The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Report: June 2014

June 2014 HIPAA Breach Summary:

The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates to notify the Department of Health and Human Services’ Office for Civil Rights of data breaches affecting more than 500 individuals. The time limit for doing so is stipulated in the Breach Notification Rule as 60 days from discovery of the breach.

This report contains a summary of the breaches reported to the OCR during the month of June, 2014.

Major HIPAA Breaches in June 2014

Three major data breaches were reported in June which exposed tens of thousands of medical records. NRAD Medical Associates, P.C. (NY) reported an incident in which a former member of staff gained access to, and copied, the records of 97,000 patients. The employee was believed to have taken the data with the intent of using the information for personal gain.

Santa Rosa Memorial Hospital (CA), recently acquired by the St. Joseph Health System, suffered a break-in at the Redwood Regional Medical Group offices which resulted in 33,702 unencrypted medical records being obtained by thieves.

The Union Labor Life Insurance Company (MD) also reported a major HIPAA breach in which 42,713 of the insurer’s records were compromised after a laptop containing unencrypted data was stolen from its Silver Spring, MD offices.

Rady Children’s Hospital in San Diego (CA) demonstrated that even with rigorous safeguards to protect data from hackers, the threat from within should not be ignored. The hospital reported two data breaches involving 14,121 and 6,307 records, with the incident caused by human error when a spreadsheet containing real patient data was accidentally sent to potential job applicants.

June was a month in which individual doctors suffered more breaches than in other months, with three physicians reporting HIPAA breaches. Abrham Tekola, M.D., Inc., (CA) reported the theft of a desktop computer containing 5,471 patient records; a desktop computer theft was also reported by Mark A. Gillispie (CA), exposing 5,845 records, while a hacking incident resulted in 11,000 records of David DiGiallorenzo, D.M.D. (PA) being exposed.

Doctors First Choice Billings, Inc (FL) suffered two breaches exposing 9,255 and 1,831 records as a result of a hacking incident and theft of equipment, while Salina Health Education Foundation (Salina Family Healthcare Center) (KS) exposed 9,640 records when a file containing PHI was submitted to the National Commission for Quality Assurance, before personal identifiers were stripped out of the data, as a part of involvement in a care coordination research study.

Summary of Reported Breaches

In June, 2014, a total of 252,873 individuals were affected in 23 HIPAA breaches, according to the OCR breach portal. The total number of victims of HIPAA breaches in Q2, 2014 was 1,168,892. The total number of breach victims for 2014 so far is 3,267,839.

Breach Type

The theft of unencrypted devices resulted in 11 HIPAA breaches this month. Had data encryption been used on these devices, these breaches, including the 42,713-record breach at The Union Labor Life Insurance Company, could have been avoided. However, it was hacking that exposed the most records, including 97,000 at NRAD Medical Associates.

[Chart: HIPAA breaches by type, June 2014]

Breaches by Covered Entity

Health plans and Business Associates both registered two data breaches, but this month it was healthcare providers that were hit the hardest, registering 19 breaches.

[Chart: HIPAA breaches by covered entity, June 2014]

Location of Breached Information

 

[Chart: HIPAA breaches by location of breached information, June 2014]

Data Source:

HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60-day deadline as further information becomes available.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
