HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Report: December 2014

December 2014 HIPAA Breach Summary:

The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates, to notify the Office for Civil Rights of the Department of Health and Human Services of data breaches affecting more than 500 individuals. The time limit for doing so is 60 days from discovery of the breach.

This report contains a summary of the breaches reported to the OCR during the month of December, 2014.

Major HIPAA Breaches in December 2014

December saw a major fall in the number of reported breaches with just 9 incidents reported for the month. The massive data breach at Sony Pictures dominated the newspaper headlines, and while huge volumes of highly sensitive data were obtained by hackers, the majority of this information was not covered by HIPAA. However, 30,000 records relating to the Sony Pictures Entertainment Health and Welfare Benefits Plan was present in the data stolen by the cybercriminals.

Walgreen Co. (IL) reported another data breach involving paper records. In this incident, of which scant details were released, up to 160,000 confidential records were compromised. Walgreen could face OCR penalties after this incident as a “repeat offender”. This breach is believed to have occurred between August 1st and November 6th of this year.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The individuals responsible for the Sony Pictures hacking incident attempted to hold the company to ransom, as did the hackers who gained access to the Clay County Hospital (IL) network, although the two incidents are not believed to be related. The 18-bed Clay County Hospital in Flora received an email demand in which the person responsible demanded “a substantial payment from the hospital”; otherwise the data of 12,621 patients – including Social Security numbers – would be divulged.

ReachOut Home Care (KY) also reported a data breach in which 4,500 were exposed after a laptop computer containing unencrypted PHI was stolen from the healthcare provider’s facilities.

Summary of Reported Breaches

In December, 2014, a total of 213,932 individuals were affected by 9 HIPAA data breaches. The total number of individuals affected by HIPAA breaches in Q4, 2014 was 990,970. The total number of breach victims for 2014 is 12,503,190, based on OCR breach reports.

Breach Type

There were relatively few breaches reported in December, which after last month’s high number of breaches is certainly good news.



Breaches by Covered Entity

For the first time this year, Business Associates managed to last a month without registering any data breaches. Health plans only recorded one incident while no healthcare clearinghouses were affected.


Location of Breached Information



View Breach Report for November, 2014

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.