HIPAA Breach Report: June 2014

June 2014 HIPAA Breach Summary:

The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates to notify the Department of Health and Human Services’ Office for Civil Rights of data breaches affecting more than 500 individuals. The time limit for doing so this is stipulated in the Breach Notification Rule as 60 days from discovery of the breach.

This report contains a summary of the breaches reported to the OCR during the month of June, 2014.

Major HIPAA Breaches in June 2014

Three major data breaches were reported in June which exposed tens of thousands of medical records. NRAD Medical Associates, P.C. (NY) reported an incident in which a former member of staff gained access to, and copied, the records of 97,000 patients. The employee was believed to have taken the data with intent of using the information for personal gain.

Santa Rosa Memorial Hospital (CA), recently acquired by the St. Joseph Health System, suffered a break-in at the Redwood Regional Medical Group offices which resulted in 33,702 unencrypted medical records being obtained by thieves.

The Union Labor Life Insurance Company (MD) also reported a major HIPAA breach in which 42,713 of the insurer’s records were compromised, after a laptop containing unencrypted data was stolen from its Silver Spring, MD offices

Rady Children’s Hospital in San Diego (CA) demonstrated that even with rigorous safeguards to protect data from hackers, the threat from within should not be ignored. The hospital reported two data breaches involving 14,121 and 6,307 records, with the incident caused by human error when a spreadsheet containing real patient data was accidentally sent to potential job applicants.

June was a month in which individual doctors suffered more breaches than in other months, with three physicians reporting HIPAA breaches. Abrham Tekola, M.D., Inc., (CA) reported the theft of a desktop computer containing 5,471 patient records, a desktop computer theft was also reported by Mark A. Gillispie (CA) – exposing 5,845 records – while a hacking incident resulted in 11,000 records of David DiGiallorenzo, D.M.D. (PA) being exposed.

Doctors First Choice Billings, Inc (FL) suffered two breaches exposing 9,255 and 1,831 records as a result of a hacking incident and theft of equipment, while Salina Health Education Foundation (Salina Family Healthcare Center) (KS) exposed 9,640 records when a file containing PHI was submitted to the National Commission for Quality Assurance, before personal identifiers were stripped out of the data, as a part of involvement in a care coordination research study.

Summary of Reported Breaches

In June, 2014, a total of 252,873 individuals were affected in 23 HIPAA breaches, according to the OCR breach portal. The total number of victims of HIPAA breaches in Q2, 2014 was 1,168,892. The total number of breach victims for 2014 so far is 3,267,839.

Breach Type

The theft of unencrypted devices resulted in 11 HIPAA breaches this month. Had data encryption been used on these devices, these breaches, including the 42,713-breach at The Union Labor Life Insurance Company, could have been avoided. However, it was hacking that exposed the most records, including 97,000 at NRAD Medical Associates.



Breaches by Covered Entity

Health plans and Business Associates both registered two data breaches, but this month it was healthcare providers that were hit the hardest, registering 19 breaches.


Location of Breached Information



View Breach Report for May, 2014

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.