Share this article on:
December 2014 HIPAA Breach Summary:
The Breach Notification Rule of HIPAA places a requirement on covered entities and their Business Associates, to notify the Office for Civil Rights of the Department of Health and Human Services of data breaches affecting more than 500 individuals. The time limit for doing so is 60 days from discovery of the breach.
This report contains a summary of the breaches reported to the OCR during the month of December, 2014.
Major HIPAA Breaches in December 2014
December saw a major fall in the number of reported breaches with just 9 incidents reported for the month. The massive data breach at Sony Pictures dominated the newspaper headlines, and while huge volumes of highly sensitive data were obtained by hackers, the majority of this information was not covered by HIPAA. However, 30,000 records relating to the Sony Pictures Entertainment Health and Welfare Benefits Plan was present in the data stolen by the cybercriminals.
Walgreen Co. (IL) reported another data breach involving paper records. In this incident, of which scant details were released, up to 160,000 confidential records were compromised. Walgreen could face OCR penalties after this incident as a “repeat offender”. This breach is believed to have occurred between August 1st and November 6th of this year.
The individuals responsible for the Sony Pictures hacking incident attempted to hold the company to ransom, as did the hackers who gained access to the Clay County Hospital (IL) network, although the two incidents are not believed to be related. The 18-bed Clay County Hospital in Flora received an email demand in which the person responsible demanded “a substantial payment from the hospital”; otherwise the data of 12,621 patients – including Social Security numbers – would be divulged.
ReachOut Home Care (KY) also reported a data breach in which 4,500 were exposed after a laptop computer containing unencrypted PHI was stolen from the healthcare provider’s facilities.
Summary of Reported Breaches
In December, 2014, a total of 213,932 individuals were affected by 9 HIPAA data breaches. The total number of individuals affected by HIPAA breaches in Q4, 2014 was 990,970. The total number of breach victims for 2014 is 12,503,190, based on OCR breach reports.
There were relatively few breaches reported in December, which after last month’s high number of breaches is certainly good news.
Breaches by Covered Entity
For the first time this year, Business Associates managed to last a month without registering any data breaches. Health plans only recorded one incident while no healthcare clearinghouses were affected.
Location of Breached Information
HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w
*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.