Skip to main content

Today's compliance deadline - Enforcement of the HITECH/HIPAA data breach notification rule

February and March are just full of significant deadlines for privacy/security reporting and compliance.

Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To "celebrate" the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website, but I thought I would post them here. Reasonably instructive…..see any trends??

Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

The Methodist Hospital
State:
Texas
Approx. # of Individuals Affected:
689
Date of Breach:
1/18/10
Type of Breach:
Theft
Location of Breached Information:
Computer

Carle Clinic Association
State:
Illinois
Approx. # of Individuals Affected:
1,300
Date of Breach:
1/13/10
Type of Breach:
Theft
Location of Breached Information:
Paper Records and Films

Ashley and Gray DDS
State:
Missouri
Approx. # of Individuals Affected:
9,309
Date of Breach:
1/10/10
Type of Breach:
Theft
Location of Breached Information:
Desktop Computer

Educators Mutual Insurance Association of Utah
State:
Utah
Business Associate Involved:
Health Behavior Innovations
Approx. # of Individuals Affected:
5,700
Date of Breach:
12/27/09
Type of Breach:
Theft
Location of Breached Information:
CDs

Goodwill Industries of Greater Grand Rapids, Inc.
State:
Michigan
Approx. # of Individuals Affected:
10,000
Date of Breach:
12/15/09
Type of Breach:
Theft
Location of Breached Information:
Backup Tapes

Private Practice
City and State:
Stoughton, MA
Approx. # of Individuals Affected:
1,860
Date of Breach:
12/11/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device/Electronic Medical Record

AvMed, Inc.
State:
Florida
Approx. # of Individuals Affected:
359,000
Date of Breach:
12/10/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Blue Island Radiology Consultants
State:
Illinois
Business Associate Involved:
United Micro Data
Approx. # of Individuals Affected:
2,562
Date of Breach:
12/09/09
Type of Breach:
Loss
Location of Breached Information:
Backup Tapes

Private Practice
City and State:
Wilmington, NC
Business Associate Involved:
Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected:
2,000
Date of Breach:
12/08/09
Type of Breach:
Hacking/IT Incident
Location of Breached Information:
Computer/Network Server/Electronic Medical Record

Kaiser Permanente Medical Care Program
State:
California
Approx. # of Individuals Affected:
15,500
Date of Breach:
12/01/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device

University of California, San Francisco
State:
California
Approx. # of Individuals Affected:
7,300
Date of Breach:
11/30/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Detroit Department of Health and Wellness Promotion
State:
Michigan
Approx. # of Individuals Affected:
646
Date of Breach:
11/26/09
Type of Breach:
Theft
Location of Breached Information:
Laptop, Desktop Computer

Advocate Health Care
State:
Illinois
Approx. # of Individuals Affected:
812
Date of Breach:
11/24/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Concentra
State:
Texas
Approx. # of Individuals Affected:
900
Date of Breach:
11/19/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Children's Medical Center of Dallas
State:
Texas
Approx. # of Individuals Affected:
3,800
Date of Breach:
11/19/09
Type of Breach:
Loss
Location of Breached Information:
Portable Electronic Device

Universal American, Inc.
State:
New York
Business Associate Involved:
Democracy Data & Communications, LLC
Approx. # of Individuals Affected:
83,000
Date of Breach:
11/12/09
Type of Breach:
Incorrect Mailing
Location of Breached Information:
Postcards

Massachusetts Eye and Ear Infirmary
State:
Massachusetts
Approx. # of Individuals Affected:
1,076
Date of Breach:
11/10/09
Type of Breach:
Theft
Location of Breached Information:
Other

Kern Medical Center
State:
California
Approx. # of Individuals Affected:
596
Date of Breach:
10/31/09
Type of Breach:
Theft
Location of Breached Information:
Paper Records

Blue Cross Blue Shield Association
State:
District of Columbia
Business Associate Involved:
Service Benefits Plan Administrative Services Corp.
Approx. # of Individuals Affected:
3,400
Date of Breach:
10/26/09
Type of Breach:
Unauthorized Access
Location of Breached Information:
Mailings

Detroit Department of Health and Wellness Promotion
State:
Michigan
Approx. # of Individuals Affected:
10,000
Date of Breach:
10/22/09
Type of Breach:
Theft
Location of Breached Information:
Portable Electronic Device

The Children's Hospital of Philadelphia
State:
Pennsylvania
Approx. # of Individuals Affected:
943
Date of Breach:
10/20/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Public Employee Health Insurance Plan (Kentucky Employees' Health Plan)
State:
Kentucky
Approx. # of Individuals Affected:
676
Date of Breach:
10/20/09
Type of Breach:
Misdirected E-mail
Location of Breached Information:
E-mail

Brooke Army Medical Center
State:
Texas
Approx. # of Individuals Affected:
1,000
Date of Breach:
10/16/09
Type of Breach:
Theft
Location of Breached Information:
Paper Records

Alaska Department of Health and Social Services
State:
Alaska
Approx. # of Individuals Affected:
501
Date of Breach:
10/12/09
Type of Breach:
Theft
Location of Breached Information:
Portable USB Device

Cogent Healthcare of Wisconsin, S.C.
State:
Tennessee
Business Associate Involved:
Cogent Healthcare, Inc.
Approx. # of Individuals Affected:
6,400
Date of Breach:
10/11/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Health Services for Children with Special Needs, Inc.
State:
District of Columbia
Approx. # of Individuals Affected:
3,800
Date of Breach:
10/09/09
Type of Breach:
Loss
Location of Bre
ached Information:
Laptop

Blue Cross Blue Shield Association
State:
District of Columbia
Business Associate Involved:
Merkle Direct Marketing
Approx. # of Individuals Affected:
15,000
Date of Breach:
10/07/09
Type of Breach:
Unauthorized Access
Location of Breached Information:
Mailings

Blue Cross Blue Shield of Tennessee
State:
Tennessee
Approx. # of Individuals Affected:
500,000
Date of Breach:
10/02/09
Type of Breach:
Theft
Location of Breached Information:
Hard Drives

City of Hope National Medical Center
State:
California
Approx. # of Individuals Affected:
5,900
Date of Breach:
9/27/09
Type of Breach:
Theft
Location of Breached Information:
Laptop

Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
6,145
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer

Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
5,166
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer

Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
5,257
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer

Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
857
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer

Private Practice
City and State:
Torrance, CA
Approx. # of Individuals Affected:
952
Date of Breach:
9/27/09
Type of Breach:
Theft, Unauthorized Access
Location of Breached Information:
Desktop Computer

University of California, San Francisco
State:
California
Approx. # of Individuals Affected:
610
Date of Breach:
9/22/09
Type of Breach:
Phishing Scam
Location of Breached Information:
Email

Mid America Kidney Stone Association, LLC
State:
Missouri
Approx. # of Individuals Affected:
1,000
Date of Breach:
9/22/09
Type of Breach:
Theft
Location of Breached Information:
Network Server

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.