HIPAA Breach Report: January 2015

January 2015 HIPAA Breach Summary:

The HIPAA Breach Notification Rule demands that Healthcare providers, health plans healthcare clearinghouses and Business Associates report data breaches involving more than 500 individuals to the Office for Civil Rights of the HHS within sixty days of the discovery of the breach.

A summary of the HIPAA breaches reported to the OCR for the month of January, 2015 is detailed below:

Major HIPAA Breaches in January 2015

Following the relatively quiet month of December when few HIPAA breathes were reported, data theft increased in January with 17 separate incidents being reported to the Office for Civil Rights via its breach reporting portal.

The Tennessee Rural Health Improvement Association (TN) Health Plan recorded a major HIPAA breach in which 79,000 of its plan member records were potentially accessed and disclosed to unauthorized individuals.

Aspire Indiana, Inc. (IN) reported the theft of a number of laptop computers which contained the Social Security numbers and personal identifiers of 43,890 of its employees and clients; although no electronic health records were exposed in the incident.

UMass Memorial Medical Group, Inc. (MA) discovered that a former employee had accessed the data of up to 14,000 of its patients without any apparent reason. The incident potentially resulted in patients’ names, addresses, dates of birth, medical records, social security numbers and credit and debit card numbers being compromised.

Riverside County Regional Medical Center (CA) reported the theft of an unencrypted laptop containing 7,925 patient records, VA Corporate Data Center Operations/Austin Information Technology Center (TX) reported that a network server had been hacked which potentially resulted in 7,029 records being obtained by the culprit and St. Peter’s Health Partners (NY) issued a breach report after a portable electronic device – containing unencrypted PHI – was stolen; resulting in 5,117 patient health records being exposed.

Summary of Reported Breaches

In January, 2015, a total of 176,408 individuals were affected in 17 HIPAA data breaches that were reported to the OCR through its breach report portal.

Breach Type

Two hacking incidents were reported for the month, although the theft of devices containing unencrypted PHI and unauthorized disclosures caused the most HIPAA breaches this month, with the largest breach resulting from the latter.


Breaches by Covered Entity

There were no Business Associate HIPAA breaches recorded in January, making this two months in a row that BAs defenses have not been breached. Three health plans were affected, including the Tennessee Rural Health Improvement Association which recorded the largest breach of the month. However the breach reports are dominated by healthcare providers again, with 14 incidents reported to the OCR.



Location of Breached Information


View Breach Report for December, 2014

Data Source:

HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.