The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Report: September 2014

September 2014 HIPAA Breach Summary:

The HIPAA Breach Notification Rule requires covered entities to report all data breaches involving HIPAA-covered data to the Department of Health and Human Services’ Office for Civil Rights.

Breach reports must be submitted via its website portal, and CEs have 60 days from the discovery of the breach to do so.

This report contains a summary of the breaches reported to the OCR during the month of September, 2014.

Major HIPAA Breaches in September 2014

Large-scale data breaches continue to plague the healthcare industry. Last month saw well over 4 million records exposed in hacking incidents, laptop thefts, and improper access, disclosure, and disposal of records.


This month, while there were fewer incidents reported, most of which involved a few thousand records, Xerox State Healthcare, LLC (TX) reported a massive data breach in which approximately 2 million records were exposed. The incident was atypical for a HIPAA breach. Rather than records being exposed by hackers or the theft of computer equipment, this breach followed the cancellation of a contract between Xerox and the Texas Health and Human Services Commission. After the contract was cancelled, Xerox failed to return computer equipment containing PHI, potentially leading to that information being exposed.

Valesco Ventures (FL), a Business Associate of Aventura Hospital and Medical Center, reported a HIPAA breach which affected 82,601 individuals after an employee allegedly accessed patient health records without authorization.

Cedars-Sinai Health System (CA) reported a data breach involving 33,136 patients after a laptop containing unencrypted PHI was stolen from an employee’s home, while Bulloch Pediatric Group, LLC (GA) also reported a burglary in which 10,000 old insurance records and other payment records were stolen from its facilities.

Summary of Reported Breaches

In September, 2014, a total of 2,153,087 individuals were affected in 21 HIPAA data breaches. The total number of victims of HIPAA breaches in Q3, 2014 was 8,244,381. The total number of breach victims so far reported in 2014 is 11,512,220.

Breach Type

The theft of laptop computers and unauthorized accessing of PHI accounted for virtually all of the breaches reported to the OCR in September.

[Figure: HIPAA breaches by type, September 2014]

Breaches by Covered Entity

Only one health plan registered a data breach in September, so it is healthcare providers that dominate the OCR data breach reports, registering 14 incidents for the month. Business Associates only registered 6 HIPAA breaches, but that included the massive 2-million record breach at Xerox State Healthcare. No healthcare clearinghouses recorded breaches in September.

 

[Figure: HIPAA breaches by covered entity, September 2014]

Location of Breached Information

 

[Figure: HIPAA breaches by location of breached information, September 2014]


Data Source:

HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60-day deadline as further information becomes available.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
