January 2014 HIPAA Breach Summary:
The HIPAA Breach Notification Rule demands that healthcare providers, health plans, healthcare clearing houses and BAs report data breaches involving more than 500 individuals to the Office for Civil Rights of the HHS within sixty days of the discovery of the breach.
This report contains a summary of the breaches which have been reported to the OCR during the month of January, 2014.
Major HIPAA Breaches in January 2014
After two relatively quiet months, January saw a high volume of data breaches, including two massive data breaches that exposed hundreds of thousands of patient records. The theft of a laptop computer from Horizon Healthcare Services, Inc. (As Horizon Blue Cross Blue Shield of New Jersey) resulted in 839,711 records potentially being exposed, while a network server incident at Triple-C, Inc. (PR) was reported to the OCR as exposing 398,000 and 8,000 patient records.
The large breach at the North Carolina Department of Health and Human Services (NC) appears small by comparison, although the unauthorized disclosure affected 48,752 individuals. Another health plan, Virginia Premier Health Plan (VPHP) (VA), also registered a breach involving 25,513 paper records, and Cook County Health & Hospitals System (IL) registered an email-related HIPAA breach involving 22,511 patient records.
Data encryption would have saved Network Pharmacy Knoxville (TN) from having to send 9,602 breach notification letters, had it been installed on the company’s laptops.
Similarly, the loss of an unencrypted portable storage device resulted in Business Associate, The University of Wisconsin-Madison School of Pharmacy (WI), potentially exposing 41,437 patient records.
Summary of Reported Breaches
In January, 2014, a total of 1,440,600 individuals were affected in 27 HIPAA data breaches that were reported to the OCR through its breach report portal. This represents approximately 7 times the number of victims recorded last month, and approximately the same volume of records was compromised this month as was exposed in Q4 of 2013.
The theft of healthcare laptops was the main cause of HIPAA breaches in January. These incidents could have been avoided had data encryption been used. The unauthorized disclosure of PHI resulted in 6 HIPAA breaches in January.
Breaches by Covered Entity
January saw more than twice as many Business Associates hit by HIPAA breaches as last month, and almost as many breaches as they caused in all of Q4, 2013. Healthcare providers were the worst affected, registering 14 breaches. Healthcare clearing houses avoided any breaches, while insurers reported two incidents, including a 48,752-record breach by the North Carolina Department of Health and Human Services.
Location of Breached Information
HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60-day deadline as further information becomes available.