August 2014 HIPAA Breach Summary:
HIPAA regulations require all covered entities to submit a report of any breach affecting more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights. Covered entities have only 60 days to make the report, or they face a breach notification penalty.
This report contains a summary of the breaches reported to the OCR during the month of August, 2014.
Major HIPAA Breaches in August 2014
August saw a high number of HIPAA breaches reported, in which over 4 million individual records were compromised – more than the total number of individuals affected by data breaches in the first six months of the year. The majority of the victims came from a huge data breach at Community Health Systems Professional Services Corporation (TN), which exposed the records of 4,500,000 individuals.
The CHS HIPAA breach was one of the largest ever recorded, and resulted in hackers obtaining personal identifiers and Social Security numbers, in what was described as “a highly sophisticated attack”.
In any other month the hacking of Business Associate Onsite Health Diagnostics (OHD) (TX) would have attracted more press. This incident resulted in 60,562 patient records being obtained by cybercriminals, although no medical information or Social Security numbers were compromised in the breach.
Iron Mountain (CA), a Business Associate of Orthopaedic Specialty Institute Medical Group, reported an atypical data breach in which the X-rays of 49,714 patients were potentially compromised. Two former employees allegedly stole 742 boxes of X-rays, which were sold to a recycling firm for the silver they contained. The OCR was notified of a further 11,674 records lost by the Business Associate in a subsequent breach report, in addition to the original 49K incident.
Jersey City Medical Center, run by Barnabas Health (NJ), lost a CD containing the PHI of 36,400 of its patients, while the hacking of a network server at the Central Utah Clinic, P.C. (UT) exposed 31,677 records, including Social Security numbers and a limited amount of healthcare data. Although few details have been released, CareAll Management, LLC (TN) reported 28,300 records were lost in an incident classified as “improper disposal of records”.
Other breaches reported for the month involving over 10,000 records include:
- Dennis Flynn MD (IL) – 13,646 records – Theft of an unencrypted laptop computer
- Kaiser Foundation Health Plan of Colorado (CO) – 11,551 records – Unauthorized access and disclosure
- PST Services Inc, as McKesson Co. (GA) – 10,104 records – Hacking of a network server
- Duke University Health System (NC) – 10,993 records – Theft of an unencrypted portable device
- AltaMed Health Services Corporation (CA) – 10,604 records – Employee theft of PHI
Summary of Reported Breaches
In August 2014, a total of 4,815,065 individuals were affected in 29 HIPAA data breaches, as reported to the OCR through its breach portal.
Hackers targeted the healthcare industry in August and caused 6 HIPAA breaches, including the 60K breach at Onsite Health Diagnostics, although it was the theft of an unencrypted device which caused the largest data breach of the month. It was also a month in which the improper disposal of PHI resulted in 8,113 records being exposed.
Breaches by Covered Entity
Business Associates registered a similar number of breaches as last month, and it was a BA that caused the largest HIPAA breach of the year to date – one that ranks as the second highest data breach ever recorded, behind only the Tricare breach of 2011. BAs also reported two other major breaches, involving 50K and 60K records. Healthcare providers registered the highest number of breaches with 18; health plans reported 3, while clearinghouses were unaffected in August.
Location of Breached Information
HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline required by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60-day deadline as further information becomes available.