevent such a loss in the future, the entity replaced the missing drive with encryption-capable USB drives; put in place secure, locked storage facilities for its mobile devices; implemented policies preventing removal of such devices from the office; and provided individual notice to each of the affected patients.
HealthCare Partners CA 15,677 15677 4/17/2011 Theft Computers 4/17/2011
Sutter Gould Medical Foundation (SGMF) CA Fidelity National Technology Imaging (FNTI) 1,192 1192 5/23/2011 Loss Paper 5/23/2011
University of Missouri Health Care MO 1,288 1288 6/14/2011 Uknown Paper 6/14/2011
Blue Cross and Blue Shield of Florida FL 3,463 3463 4/11/2011 Unauthorized Access/Disclosure Paper 4/11/2011
Accendo AZ 175,350 175350 1/1/2011 Unauthorized Access/Disclosure Paper 1/1/2011
Health Plan of San Mateo CA 694 694 4/25/2011 Unauthorized Access/Disclosure Paper 4/25/2011
Ohio Health Plans OH Area Agency on Aging, Ohio District 5 78,042 78042 6/3/2011 Theft Laptop 6/3/2011
The Mount Sinai Hospital NY 712 712 6/7/2011 Theft Laptop 6/7/2011
Beth Israel Deaconess Medical Center MA 2,021 2021 4/17/2011 Hacking/IT Incident Network Server 4/17/2011
Jackson Health System FL 1,562 1562 10/1/2009 Unauthorized Access/Disclosure Electronic Medical Record 10/1/2009
Troy Regional Medical Center AL 880 880 3/22/2011 Unauthorized Access/Disclosure Paper 3/22/2011
Austin Center for Therapy and Assessment, LLC TX 1,870 1870 7/8/2011 Theft Laptop 7/8/2011
DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale GA 7,500 7500 7/11/2010 Theft Paper 7/11/2010
Anderson Air Force Base Guam VA 700 700 5/13/2011 Improper Disposal Paper 5/13/2011 The protected health information for 700 individuals was mistakenly disposed of in a recycle bin and subsequently bundled, shredded. The information included patients' medical history, immunization records and appointment schedules. Despite evidence that there was no risk of disclosure the covered entity notified all affected individuals. All staff received retraining on safeguards of PHI and proper disposal of PHI.
Molina Medicare CA RxAmerica 4,573 4573 1/1/2011 Unauthorized Access/Disclosure Paper 1/1/2011
Mills-Peninsula Health Services CA 1,438 1438 11/1/2009 Unauthorized Access/Disclosure Paper 11/1/2009
Brigham and Women's Hospital and Faulkner Hospital MA 638 638 6/21/2011 Loss Other Portable Electronic Device 6/21/2011
Treatment Services Northwest OR 1,200 1200 7/29/2011 Theft Computer 7/29/2011
Washington State Department of Social and Health Services WA 3,950 3950 7/1/2011 Unauthorized Access/Disclosure Paper 7/1/2011
Gail Gillespie and Associates, LLC TX 2,334 2334 6/25/2011 Theft Laptop, Computer, Network Server 6/25/2011
Clara Maass Medical Center ††††††††††††††††††† NJ Med Assets 8,795 8795 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Community Medical Center†††††††††††††††††††† NJ Med Assets 6,950 6950 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Kimball Medical Center †† ††††††††††††††††††††††† NJ Med Assets 6,785 6785 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Monmouth Medical Center ††††††††† ††††††††††† NJ Med Assets 6,443 6443 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Newark Beth Israel Medical Center ††††††† NJ Med Assets 15,015 15015 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Saint Barnabas Medical Center †††††††††††††† NJ Med Assets 6,179 6179 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Capron Rescue Squad District IL 815 815 2/5/2011 Unauthorized Access/Disclosure Laptop 2/5/2011
Health Care Service Corporation IL 501 501 6/28/2011 Theft Paper 6/28/2011
Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan IN AssureCare Risk Management, Inc. 506 506 8/9/2011 Hacking/IT Incident Network Server 8/9/2011
Indiana University IN 3,266 3266 8/16/2011 Theft Laptop 8/16/2011
Cook County Health & Hospitals System IL Med Assets 32,008 32008 6/24/2011 Theft Other Portable Electronic Device 6/24/2011
Yanez Dental Corporation CA 10,190 10190 5/22/2011 Theft Computer, Network Server 5/22/2011
Stanford Hospital & Clinics CA Multi-Speciality Collection Services, LLC 19,651 19651 9/9/2010 Unauthorized Access/Disclosure Other 9/9/2010
NYU Hospital for Joint Diseases Inventory Management Department NY 2,600 2600 6/23/2011 Improper Disposal Paper 6/23/2011
VA Gulf Coast Veterans Health Care System MS 1,797 1797 7/21/2011 Unautorized Access/Disclosure Paper 7/21/2011
Diversified Resources, Inc. GA 863 863 8/11/2011 Theft Laptop 8/11/2011
Health Research Institute, Inc., Pfeiifer Treatment Center IL 2,000 2000 7/1/2011 Theft Computer, Network Server 7/1/2011
University of Wisconsin Oshkosh WI Living Healthy Community Clinic 3,000 3000 7/18/2011 Hacking/IT Incident Computer, 7/18/2011
North Memorial MN Accretive Health, Inc 2,800 2800 7/25/2011 Theft Laptop 7/25/2011
Fairview Health Services MN Accretive Health, Inc 14,000 14000 7/25/2011 Theft Laptop 7/25/2011
VA Illiana Health Care System IL 518 518 7/14/2011 Loss Paper 7/14/2011
Indiana University School of Optometry IN 757 757 8/12/2011 Unauthorized Access/Disclosure Network Server 8/12/2011 The security configuration of its server was changed and this resulted in a doctorís letters and reports being accessible over the Internet from 8/12 to 9/9/11.The information accessible contained the protected health information (PHI) of 757 individuals.The PHI appearing on the Internet included patient names, birth dates, medical history, diagnoses, and treatment plans. It identified and blocked the internet protocol (IP) address that was allowing access to IUSOís ePHI over the Internet, and removed the web portal that was facilitating access and restored the teacher server to its previous security configuration.Systems that allow and or transmit ePHI are now monitored and reported to the Privacy Officer for privacy and security assurance.
Jonathan Noel MD IN 2,059 2059 7/13/2011 Theft Other Portable Electronic Device 7/13/2011
Maryville Academy IL 3,897 3897 1/25/2011 Unknown Other Portable Electronic Device 1/25/2011
Freda J. Bowman MD PA TX 1,300 1300 8/8/2011 Unauthorized Access/Disclsoure, Hacking/IT Incident Network Server 8/8/2011
NEA Baptist Clinic AR 3,116 3116 7/12/2011 Hacking/IT Incident Network Server 7/12/2011
Texas Health and Human Services Commission TX 1,696 1696 3/10/2011 Theft Laptop 3/10/2011 An unencrypted laptop was stolen from an employeeís vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CEís policy and sanctioned three involved employees.
The Neurological Institute of Savannah & Center of Spine GA 63,425 63425 7/2/2011 Theft Other Portable Electronic Device 7/2/2011
Gypsum Management and Supply, Inc. Medical and Dental Plan GA AssureCare Risk Management, Inc. 25,330 25330 5/9/2011 Unauthorized Access/Disclosure Network Server 5/9/2011
Texas Health Presbtyerian Hospital Flower Mound TX Texas Health Partners 10,345 10345 6/21/2011 Theft Laptop 6/21/2011
Muir Orthopaedic Specialists, A Medical Group Inc. CA 1,800 1800 7/27/2011 Theft Paper 7/27/2011
Windsor Health Plan TN RxAmerica 1,378 1378 3/1/2011 Unauthorized Access/Disclosure Paper 3/1/2011
Knox Community Hospital OH 500 500 10/1/2010 Improper Disposal Other (X-ray film) 10/1/2010
Fairview Health Services MN 1,215 1215 2/19/2011 Loss Paper 2/19/2011
Centro de Ortodancia PR 2,000 2000 5/6/2010 Unauthorized Access/Disclosure Paper 5/6/2010
Lexington VAMC KY 1,432 1432 5/23/2011 Unauthorized Access/Disclosure Laptop, Other Portable Electronic Device, Paper 5/23/2011
Henry Ford Health System MI 520 520 8/8/2011 Theft Computer 8/8/2011
Adult & Pediatric Dermatology, PC MA 2,200 2200 9/14/2011 Theft Other Portable Electronic Device 9/14/2011
Mutual of Omaha Insurance Company NE Futurity First Insurance Group 705 705 7/28/2011 Theft Other Portable Electronic Device 7/28/2011
United of Omaha Life Insurance Company NE Futurity First Insurance Group 1,631 1631 7/28/2011 Loss Other Portable Electronic Device 7/28/2011
United Health Group Health Plan MN Futurity First Insurance Group 3,994 3994 7/28/2011 Theft Other Portable Electronic Device 7/28/2011
InStep Foot Clinic, P.A. MN 2,600 2600 8/28/2011 Theft Laptop, Electronic Medical Record 8/28/2011
Summit Medical Group, PLLC TN 731 731 9/4/2011 Theft Paper 11/4/2011 9/4/2011
American Continental Insurance Company TN Futurity First Insurance Group 690 690 7/28/2011 Theft Other Portable Electronic Device 11/4/2011 7/28/2011
TRICARE Management Activity (TMA) VA Science Application International Corporation (SAI) 4,901,432 4901432 9/13/2011 Loss Other (Backup Tapes) 11/4/2011 9/13/2011
Thomas Jefferson University Hospitals, Inc. PA 3,150 3150 9/5/2011 Theft Other (x-ray films) 11/4/2011 9/5/2011
The Nemours Foundation FL 1,055,489 1055489 8/10/2011 Loss Other (Backup Tapes) 11/4/2011 8/10/2011
Florida Hospital FL 12,784 12784 8/10/2011 Unauthorized Access/Disclosure Electronic Medical Record 11/4/2011 8/10/2011
Amerigroup Community Care of New Mexico, Inc NM 1,537 1537 7/15/2011 Theft Paper 11/18/2011 7/15/2011
Stone Oak Urgent Care & Family Practice TX 3,079 3079 10/23/2011 Theft/Loss Computer 11/18/2011 10/23/2011
Concordia Plan Services†(CPS) MO HITS Scanning Solutions, Inc. 7,059 7059 3/17/2011 Loss Other 11/18/2011 3/17/2011
Conway Regional Medical Center AR 1,472 1472 8/24/2011 Loss Other (CDs) 11/18/2011 8/24/2011
Morris Heights Health Center NY 927 927 8/27/2011 Theft Laptop 11/18/2011 8/27/2011
Premier Imaging NC 551 551 9/14/2011 Unauthorized Access/Disclosure Paper 11/18/2011 9/14/2011 A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driverís license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals.
UCLA Health System CA 2,761 2761 9/7/2011 Theft Other Portable Electronic Device 11/18/2011 9/7/2011
Julie A. Kennedy, D.M.D., P.A. FL 2,900 2900 9/30/2011 Theft Network Server 11/18/2011 9/30/2011
Medcenter One ND 650 650 10/21/2011 Theft Laptop 12/8/2011 10/21/2011
Lankenau Medical Center PA 500 500 9/6/2011 Theft Other (X-ray film) 12/8/2011 9/6/2011
Good Samaritan Hospital MD 1,500 1500 9/9/2011 Theft Other (X-ray film) 12/8/2011 9/9/2011
Sutter Medical Foundation CA 943,434 943434 10/15/2011 Theft Computer 12/8/2011 10/15/2011
Logan County Emergeny Ambulance Service Authority WV 12,563 12563 10/1/2011 Theft/Loss Laptop 12/8/2011 10/1/2011
Dallas County Hospital District dba Parkland Health & Hospital System TX 2,464 2464 9/5/2011 Unauthorized Access/Disclosure Electronic Medical Record/Paper 12/8/2011 9/5/2011
KCI USA, Inc. TX 567 567 9/8/2011 Theft Other Portable Electronic Device 12/8/2011 9/8/2011
Lebanon Internal Medicine Associates PA 55,000 55000 9/10/2011 Improper Disposal Network Server 12/8/2011 9/10/2011
Rite Aid Corporation PA 2,900 2900 10/7/2011 Other Paper 1/10/2012 10/7/2011
University of Kentucky UK HealthCare KY 878 878 9/25/2011 Loss Other Portable Electronic Device 1/10/2012 9/25/2011
State of Tennessee Sponsored Group Health Plan TN 1,770 1770 10/6/2011 Unauthorized Access/Disclosure Paper 1/10/2012 10/6/2011 An equipment operator at the stateís postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE provided reviewed its policies and procedures to ensure adequate safeguards are in place.
Advanced Occupational Medicine Specialists IL Blue Vantage Group 7,226 7226 10/12/2011 Unauthorized Access/Disclosure Network Server 1/10/2012 10/12/2011
Open MRI of Chicago IL Nation Wise Machine Buyers 2,000 2000 9/6/2011 Improper Disposal Paper 1/10/2012 9/6/2011
Roberts S. Smith M.D. Inc. GA 17,000 17000 10/17/2011 Theft Laptop 1/31/2012 10/17/2011
Molina Healthcare of California CA 11,081 11081 09/23/2009 -10/18/2011 Unauthorized Access/Disclosure Paper 1/31/2012 1/31/2012
Aegis Sciences Corporation TN 2,184 2184 11/22/2011 Theft Laptop, Other Portable Electronic Device 1/31/2012 11/22/2011
Smile Designs FL 1,670 1670 12/1/2011 Theft Computer, Network Server 1/31/2012 12/1/2011
Foundation Medical Partners NH 771 771 11/19/2011 - 12/01/2011 Unauthorized Access/Disclosure Paper 1/31/2012 1/31/2012
Muskogee Regional Medical Center OK 844 844 12/5/2011 Loss Other 1/31/2012 12/5/2011
Concentra Health MO 870 870 11/30/2011 Theft Laptop 1/31/2012 11/30/2011
Kansas Department on Aging KS 7,757 7757 1/11/2012 Theft Laptop 2/3/2012 1/11/2012
Delta Dental CA 11,646 11646 12/22/2011 - 12/23/2011 Unauthorized Access/Disclosure Paper 2/3/2012 2/3/2012
PBH NC 50,000 50000 11/15/2011 Unauthorized Access/Disclosure Network Server, Email 2/24/2012 11/15/2011
Olendorf Medical Services † NY 549 549 1/17/2012 Theft Laptop 2/24/2012 1/17/2012
Department of Medical Assistance Services VA ACS, Affiliated Computer Services, Inc. 1,444 1444 11/02/2011 - 11/16/2011 Unauthorized Access/Disclosure Paper 2/24/2012 2/24/2012
Flex Physical Therapy WA 3,100 3100 12/30/2011 Theft Computer 2/24/2012 12/30/2011
University of Miami FL 1,219 1219 11/24/2011 Theft Other Portable Electronic Device 2/24/2012 11/24/2011
Triumph LLC NC 2,000 2000 12/13/2011 Theft Laptop 2/24/2012 12/13/2011
Metro Community Provider Network CO 3,200 3200 12/5/2011 Hacking/IT Incident Email 3/19/2012 12/5/2011
Lakeview Medical Center WI 698 698 1/4/2012 Theft Laptop 3/19/2012 1/4/2012
Goshen Health System, Inc. IN 660 660 12/22/2011 Hacking/IT Incident Other 3/19/2012 12/22/2011
Loma Linda University Medical Center (LLUMC) CA 1,366 1366 12/19/2011 Unauthorized Access/Disclosure Paper 3/19/2012 12/19/2011
Medco Health Solutions, Inc. NJ 1,287 1287 11/30/2011 Unauthorized Access/Disclosure Paper 3/19/2012 11/30/2011
Indiana Internal Medicine Consultants IN 20,000 20000 2/11/2012 Theft Laptop 3/19/2012 2/11/2012
CardioNet, Inc PA 1,300 1300 11/10/2011 Theft Laptop 3/19/2012 11/10/2011
Georgetown University Hospital DC 1,549 1549 11/1/2011 Unauthorized Access/Disclosure Paper 3/19/2012 11/1/2011
CardioNet, Inc PA 728 728 12/29/2011 Theft Laptop 3/19/2012 12/29/2011
Applegate Valley Family Medicine OR Dr. Trandinh 2,300 2300 12/01/2011 - 12/17/2011 Theft Laptop 4/17/2012 12/01/2011 - 12/17/2011
Anchorage Community Mental Health Services Inc. AK 2,743 2743 12/20/2011 - 01/04/2012 Unauthorized Access/Disclosure Computer 4/17/2012 12/20/2011 - 01/04/2012
Alliant Health Plans, Inc. GA Catalyst Health Solutions, Inc. 632 632 1/1/2012 Unauthorized Access/Disclosure Other 4/17/2012 1/1/2012
Kern Medical Center CA 1,431 1431 2/25/2012 Theft Paper 4/17/2012 2/25/2012
Jeremaih J. Twomey, F.A.C.P., P.A. TX 2,559 2559 12/31/2011 Theft Other 4/17/2012 12/31/2011
Robley Rex VA Medical Center KY 1,182 1182 1/9/2012 Theft/Loss Paper 4/17/2012 1/9/2012
Baylor Heart and Vascular Center, LLP TX 1,972 1972 1/26/2012 Theft Other Portable Electronic Device 4/17/2012 1/26/2012
First Medical Center PR Quantum Health Consulting 7,706 7706 1/11/2012 Theft Laptop 4/17/2012 1/11/2012
Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company MA Caremark PCS Health, L.L.C. 3,482 3482 1/17/2012 Other Paper 4/17/2012 1/17/2012
William F. DeLuca Jr., M.D. NY 577 577 1/16/2012 Theft Laptop 4/17/2012 1/16/2012
Advanced Clinical Research Institute CA 875 875 1/26/2012 Theft Paper 4/17/2012 1/26/2012
St. Joseph's Medical Center CA 712 712 2/2/2012 Theft Paper 4/17/2012 2/2/2012
Georgia Health Sciences University GA 513 513 1/18/2012 Theft Laptop 4/17/2012 1/18/2012
Policlinica La Familia IPA 343 PR Quantum Health Consulting 5,994 5994 1/11/2012 Theft Laptop 5/10/2012 1/11/2012
Proveedores Aliados por tu Salud PR Quantum Health Consulting 4,645 4645 1/11/2012 Theft Laptop 5/10/2012 1/11/2012
Access Medical Group PR Quantum Health Consulting 7,606 7606 1/11/2012 Theft Laptop 5/10/2012 1/11/2012
Servicios Medicos Integrados de Fajardo PR Quantum Health Consulting 36,609 36609 1/11/2012 Theft Laptop 5/10/2012 1/11/2012
Grupo Medico- IPA 341 PR Quantum Health Consulting 7,923 7923 1/11/2012 Theft Laptop 5/10/2012 1/11/2012
Utah Department of Health UT Utah Department of Technology 780,000 780000 03/10/2012-04/02/2012 Hacking/IT Incident Network Server 5/10/2012 5/10/2012
The Neighborhood Christian Clinic AZ 9,565 9565 2/7/2012 Loss Other Portable Electronic Device 5/10/2012 2/7/2012
Seton Health Plan TX HealthLOGIX 555 555 3/9/2012 Unauthorized Access/Disclosure Paper 5/10/2012 3/9/2012
University of Arkansas for Medical Sciences AR 7121 7121 2/15/2012 Unauthorized Access/Disclosure Other 5/10/2012 2/15/2012
Desert AIDS Project CA 4,400 4400 4/12/2012 Theft Computer 5/10/2012 4/12/2012
Roy E. Gondo, M.D. WA 2,100 2100 2/21/2012 Theft Computer, Electronic Medical Record 5/10/2012 2/21/2012
Memorial Healthcare System FL 9,497 9497 08/01/2011 - 02/12/2012 Theft Other 5/10/2012 5/10/2012
DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central TX 1,000 1000 2/16/2012 Improper Disposal Paper 5/10/2012 2/16/2012
Rhinebeck Health Center/Center for Progressive Medicine NY 6,745 6745 11/15/2011-12/14/2011 Hacking/IT Incident Computer, Network Server 5/10/2012 5/10/2012
Awklein CA 2,000 2000 2/1/2011 Theft Other 6/8/2012 2/1/2011
IU Medical Group IN 1,000 1000 4/11/2012 Improper Disposal Paper 6/8/2012 4/11/2012
Rex Smith, DPM -Rex Smith Podiatry OR 20,915 20915 2/19/2012 Theft Computer 6/8/2012 2/19/2012
Emory Healthcare GA 315,000 315000 02/07/2012 - 02/20/2012 Unknown Other (Backup Disks) 6/8/2012 6/8/2012
UnitedHealth Group MN 19,100 19100 6/28/2011 Unauthorized Access/Disclosure Other 6/8/2012 6/28/2011
University of Houston for UH College of Optometry TX 7,000 7000 02/22/2012-02/23/2012 Unauthorized Access/Disclosure, Hacking/IT incident Network Server 6/8/2012 6/8/2012
South Carolina Department of Health and Human Services SC 228,435 228435 01/31/2012 - 04/02/2012 Unauthorized Access/Disclosure Email 6/8/2012 6/8/2012
IntraCare North Hospital TX 741 741 03/15/2011 - 08/18/2011 Theft Paper 6/8/2012 6/8/2012
Stephen Haggard, DPM Podiatry WA 1,597 1597 3/4/2012 Theft Network Server 6/8/2012 3/4/2012
Safe Ride Services, Inc AZ 42,000 42000 8/31/2011 -1/31/2012 Unauthorized Access/Disclosure, Hacking/IT incident Network Server 6/8/2012 6/8/2012
SHIELDS For Families CA 961 961 2/27/2012 Theft Network Server 6/8/2012 2/27/2012
Iowa Department of Human Services IA 3,000 3000 02/06/2012 - 03/14/2012 Improper Disposal Paper 6/8/2012 6/8/2012
Hogan Services Inc. Health Care Premium Plan MO 1,134 1134 3/30/2012 Unauthorized Access/Disclosure Email 6/8/2012 3/30/2012
Our Lady of the Lake Regional Medical Center LA 17,339 17339 3/16/2012 Theft, Loss Laptop 6/8/2012 3/16/2012
Ameritas Life Insurance Corp. NE 3,000 3000 3/21/2012 Theft Laptop 6/8/2012 3/21/2012
St. Mary Medical Center CA 3,900 3900 5/7/2012 Loss Other Portable Electronic Device 6/8/2012 5/7/2012
Upper Valley Medical Center OH 15,000 15000 10/01/2010-03/21/2012 Unauthorized Access/Disclosure Other 7/3/2012 7/3/2012
Luz Colon, DPM Podiatry FL 1,137 1137 3/20/2012 Theft, Loss Laptop 7/3/2012 3/20/2012
Duke University Health System NC 1,961 1961 04/21/2004-02/16/2012 Unauthorized Access/Disclosure Other 7/3/2012 7/3/2012
Independence Physical Therapy CT 925 925 8/1/2011 Theft Computer 7/3/2012 8/1/2011
Ameritas Life Insurance Corp. NE 3,000 3000 3/21/2012 Theft Laptop 7/3/2012 3/21/2012
Titus Regional Medical Center TX 500 500 3/29/2012 Theft Other 7/3/2012 3/29/2012
Lutheran Community Services Northwest WA 756 756 03/29/2012-03/30/2012 Theft Computer, Other Portable Electronic Device 7/3/2012 7/3/2012
West Dermatology CA 1,900 1900 04/21/2012 - 04/22/2012 Theft Other 7/3/2012 7/3/2012
Physician's Automated Laboratory CA 745 745 03/23/2012 - 03/26/2012 Theft Paper 7/3/2012 7/3/2012
Robert Witham, MD, FACP OR 11,136 11136 4/16/2012 Theft Computer 7/3/2012 4/16/2012
Volunteer State Health Plan, Inc. TN 1,102 1102 03/16/2012-04/20/2012 Loss Paper 7/3/2012 7/3/2012
Memorial Sloan-Kettering Cancer Center NY 568 568 08/13/2009-04/12/2012 Unauthorized Access/Disclosure Email, Other 7/3/2012 7/3/2012
Wolf & Yun KY 824 824 4/24/2012 Theft Laptop 7/26/2012 4/24/2012
Bruce G. Peller, DMD, PA NC 9,953 9953 4/22/2012 Unauthorized Access/Disclosure Computer 7/27/2012 4/22/2012
Memorial Healthcare System FL 102,153 102153 01/01/2011 - 07/05/2012 Theft Electonic Medical Record 7/27/2012 7/27/2012
Hamner Square Dental CA Patterson Dental, Inc 1,112 1112 5/12/2012 Unknown Other Portable Electronic Device 7/27/2012 5/12/2012
River Arch Dental CA Patterson Dental, Inc 2,533 2533 5/12/2012 Unknown Other Portable Electronic Device 7/27/2012 5/12/2012
Pamlico Medical Equipment LLC NC 2,917 2917 5/16/2012 Loss Other Portable Electronic Device 7/27/2012 5/16/2012
The Surgeons of Lake County, LLC † IL 7,067 7067 06/22/2012-06/25/2012 Other Network Server 7/27/2012 7/27/2012
Adult & Child Care Center IN Choices, INC 550 550 5/10/2012 Hacking/IT Incident Other 7/27/2012 5/10/2012
The University of Texas MD Anderson Cancer Center TX 29,201 29201 4/30/2012 Theft Laptop 7/27/2012 4/30/2012
Sharon L. Rogers, Ph.D., ABPP TX 585 585 6/16/2012 Theft Laptop 7/27/2012 6/16/2012
Charlie Norwood VA Medical Center GA 824 824 3/30/2012 Loss Other Portable Electronic Device 7/27/2012 3/30/2012
Gessler Clinic, P.A. FL 1,409 1409 05/03/2012-05/04/2012 Theft Paper 7/27/2012 7/27/2012
University of Kentucky HealthCare KY 4,490 4490 5/1/2012 Theft Laptop 7/27/2012 5/1/2012
Beth Israel Deaconess Medical Center MA 3,900 3900 5/22/2012 Theft Laptop 8/1/2012 5/22/2012
Oregon Health & Science University OR 702 702 7/4/2012 Theft Other 8/2/2012 7/4/2012
Stanford University Medical Center CA 2,603 2603 07/15 -07/16/12 Theft Computer 8/13/2012 8/13/2012
Upper Valley Medical Center OH Data Image, Inc 15000 15000 10/1/2010-03/21/2012 Unauthorized Access/Disclosure Other 8/13/2012 8/13/2012
The Surgeons of Lake County, LLC IL 7067 7067 6/22/2012-06/26/2012 Unauthorized Access/Disclosure Network Server 8/13/2012 8/13/2012
Kindred Healthcare Inc d/b/a Kindred Transitional Care And Rehablititation Sellersburg IN 1504 1504 06/01/2012-06/04/2012 Theft Other 8/13/2012 8/13/2012
Walgreen Co. IL 1240 1240 7/5/2012 Theft Paper 8/13/2012 7/5/2012
Northwestern Memorial Hospital IL 4211 4211 6/11/2012 Theft Laptop, Other Portable Electronic Device 8/13/2012 6/11/2012
Diversified Support Services IN Choices, Inc. 505 505 5/10/2012 Hacking/IT Incident Other 8/13/2012 5/10/2012
Midtown Mental Health Center IN CHOICES, Inc 890 890 5/10/2012 Hacking/IT Incident Other 8/13/2012 5/10/2012
NYU School of Medicine Faculty Group Practice NY 8488 8488 5/22/2012 Theft Computer 8/13/2012 5/22/2012
Jeffrey Paul Edelstein M.D. AZ 4800 4800 5/28/2012 Theft Network Server 8/13/2012 5/28/2012
Central States Southeast and Southwest Areas Health and Welfare Fund IL 754 754 7/31/2012 Unauthorized Access/Disclosure,Other Paper 8/27/2012 7/31/2012
Apria Healthcare, Inc. CA 65700 65700 6/14/2012 Theft Laptop 8/27/2012 6/14/2012
TEMPLE COMMUNITY HOSPITAL CA 603 603 7/3/2012 Theft Computer 8/27/2012 7/3/2012
Liberty Resources, Inc. PA 3183 3183 8/4/2012 Theft Laptop 8/27/2012 8/4/2012
Howard University Hospital DC 66601 66601 1/25/2012 Theft Laptop 8/27/2012 1/25/2012
The University of Texas MD Anderson Cancer Center TX 2264 2264 7/13/2012 Loss Other Portable Electronic Device 9/5/2012 7/13/2012
Tricounty Behavioral Health Clinic GA 4000 4000 8/26/2012 Theft Laptop 9/11/2012 8/26/2012
Charlote Clark-Neitzel, MD WA 942 942 7/24/2012 Theft Laptop 9/14/2012 7/24/2012
University of Miami FL 64846 64846 7/18/2012 Unauthorized Access/Disclosure, Other Paper 9/20/2012 7/18/2012
Lana Medical Care FL 500 500 8/18/2012 Theft Laptop 9/20/2012 8/18/2012
St. Therese Medical Group, Inc CA 3031 3031 7/22/2012 Theft Computer 10/1/2012 7/22/2012
Sierra Plastic Surgery NV 800 800 8/19/2011 09/20/2011 Unauthorized Access/Disclosure, Hacking/IT incident Network Server 10/1/2012 10/1/2012
Valley Plastic Surgery, P.C. VA 4873 4873 7/15/2012 Theft Other Portable Electronic Device 10/17/2012 7/15/2012
Colon & Digestive Health Specialists AR Ecco Health, LLC 5713 5713 7/16/2012 Loss Other Portable Electronic Device 10/17/2012 7/16/2012
Alexander J. Tikhtman, M.D. KY 2376 2376 8/15/2012 Loss Other Portable Electronic Device 11/6/2012 8/15/2012
Gulf Coast Health Care Services Inc FL 13000 13000 8/17/2012 Theft, UnauthorizedAccess/Disclosure, Hacking/IT Incident Network Server 11/6/2012 8/17/2012
Blount Memorial Hospital, Inc TN 27799 27799 8/25/2012 Theft Laptop 11/6/2012 8/25/2012
Women & Infants Hospital of Rhode Island RI 14004 14004 9/13/2012 Loss Other 11/9/2012 9/13/2012
Philip P Corneliuson, DDS, INC. CA 980 980 9/15/2012 Theft Desktop Computer 11/9/2012 9/15/2012
Surgical Associates of Utica, PC NY Quanterion Solutions, Inc. 1017 1017 9/18/2012 Theft Network Server 11/16/2012 9/18/2012
First Step Counseling, Inc. NJ 638 638 5/1/2011-08/05/2011 Unauthorized Access/Disclosure Paper 11/16/2012 11/16/2012
Alere Home Monitoring, Inc. CA 116506 116506 9/23/2012 Theft Laptop 11/16/2012 9/23/2012
CVS Caremark RI 955 955 8/13/2012 Theft Paper 11/16/2012 8/13/2012
Christus St. John Hospital TX 5748 5748 9/25/2012 Loss Other Portable Electronic Device 12/3/2012 9/25/2012
Brigham & Women's Hospital MA 615 615 10/16/2012 Theft Desktop Computer 12/3/2012 10/16/2012
James M. McGee, D.M.D., P.C. GA 1306 1306 09/19/2012 09/26/2012 Theft Paper 12/3/2012 09/19/2012 09/26/2012
Robbins Eye Center CT 1749 1749 10/7/2012 Theft Desktop Computer 12/3/2012 10/7/2012
Landmark Medical Center RI 683 683 10/1/2012 Theft Laptop 12/3/2012 10/1/2012
City of Covington Kentucky Fire Department KY 1548 1548 06/15/2012-10/01/2012 Theft Desktop Computer 12/18/2012 12/18/2012
Okaloosa County Public Safety FL 715 715 06/15/2012 - 10/01/2012 Theft Desktop Computer 12/18/2012 12/18/2012
Vidant Pungo Hospital NC 1100 1100 10/4/2012 Improper Disposal Paper 12/18/2012 10/4/2012
City of Gloucester, Fire Department MA 1286 1286 06/15/2012-10/01/2012 Theft Desktop Computer 12/18/2012 12/18/2012
City of El Centro Fire Department CA 1500 1500 10/1/2012 Theft, Unauthorized Access/Disclosure Desktop Computer 12/18/2012 10/1/2012
City of Overland Park Fire Department FL 911 911 06/15/2012 - 10/01/2012 Theft Desktop Computer 12/20/2012 12/20/2012
Osceola County EMS FL 949 949 06/15/2012-10/01/2012 Theft Desktop Computer 12/20/2012 12/20/2012
Coastal Behavioral Healthcare, Inc. FL 4907 4907 4/11/2011 Theft Paper 12/20/2012 4/11/2011
Sumner County Emergency Medical Services TN 774 774 06/15/2012 - 10/01/2012 Theft Desktop Computer 12/20/2012 12/20/2012
Calif. Dept. of Health Care Services (DHCS) CA 2643 2643 12/10/2012 - 12/18/2012 Unauthorized Access/Disclosure Other 1/17/2013 1/17/2013
University Of Michigan Health System MI Omnicell, Inc. 3999 3999 11/14/2012 Theft Laptop 1/17/2013 11/14/2012
Cabinet for Health & Family Services, Department of Medicaid Services KY HP Enterprise Services 1090 1090 11/15/2012 Hacking/IT Incident Laptop 1/17/2013 11/15/2012
Group Health Incorporated NY 1771 1771 11/13/2012 Unauthorized Access/Disclosure Paper 1/17/2013 11/13/2012
South Shore Medical Center MA Clearpoint Design, Inc. 4100 4100 10/18/2012 Hacking/IT Incident Network Server 1/17/2013 10/18/2012
St. Mark's Medical Center TX 2988 2988 5/21/2012 Hacking/IT Incident Desktop Computer 1/17/2013 5/21/2012
Westerville Dental Center OH 850 850 12/2/2012 Theft Laptop, Network Server 1/17/2013 12/2/2012
Harbor Medical Associates, P.C. MA Clearpoint Design, Inc 4343 4343 10/18/2012 - 11/04/2012 Hacking/IT Incident Network Server 1/17/2013 1/17/2013
OHP PHSP, Inc. NY HealthPlus, Amerigroup 28187 28187 08/31/2012 - 09/21/2012 Unauthorized Access/Disclosure Other 1/17/2013 1/17/2013
Child & Family Psychological Services, Inc. MA Clearpoint Design, Inc. 7250 7250 10/18/2012-10/29/2012 Hacking/IT Incident Network Server 1/17/2013 1/17/2013
Lee Miller Rehab Associates MD 10480 10480 1/15/2012 Theft Network Server 2/7/2013 1/15/2012
Atlanta Fire and Rescue Department GA 908 908 06/15/2012-10/01/2012 Theft Desktop Computer 2/7/2013 2/7/2013
The University of Texas MD Anderson Cancer Center TX 29021 29021 4/30/2012 Theft Laptop 2/7/2013 4/30/2012
American HomePatient Inc. TN LifeGas 1103 1103 10/11/2012 Theft Laptop 2/7/2013 10/11/2012
Riderwood Village MD 3230 3230 11/18/2012 Theft Laptop 2/8/2013 11/18/2012
County of San Bernardino Department of Behavioral Health CA 683 683 1/12/2013 Theft Paper 3/4/2013 1/12/2013
Catoctin Dental/Richard B. Love, D.D.S., P.A. MD Patterson Dental Supply/Patterson 6400 6400 1/3/2013 Hacking/IT Incident Network Server 3/4/2013 1/3/2013
Agency for Health Care Administration FL DentaQuest of Florida, Inc 1892 1892 11/01/2012 - 12/20/2012 Unauthorized Access/Disclosure Paper 3/4/2013 3/4/2013
Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl MA 716 716 12/15/2012-12/17/2012 Theft Other Portable Electronic Device 3/4/2013 3/4/2013
ABQ HealthPartners NM 778 778 12/20/2012 Theft Laptop 3/4/2013 12/20/2012
Arizona Oncology AZ 501 501 11/21/2012 Theft Laptop 3/4/2013 11/21/2012
Crescent Health Inc. - a Walgreens Company CA 109000 109000 12/28/2012 Theft Desktop Computer 3/4/2013 12/28/2012
Center for Pain Management, LLC MD 5822 5822 1/22/2013 Theft Laptop 3/4/2013 1/22/2013
Heyman HospiceCare at Floyd GA 1819 1819 1/4/2013 Theft Laptop 3/4/2013 1/4/2013
HomeCare of Mid-Missouri, Inc. MO 4027 4027 12/14/2012 Theft Laptop 3/4/2013 12/14/2012
Intervention Services, Inc. FL 1200 1200 1/19/2013 Theft Laptop 3/4/2013 1/19/2013
West Georgia Ambulance GA 500 500 12/13/2012 Loss Laptop 3/4/2013 12/13/2012
Multiple Health Plans CA Coast Healthcare Management 1368 1368 12/7/2013 Theft, Other Paper 3/4/2013 12/7/2013
HealthCare for Women, Inc. MA 8727 8727 01/18/2013-01/23/2013 Hacking/IT Incident Network Server 3/27/2013 3/27/2013
University of Connecticut Health Center CT 1382 1382 06/07/2010 - 12/07/2012 Unauthorized Access/Disclosure Network Server 3/27/2013 3/27/2013
Anthem Blue Cross Blue Shield (IN) IN Connextions c/o Anthem BCBS 528 528 11/01/2011-10/01/2012 Theft, Unauthorized, Access/Disclosure Network Server 3/27/2013 3/27/2013
Anthem Blue Cross Blue Shield (OH) IN Connextions c/o Anthem BCBS 1678 1678 11/01/2011-10/01/2012 Theft, Unauthorized, Access/Disclosure Network Server 3/27/2013 3/27/2013
Empire Blue Cross Blue Shield IN Connextions c/o Empire BCBS 2608 2608 11/01/2011-10/01/2012 Theft, Unauthorized, Access/Disclosure Network Server 3/27/2013 3/27/2013
The Brookdale University Hospital and Medical Center NY Health Plus Amerigroup 28187 28187 9/21/2012 Unauthorized Access/Disclosure Other Portable Electronic Device 3/27/2013 9/21/2012
The Brookdale University Hospital and Medical Center NY Standard Register 2261 2261 8/11/2012 Unauthorized Access/Disclosure Paper 3/27/2013 8/11/2012
United Home Care Services of Southwest Florida< LLC FL United HomeCare Services, Inc. 1318 1318 1/8/2013 Theft Laptop 3/27/2013 1/8/2013
United HomeCare Services, Inc. FL 12299 12299 1/8/2013 Theft Laptop 3/27/2013 1/8/2013
WOMENS HEALTH ENTERPRISE, INC., dba FAMILY HEALTH ENTERPRISE GA 3000 3000 1/2/2013 Theft Laptop 3/27/2013 1/2/2013
South Miami Hospital FL 834 834 6/1/2011 Unauthorized Access/Disclosure Electronic Medical Record 3/27/2013 6/1/2011
Riderwood Village MD 5270 5270 11/18/2012 Theft Laptop 3/27/2013 11/18/2012
Utah Department of Health UT Goold Health System (Goold) 6332 6332 01/10/2013-01/11/2013 Loss Other Portable Electronic Device 3/27/2013 3/27/2013
Lancaster General Medical Group PA 527 527 2/5/2013 Theft Paper 3/27/2013 2/5/2013
State of California, Dept. of Developmental Services CA North Los Angeles County, Regional Center 18162 18162 11/10/2012 Theft Laptop 3/27/2013 11/10/2012
John J. Pershing VA Medical Center MO 589 589 2/20/2013 Other Paper 4/23/2013 2/20/2013
Oregon Health & Science University OR 1076 1076 2/22/2013 Theft Laptop 4/23/2013 2/22/2013
WA Department of Social and Health Services WA Sunil Kakar, Psy.D. 629 629 2/4/2013 Theft Laptop 4/23/2013 2/4/2013
Shands Jacksonville Medical Center, Inc. FL 1,025 1025 05/02/2012-06/22/2012 Theft, unauthorized access/ disclosure Electronic Medical Record 4/23/2013 4/23/2013
University of Florida FL 14519 14519 03/01/2009- 10/25/2012 Theft, unauthorized access/ disclosure Desktop Computer, Electronic Medical Record 4/23/2013 4/23/2013
Hospice and Palliative Care Center of Alamance Caswell NC 5371 5371 2/24/2013 Theft, Unauthorized Access/ Disclosure Laptop, Paper 4/23/2013 2/24/2013
Texas Health Care, P.L.L.C. TX 554 554 3/10/2013 Theft Paper 4/23/2013 3/10/2013
Texas Tech Unversity Health Sciences Center TX 697 697 2/18/2013 Unauthorized Access/Disclosure Paper 4/23/2013 2/18/2013
Oregon Health & Science University OR 1114 1114 2/22/2013 Theft Laptop 4/23/2013 2/22/2013
Lake Granbury Medicl Ceter TX 502 502 2/13/2012 Theft Paper 4/23/2013 2/13/2012
Carpenters Health & Welfare Trust Fund for California CA QuickRunner, Inc. (dba,RoadRunner Mailing Services 2400 2400 03/11/2013-03/12/2013 Unauthorized Access/Disclosure Paper 4/23/2013 4/23/2013
Mount Sinai Medical Center FL 628 628 10/1/2012- 02/18/2013 Theft Desktop Computer, Paper 4/23/2013 4/23/2013
University of Mississippi Medical Center MS 10,000 10000 11/01/2012-01/19/2013 Loss Laptop 4/23/2013 4/23/2013
Thomas L. Davis, Jr. DDS OR 3269 3269 2/12/2013 Theft Desktop Computer, Electronic Medical Record 4/23/2013 2/12/2013
Mid America Health, Inc IN PrevMED 1444 1444 4/6/2012 Theft Laptop 4/23/2013 4/6/2012
GLENS FALLS HOSPITAL NY PORTAL HEALTHCARE SOLUTIONS LLC 2360 2360 11/02/2012 - 03/14/2013 Unauthorized Access/Disclosure, Hacking/IT incident Network Server 4/23/2013 4/23/2013
Hope Hospice TX 818 818 12/27/2012 - 02/22/2013 Other E-mail 5/17/2013 5/17/2013
IHC Health Services, Inc. dba Intermountain Life Flight UT 857 857 10/12/2009 Unauthorized Access/Disclosure Other 5/17/2013 10/12/2009
Seattle - King County Department of Public Health WA 750 750 3/7/2013 Improper Disposal Paper 5/17/2013 3/7/2013
El Centro Regional Medical Center CA Digital Archive Management 189489 189489 11/7/2012 Improper Disposal Paper 5/17/2013 11/7/2012
Orthopedics & Adult Reconstructive Surgery TX AssuranceMD f/k/a Harbor Group 22000 22000 03/01/2013 - 03/13/2013 Loss Other Portable Electronic Device 5/17/2013 5/17/2013
Delta Dental of Pennsylvania PA ZDI 14829 14829 3/20/2013 Loss Paper 5/17/2013 3/20/2013
Lutheran Social Services of South Central PA PA 7325 7325 06/01/2012 - 03/07/2013 Hacking/IT Incident Network Server 5/17/2013 5/17/2013
Valley Mental Health UT 700 700 2/27/2013 Theft Desktop Computer 5/17/2013 2/27/2013
Wood County Hospital OH 2500 2500 3/19/2013 Theft Other 5/17/2013 3/19/2013
The Guidance Center of Westchester NY 1416 1416 2/21/2013 Theft Desktop Computer 5/17/2013 2/21/2013
Stronghold Counseling Services Inc SD 8500 8500 12/24/2012 Theft Desktop Computer 5/17/2013 12/24/2012
Arizona Counseling & Treatment Services, LLC AZ 3800 3800 03/18/2013-03/25/2013 Theft Other Portable Electronic Device 5/17/2013 5/17/2013
Indiana University Health Arnett IN 10350 10350 4/9/2013 Theft Laptop 5/17/2013 4/9/2013
Sovereign Medical Group, LLC NJ 27,800 27800 10/10/2012 Theft, Hacking/IT Incident Network Server 5/20/2013 10/10/2012
South Jersey Hospital Inc. NJ Omnicell Inc. 8555 8555 11/14/2012 Theft Laptop 5/20/2013 11/14/2012
Hawaii State Department of Health, Adult Mental Health Division HI 674 674 9/25/2012 Hacking/IT Incident Desktop Computer 5/20/2013 9/25/2012
L.A. Care Health Plan CA 18000 18000 09/17/2012-09/20/2012 Other Other 5/21/2013 5/21/2013
Calvin Schuster,MD CA 532 532 11/4/2012 Theft Desktop Computer 5/21/2013 11/4/2012
SilverScript Insurance Company AZ 0 10/31/2012 Unauthorized Access/Disclosure Paper 5/21/2013 10/31/2012 Individuals affected 852
Raleigh Orthopaedic Clinic NC 17300 17300 1/15/2013 Theft, Improper Disposal, Unauthorized Access/Disclosure Paper 5/21/2013 1/15/2013
Independence Care System NY 2434 2434 5/7/2013 Theft Laptop 6/5/2013 5/7/2013
Health Resources of Arkansas AR 1900 1900 4/14/2013 Theft, Unauthorized Access/Disclosure Other 6/5/2013 4/14/2013
University of Florida FL 5875 5875 02/01/2012- 04/11/2013 Theft, UnauthorizedAccess/Disclosure Electronic Medical Record 6/5/2013 6/5/2013
University of Rochester Medical Center & Affiliates NY 537 537 2/15/2013 Loss Other Portable Electronic Device 6/5/2013 2/15/2013
Presbyterian Anesthesia Associates PA NC E-dreamz, Inc. 9988 9988 4/1/2013 Hacking/IT Incident Network Server 6/5/2013 4/1/2013
Comfort Dental Marion and Kokomo IN Just the Connection Inc 5388 5388 03/14/2013-03/18/2013 Improper Disposal Other 6/5/2013 6/5/2013
Regional Medical Center TN 1180 1180 2/4/2013 Unauthorized Access/Disclosure E-mail 6/7/2013 2/4/2013
Piedmont HealthCare, P.A. NC E-dreamz, Inc. 1924 1924 3/28/2013 Hacking/IT Incident Network Server 6/7/2013 3/28/2013
Integrity Oncology, an office of Baptist Medical Group TN North Atlantic Telecom, Inc. 539 539 3/5/2013 Other Desktop Computer 6/7/2013 3/5/2013
City of Norwood OH 500 500 04/14/2013 - 04/19/2013 Loss Laptop 6/7/2013 6/7/2013
Sonoma Valley Hospital CA 1386 1386 2/14/2013 Other Other 6/7/2013 2/14/2013
Dent Neurologic Group, LLP NY 10202 10202 5/13/2013 Other E-mail 6/7/2013 5/13/2013
Fayetteville VAMC NC 1093 1093 4/17/2013 Improper Disposal Paper 7/1/2013 4/17/2013
UMASSAmherst MA 1670 1670 10/22/2012 Hacking/IT Incident Desktop Computer 6/21/2013 10/22/2012
Various Health Plans AL SynerMed / Inland Valleys IPA 3164 3164 04/14/2013-04/15/2013 Theft Laptop 7/1/2013 7/1/2013
Lincoln County Health and Human Services/Lincoln Community Health Center OR 959 959 4/17/2013 Unauthorized Access/Disclosure Paper 7/1/2013 4/17/2013
Lucile Packard Children's Hospital CA 12900 12900 5/8/2013 Theft Laptop 7/1/2013 5/8/2013
Union Security Insurance Company MO 1127 1127 5/17/2013 Improper Disposal E-mail 7/1/2013 5/17/2013
Palm Beach County Health Department FL 877 877 1/7/2013 Unauthorized Access/Disclosure Desktop Computer 7/1/2013 1/7/2013
Gulf Breeze Family Eyecare, Inc. FL 9,626 9626 03/08/2013-05/09/2013 Theft, Unauthorized Access/Disclosure Electronic Medical Record,Network Server, E-mail, Electronic Medical Record, Paper 7/1/2013 7/1/2013
Texas Health Harris Methodist Hospital Fort Worth TX Shred-it International Inc. 277014 277014 5/11/2013 Improper Disposal Other 7/26/2013 5/11/2013
Sheet Metal Local 36 Welfare Fund MO People Resource Corporation 4560 4560 08/01/2012-07/08/2013 Unauthorized Access/Disclosure Other 7/26/2013 7/26/2013
San Jose Medical Supply Co., Inc. CA Jesle Kuizon 800 800 10/01/2011-11/31/2011 Theft, Unauthorized Access/Disclosure, Hacking/IT Incident Desktop Computer, network server 7/26/2013 7/26/2013
Harris County TX 21000 21000 08/15/2005 - 06/14/2007 Unauthorized Access/Disclosure Desktop Computer 7/26/2013 7/26/2013
South Florida Neurology Associates, P.A. FL 900 900 05/25/2013-05/30/2013 Theft Laptop 7/26/2013 7/26/2013
MED-EL Coproration NC 609 609 6/25/2013 Other E-mail 7/26/2013 6/25/2013
Sutter Health East Bay Region, Alta Bates Summit Medical ctr,Sutter Delta Medical Center;Eden Medical Center CA Nelson Family of Companies 4479 4479 3/1/2011 Unauthorized Access/Disclosure E-mail 7/26/2013 3/1/2011
Illinois Department of Healthcare and Familiy Services IL Family Health Network 3133 3133 5/8/2013 Other Paper 7/26/2013 5/8/2013
Medtronic, Inc MN 2764 2764 03/28/2013-03/29/2013 Loss Paper 7/26/2013 7/26/2013
Long Beach Memorial Medical Center CA 2864 2864 09/01/2012-07/01/2013 Unauthorized Access/Disclosure Electronic Medical Record 7/26/2013 7/26/2013
Delta Dental of Pennsylvania PA ZDI 4718 4718 5/13/2013 Loss Paper 7/26/2013 5/13/2013
Northrop Grumman Retiree Health Plan VA CVS Caremark 4305 4305 5/20/2013 Other Paper 7/26/2013 5/20/2013
Health Net, Inc. CA 8331 8331 04/01/2013 - 05/31/2013 Other Paper 7/26/2013 7/26/2013
Aflac GA Alberto Gerardo Vazquez Rivera 679 679 5/9/2013 Theft Laptop 7/26/2013 5/9/2013
James A. Fosnaugh NE 2125 2125 05/01/2013 - 05/03/2013 Loss Other Portable Electronic Device 7/26/2013 7/26/2013
Lone Star Circle of Care TX 1955 1955 05/01/2013-05/02/2013 Theft Laptop 7/26/2013 7/26/2013
Jacksonville Spine Center FL 5200 5200 4/25/2013 Unauthorized Access/Disclosure Paper 7/26/2013 4/25/2013
Samaritan Regional Health System OH 2203 2203 5/29/2013 Other Paper 7/26/2013 5/29/2013
Iowa Department of Human Services IA 7335 7335 4/30/2013 Loss, Unknown Other 7/26/2013 4/30/2013
Louisiana State University Health Care Services Division LA 6994 6994 12/1/2011 Unauthorized Access/Disclosure Desktop Computer 8/9/2013 12/1/2011
Vitreo-Retinal Medical Group, Inc CA 1837 1837 6/5/2013 Theft Laptop 8/9/2013 6/5/2013
GEO Care, LLC FL 710 710 4/16/2013 Unauthorized Access/Disclosure Desktop Computer 8/9/2013 4/16/2013
The Brookdale Hospital and Medical Center NY 2700 2700 5/24/2013 Loss Other Portable Electronic Device 8/9/2013 5/24/2013
California Correctional Health Care Services CA 1001 1001 6/19/2013 Unknown Other 8/9/2013 6/19/2013
Indiana Family & Social Services Administration IN 187533 187533 04/06/2013-05/21/2013 Other Paper 8/26/2013 8/26/2013
Missouri Department of Social Services MO InfoCrossing, Inc. 1357 1357 10/16/2011 - 06/07/2013 Unauthorized Access/Disclosure Paper 8/26/2013 8/26/2013
Rocky Mountain Spine Clinic, P.C. CO 532 532 6/11/2013 Theft, Unauthorized Access/Disclosure Network Server 8/26/2013 6/11/2013
Cogent Healthcare, Inc. TN M2ComSys Inc. 32151 32151 05/05/2013-06/24/2013 Unauthorized Access/Disclosure Network Server 8/26/2013 8/26/2013
Foundations Recovery Network TN 5690 5690 6/15/2013 Theft Laptop 8/26/2013 6/15/2013
Janna Benkelman LPC LLC CO 1500 1500 8/1/2013 Theft Laptop 8/26/2013 8/1/2013
Young Family Medicine Inc. OH 2045 2045 6/12/2013 Theft Laptop 8/26/2013 6/12/2013
Hancock OB/GYN IN 1396 1396 11/09/2011 - 06/17/2013 Unauthorized Access/Disclosure Electronic Medical Record 8/26/2013 8/26/2013
The Brookdale Hospital and Medical Center NY 2700 2700 5/24/2013 Loss Other Portable Electronic Device 8/27/2013 5/24/2013
Kaiser Foundation Health Plan of the Northwest OR 647 647 3/15/2013 Unauthorized Access/Disclosure Electronic Medical Record 9/11/2013 3/15/2013
UT Physicians TX 596 596 07/22/2013-08/02/2013 Theft, Loss Laptop 9/11/2013 9/11/2013
Olson & White Orthodontics MO 10000 10000 7/22/2013 Theft Desktop Computer,Network Server 9/11/2013 7/22/2013
Summit Community Care Clinic CO 921 921 7/22/2013 Hacking/IT Incident Desktop Computer 9/11/2013 7/22/2013
Parkview Community Hospital Medical Center CA Cogent Healthcare, Inc. 32000 32000 05/05/2013 - 06/24/2013 Other Network Server 9/11/2013 9/11/2013
Jackson Health System FL 1471 1471 01/08/2013 - 01/10/2013 Other Paper 9/11/2013 9/11/2013
St. Anthony's Physician Organization MO 2600 2600 7/29/2013 Theft Laptop, Other Portable Electronic Device 9/11/2013 7/29/2013
Minne-Tohe Health Center/Elbowoods Memorial Health Center ND 10000 10000 10/1/2011 Improper Disposal, Unauthorized, Access/Disclosure Desktop Computer, Other 9/11/2013 10/1/2011
Logan Community Resources, Incorporated (Logan) IN 2900 2900 8/24/2012 Hacking/IT Incident Network Server 9/11/2013 8/24/2012
St. Francis Health Network, aka Franciscan Alliance ACO IN Advantage Health Solutions, Inc. 2575 2575 10/19/2012 Other Other 9/11/2013 10/19/2012
Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group IL 4029530 4029530 7/15/2013 Theft Desktop Computer 9/11/2013 7/15/2013
Wm. Jennings Bryan Dorn VAMC SC 7405 7405 2/11/2013 Loss Laptop 9/26/2013 2/11/2013
Dermatology Associates of Tallahassee FL 915 915 00/00/0000 Unknown Other 9/26/2013 00/00/0000
Boy Scouts of America Employee Benefit Plan TX RR Donnelley (a sub-BA for UnitedHealth Group) 8911 8911 09/15/2012-11/30/2012 Theft Desktop Computer 9/26/2013 9/26/2013
CCS Medical, Inc. TX 6601 6601 05/01/2012 - 09/21/2012 Unauthorized Access/Disclosure Network Server, Other 9/26/2013 9/26/2013
Atlanta Center for Reproductive Medicine GA 654 654 7/12/2013 Other E-mail 9/26/2013 7/12/2013
ACO of Puerto Rico PR PHMHS 5000 5000 03/05/2013 - 07/16/2013 Unauthorized Access/Disclosure Network Server 9/26/2013 9/26/2013
Dreyer Medical Clinic IL Blackhawk Consulting Group 998 998 06/30/2013 - 08/15/2013 Hacking/IT Incident Network Server 9/26/2013 9/26/2013 0
South Shore Physicians, PC NY 8000 8000 01/01/2006 - 01/12/2012 Theft Network Server 9/26/2013 9/26/2013
Good Samaritan Hospital CA 3833 3833 7/8/2013 Theft Laptop 10/29/2013 7/8/2013
Saint Louis University MO 3100 3100 7/25/2013 Unauthorized Access/Disclosure E-mail 10/29/2013 7/25/2013
AHMC Healthcare Inc. and affiliated Hospitals CA 729000 729000 10/12/2013 Theft Theft 10/29/2013 10/12/2013
Texas Health Presbyterian Dallas Hospital TX 949 949 8/22/2013 Theft Desktop Computer 10/29/2013 8/22/2013
ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group IL 1290 1290 7/9/2013 Hacking/IT Incident Other 10/29/2013 7/9/2013
Ferris State University - MI College of Optometry MI 3947 3947 12/1/2011 Hacking/IT Incident Network Server 10/29/2013 12/1/2011
Comprehensive Podiatry LLC OH 1360 1360 8/3/2013 Theft Laptop 10/29/2013 8/3/2013
Access Counseling, LLC IN 566 566 8/23/2013 Theft Laptop 10/29/2013 8/23/2013
Memorial Hospital of Lafayette County WI Healthcare Management System 4330 4330 8/3/2013 Unauthorized Access/Disclosure Paper 10/29/2013 8/3/2013
BriovaRx IL 1067 1067 07/03/2013 - 07/11/2013 Unauthorized Access/Disclosure E-mail 10/29/2013 10/29/2013
SSM Health Care of Wisconsin DBA: St. Maryís Janesville Hospital WI 631 631 8/27/2013 Theft Laptop 10/29/2013 8/27/2013
Carol L. Patrick, Ph.D. OH 517 517 08/08/2013-08/09/2013 Theft Network Server 10/29/2013 10/29/2013
Seton Healthcare Family TX 5500 5500 10/4/2013 Theft Laptop 10/31/2013 10/4/2013
Sentara Healthcare VA 3645 3645 10/01/2012 - 07/11/2013 Theft Electronic Medical Record,Paper 10/31/2013 10/31/2013
Region Ten Community Services Board VA 10228 10228 7/29/2013 Hacking/IT Incident E-mail 10/31/2013 7/29/2013
Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute PA 2350 2350 03/18/2013-05/13/2013 Theft, Unauthorized, Access/Disclosure Paper 10/31/2013 10/31/2013
Hospice of the Chesapeake MD 7606 7606 8/9/2013 Unauthorized Access/Disclosure E-mail 10/31/2013 8/9/2013
Schuylkill Health System PA 2810 2810 8/7/2013 Theft Laptop 10/31/2013 8/7/2013
TSYS Employee Health Plan GA 5232 5232 9/5/2013 Theft E-mail 10/31/2013 9/5/2013
CaroMont Medical Group NC 1310 1310 8/5/2013 Other E-mail 10/31/2013 8/5/2013
Broward Health Medical Center FL 960 960 10/01/2012 - 12/31/2012 Unauthorized Access/Disclosure Desktop Computer 10/31/2013 10/31/2013
HOPE Family Health TN 6932 6932 8/4/2013 Theft Laptop 10/31/2013 8/4/2013
University of California, San Francisco CA 3553 3553 9/9/2013 Theft Laptop, Paper 10/31/2013 9/9/2013
Santa Clara Valley Medical Center CA 579 579 09/14/2913 - 09/15/2013 Theft Laptop 10/31/2013 10/31/2013
Sarah Benjamin, DPM - Littleton Podiatry CO 3512 3512 8/27/2013 Theft Laptop 10/31/2013 8/27/2013
Holy Cross Hospital, Inc. FL 9900 9900 8/14/2013 Theft, Unauthorized, Access/Disclosure Desktop Computer, network server 10/31/2013 8/14/2013
North Country Hospital and Health Center, Inc VT 550 550 9/18/2013 Theft Laptop 10/31/2013 9/18/2013
Sierra View District Hospital CA 1009 1009 07/01/2013 - 08/02/2013 Unauthorized Access/Disclosure Electronic Medical Record 10/31/2013 10/31/2013
Hankyu Chung, M.D. CA 2182 2182 6/17/2013 Theft Laptop 10/31/2013 6/17/2013
Paul G. Klein, DPM NJ 2500 2500 10/1/2013 Theft Laptop 11/13/2013 10/1/2013
Hospital for Special Surgery NY 537 537 3/19/2013 Theft Desktop Computer, Paper 11/13/2013 3/19/2013
Superior HealthPlan, Inc. TX 6284 6284 10/4/2013 Other Paper 11/13/2013 10/4/2013
Mount SInai Medical Center NY 1586 1586 8/6/2013 Improper Disposal Paper 11/13/2013 8/6/2013
Mount Sinai Medical Center NY 610 610 8/1/2013 Loss Other Portable Electronic Device 11/13/2013 8/1/2013
UnityPoint Health Affiliated Covered Entity ("UnityPoint") IA 1825 1825 02/01/2013-08/27/2013 Unauthorized Access/Disclosure Electronic Medical Record 11/13/2013 11/13/2013
Group Health Cooperative WA 1015 1015 9/16/2013 Other Paper 11/13/2013 9/16/2013
Hope Community Resources, Inc. AK 1556 1556 8/19/2013 Unauthorized Access/Disclosure E-mail 11/13/2013 8/19/2013
Rose Medical Center CO 606 606 06/28/2013 - 07/16/2013 Improper Disposal Paper 11/13/2013 11/13/2013
Rotech Healthcare Inc. FL 10680 10680 11/26/2010 - 10/01/2013 Unauthorized Access/Disclosure Laptop 12/16/2013 12/16/2013
Comprehensive Psychological Services LLC SC 3500 3500 10/28/2013 Theft Laptop 12/16/2013 10/28/2013
Spirit Home Health Care, Corp FL 603 603 9/19/2013 Improper Disposal Paper 12/16/2013 9/19/2013
Greater Dallas Orthopaedics, PLLC TX 5840 5840 8/30/2013 Theft Desktop Computer 12/16/2013 8/30/2013
Martin Luther King Jr. Health Center, Inc. NY 37000 37000 9/23/2009 Unauthorized Access/Disclosure Network Server 12/16/2013 9/23/2009
Reimbursement Technologies, Inc. PA 2300 2300 05/01/2013 - 07/26/2013 Unauthorized Access/Disclosure Network Server 12/16/2013 12/16/2013
Genesis Rehabilitation Services PA 1167 1167 8/30/2013 Loss Other Portable Electronic Device 12/16/2013 8/30/2013
Barnabas Health Medical Group NJ 1100 1100 9/24/2013 Theft Laptop 12/16/2013 9/24/2013
Blue Cross and Blue Shield of North Carolina NC 687 687 10/14/2013 Unauthorized Access/Disclosure Paper 12/16/2013 10/14/2013
UHS-Pruitt Corporation GA 1300 1300 9/26/2013 Theft Laptop 12/16/2013 9/26/2013
United Dynacare, LLC dba Dynacare Laboratories WI 9328 9328 10/22/2013 Theft Other Portable Electronic Device 12/16/2013 10/22/2013
Scottsdale Dermatology, LTD AZ All Source Medical Management 1456 1456 01/01/2013 -10/04/2013 Theft Other 12/16/2013 12/16/2013
Redwood Memorial Hospital CA 1039 1039 11/6/2013 Loss Other Portable Electronic Device 12/16/2013 11/6/2013
DaVita, a division of DaVita HealthCare Partners Inc CO 11500 11500 9/6/2013 Theft, Other Laptop 12/16/2013 9/6/2013
Colorado Health & Wellness, Inc CO 651 651 9/4/2013 Theft, Unauthorized Access/Disclosure Electronic Medical Record 12/16/2013 9/4/2013
David DiGiallorenzo, D.M.D. PA 2600 2600 9/17/2012 Unauthorized Access/Disclosure,Hacking Incident Network Server, Electronic Medical Record 12/16/2013 9/17/2012
Lee D. Pollan, DMD, PC NEW YORK 19178 19178 11/06/2012-11/15/2012 Theft Laptop 11/06/2012
The Feinstein Institute for Medical Research NEW YORK 13000 13000 09/02/2012 Theft Laptop 09/02/2012
Servicios Medicos Integrados de Fajardo PUERTO RICO T & P Consulting, Inc. d/b/a Quantum Health Consulting 10000 10000 01/11/2012 Loss Laptop, Other Portable Electronic Device 01/11/2012
Columbia University Medical Center and NewYork-Presbyterian Hospital NEW YORK 4929 4929 10/12/2012-10/15/2012 Theft Desktop Computer 10/12/2012
CenterLight Healthcare NEW YORK 642 642 01/27/2012 Unauthorized Access/Disclosure E-mail 01/27/2012
WYATT DENTAL GROUP, LLC LOUISIANA 10271 10271 11/04/2011 -04/15/2012 Theft, Unauthorized Access/Disclosure Electronic Medical Record 11/04/2011
DFA, Employee Benefits Division ARKANSAS Health Advantage 7039 7039 10/13/2012 - 10/27/2012 Other Paper 10/13/2012
Titus Regional Medical Center TEXAS 5700 5700 03/27/2012 Loss, Unknown Laptop 03/27/2012
Health Advantage ARKANSAS 2863 2863 10/13/2012 - 10/27/2012 Other Paper 10/13/2012
University of New Mexico Health Sciences Center NEW MEXICO 2365 2365 05/21/2012 Hacking/IT Incident Network Server 05/21/2012
Pousson Family Dentistry LOUISIANA 1400 1400 12/03/2012 Theft Laptop 12/03/2012
Baptist Health System ARKANSAS Health Advantage 811 811 10/13/2012-10/27/2012 Other Paper 10/13/2012
Original Medicine Acupuncture & Wellness, LLC NEW MEXICO 540 540 09/07/2012 - 09/09/2012 Theft Laptop 9/7/2012
Litton & Giddings Radiological Associates, P.C. MISSOURI PST Services, Inc 13074 13074 07/31/2012 - 08/02/2012 Improper Disposal Paper 7/31/2012
Visiting Nurse Services of Iowa IOWA 1298 1298 05/27/2012 Theft Paper 5/27/2012
Washington University School of Medicine MISSOURI 1105 1105 11/28/2012 Theft Laptop 11/28/2012
University of Nevada School of Medicine NEVADA 1483 1483 10/11/2012 Improper Disposal Paper 10/11/2012
County of San Bernardino Department of Public Heatlh CALIFORNIA 1370 1370 09/28/2012 - 09/30/2012 Unauthorized Access/Disclosure Paper 9/28/2012
AccentCare Home Health of California, Inc. CALIFORNIA 1000 1000 04/20/2012 - 04/21/2012 Unauthorized Access/Disclosure E-mail 4/20/2012
El Centro Regional Medical Center CALIFORNIA Digital Archive Management 501 501 11/07/2012 Theft, Improper Disposal Network Server, Paper 11/07/2012
Molalla Family Dental OREGON 4354 4354 05/17/2012 Unauthorized Access/Disclosure, Hacking/IT Incident, Other Network Server 05/17/2012
St. Elizabeth's Medical Center MASSACHUSETTS 6831 6831 02/01/2012 Loss Paper 02/01/2012
Children's Hospital Boston MASSACHUSETTS 2159 2159 03/25/2012 Theft Laptop 03/25/2012
New Mexico Oncology Hematology Consultants, Ltd NM 12354 12354 11/13/2013 Theft Laptop 11/13/2013
South Carolina Health Insurance Pool SC De Loach & Williamson 3432 3432 10/16/2013 Theft Laptop 10/16/2013
L.A. Gay & Lesbian Center CA 59000 59000 09/17/2013 - 11/08/2013 Hacking/IT Incident Network Server 9/17/2013
Rob Meaglia, Dds CA 1400 1400 12/16/2013 Theft Desktop Computer 12/16/2013
Wyoming Department Of Health WY 11935 11935 10/16/2013 Unauthorized Access/Disclosure Network Server 10/16/2013
Terrell County Health Department GEORGIA 18000 18000 01/09/2012 - 04/17/2012 Unauthorized Access/Disclosure Network Server 1/9/2012
Carolinas Medical Center - Randolph NORTH CAROLINA 5600 5600 03/11/2012 - 10/08/2012 Hacking/IT Incident E-mail 3/11/2012
Florida Healthy Kids Corporation FLORIDA DentaQuest of Florida, LLC 3667 3667 11/01/2012-12/20/2012 Unauthorized Access/Disclosure Paper 11/1/2012
Coastal home Respiratory, LLP GEORGIA 3440 3440 10/04/2012 Theft Other 10/04/2012
Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center FLORIDA 2560 2560 01/01/2012 - 09/12/2012 Theft Electronic Medical Record 1/1/2012
Baptist Health System ALABAMA 1655 1655 03/08/2012 Improper Disposal Paper 03/08/2012
Volunteer State Health Plan, Inc. TENNESSEE 1102 1102 03/16/2012-04/20/2012 Loss Paper 3/16/2012
Vidant Pungo Hospital NORTH CAROLINA 1100 1100 10/04/2012 Improper Disposal Paper 10/04/2012
Jackson Health System FLORIDA 566 566 05/26/2011 - 02/18/2012 Other Paper 5/26/2011
St. Joseph Health System CALIFORNIA 31,798 31798 02/01/2011-02/13/2012 Unauthorized Access/Disclosure Network Server 2/1/2011
Advanced Data Processing, Inc. FLORIDA Advanced Data Processing, Inc. 32000 32000 06/15/2012 -10/01/2012 Theft Desktop Computer 6/15/2012 Incident involved PHI from: 1st response Medical Transpot Corp.; City of North College Hill; Okaloosa County Public Safety; Sumner County Emergency Medical Services; City of Seguin - Fire/EMS Department; City of Overland Park Fire Department; Osceola County EMS; City of Gloucester, Fire Department; Washington County EMS; City of Covington Kentucky Fire Department; Sandoval County Fire Department; Frederick County Division of Fire Rescue; Village of North Palm Beach Fire Rescue; Bonham Fire Department; North Lake Tahoe Fire Protection District; Tahoe Douglas Fire Protection District; McAlester Fire/EMS; City of Blue Springs EMS; City of Azle Fire Department; City of Casselberry; Harris County Emergency Corps; Valparaiso Fire Department; City of Victoria Fire Department; City of Yuma; City of Atlanta/ Atlanta Fire Rescue Department; Omaha Fire & Rescue; City of Omaha; City of Berkeley; Cumberland County Hospital System, Inc.; Grady Health System; City of Los Angeles/Los Angeles Fire Dept.; City of Corona; City of Yuma; and City of Omaha
Memorial Health System COLORADO 6262 6262 05/01/2012 Loss Paper 05/01/2012
Metcare of Florida, Inc. FLORIDA 2557 2557 05/01/2012 - 05/02/2012 Theft Other Portable Electronic Device 5/1/2012
Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency) KENTUCKY 2500 2500 07/20/2012 Unauthorized Access/Disclosure E-mail 07/20/2012
Health Texas Provider Network - Cardiovascular Consultants of North Texas TEXAS 2462 2462 03/16/2012 - 05/11/2012 Unauthorized Access/Disclosure Electronic Medical Record 3/16/2012
Ochsner Health System LOUISIANA 2088 2088 01/19/2012 Loss Other Portable Electronic Device 01/19/2012
CIty of Joliet ILLINOIS Quality Health Claims Consultants, LLC 1573 1573 10/08/2013 Unauthorized Access/Disclosure E-mail 10/08/2013
City of Chicago ILLINOIS 2080 2080 06/18/2013 - 10/07/2013 Unauthorized Access/Disclosure Network Server 6/18/2013
Medical Mutual of Ohio OHIO 643 643 10/16/2013 - 10/17/2013 Unauthorized Access/Disclosure Paper 10/16/2013
Kaiser Foundation Hospital- Orange County CALIFORNIA 49000 49000 09/25/2013 Loss Other Portable Electronic Device 09/25/2013
Molina Healthcare of Texas, Inc. TEXAS 2826 2826 10/01/2013 Other Paper 10/01/2013
Jones Chiropractic and Maximum Health INDIANA 1500 1500 10/13/2013 Theft Desktop Computer 10/13/2013
Ronald Schubert MD PLLC WASHINGTON 950 950 11/22/2013 Theft Laptop 11/22/2013
North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities NORTH CAROLINA 1315 1315 08/13/2013 Unauthorized Access/Disclosure Other 08/13/2013
Puerto Rico Health Insurance Administration (PRHIA) PUERTO RICO Triple S Salud Inc. 13336 13336 09/20/2013 Unauthorized Access/Disclosure Paper 09/20/2013
Triple-S Salud PUERTO RICO 70189 70189 09/20/2013 Unauthorized Access/Disclosure Paper 09/20/2013
Associated Urologists of North Carolina NORTH CAROLINA 7300 7300 09/17/2012 - 09/17/2013 Other Other 9/17/2012
Kemmet Dental Design NORTH DAKOTA 2000 2000 11/10/2013 Theft, Other Paper 11/10/2013
SSM St. Maryís Health Center MISSOURI Saint Louis University 1300 1300 07/25/2013 Unauthorized Access/Disclosure E-mail 07/25/2013
Good Samaritan Hospital CALIFORNIA 3833 3833 07/08/2013 Theft Laptop 07/08/2013
BRONX-LEBANON HOSPITAL CENTER NEW YORK PROFESSIONAL TRANSCRIPTION SERVICES 10930 10930 09/23/2009 Unauthorized Access/Disclosure Network Server 09/23/2009
SIU HealthCare ILLINOIS 1891 1891 09/13/2013 - 10/15/2013 Theft, Loss Laptop 9/13/2013
The Good Samaritan Health Center GEORGIA 5000 5000 11/06/2013 Other Desktop Computer 11/06/2013
UniHealth Source GEORGIA 4500 4500 10/08/2013 Theft Laptop 10/08/2013
Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates NEW JERSEY 839711 839711 11/01/2013 Theft Laptop 11/01/2013
Walgreen Co. ILLINOIS 17350 17350 09/18/2013 - 10/04/2013 Other Paper 9/18/2013
Methodist Dallas Medical Center TEXAS 44000 44000 09/01/2005 - 08/01/2013 Unauthorized Access/Disclosure Other 8/1/2013
Florida Digestive Health Specialists FLORIDA 4400 4400 03/06/2013 -09/09/2013 Unauthorized Access/Disclosure Desktop Computer 3/6/2013
Northside Hospital, Inc. GEORGIA 4879 4879 10/10/2013 Loss Laptop 10/10/2013
Health Help, Inc. KENTUCKY 535 535 10/15/2013 Theft Other Portable Electronic Device 10/15/2013
Mosaic NEBRASKA 3857 3857 10/11/2013 Other E-mail 10/11/2013
New Jersey Department of Human Services NEW JERSEY Island Peer Review Organization 9642 9642 10/18/2013 Loss Other Portable Electronic Device 10/18/2013
Fairfax County, Virginia VIRGINIA Molina Healthcare In 1499 1499 09/09/2013 - 10/03/2013 Unauthorized Access/Disclosure Network Server 9/9/2013
Shiloh Medical Clinic MONTANA 1900 1900 11/08/2013 Unauthorized Access/Disclosure Desktop Computer, E-mail 11/08/2013
Tennova Cardiology TENNESSEE Colby DeHart 2777 2777 10/21/2013 Theft Laptop 10/21/2013
Tranquility Counseling Services NORTH CAROLINA 1683 1683 11/01/2013 Other Paper 11/01/2013
Raw
index.html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/html">
<meta charset="utf-8">
<style>
body {
height: 500px;
width: 960px;
}
svg {
font: 14px "Gill Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
.axis path, .axis line{
fill:none;
stroke:black;
stroke-width:1px;
}
.dot {
fill:steelblue;
stroke:none;
}
.line {
fill: none;
stroke: steelblue;
stroke-width: 1.5px;
}
</style>
<script src="//d3js.org/d3.v3.min.js"></script>
<body>
<script>
var margin = {top: 20, right: 5, bottom: 40, left: 70},
width = 960 - margin.left - margin.right,
height = 500 - margin.top - margin.bottom;
var svg = d3.select("body").append("svg")
.attr("width", width + margin.left + margin.right)
.attr("height", height + margin.top + margin.bottom)
.append("g")
.attr("transform", "translate(" + margin.left + "," + margin.top + ")");
function parseDate(datetext) {
var parts = datetext.split("/");
return new Date(parts[2], parts[0]-1, parts[1]);
};
y = d3.scale.log().domain([500, 5000000]).range([height, 0]);
x = d3.time.scale()
.domain([parseDate("12/01/2009"), parseDate("11/30/2013")])
.range([0, width])
.nice(d3.time.year);
var xAxis = d3.svg.axis()
.scale(x)
.orient("bottom")
.tickSize(15);
var yAxis = d3.svg.axis()
.scale(y)
.orient("left")
.tickSize(4)
.tickFormat(function(d, i) { return (i * (i%3-2) * (i%9-6)) ? "" : d3.format("s")(d); })
;
var xAxisG = svg.append("g")
.attr("class", "axis")
.attr("transform", "translate(0,"+(height+4)+")")
.call(xAxis)
.selectAll("text")
.attr("x", 20)
.attr("y", 5)
.attr("text-anchor", null);
var yAxisG = svg.append("g")
.attr("class", "axis")
.attr("transform", "translate(" + (-4) + ",0)")
.call(yAxis);
d3.csv("HealthInfoBreachesClean.csv", function(data) {
data.forEach(function(d) {
d.individuals_affected = +d["Clean Individuals Affected"];
d.date_of_breach = parseDate(d["Clean Date"]);
//d.date_of_breach = parseDate(d["Date Posted or Updated"]);
});
var color = d3.scale.category20();
svg.selectAll("circle")
.data(data)
.enter().append("circle")
.attr("fill", function(d) { return color(d["Type of Breach"]); })
.attr("cx", function(d) { return x(d.date_of_breach); })
.attr("cy", function(d) { return y(d.individuals_affected); })
.attr("r", 5)
;
});
svg.append("text")
.attr("x", -170)
.attr("y", -50)
.attr("transform", "rotate(-90)")
.text("Number of Patients Affected")
;
svg.append("text")
.attr("x", 690)
.attr("y", 475)
.text("Date Reported (or Incident Date)")
;
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment