HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach Report: October 2014

October 2014 HIPAA Breach Summary:

The Breach Notification Rule of the Health Insurance Portability and Accountability Act requires all covered entities, and their Business Associates to report all PHI data breaches involving more than 500 individuals to the HHS’ Office for Civil Rights (OCR). These breaches must be reported within 60 days of the discovery of the breach.

This report contains a summary of the breaches reported to the OCR during the month of October, 2014.

Major HIPAA Breaches in October 2014

October saw a high volume of data breaches recorded, which exposed over 450,000 private and confidential health records. The largest data breach was reported by Touchstone Medical Imaging LLC (TN), which resulted in 307,528 individuals having their billing information and personal identifiers exposed. The incident involved a folder containing PHI being placed on an unsecured server with that information potentially accessible over the internet.

MD Manage (NJ) – operating under the name Vcarve LLC- reported an incident to the Office for Civil Rights in which 35,357 records were potentially compromised. Few details were released about the HIPAA breach, although it is understood from the OCR breach report to have involved the compromising of a network server.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Nisar A. Quraishi, M.D. (NY) reported the burglary of a shed which he was using as a storage facility. In that shed were more boxes of old paper files containing the medical records of some 20,000 of his former patients. Those records were stolen in the break in.

While only exposing a limited amount of data, a mailing error by Health Services Advisory Group, Inc. (AZ) resulted in postcards being sent to 15,380 behavioral health patients, on which names and addresses were clearly visible.

Coordinated Health (PA) reported the theft of a laptop computer containing the unencrypted PHI of 13,907 individuals; New York City Health & Hospitals Corporation (NY) reported the improper accessing and potential disclosure of 10,058 paper files and Mount Sinai Beth Israel (NY) reported the theft of a laptop computer containing 10,793 patient records. While this laptop was password protected, the data was not encrypted.

Summary of Reported Breaches

In October, 2014, a total of 451,324 individuals were affected by 26 HIPAA data breaches according to the OCR breach report portal.

Breach Type

There were two hacking incidents reported in October which exposed a combined total of 5,826 records, although it was the theft of unencrypted laptops that dominated the OCR breach reports in October. The single largest cause of breaches was unauthorized disclosures, and also caused of the largest breach recorded this month – the massive 307,528-record breach at Touchstone Medical Imaging.



Breaches by Covered Entity

Business Associates reported 5 major data breaches, including a 35,357-record breach at MD Manage and 15,380 records at the Health Services Advisory Group, although it was healthcare providers who registered the most breaches with a total of 19 for the month. Two insurers registered HIPAA breaches, while no reports were received by healthcare clearinghouses.


Location of Breached Information



View Breach Report for September, 2014

Data Source:

HHS OCR Breach Portal: ttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF4A0922D09B6E1CF5DAE375E0D0.ajp13w

*Data does not include HIPAA breaches reported to the OCR after the 60-day reporting deadline, as demanded by the Breach Notification Rule. Any errors made by CEs during the submission of HIPAA breach reports via the online portal will be reflected in this breach summary. Figures are deemed to be correct at the time of publishing, although covered entities are permitted to update breach reports after the 60 day deadline as further information becomes available.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.