HIPAA Breach Report: September 2014

September 2014 HIPAA Breach Summary:

The HIPAA Breach Notification Rule requires covered entities to report all data breaches involving HIPAA-covered data to the Department of Health and Human Services’ Office for Civil Rights.

Breach reports must be submitted via the OCR's website portal, and covered entities (CEs) have 60 days from the discovery of the breach to do so.

This report contains a summary of the breaches reported to the OCR during the month of September, 2014.

Major HIPAA Breaches in September 2014

Large-scale data breaches continue to plague the healthcare industry. Last month saw well over 4 million records exposed in hacking incidents, laptop thefts, and the improper access, disclosure and disposal of records.

This month, while there were fewer incidents reported, most of which involved a few thousand records, Xerox State Healthcare, LLC (TX) reported a massive data breach in which approximately 2 million records were exposed. The incident was atypical for a HIPAA breach. Rather than records being exposed by hackers or the theft of computer equipment, this breach followed the cancellation of a contract between Xerox and the Texas Health and Human Services Commission. After the contract was cancelled, Xerox failed to return computer equipment containing PHI, potentially leading to that information being exposed.

Valesco Ventures (FL), a Business Associate of Aventura Hospital and Medical Center, reported a HIPAA breach which affected 82,601 individuals after an employee allegedly accessed patient health records without authorization.

Cedars-Sinai Health System (CA) reported a data breach involving 33,136 patients after a laptop containing unencrypted PHI was stolen from an employee’s home, while Bulloch Pediatric Group, LLC (GA) also reported a burglary in which 10,000 old insurance records and other payment records were stolen from its facilities.

Summary of Reported Breaches

In September, 2014, a total of 2,153,087 individuals were affected in 21 HIPAA data breaches. The total number of victims of HIPAA breaches in Q3, 2014 was 8,244,381. The total number of breach victims so far reported in 2014 is 11,512,220.

Breach Type

The theft of laptop computers and unauthorized accessing of PHI accounted for virtually all of the breaches reported to the OCR in September.



Breaches by Covered Entity

Only one health plan registered a data breach in September, so it is healthcare providers that dominate the OCR data breach reports, registering 14 incidents for the month. Business Associates only registered 6 HIPAA breaches, but that included the massive 2-million record breach at Xerox State Healthcare. No healthcare clearinghouses recorded breaches in September.



Location of Breached Information




Data Source:

HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60-day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.