HIPAA Breach Report: February 2014

February 2014 HIPAA Breach Summary:

HIPPA Regulations require all covered entities to submit a report of any breach affecting more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights. Covered entities only have 60 days in order to make the report, or they face a breach notification penalty.

This report contains a summary of the breaches which have been reported to the OCR during the month of February, 2014.

Major HIPAA Breaches in February 2014

Had it not have been for a huge HIPAA breach at St. Joseph Health System (TX), in which 405,000 patient records were exposed after a network server was hacked, February would have been a relatively good month for the healthcare industry. There were 23 HIPAA breaches reported during the course of the month, but St. Joseph’s aside, only 92,492 records were exposed.

StayWell Health Management, LLC made 4 separate breach reports involving a total of 16,841 individuals, all of which involved the unauthorized disclosure of records as a result of a network server incident. 16,446 electronic medical records were stolen from healthcare provider Kmart Corporation (IL), while the University of Miami (FL) reported a 13,074-record breach involving physical PHI records.

Joseph Michael Benson M.D (TX) was one of two doctors reporting thefts of stolen unencrypted devices in February. In his case a desktop computer containing 7,500 of his patient’s records was stolen, while Min Yi, M.D (CA) also had a device stolen containing 4,676 records.

Summary of Reported Breaches

In February, 2014, a total of 497,492 individuals were affected in 23 data/HIPAA/HIPAA data breaches that were reported to the OCR through its breach report portal.

Breach Type

The theft of laptop computers dominates the breach report for February, with unauthorized disclosures also a major issue for the month. While there were only two hacking incidents, they exposed more records – 407,269 – than all other breaches combined.


Breaches by Covered Entity

Healthcare providers registered the most data breaches in February with 13 incidents, healthcare clearing houses avoided any breaches while 7 Business Associates and 3 health plans were affected.


Location of Breached Information



View Breach Report for January, 2014

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.