HIPAA Breach Report: May 2014
May 2014 HIPAA Breach Summary:
The Health Insurance Portability and Accountability Act of 1996 requires all healthcare providers, insurers and other covered entities – including their Business Associates – to report all data breaches affecting more than 500 individuals. The report must be made via the DHHS’ Office for Civil Rights (OCR) breach notification portal within 60 days of the discovery of a breach.
This report contains a summary of the breaches which have been reported to the OCR during the month of May, 2014.
Major HIPAA Breaches in May 2014
May saw substantially fewer HIPAA breaches reported than in April, with the volume falling by approximately half. However, due to a huge data breach at Sutherland Healthcare Solutions, Inc. (NJ) – which exposed 342,197 records –the victim count for May was substantially higher than April’s total. The Sutherland data breach – the second largest of 2014 – was caused when thieves broke into the company’s Torrance facilities and stole 8 computers containing unencrypted PHI.
Jamaica Hospital Medical Center (NY) reported a data breach in which 26,162 records were potentially viewed by two members of staff at the hospital. The staff has been accused of accessing the records of patients and provided the details to attorneys. Some of the patients had not yet received treatment and were still in the hospital.
Health plan Triple-S Salud reported two incidents in April involving 5,795 and 7,911 records, and in May the company reported another much more serious data breach which exposed the records of 56,853 plan members. The Health Plan could potentially be fined millions of dollars for the incident this month. The company was involved in a 400K-record breach in 2010 for which it received a $100K fine. A history of violations is considered when the OCR considers applying HIPAA financial penalties.
Another serial suffer of HIPAA breaches, American Health Inc. (PR), reported another large scale data breach for the second month in a row, with May’s breach exposing 11,531 records.
Central City Concern (OR) reported an incident involving the unauthorized accessing or PHI by a former employee, who potentially viewed and/or used 17,914 confidential health records to file fake tax returns.
Summary of Reported Breaches
In May, 2014, a total of 475,704 individuals were affected by 15 HIPAA data breaches, according to breach reports issued to the OCR in the 60-day allocated time frame.
Breaches recorded in May were at 50% of the level seen the previous month, with unauthorized accessing of records and theft of devices the major causes of breaches in May. The massive 342K-record data breach at Sutherland Healthcare Solutions is the biggest HIPAA breach recorded this year.
Breaches by Covered Entity
Healthcare providers and their Business Associates were hit hard with breaches in May, with the largest data breach of the year recorded by a Business Associate. There was one hacking incident, although it only exposed 502 records.
Location of Breached Information
HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.