Share this article on:
October 2013 HIPAA Breach Summary:
The Breach Notification Rule of the Health Insurance Portability and Accountability Act requires all covered entities and their Business Associates to report all data breaches affecting more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights (OCR). These breaches must be reported within 60 days of the discovery of the breach.
This report contains a summary of the breaches that were reported to the OCR during the month of October 2013.
Major HIPAA Breaches in October 2013
AHMC Healthcare Inc. and Affiliated Hospitals suffered a large data breach which exposed the records of 729,000 individuals after a laptop computer containing unencrypted PHI was stolen. This HIPAA breach compromised more records that the rest of the month’s data breaches combined.
Professional Transcription Services, a healthcare Business Associate, reported an unauthorized disclosure incident involving a network server in which 37,000 records were exposed.
Rotech Healthcare Inc. (FL) reported an incident involving a laptop computer, with the unauthorized disclosure compromising 10,680 records. Device theft also exposed 5,232 records at Paragon Benefits (GA), 5,500 records at Seton Healthcare Family (TX) and 5,840 at Greater Dallas Orthopaedic (TX).
Summary of Reported Breaches
In October 2013, a total of 840,429 individuals were affected by HIPAA data breaches in 29 incidents reported to the OCR within the 60-day Breach Notification period.
The theft of portable devices containing unencrypted PHI was the single largest cause of HIPAA breaches for the month. There were no reported hacking incidents this month.
Breaches by Covered Entity
Healthcare providers suffered the most data breaches in October 2013. These incidents exposed the data of 783,844 patients. Business Associates were responsible for 5 data breaches – involving 54,285 individuals – while there was only one breach reported by a Healthcare clearinghouse which exposed 2,300 records. No Health Plans reported any breaches in October.
Location of Breached Information
HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.