HHS starts to reveal healthcare breaches reported to government

When HITECH was passed as part of the stimulus bill, it introduced new data breach notification requirements, including a requirement that breaches of unsecured personal health information held by covered entities or their business associates affecting more than 500 individuals be reported to the U.S. Department of Health & Human Services.

The requirement was somewhat watered down in the final regulations that introduced a harm threshold for reporting, and it seems that HHS has decided that its obligation is to provide a summary of the reports filed by entities instead of uploading the actual reporting forms, but the web site for such reports is now displaying summary reports received by HHS since September 23, 2009.

Many of the incidents reported have never been revealed in the media even though affected individuals may have been notified:  23 of the 36 reports below were never previously reported on this site or PHIprivacy.net.

It is not clear why HHS is seemingly shielding the name of private practitioners as if the whole purpose of this provision of the HITECH Act was to inform the public, shielding the names of doctors does not further that goal.

In the following list, breaches indicated by  asterisks have not been reported in the media or included on this site previously.

The Methodist Hospital

State: Texas
Approx. # of Individuals Affected: 689
Date of Breach: 1/18/10
Type of Breach: Theft
Location of Breached Information: Computer

Carle Clinic Association

State: Illinois
Approx. # of Individuals Affected: 1,300
Date of Breach: 1/13/10
Type of Breach: Theft
Location of Breached Information: Paper Records and Films

** Ashley and Gray DDS

State: Missouri
Approx. # of Individuals Affected: 9,309
Date of Breach: 1/10/10
Type of Breach: Theft
Location of Breached Information: Desktop Computer

** Educators Mutual Insurance Association of Utah

State: Utah
Business Associate Involved: Health Behavior Innovations
Approx. # of Individuals Affected: 5,700
Date of Breach: 12/27/09
Type of Breach: Theft
Location of Breached Information: CDs

Goodwill Industries of Greater Grand Rapids, Inc.

State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 12/15/09
Type of Breach: Theft
Location of Breached Information: Backup Tapes

** Private Practice

City and State: Stoughton, MA
Approx. # of Individuals Affected: 1,860
Date of Breach: 12/11/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device/Electronic Medical Record

AvMed, Inc.

State: Florida
Approx. # of Individuals Affected: 359,000
Date of Breach: 12/10/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Blue Island Radiology Consultants

State: Illinois
Business Associate Involved: United Micro Data
Approx. # of Individuals Affected: 2,562
Date of Breach: 12/09/09
Type of Breach: Loss
Location of Breached Information: Backup Tapes

** Private Practice

City and State: Wilmington, NC
Business Associate Involved: Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected: 2,000
Date of Breach: 12/08/09
Type of Breach: Hacking/IT Incident
Location of Breached Information: Computer/Network Server/Electronic Medical Record

Kaiser Permanente Medical Care Program

State: California
Approx. # of Individuals Affected: 15,500
Date of Breach: 12/01/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

University of California, San Francisco

State: California
Approx. # of Individuals Affected: 7,300
Date of Breach: 11/30/09
Type of Breach: Theft
Location of Breached Information: Laptop

Detroit Department of Health and Wellness Promotion

State: Michigan
Approx. # of Individuals Affected: 646
Date of Breach: 11/26/09
Type of Breach: Theft
Location of Breached Information: Laptop, Desktop Computer

** Advocate Health Care

State: Illinois
Approx. # of Individuals Affected: 812
Date of Breach: 11/24/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Concentra

State: Texas
Approx. # of Individuals Affected: 900
Date of Breach: 11/19/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Children’s Medical Center of Dallas

State: Texas
Approx. # of Individuals Affected: 3,800
Date of Breach: 11/19/09
Type of Breach: Loss
Location of Breached Information: Portable Electronic Device

Universal American, Inc.

State: New York
Business Associate Involved: Democracy Data & Communications, LLC
Approx. # of Individuals Affected: 83,000
Date of Breach: 11/12/09
Type of Breach: Incorrect Mailing
Location of Breached Information: Postcards

Massachusetts Eye and Ear Infirmary

State: Massachusetts
Approx. # of Individuals Affected: 1,076
Date of Breach: 11/10/09
Type of Breach: Theft
Location of Breached Information: Other

Kern Medical Center

State: California
Approx. # of Individuals Affected: 596
Date of Breach: 10/31/09
Type of Breach: Theft
Location of Breached Information: Paper Records

** Blue Cross Blue Shield Association

State: District of Columbia
Business Associate Involved: Service Benefits Plan Administrative Services Corp.
Approx. # of Individuals Affected: 3,400
Date of Breach: 10/26/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings

Detroit Department of Health and Wellness Promotion

State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 10/22/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

The Children’s Hospital of Philadelphia

State: Pennsylvania
Approx. # of Individuals Affected: 943
Date of Breach: 10/20/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Public Employee Health Insurance Plan (Kentucky Employees’ Health Plan)

State: Kentucky
Approx. # of Individuals Affected: 676
Date of Breach: 10/20/09
Type of Breach: Misdirected E-mail
Location of Breached Information: E-mail

** Brooke Army Medical Center

State: Texas
Approx. # of Individuals Affected: 1,000
Date of Breach: 10/16/09
Type of Breach: Theft
Location of Breached Information: Paper Records

** Alaska Department of Health and Social Services

State: Alaska
Approx. # of Individuals Affected: 501
Date of Breach: 10/12/09
Type of Breach: Theft
Location of Breached Information: Portable USB Device

** Cogent Healthcare of Wisconsin, S.C.

State: Tennessee
Business Associate Involved: Cogent Healthcare, Inc.
Approx. # of Individuals Affected: 6,400
Date of Breach: 10/11/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Health Services for Children with Special Needs, Inc.

State: District of Columbia
Approx. # of Individuals Affected: 3,800
Date of Breach: 10/09/09
Type of Breach: Loss
Location of Breached Information: Laptop

** Blue Cross Blue Shield Association

State: District of Columbia
Business Associate Involved: Merkle Direct Marketing
Approx. # of Individuals Affected: 15,000
Date of Breach: 10/07/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings

Blue Cross Blue Shield of Tennessee

State: Tennessee
Approx. # of Individuals Affected: 500,000
Date of Breach: 10/02/09
Type of Breach: Theft
Location of Breached Information: Hard Drives

** City of Hope National Medical Center

State: California
Approx. # of Individuals Affected: 5,900
Date of Breach: 9/27/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Private Practice

City and State: Torrance, CA
Approx. # of Individuals Affected: 6,145
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice

City and State: Torrance, CA
Approx. # of Individuals Affected: 5,166
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice

City and State: Torrance, CA
Approx. # of Individuals Affected: 5,257
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice

City and State: Torrance, CA
Approx. # of Individuals Affected: 857
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice

City and State: Torrance, CA
Approx. # of Individuals Affected: 952
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** University of California, San Francisco

State: California
Approx. # of Individuals Affected: 610
Date of Breach: 9/22/09
Type of Breach: Phishing Scam
Location of Breached Information: Email

** Mid America Kidney Stone Association, LLC

State: Missouri
Approx. # of Individuals Affected: 1,000
Date of Breach: 9/22/09
Type of Breach: Theft
Location of Breached Information: Network Server

Cross-posted from PHIprivacy.net

[Corrected to 23 out of 36; Universal American breach was previously known.]

About the author: Dissent

Comments are closed.