HIPAA Breach Report: November 2014

November 2014 HIPAA Breach Summary:

Under the Health Insurance Portability and Accountability Act, all covered entities – including their Business Associates – are required to report data breaches affecting more than 500 individuals to the Office for Civil Rights. The report must be made via the HHS’ breach notification portal. Covered entities have up to 60 days to report breaches from the data of discovery

This report contains a summary of the breaches reported to the OCR during the month of November, 2014.

Major HIPAA Breaches in November 2014

Although relatively few data breaches were reported as having occurred in November, a high proportion involved the disclosure of tens of thousands of patient records. The largest HIPAA breaches involved the theft of data and network server incidents.

The Central Dermatology Center, P.A. (NC), reported a data breach in which 76,258 health records were exposed after malware was identified on its network, although it is not clear if any information was viewed or obtained.

Visionworks Inc. (TX) announced a 74,944-record HIPAA breach followed by a second announcement that a further 47,683 records had been exposed. These data breaches involved medical records being obtained by thieves – mostly lens prescription information – along with names and addresses when a decommissioned server was stolen.

It was healthcare providers who were hit the hardest in November, although the MetroPlus Health Plan, Inc. (NY) reported a 31,980-record data breach after an employee sent PHI via unencrypted email to a personal e-mail account rather than a work account.

Reeve-Woods Eye Center discovered malware had been installed on two computers in its network, which potentially resulted in 30,000 of the clinic’s patients having their PHI exposed. The malware took snapshots of computer screens and sent that information over the internet. Business Associate, Computer Programs and Systems, Inc. (AL) reported a network server incident which resulted in 25,764 records being compromised.

It was not only large healthcare providers to be affected by HIPAA breaches in November. Loi Luu, M.D (CA) reported the theft of a server and other equipment which potentially exposed 13,177 records, although these were believed, but not confirmed, to be encrypted.

Summary of Reported Breaches

In November, 2014, a total of 325,714 individuals were affected by 17 HIPAA data breaches.

Breach Type

There were major breaches affecting all covered entities except clearinghouses this month. There were seven breaches reported that exposed more than 10,000 records each. It was the theft of electronic equipment which caused the most breaches this month, resulting in a total of 209,798 records being compromised.



Breaches by Covered Entity

One health plan and one healthcare provider share the honors for the largest breaches for the month, with both affected by loss and theft of equipment that exposed approximately 75K records each. Overall, healthcare providers were hit the worst, registering 11 HIPAA breaches in November.


Location of Breached Information



View Breach Report for October, 2014

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.