
The Roll Call of Horrors -- Health Information Breaches

In honor of Data Privacy Day, we thought we'd let you know about some of the latest breach notices posted to the Health and Human Services public notice website. Remember, these are all breaches of protected health information (PHI) and involve the information of more than 500 patients...


  • A computer containing PHI was stolen from a covered entity's reception area.  It is believed that a cleaning crew left the door unlocked and possibly ajar.
  • A covered entity failed to abide by its own shredding policy prior to disposal of paper documents.  PHI was found in a recycling bin located behind the facility.
  • A laptop was stolen from the bag of an employee making a home health visit.  The covered entity had a policy of encrypting and password protecting its laptops, but the employee had changed the security settings on her computer and the PHI was unsecured.
  • A laptop containing PHI was stolen from a physician's personal residence.
  • A file cabinet containing PHI was not cleaned out prior to delivery to a vendor for removal.
  • A file cabinet containing PHI was not cleaned out prior to being donated to a non-profit.
  • A business associate prepared a document for a covered entity and accidentally included the names and social security numbers of thousands of patients.  The document was posted on the Internet.
  • PHI was stolen by an imposter posing as the representative of a recycling service.
  • Unencrypted external backup drives were stolen from a safe in the locked office of a covered entity.
  • A nurse used a hospital's PHI to obtain narcotics for her own personal use (AGAIN, THIS BREACH INVOLVED THE PHI OF 500 OR MORE PATIENTS!)
  • A pharmacy log book containing the names of veteran patients just disappeared and is still missing.

Thanks to Dianne Bourque for contributing these!



Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.