HIPAA Breach Report: March 2014
March 2014 HIPAA Breach Summary:
The HIPAA Breach Notification Rule requires covered entities to report all data breaches involving HIPAA-covered data to the Department of Health and Human Services’ Office for Civil Rights.
Breach reports must be submitted via its website portal, and CEs have 60 days from the discovery of the breach in order to do this.
This report contains a summary of the breaches which have been reported to the OCR during the month of March, 2014.
Major HIPAA Breaches in March 2014
The number of individuals affected by data breaches in March 2014 was substantially lower, with 68% fewer victims compared to last month, although there were 7 more breaches reported in March.
Phoenix-based not-for-profit health system, Banner Health (AZ), reported the largest HIPAA breach after 55,207 individuals had their Social Security numbers or Medicare numbers printed on magazine labels in a marketing error when sending its quarterly magazine to patients.
HealthPartners, Inc. (MN) reported a 27,839-record accidental disclosure data breach, in addition to three data breaches reported under HealthPartners Administrators, Inc, which exposed a total of 3,210 records.
The loss or theft of unencrypted devices (laptops, pen drives, desktop computers) was a major cause of data breaches in March, with the University of California, San Francisco (CA) – 9,861-records – Mission City Community Network (CA) – 7,800 records – Todd M. Burton, M.D. (TX) – 5,000 records and NOVA Chiropractic & Rehab Center (VA) – 5,534 records – and Palomar Health (CA) – 5,499 records – and Valley View Hospital Association (CO) – 5,415 records – all reporting data breaches.
Franciscan Medical Group (WA) – reported an email phishing scam which resulted in hackers obtaining 8,300 records.
Summary of Reported Breaches
In March, 2014, a total of 160,855 individuals were affected in 30 data/HIPAA/HIPAA data breaches that were reported to the OCR through its breach report portal.
A wide range of security incidents occurred in March, and while the loss and theft of unencrypted devices caused a number of breaches, it was unauthorized disclosures of PHI which dominated the monthly breach reports in March.
Breaches by Covered Entity
A high number of breaches were recorded in March compared to previous months, with Business Associates hit hard with 10 breaches – the worst they have fared in the past 6 months. Two health plans were affected and 18 healthcare providers.
Location of Breached Information
HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.