HIPAA Breach Report: November 2013

November 2013 HIPAA Breach Summary:

The Health Insurance Portability and Accountability Act requires all covered entities – including Business Associates – to report all data breaches affecting more than 500 individuals. The reports must be made via the DHHS’ Office for Civil Rights (OCR) breach notification portal and covered entities have up to 60 days from the date of discovery of the breach to notify the OCR.

This report contains a summary of the breaches reported to the OCR during the month of November, 2013.

Major HIPAA Breaches in November 2013

November saw a dramatic drop in the number of victims from data breaches. There were 24 HIPAA breaches reported for the month – five less than in October – with the number of victims falling by 75%. UW Medicine (WA) recorded the largest breach, in which 76,183 patient records were exposed in a hacking incident.

The Kaiser Foundation Hospital in Orange County (CA) potentially exposed 49,000 patient records after a portable device containing unencrypted PHI was lost. An unauthorized disclosure of PHI at Triple S Salud Inc. (PR) potentially compromised 13,336 patient records, while the theft of portable devices and laptops resulted in United Dynacare exposing 9,328 records.

The Hospice of the Chesapeake (MD) reported 7,606 compromised records and a further 11,500 were exposed at DaVita HealthCare Partners Inc (CO). Superior HealthPlan, Inc. (TX) registered a breach of 6,284 paper records in November.

Summary of Reported Breaches

In November 2013, a total of 212,471 individuals were affected by 24 data breaches that were reported to the OCR through its breach report portal.

Breach Type

The theft of unencrypted laptops continues to be the major cause of HIPAA breaches, although unauthorized access and disclosures exposed tens of thousands of records, including the 13,336-records Triple-S-Salud breach.


Breaches by Covered Entity

Healthcare providers were hit the hardest by data breaches in November, registering 19 incidents. There were no healthcare clearinghouse breaches, although 3 business associates and 2 health plans reported incidents in November.


Location of Breached Information



 View Breach Report for October, 2013

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.