Share this article on:
July 2014 HIPAA Breach Summary:
The HIPAA Breach Notification Rule demands that Healthcare providers, health plans healthcare clearinghouses and BAs report data breaches involving more than 500 individuals to the Office for Civil Rights of the HHS within sixty days of discovery of the breach.
This report contains a summary of the breaches reported to the OCR during the month of July, 2014.
Major HIPAA Breaches in July 2014
A number of large scale HIPAA breaches were reported to the Office for Civil Rights in July, exposing more patient records than in any other month since January this year. The data breach at the Montana Department of Public Health and Human Services (MT) is the largest reported HIPAA breach of the year, exposing 1,062,509 records. This is almost as many records as were exposed in the HIPAA breaches at Horizon Healthcare Services, Inc., (January) and Sutherland Healthcare Solutions (May) combined.
Human error was cited as the reason for a data breach at St. Vincent Hospital and Health Care Center, Inc. (IN) after 63,325 individuals received a mailing in which names, addresses and appointment details were mailed to incorrect recipients.
Business Associate, InSync Computer Solutions, Inc. (AL), issued breach notification letters to 50,918 individuals after a network server incident potentially exposed some of their Protected Health Information.
The theft of an unencrypted laptop from Self Regional Healthcare (SC) exposed the PHI – including Social Security numbers, driver’s license numbers, payment card information, financial account information and other sensitive information – of 38,906 individuals.
PRN Medical Services, LLC (as Symbius Medical, LLC) (AZ) and Western Regional Center for Brain and Spine Surgery (NV) both reported network server incidents in June which exposed 13,877 and 12,000 records respectively.
Summary of Reported Breaches
In July, 2014, a total of 1,276,229 individuals were affected in 22 reportable HIPAA data breaches.
The theft of devices containing unencrypted Protected Health Information and unauthorized disclosures accounted for the majority of incidents reported to the OCR in July. However it was hacking that caused the largest breach in which 1,062,509 records were compromised.
Breaches by Covered Entity
Healthcare providers may have registered 11 HIPAA breaches in July, but it was a health plan – The Montana Department of Public Health and Human Services – that was hit the hardest with its breach exposing the most records. Healthcare clearing houses registered no data breaches in August.
Location of Breached Information
HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.