Name_of_Covered_Entity US State Business_Associate_Involved Individuals_Affected Type_of_Breach Location_of_Breached_Information Date_Posted_or_Updated Summary breach_start breach_end
d c d d t t t
Brooke Army Medical Center TX 1000 Theft Paper 2014-06-30 A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR's investigation, the CE notified the local media about the breach. 2009-10-16
Mid America Kidney Stone Association, LLC MO 1000 Theft Network Server 2014-05-30 Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR's investigation the CE updated its computer password policy. 2009-09-22
Alaska Department of Health and Social Services AK 501 Theft Other Portable Electronic Device, Other 2014-01-23 2009-10-12
Health Services for Children with Special Needs, Inc. DC 3800 Loss Laptop 2014-01-23 "A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals.
The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated its risk assessment. In addition, all employees received additional security training. " 2009-10-09
L. Douglas Carlson, M.D. CA 5257 Theft Desktop Computer 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. " 2009-09-27
David I.
Cohen, MD CA 857 Theft Desktop Computer 2014-01-23 "A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27
Michele Del Vicario, MD CA 6145 Theft Desktop Computer 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer.
Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27
Joseph F. Lopez, MD CA 952 Theft Desktop Computer 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. " 2009-09-27
Mark D. Lurie, MD CA 5166 Theft Desktop Computer 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity.
The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27
City of Hope National Medical Center CA 5900 Theft Laptop 2014-01-23 "A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on laptops. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees. " 2009-09-27
The Children's Hospital of Philadelphia PA 943 Theft Laptop 2014-01-23 2009-10-20
Cogent Healthcare of Wisconsin, S.C. TN 6400 Theft Laptop 2014-04-23 A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals.
The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices. 2009-10-11
Universal American NY Democracy Data & Communications, LLC ( 83000 Other Paper 2014-01-23 "In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009.
The covered entity also created and implemented a new policy titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. " 2009-11-12
Kern Medical Center CA 596 Theft Other 2014-01-23 2009-10-31
Keith W. Mann, DDS, PLLC NC Rick Lawson, Professional Computer Services 2000 Hacking/IT Incident Desktop Computer, Network Server, Electronic Medical Record 2014-01-23 2009-12-08
Detroit Department of Health and Wellness Promotion MI 10000 Theft Other Portable Electronic Device 2014-01-23 2009-10-22
Detroit Department of Health and Wellness Promotion MI 646 Theft Laptop, Desktop Computer 2014-01-23 "A desktop and four laptop computers were stolen from the covered entity's locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers. Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident. " 2009-11-26
University of California, San Francisco CA 610 Other E-mail 2014-01-23 2009-09-22
Daniel J.
Sigman MD PC MA 1860 Theft Other Portable Electronic Device, Other, Electronic Medical Record 2014-01-23 "Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. " 2009-12-11
Massachusetts Eye and Ear Infirmary MA 1076 Theft Other 2014-01-23 2009-11-10
BlueCross BlueShield Association DC Service Benefits Plan Administrative Services Corp 3400 Theft Paper 2014-06-30 "The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.
Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2009-10-26
BlueCross BlueShield Association DC Merkle Direct Marketing 15000 Theft Paper 2014-04-24 The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. 2009-10-07
Kaiser Permanente Medical Care Program CA 15500 Theft Other Portable Electronic Device, Other 2014-01-23 2009-12-01
Blue Island Radiology Consultants IL United Micro Data 2562 Theft Other 2014-06-30 "The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media.
Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. " 2009-12-09
Goodwill Industries of Greater Grand Rapids, Inc. MI 10000 Theft Other 2014-01-23 "On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance. " 2009-12-15
Children's Medical Center of Dallas TX 3800 Loss Other Portable Electronic Device, Other 2014-01-23 2009-11-19
Concentra TX 900 Theft Laptop 2014-01-23 2009-11-19
Ashley and Gray DDS MO 9309 Theft Desktop Computer 2014-01-23 2010-01-10
Advocate Health Care IL 812 Theft Laptop 2014-01-23 "On November 24, 2009, an Advocate nurse's laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use.
Additionally, as a result of OCR's investigation, Advocate workforce members who use mobile devices are now required to fill out and submit an acknowledgment form that establishes proper administrative, technical, and physical security safeguards. " 2009-11-24
The Methodist Hospital TX 689 Theft Other 2014-01-23 "An unencrypted laptop computer was stolen from the covered entity's unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. " 2010-01-18
University of California, San Francisco CA 7300 Theft Laptop 2014-01-23 2009-11-30
Carle Clinic Association IL 1300 Theft Other, Paper 2014-01-23 2010-01-13
Educators Mutual Insurance Association of Utah UT Health Behavior Innovations (HBI) 5700 Theft Other 2014-01-23 2009-12-27
University Medical Center of Southern Nevada NV 5103 Theft Paper 2014-01-23 "Between the dates of July 31, 2009 and November 19, 2009, a former UMC volunteer faxed patient face sheets to an attorney who used the sheets to contact prospective clients. Although UMC only had proof of two disclosures, it chose to notify all 5,301 individuals that could have been affected by the breach. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, and diagnoses. Following the breach, UMC conducted an internal investigation, notified all 5,301 individuals, notified the media, and notified the Secretary.
Additionally, UMC reformulated face sheets so that they no longer include full social security numbers and provided all possible affected individuals with a year of free credit monitoring. As a result of this breach, at least one person has been indicted on one count of conspiracy to illegally disclose personal health information in violation of the HIPAA " 2009-10-31
Center for Neurosciences AZ 1100 Theft Laptop 2014-01-23 2009-12-15
Brown University RI Blue Cross Blue Shield of RI 528 Other Paper 2014-01-23 "On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented a new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud. " 2009-12-11
MMM Heath Care Inc. PR MSO of Puerto Rico, Inc. 1907 Theft Paper 2014-06-03 "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures.
" 2010-02-04
PMC Medicare Choice PR MSO of Puerto Rico 605 Theft Paper 2014-06-03 "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. " 2010-02-04
Cardiology Consultants/Baptist Health Care Corporation FL 8000 Theft Desktop Computer 2014-06-30 "A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities. " 2009-12-19
State of TN, Bureau of TennCare TN 3900 Theft Paper 2014-06-24 "The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency.
The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. " 2009-12-23
Lucille Packard Children's Hospital CA 532 Other Desktop Computer 2014-01-23 2010-01-11
University of New Mexico Health Sciences Center NM 1900 Other Desktop Computer 2014-01-23 2010-02-08
Advanced NeuroSpinal Care CA 3500 Theft Network Server 2014-04-22 A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft. 2009-12-30
Aspen Dental Care P.C.
CO 2500 Theft Other 2014-06-30 "A computer hard drive containing encrypted patient records was stolen from the covered entity's (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. " 2009-10-04
Shands at UF FL 12580 Theft Laptop 2014-01-23 "A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. " 2010-01-27
Wyoming Department of Health WY 9023 Unauthorized Access/Disclosure Network Server 2014-01-23 2009-12-02
Thrivent Financial for Lutherans WI 9500 Theft Laptop 2014-01-23 "On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc.
Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance. " 2010-01-29
North Carolina Baptist Hospital NC 554 Theft Paper 2014-01-23 2010-02-15
Montefiore Medical Center NY 625 Theft Laptop 2014-06-03 An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above. 2010-02-20
Ernest T. Bice, Jr. DDS, P.A. TX 21000 Theft Other Portable Electronic Device, Other 2014-01-23 "Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
" 2010-02-20
Lee Memorial Health System FL 3800 Other Paper 2014-01-23 "The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures. " 2010-01-29
Laboratory Corporation of America/Dynacare Northwest, Inc. WA 5080 Theft Laptop 2014-01-23 "A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. " 2010-02-12
Mount Sinai Medical Center FL 2600 Theft Laptop 2014-01-23 2010-03-09
Griffin Hospital CT 957 Hacking/IT Incident Network Server 2014-01-23 2010-02-04
Hypertension, Nephrology, Dialysis and Transplantation, PC AL 2465 Theft Laptop 2014-01-23 2010-03-06
Reliant Rehabilitation Hospital North Houston TX Computer Program and Systems, Inc. (CPSI) 768 Unauthorized Access/Disclosure E-mail 2014-01-23 2010-02-09
Laboratory Corporation of America / US LABS / Dianon Systems, Inc AZ 2773 Theft Other Portable Electronic Device 2014-01-23 2010-02-18
University of Pittsburgh Student Health Center PA 8000 Theft, Loss Paper 2014-01-23 2010-03-11
Providence Hospital MI 83945 Other Other 2014-01-23 2010-02-04
VHS Genesis Lab Inc.
IL 6800 Loss Paper 2014-01-23 2010-01-10
John Muir Physician Network CA 5450 Theft Laptop 2014-01-23 2010-02-04
Beatrice Community Hospital and Health Center NE McKesson Information Solutions, LLC 660 Other Paper 2014-01-23 2010-03-19
Pediatric Sports and Spine Associates TX 955 Theft Laptop 2014-01-23 "An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. " 2010-02-10
Affinity Health Plan, Inc. NY 344579 Theft Other 2014-05-28 2009-11-24
Tomah Memorial Hospital WI 600 Other Other 2014-01-23 2010-03-19
Praxair Healthcare Services, Inc. (Home Care Supply in NY) CT 54165 Theft Laptop 2014-01-23 "A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office.
Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. " 2010-02-18 Massachusetts Eye and Ear Infirmary MA 3594 Theft Laptop 2014-01-23 2010-02-19 Blue Cross & Blue Shield of Rhode Island RI 12000 Theft Paper 2014-06-30 "A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. " 2009-12-20 South Carolina Department of Health and Environmental Control SC 2850 Improper Disposal Paper 2014-01-23 2010-02-17 St. Joseph Heritage Healthcare CA 22012 Theft Desktop Computer 2014-01-23 "22 computers were stolen from Clinical Management Service office. Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. 
OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. " 2010-03-06 Medical Center At Bowling Green KY 5148 Theft Other Portable Electronic Device, Other 2014-01-23 2010-03-24 GENERAL AGENCIES WELFARE BENEFITS PROGRAM TN TOWERS WATSON 1874 Loss Other 2014-01-23 2010-02-05 UnitedHealth Group health plan single affiliated covered entity MN 735 Theft Other, Paper 2014-01-23 2010-03-02 South Texas Veterans Health Care System TX 1430 Loss, Improper Disposal Paper 2014-01-23 2009-09-30 Rockbridge Area Community Services VA 500 Theft Laptop, Desktop Computer 2014-01-23 2010-03-12 Emergency Healthcare Physicians, Ltd. IL Millennium Medical Management Resources, Inc. 180111 Theft Other Portable Electronic Device, Other 2014-01-23 2010-02-27 VA Eastern Colorado Health Care System CO 649 Theft Paper 2014-06-19 A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. 2010-01-19 Miami VA Healthcare System FL 568 Loss Paper 2014-01-23 2010-01-19 Heriberto Rodriguez-Ayala, M.D. 
TX 4200 Theft Laptop 2014-01-23 2010-04-03 Georgetown University Hospital DC 2416 Theft, Other E-mail, Other Portable Electronic Device 2014-01-23 "An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. " 2010-03-26 Silicon Valley Eyecare Optometry and Contact Lenses CA 40000 Theft Network Server 2014-01-23 2010-04-02 Loma Linda University Health Care CA 584 Theft Desktop Computer 2014-01-23 2010-04-04 Veterans Health Administration DC Heritage Health Solutions 656 Theft Laptop 2014-01-23 2010-04-22 State of New Mexico Human Services Department, Medical Assistance Division NM DentaQuest 9600 Theft Laptop 2014-01-23 2010-03-20 Oconee Physician Practices SC 653 Theft Laptop 2014-01-23 2010-05-09 University of Rochester Medical Center and Affiliates NY 2628 Other Paper 2014-01-23 2010-04-19 Omaha Construction Industry Health and Welfare Plan NE DeBoer & Associates 800 Theft Laptop 2014-01-23 2009-01-11 City of Charlotte, NC (Health Plan) NC 5220 Loss Other 2014-01-23 2010-02-03 VA North Texas Health Care System TX 4083 Improper Disposal Paper 2014-01-23 2010-05-04 Rainbow Hospice and Palliative Care IL 1000 Theft Laptop 2014-01-23 "An employee's laptop was stolen out of her bag while she was making an admission visit in a 
patient's home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. " 2010-04-12 Cincinnati Childrens Hospital Medical Center OH 60998 Theft Laptop 2014-01-23 2010-03-27 Occupational Health Partners KS 1105 Theft Laptop 2014-01-23 2010-05-12 AvMed, Inc. FL 1220000 Theft Laptop 2014-06-30 Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals. 
2009-12-10 UnitedHealth Group health plan single affiliated covered entity MN 16291 Other Paper 2014-01-23 "Paper correspondence to certain members in UnitedHealth's prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. " 2010-01-26 Lincoln Medical and Mental Health Center NY Siemens Medical Solutions, USA, Inc 130495 Theft Other 2014-06-19 The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CDs, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2010-03-24 Nihal Saran, MD MI 2300 Theft Laptop 2014-01-23 "A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. " 2010-05-02 University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program KY 708 Hacking/IT Incident Network Server 2014-01-23 2008-10-01 St. Jude Children's Research Hospital TN 1745 Loss Laptop 2014-01-23 2010-04-19 TennCare TN DentaQuest 10515 Theft Laptop 2014-06-20 "A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. 
The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2010-03-20 The Children's Medical Center of Dayton OH 1001 Other E-mail 2014-01-23 2010-04-22 Comprehensive Care Management Corporation NY 1020 Theft Laptop, Desktop Computer, Network Server, E-mail 2014-06-19 OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI. 2010-04-30 alma aguado md pa TX 600 Theft Network Server 2014-04-23 OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office. 
The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI. 2010-05-29 University Hospital GA Augusta Data Storage, Inc 14000 Loss Other 2014-01-23 2010-05-07 University Health System NV 7526 Theft Network Server 2014-01-23 2010-06-11 Sinai Hospital of Baltimore, Inc. MD Aramark Healthcare Support Services, LLC 937 Other E-mail 2014-01-23 "A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. " 2010-05-03 Mary M. Desch,MD/PathHealer, LTD AZ 5893 Theft Laptop 2014-01-23 2010-05-15 Children's Hospital & Research Center at Oakland CA 1000 Other Paper 2014-01-23 2010-05-25 Centerstone TN 1537 Other Desktop Computer, Paper 2014-01-23 2010-05-01 California Department of Healthcare Services CA Care 1st Health Plan 29000 Loss, Other Other Portable Electronic Device, Other 2014-01-23 2010-04-29 Long Island Consultation Center NY 800 Theft Other Portable Electronic Device, Other 2014-06-19 The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. 
Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. 2010-05-21 NYU Hospitals Center NY 2563 Theft Other Portable Electronic Device 2014-05-28 The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians' names, anesthesiologists' names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE stopped using USB drives and local desktop computers for data storage. In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies. 
2010-05-08 University of Florida FL 2047 Other Paper 2014-01-23 2010-05-24 SunBridge Healthcare Corporation NM 3830 Theft Laptop 2014-01-23 2010-05-11 Department of Health Care Policy & Financing CO Governor's Office of Information Technology 105470 Theft Desktop Computer 2014-01-23 2010-05-17 Prince William County Community Services (CS) VA 669 Theft Other Portable Electronic Device 2014-01-23 2010-06-18 E. Brooks Wilkins Family Medicine, PA NC 13000 Theft Desktop Computer, Other 2014-01-23 "The breach report indicated that former employees took protected health information (PHI) pertaining to 13,000 patients and disclosed it to a competing medical practice. The PHI included the names and contact information for the patients. Following the breach, the entity terminated the employees who impermissibly used and disclosed the PHI. OCR also confirmed that the entity complied with the provisions of the Breach Notification Rule and notified the affected individuals. Additionally, the entity retrained its staff regarding the policies and procedures for safeguarding of PHI. " 2010-02-01 John Deere Health Benefit Plan for Wage Employees IL UnitedHealthcare Insurance Company 1097 Other Paper 2014-01-23 2010-06-24 South Shore Hospital MA Iron Mountain Data Products, Inc. (now known as 800000 Loss Other Portable Electronic Device, Other, Electronic Medical Record 2014-01-23 2010-02-26 Montefiore Medical Center NY 16820 Theft Desktop Computer 2014-06-19 Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). The ePHI included medical record numbers, dates of birth, admission/discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provided substitute notification by posting on its website. 
As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy. 2010-05-22 DC Chartered Health Plan, Inc DC 540 Theft Laptop 2014-01-23 2010-05-26 Montefiore Medical Center NY 23753 Theft Desktop Computer 2014-06-19 OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals. The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras. Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy. 2010-06-09 Medina County OB/GYN OH 1200 Improper Disposal Paper 2014-01-23 2010-06-13 The University of Texas at Arlington TX 27000 Hacking/IT Incident Network Server 2014-01-23 "A file server at the Office of Health Services was compromised and impermissibly accessed. 
The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. " 2009-02-19 Aetna CT 6372 Improper Disposal Paper 2014-01-23 2010-03-29 Charles Mitchell MD TX 6873 Theft Desktop Computer 2014-06-30 A burglary occurred at the covered entity's (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence. 2010-06-27 Humana Inc [case 4486] KY Matrix Imaging 2631 Other Paper 2014-01-23 2010-06-25 WellPoint, Inc. IN 31700 Hacking/IT Incident Network Server 2014-01-23 2009-11-03 Carolina Center for Development and Rehabilitation NC 1590 Theft Paper 2014-06-30 The covered entity's (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients' full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver's license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. 
The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney general's investigation and suspended the responsible staff members. Following OCR's investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. 2010-06-24 Trinity Health Corporation Welfare Benefit Plan MI Mercer 1073 Loss Other 2014-01-23 2010-03-29 Texas Children's Hospital TX 694 Theft Laptop 2014-01-23 2010-05-13 Baylor College of Medicine TX 1646 Theft Laptop 2014-04-24 An unencrypted laptop containing electronic protected health information (ePHI) of approximately 1,618 individuals was stolen from the covered entity's (CE) affiliate. The ePHI involved in the breach included names, medical reconciliation numbers, dates of service, diagnoses, and dates of birth. Upon discovery of the breach, the CE and its affiliate jointly notified the affected individuals, OCR, and the local media. Notifications were delayed at the request of law enforcement. Following OCR's investigation, the CE revised policies and procedures to require encryption of all mobile devices containing PHI and began encrypting all necessary devices in order to ensure reasonable safeguards. 2010-05-13 Wright State Physicians OH 1309 Other Laptop 2014-01-23 "On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. 
Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. " 2010-06-11 Penn Treaty Network America Insurance Company PA 560 Other Other 2014-01-23 "Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures. " 2010-06-04 Aultman Hospital OH 13867 Theft Laptop 2014-01-23 2010-06-07 Fort Worth Allergy and Asthma Associates TX 25000 Theft Network Server 2014-01-23 2010-06-29 Beauty Dental, Inc. IL 657 Theft, Loss Paper 2014-01-23 "Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an Excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. " 2010-06-05 Walsh Pharmacy MA McKesson Pharmacy Systems LLC 11440 Other Other Portable Electronic Device, Other 2014-01-23 2010-06-03 Jewish Hospital KY 2089 Theft Laptop 2014-01-23 2010-07-16 St. John's Mercy Medical Group MO 1907 Improper Disposal Paper 2014-01-23 "Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. 
The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. " 2010-06-07 Thomas Jefferson University Hospitals, Inc. PA 21000 Theft Laptop 2014-01-23 2010-06-14 UNCG Speech and Hearing Center NC 2300 Hacking/IT Incident Desktop Computer 2014-01-23 1997-01-01 Idaho Power Group Health Plan ID Mercer Health & Benefits 5500 Loss Other 2014-01-23 "Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. 
" 2010-03-29 Loma Linda University School of Dentistry CA 10100 Theft Desktop Computer 2014-01-23 2010-06-13 Ward A. Morris, DDS WA 2698 Theft Desktop Computer 2014-01-23 2010-07-16 Chattanooga Family Practice Associates, P.C. TN 1711 Loss Other Portable Electronic Device, Other 2014-01-23 2010-07-15 Yale University CT 1000 Theft Laptop 2014-01-23 2010-07-28 University of Kentucky KY 2027 Theft Laptop 2014-01-23 2010-06-18 Cook County Health & Hospitals System IL 7081 Theft Laptop 2014-01-23 "An employee's laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. " 2010-05-30 Eastmoreland Surgical Clinic, William Graham, DO OR 4328 Theft Laptop, Desktop Computer, Other Portable Electronic Device, Other 2014-01-23 "Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. 
Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. " 2010-07-05 SunBridge Healthcare Corporation NM 1000 Theft Other Portable Electronic Device, Other 2014-01-23 2010-06-26 Holyoke Medical Center MA Pioneer Valley Pathology 24750 Improper Disposal Paper 2014-01-23 2010-07-26 Newark Beth Israel Medical Center NJ KPMG LLP 956 Theft Other Portable Electronic Device, Other 2014-06-19 OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CE's BA conducted a search of the area. The CE provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software to its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2010-05-10 Saint Barnabas Medical Center NJ KPMG LLP 3630 Theft Other Portable Electronic Device 2014-06-19 The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. 
Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. 2010-05-10 NYU School of Medicine--Aging and Dementia Clinical Research Center NY 1200 Loss Other Portable Electronic Device, Other 2014-01-23 2010-04-03 University of Rochester Medical Center and Affiliates NY 857 Loss Other Portable Electronic Device 2014-01-23 2010-08-02 State of Delaware Health Plan DE Aon Consulting 22642 Other Network Server 2014-01-23 "The business associate prepared a document as part of a request for proposal for the covered entity's vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. " 2010-08-16 Curtis R. Bryan, M.D. 
VA 2739 Theft Laptop 2014-01-23 2010-07-12 Mayo Clinic MN 1740 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2009-07-15 LabCorp Patient Service Center NV 507 Theft Paper 2014-01-23 2010-08-02 The Kent Center RI 1361 Theft Paper 2014-01-23 2010-07-13 Pediatric and Adult Allergy, PC IA 19222 Loss Other Portable Electronic Device 2014-01-23 2010-07-11 Ault Chiropractic Center IN 2000 Theft Laptop, Desktop Computer 2014-01-23 2010-09-15 County of Los Angeles CA 33000 Theft Paper 2014-01-23 2010-07-29 Matthew H. Conrad, M.D., P.A. KS 1200 Theft Laptop, Paper 2014-01-23 2010-08-20 UnitedHealth Group health plan single affiliated covered entity MN CareCore National 1270 Other Paper 2014-01-23 2010-07-08 Counseling and Psychotherapy of Throggs Neck NY 9000 Theft Desktop Computer 2014-01-23 2010-09-06 United States Air Force OH 2123 Improper Disposal Paper 2014-01-23 2010-07-29 State of Alaska, Department of Health and Social Services AK Alaskan AIDS Assistance Association 2000 Theft Other Portable Electronic Device, Other 2014-01-23 2010-09-07 St. Vincent Hospital and Health Care Center, Inc. IN 1199 Theft Laptop 2014-01-23 2010-07-25 Milford Regional Medical Center MA 20000 Improper Disposal Paper 2014-01-23 2010-07-26 Alliance HealthCare Services, Inc. CA Oroville Hospital 1474 Theft Other Portable Electronic Device, Other 2014-04-24 "The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. 
" 2010-07-31 Alliance HealthCare Services, Inc. CA Eden Medical Center 1474 Theft Other Portable Electronic Device, Other 2014-06-24 The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients' names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients' ePHI, and encrypted portable electronic computer devices. 2010-08-05 NewYork-Presbyterian Hospital and Columbia University Medical Center NY 6800 Theft Network Server 2014-06-19 "Data breach results in $4.8 million HIPAA settlements Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' 
NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet. In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. 'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.' 
NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. " 2010-07-01 St. James Hospital and Health Centers IL 967 Improper Disposal Paper 2014-01-23 2010-08-10 University of Oklahoma - Tulsa, Neurology Clinic OK 19200 Hacking/IT Incident Desktop Computer 2014-01-23 2010-07-28 LORENZO BROWN, MD INC. CA 928 Theft Desktop Computer 2014-01-23 2010-08-17 Milton Pathology Associates, P.C. MA Joseph A. Gagnon d/b/a Goldthwait Associates 11000 Improper Disposal Paper 2014-01-23 2010-07-26 WESTMED Medical Group NY 578 Theft Laptop 2014-06-19 "An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR's investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. " 2010-08-17 Debra C. Duffy, DDS TX 4700 Theft Laptop, Network Server 2014-01-23 "An unencrypted laptop and network server were stolen during a burglary of the office. The breach affected approximately 4700 individuals. The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. 
Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. " 2010-08-05 Cumberland Gastroenterology, P.S.C. KY 2200 Theft Paper 2014-01-23 2010-09-18 Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan MD 692 Other Other 2014-01-23 "Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. " 2010-06-15 LoneStar Audiology Group TX 585 Theft Laptop 2014-01-23 "A laptop was stolen from a workforce member's home. Approximately 585 individuals were affected. 
The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR's investigation, the encryption of the laptops was completed. " 2010-08-11 Utah Department of Health UT Utah Department of Workforce Services 1298 Other Desktop Computer, Paper 2014-01-23 2010-03-01 SW Seattle Orthopaedic and Sports Medicine WA 9493 Hacking/IT Incident Network Server 2014-01-23 "A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. " 2010-09-04 University of Arkansas for Medical Sciences AR 1000 Theft Other Portable Electronic Device, Other 2014-01-23 2010-10-12 BlueCross BlueShield of Tennessee, Inc. TN 1023209 Theft Other 2014-01-23 2009-10-02 Northridge Hospital Medical Center CA 716 Loss Paper 2014-01-23 2010-10-16 Puerto Rico Department of Health PR Triple-S Management, Corp.; Triple-S Salud, Inc.; 475000 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2008-10-03 Aetna, Inc. 
CT 2345 Unauthorized Access/Disclosure Network Server 2014-01-23 "Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna's emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. " 2010-09-09 Sta-home Health & Hospice MS 1104 Theft Desktop Computer 2014-01-23 2010-09-16 Puerto Rico Department of Health PR Medical Card System/MCS-HMO/MCS Advantage/MCS Life 115000 Unauthorized Access/Disclosure Other Portable Electronic Device, Other 2014-01-23 2010-09-03 VNA of Southeastern Ct. CT 12000 Theft Laptop 2014-01-23 2010-09-30 Prime Home Care, LLC NE 1550 Theft Desktop Computer 2014-01-23 2010-09-13 Visiting Nurse Service Association of Schenectady County NY 535 Theft Laptop 2014-06-19 An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCR's investigation, the CE disabled the involved staff member's account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff. 2010-09-14 Manor Care Indy (South), LLC. 
IN 845 Unauthorized Access/Disclosure Paper 2014-01-23 2010-09-11 Robert Wheatley, DDS, PC MO 1400 Theft Laptop 2014-01-23 2010-10-17 Henry Ford Hospital MI 3700 Theft Laptop 2014-01-23 2010-09-24 Holy Cross Hospital FL 1500 Theft Paper 2014-01-23 2010-07-27 Newark Beth Israel Medical Center NJ Professional Transcription Company, Inc. 1744 Theft Network Server 2014-06-19 The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. Upon discovery of the breach, the BA shut down the applicable server. The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2010-01-01 Memorial Hospital of Gardena CA 771 Unauthorized Access/Disclosure Paper 2014-01-23 2010-10-14 Oklahoma City VA Medical Center OK 1950 Theft, Loss, Improper Disposal Paper 2014-01-23 2010-10-08 Albert Einstein Healthcare Network PA 613 Theft Desktop Computer 2014-01-23 2010-10-21 Kings County Hospital Center NY 542 Theft Desktop Computer 2014-06-19 An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. 
The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop. 2010-08-22 University of Tennessee Medical Center TN 8200 Improper Disposal Paper 2014-01-23 2009-09-23 Ochsner Health System LA H.E.L.P. Financial Corporation 9475 Unauthorized Access/Disclosure Paper 2014-01-23 "A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media. " 2010-09-27 zarzamora family dental care TX 800 Theft Desktop Computer 2014-01-23 2010-10-15 Hospital Auxilio Mutuo PR 1000 Theft, Unauthorized Access/Disclosure, Hacking/IT Incident Laptop, Desktop Computer 2014-01-23 2010-11-09 Pinnacle Health System PA Gair Medical Transcription Services, Inc. 1085 Unauthorized Access/Disclosure Network Server 2014-01-23 "Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. 
The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future. " 2008-10-01 Gary C. Spinks, DMD, PC MD 1000 Hacking/IT Incident Desktop Computer, Network Server 2014-01-23 2010-09-29 Cook County Health & Hospitals System IL 556 Theft Desktop Computer 2014-01-23 2010-11-01 Dean Health Systems, Inc.; St. Mary's Hospital; St. Marys Dean Ventures, Incorporated WI 3288 Theft Laptop 2014-01-23 2010-11-08 Riverside Mercy Hospital and Ohio/Mercy Diagnostics OH 1000 Improper Disposal Paper 2014-01-23 2003-03-29 California Therapy Solutions CA 1250 Theft Other Portable Electronic Device, Other 2014-01-23 2010-11-11 Osceola Medical Center WI Hils Transcription 585 Unauthorized Access/Disclosure Other 2014-01-23 2010-11-25 Indiana Family and Social Services Administration IN The Southwestern Indiana Regional Council on Aging 757 Theft Laptop 2014-01-23 2010-11-04 Mankato Clinic MN 3159 Theft Laptop 2014-01-23 2010-11-01 Geisinger Wyoming Valley Medical Center PA 2928 Unauthorized Access/Disclosure E-mail 2014-01-23 2010-11-03 Our Lady of Peace Hospital KY 24600 Theft, Loss Other Portable Electronic Device, Other 2014-01-23 2010-03-31 International Union of Operating Engineers Health and Welfare Fund MD Zenith Administrators, Inc. 800 Theft Paper 2014-01-23 2010-10-25 Southern Perioperative Services, P.C. 
AL 2000 Theft Other Portable Electronic Device, Other 2014-01-23 2010-11-17 Keystone/AmeriHealth Mercy Health Plans PA 808 Loss Other Portable Electronic Device, Other 2014-01-23 2010-09-20 Ankle + Foot Center of Tampa Bay, Inc. FL 156000 Theft Network Server 2014-06-30 The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records. 
2010-10-28 OhioHealth Corporation dba Grant Medical Center OH 501 Theft Laptop, Desktop Computer 2014-01-23 2008-01-01 Seacoast Radiology, PA NH 231400 Hacking/IT Incident Network Server 2014-01-23 2010-11-12 Friendship Center Dental Office FL 2200 Theft Laptop 2014-01-23 2010-12-19 Centra VA 11982 Theft Laptop 2014-01-23 2010-11-11 St.Vincent Hospital - Indianapolis IN 1848 Hacking/IT Incident Network Server, E-mail 2014-01-23 2010-11-12 Texas Health Harris Methodist Hospital Azle TX 9922 Theft, Loss Other Portable Electronic Device, Other 2014-01-23 2010-04-07 Franciscan Medical Group WA 1250 Theft Desktop Computer 2014-01-23 2010-11-18 State of South Carolina Budget and Control Board Employee Insurance Program (EIP) SC 5596 Hacking/IT Incident Desktop Computer 2014-01-23 2010-11-08 Lake Woods Nursing & Rehabilitation Center MI 656 Theft Laptop, Desktop Computer 2014-01-23 2010-12-28 Benefit Resources, Inc. SC Travis Software Corp. 16200 Loss Other Portable Electronic Device, Other 2014-01-23 2010-10-13 Baptist Memorial Hospital - Huntingdon TN J. A. Still Corporation 4800 Theft Other 2014-04-23 Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. 
Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database. 2010-11-27 Grays Harbor Pediatrics, PLLC WA 12009 Theft Other Portable Electronic Device, Other 2014-01-23 2010-11-23 Hanger Prosthetics & Orthotics, Inc. TX 4486 Theft Laptop 2014-01-23 "An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use. " 2010-11-24 Baylor Heart and Vascular Center TX 8241 Theft Other Portable Electronic Device, Other 2014-04-23 A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards. 2010-12-02 CHC MEMPHIS CMHC, LLC TN 500 Theft Desktop Computer 2014-01-23 2010-12-04 Jefferson Center for Mental Health CO 546 Theft Paper 2014-01-23 2010-12-13 Green River District Health Department KY Integranetics 18871 Hacking/IT Incident Network Server 2014-01-23 2011-01-12 Ortho Montana, PSC MT 37000 Theft, Loss Laptop 2014-02-14 2011-01-08 Cancer Care Northwest P.S. 
WA 3100 Theft Paper 2014-06-30 The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website. 2011-01-07 Saint Louis University MO 800 Hacking/IT Incident Desktop Computer 2014-01-23 2010-12-11 New York City Health & Hospitals Corporation's North Bronx Healthcare Network NY GRM Information Management Services 1700000 Theft Other, Electronic Medical Record 2014-05-28 Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA). The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media. 
The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2010-12-23 Long Beach Memorial Medical Center CA 2250 Unauthorized Access/Disclosure Other 2014-01-23 2010-12-10 Walgreen Co. IL Business Express 2700 Theft Other Portable Electronic Device, Other 2014-06-10 2011-01-26 Charleston Area Medical Center, Inc WV Xforia Web Services 3655 Unauthorized Access/Disclosure Network Server 2014-01-23 2011-02-08 Mountain Vista Medical Center AZ 2291 Loss Other Portable Electronic Device, Other 2014-01-23 2010-10-13 Departamento de Salud de Puerto Rico PR 2621 Unknown Desktop Computer 2014-01-23 2010-03-14 Henry Ford Hospital MI 2777 Loss Other Portable Electronic Device, Other 2014-01-23 2011-01-31 Central Brooklyn Medical Group, PC NY 500 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. 
The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. 2010-08-03 TRICARE Management Activity CO 4500 Unauthorized Access/Disclosure Paper 2014-01-23 2010-06-25 Blue Cross and Blue Shield of Florida FL 7366 Unknown Other 2014-01-23 2010-10-16 University Health Services, University of Massachusetts, Amherst MA 942 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2010-09-29 Omnicare, Inc KY 8845 Theft Laptop 2014-01-23 2011-01-19 JEFFREY J. SMITH, MD OK 600 Loss Desktop Computer, Other Portable Electronic Device, Other 2014-01-23 2010-11-24 University of Missouri Health Plan MO Coventry Health Care, Inc. 765 Unauthorized Access/Disclosure Paper 2014-01-23 2011-01-10 Texas Health Arlington Memorial Hospital TX 654 Unknown Electronic Medical Record 2014-01-23 "The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees. " 2010-12-23 NYU School of Medicine Faculty Group Practice NY 670 Theft Desktop Computer 2014-06-19 An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. 
As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance. 2011-01-27 Rape & Brooks Orthodontics, P.C. AL 20744 Theft Desktop Computer, Network Server, Other Portable Electronic Device, Other 2014-01-23 2011-02-03 Clarksburg - Louis A. Johnson VA Medical Center WV 1470 Unauthorized Access/Disclosure Paper 2014-01-23 2010-10-26 County of Los Angeles CA 667 Theft Laptop 2014-01-23 2011-02-23 EISENHOWER MEDICAL CENTER CA 514330 Theft Desktop Computer 2014-01-23 2011-03-11 Catholic Social Services AK Trisha Elaine Cordova 1700 Theft Laptop 2014-06-30 A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers. At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media. 2011-02-01 Park Avenue Obstetrics & Gynecology, PC AZ 635 Theft Other Portable Electronic Device, Other 2014-01-23 2011-03-25 Brian J Daniels D.D.S.,Paul R Daniels D.D.S. 
AZ 10000 Theft Other Portable Electronic Device, Other 2014-01-23 2011-03-01 MidState Medical Center CT Hartford Hospital 93500 Loss Other 2014-01-23 2011-02-14 Patient Care Services at Saint Francis, Inc. OK 84000 Theft Network Server 2014-03-13 2011-01-13 Union Security Insurance Company MO 935 Unauthorized Access/Disclosure Other 2014-01-23 2011-02-18 Oklahoma State Dept. of Health OK 132940 Theft Laptop, Paper 2014-04-23 2011-04-06 Aiken Community Based Outpatient Clinic SC 2717 Improper Disposal Paper 2014-01-23 2011-02-16 Health Net, Inc. CA IBM 1900000 Unknown Other 2014-01-23 2011-01-21 SW General Inc AZ 566 Theft Paper 2014-01-23 2004-05-01 Fairview Health Services MN 1215 Loss Paper 2014-01-23 2011-02-19 Time Insurance Company WI Healthcare Solutions Team, LLC 675 Unauthorized Access/Disclosure Other 2014-04-23 2011-02-01 Community Action partnership of Natrona County WY 15000 Hacking/IT Incident Desktop Computer 2014-01-23 2011-02-23 Keith & Fisher, DDS, PA NC 6000 Hacking/IT Incident Network Server 2014-01-23 2011-02-16 MacNeal Hospital IL 845 Hacking/IT Incident Laptop, Desktop Computer, Network Server, E-mail 2014-03-24 2011-03-10 West Lake Hospital IL 686 Hacking/IT Incident Laptop, Desktop Computer, Network Server, E-mail 2014-03-24 2011-03-10 Phoenix Health Plan AZ 9393 Hacking/IT Incident Laptop, Desktop Computer, Network Server, E-mail 2014-04-23 2011-03-10 MacNeal Physician Group IL 532 Hacking/IT Incident Laptop, Desktop Computer, Network Server, E-mail 2014-03-24 2011-03-10 Genesis Clinical Laboratory IL 1070 Hacking/IT Incident Laptop, Desktop Computer, Network Server, E-mail 2014-03-24 2011-03-10 Knox Community Hospital OH 500 Improper Disposal Other 2014-01-23 2010-10-01 Speare Memorial Hospital NH 5960 Theft Laptop 2014-03-13 2011-04-02 Methodist Charlton Medical Center TX 1500 Theft Laptop 2014-01-23 "An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. 
The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards. " 2011-04-16 Drs Edalji and Komer MA 563 Theft Laptop 2014-01-23 2011-04-12 Reid Hospital & Health Care Services IN 22001 Theft Laptop 2014-01-23 2011-04-02 Union Security Insurance Company MO 850 Unauthorized Access/Disclosure Other 2014-01-23 2011-03-24 Indiana Regional Medical Center PA 1388 Theft Paper 2014-01-23 2010-09-28 MMM Healthcare, Inc. PR 32390 Theft Desktop Computer 2014-01-23 2011-03-08 PMC Medicare Choice PR 24361 Theft Desktop Computer 2014-01-23 2011-03-08 CVS CAREMARK AZ 654 Theft, Unauthorized Access/Disclosure Paper 2014-04-23 2011-01-17 CENTER FOR ARTHRITIS & RHEUMATIC DISEASES FL 8000 Theft Other, Paper 2014-01-23 2011-01-01 Robert B. Miller, MD CA 620 Theft Laptop 2014-01-23 2011-04-01 Imaging Center of Garland TX 1031 Improper Disposal Other 2014-01-23 2011-03-15 New York State Department of Health NY St. Mary's Hospital for Children 550 Theft Paper 2014-06-03 A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. 
In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2011-04-17 St. Mary's Hospital for Children NY 550 Theft Paper 2014-06-02 A laptop computer containing the protected health information (PHI) of approximately 550 individuals was stolen from the vehicle of the business associate's (BA) workforce member. The PHI included names, dates of birth, gender identities, names of nursing homes, and Medicaid numbers of the covered entity's (CE) patients. Following the breach, the BA terminated the employee who was involved in the breach and provided credit monitoring services to the affected individuals. The BA also re-trained its staff. Following OCR's investigation, the CE and the BA reviewed the BA's contractual obligations relating to PHI during an in-person meeting. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2011-04-17 Medicare Fee-for-Service Program MD Cahaba Government Benefit Administrators, LLC 13412 Unauthorized Access/Disclosure Paper 2014-01-23 2011-04-11 VA Caribbean Healthcare System PR 6006 Theft Paper 2014-06-19 An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. 
Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures. 2011-03-30 Blue Cross Blue Shield of Michigan MI Agent Benefits Corporation 11387 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2010-11-17 Spartanburg Regional Healthcare System SC 400000 Theft Desktop Computer 2014-01-23 2011-03-28 Saint Joseph - Berea KY 1986 Theft, Loss Other Portable Electronic Device, Other 2014-04-23 2011-04-14 Navos WA 2700 Unknown Paper 2014-01-23 2011-03-15 Dunes Family Health Care, P.C OR Lower Umpqua Hospital 17000 Theft Other Portable Electronic Device, Other 2014-02-14 2011-03-11 Metropolitan Community Health Services, Inc. NC 1263 Unknown E-mail 2014-04-23 2011-05-18 TUBA CITY REGIONAL HEALTH CARE CORPORATION AZ 2000 Loss, Improper Disposal Paper 2014-01-23 2011-04-01 FOOTHILLS NEPHROLOGY, PC SC 1280 Theft Other Portable Electronic Device, Other 2014-01-23 2011-04-28 Sutter Gould Medical Foundation (SGMF) CA Fidelity National Technology Imaging (FNTI) 1192 Loss Paper 2014-01-23 2011-05-23 Silverpop Systems Inc. Health and Welfare Plan GA 884 Theft Laptop 2014-01-23 2011-04-15 New River Health Association WV 950 Unauthorized Access/Disclosure Paper 2014-01-23 2011-04-01 HealthCare Partners CA 15677 Theft Desktop Computer 2014-01-23 2011-04-17 Gene S. J. Liaw, MD. PS WA 1105 Loss Other Portable Electronic Device, Other 2014-01-23 2011-04-04 Blue Cross and Blue Shield of Florida FL 3463 Unauthorized Access/Disclosure Other 2014-01-23 2011-04-11 NOL, LLC d/b/a Premier Radiology TN 810 Theft Laptop 2014-04-23 2011-05-07 Advanced Diagnostic Imaging, P.C. 
TN 705 Theft Laptop 2014-04-23 2011-05-07 University of Missouri Health Care MO 1288 Unknown Paper 2014-01-23 2011-06-14 Accendo AZ 175350 Unauthorized Access/Disclosure Paper 2014-01-23 2011-01-01 Ohio Health Plans OH Area Agency on Aging, Ohio District 5 78042 Theft Laptop 2014-01-23 2011-06-03 Gail Gillespie and Associates, LLC LA 2000 Theft Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record 2014-01-23 2011-06-25 Health Plan of San Mateo CA 694 Unauthorized Access/Disclosure Paper 2014-01-23 2011-04-25 Department of Health Care Policy and Financing CO Department of Personnel and Administration 3589 Loss Other 2014-02-14 2011-05-06 Yanez Dental Corporation CA 10190 Theft Desktop Computer, Network Server 2014-01-23 2011-05-22 Jackson Health System FL 1562 Unauthorized Access/Disclosure Other, Electronic Medical Record 2014-01-23 2008-10-01 The Mount Sinai Hospital NY 712 Theft Laptop 2014-06-02 Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls. 
2011-06-07 Troy Regional Medical Center AL 880 Unauthorized Access/Disclosure Paper 2014-01-23 2011-03-22 Lansing Community College MI AssureCare Risk Management 5000 Hacking/IT Incident Network Server 2014-03-24 2011-05-09 Dr Axel Velez PR 2800 Theft Desktop Computer 2014-03-13 2011-06-19 DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale GA 7500 Theft Paper 2014-01-23 2010-07-11 Beth Israel Deaconess Medical Center MA 2021 Hacking/IT Incident Network Server 2014-01-23 2011-04-17 Gypsum Management and Supply, Inc. Medical and Dental Plan GA Assurecare Risk Management, Inc. 25330 Unauthorized Access/Disclosure Network Server 2014-01-23 2011-05-09 Andersen Air Force Base, Guam VA 700 Improper Disposal Paper 2014-01-23 2011-05-13 Molina Medicare CA RxAmerica, a subsidiary of CVS Caremark 4573 Unauthorized Access/Disclosure Paper 2014-01-23 2011-01-01 Windsor Health Plan TN RxAmerica LLC 1378 Unauthorized Access/Disclosure Paper 2014-01-23 2011-03-01 Health Care Service Corporation IL 501 Theft Paper 2014-01-23 2011-06-28 University of Kentucky - UK HealthCare KY 3604 Theft Laptop 2014-04-23 2011-06-07 Austin Center for Therapy and Assessment, LLC TX 1870 Theft Laptop 2014-04-24 An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software. 
2011-07-08 Treatment Services Northwest OR 1200 Theft Desktop Computer 2014-01-23 2011-07-08 Mills-Peninsula Health Services CA 1500 Unauthorized Access/Disclosure Paper 2014-01-23 2009-11-01 Brigham and Women's Hospital and Faulkner Hospital MA 638 Theft Other Portable Electronic Device 2014-06-30 A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above. 2011-06-21 Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan IN AssureCare Risk Management, Inc. 506 Hacking/IT Incident Network Server 2014-01-23 2011-05-09 Monmouth Medical Center NJ MedAssets 6443 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,443 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. 
Upon discovery of the breach, the CE, Monmouth Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 Clara Maass Medical Center NJ Med Assets 8795 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. 
As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 Newark Beth Israel Medical Center NJ MedAssets 15015 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 15,015 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Newark Beth Israel Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. 
In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 Saint Barnabas Medical Center NJ MedAssets 6179 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,179 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Saint Barnabas Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 Washington State Department of Social and Health Services WA 3950 Unauthorized Access/Disclosure Paper 2014-01-23 2011-07-01 St. Francis Hospital DE 948 Loss Other Portable Electronic Device, Other 2014-06-10 2011-06-01 Reznick Group, P.C. MD Assure Care Risk Management 2459 Hacking/IT Incident Network Server 2014-03-25 2011-05-09 The Neurological Institute of Savannah & Center for Spine GA 63425 Theft Other Portable Electronic Device, Other 2014-01-23 2011-07-02 Kimball Medical Center NJ MedAssets 6785 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,785 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Kimball Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. 
The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 Community Medical Center NJ MedAssets 6950 Theft Other Portable Electronic Device, Other 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,950 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Community Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
" 2011-06-24 American Health Medicare PR Accuprint 5848 Theft Other 2014-06-03 The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI. 2011-06-01 Texas Health Presbtyerian Hospital Flower Mound TX Texas Health Partners 10345 Theft Laptop 2014-01-23 2011-06-21 Capron Rescue Squad District IL 815 Unauthorized Access/Disclosure Laptop 2014-01-23 2011-02-05 Cook County Health & Hospitals System IL MedAssets 32008 Theft Other Portable Electronic Device, Other 2014-01-23 2011-06-24 Lexington VAMC KY 1432 Theft Laptop, Other Portable Electronic Device, Paper 2014-06-03 "The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member's residence. 
The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review. " 2011-05-23 Dr. Victoria Falcone, Falcone Cosmetic Services, PC, Falcone Cosmetic Services of NJ, PC PA SpaMed Solutions, LLC, Edward McMenamin President, 3000 Theft, Unauthorized Access/Disclosure Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record, Paper 2014-06-10 2011-08-14 HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER IL 2000 Theft Desktop Computer, Network Server 2014-01-23 2011-07-01 Stanford Hospital & Clinics CA Multi-Speciality Collection Services, LLC 19651 Unauthorized Access/Disclosure Other 2014-01-23 2010-09-09 Muir Orthopaedic Specialists, A Medical Group Inc. CA 1800 Theft Paper 2014-01-23 2011-07-27 NEA Baptist Clinic AR 3116 Hacking/IT Incident Network Server 2014-01-23 2011-07-12 Jonathan Noel MD IN 2059 Theft Other Portable Electronic Device, Other 2014-01-23 2011-07-13 Texas Health and Human Services Commission TX 1696 Theft Laptop 2014-01-23 "An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees. " 2011-03-10 University of Wisconsin Oshkosh WI Living Healthy Community Clinic 3000 Hacking/IT Incident Desktop Computer 2014-01-23 2011-07-18 Centro de Ortodoncia Inc. PR 2000 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), Dr. 
Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach. 2010-05-06 John T. Melvin, M.D.& Associates TX 2541 Theft Paper 2014-03-13 2011-08-09 Diversified Resources, Inc. GA 863 Theft Laptop 2014-01-23 2011-08-11 VA Gulf Coast Veterans Health Care System MS 1797 Theft Paper 2014-06-20 "The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. " 2011-07-21 Freda J Bowman MD PA TX 1300 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2011-09-20 Bonney Lake Medical Center and Mythili R. 
Ramachandran, MD WA 2367 Theft Laptop, Desktop Computer 2014-02-14 2011-08-12 United States Steel Corporation Plan for Active Employee Insurance Benefits and the United States Steel Corporation Plan for Retiree Insurance Benefits PA Benefits Administration Services, Inc. 4000 Loss Other Portable Electronic Device, Other 2014-03-24 2011-08-15 VA Illiana Health Care System IL 518 Loss Paper 2014-01-23 2011-07-14 Health Texas Provider Network TX 1259 Theft Laptop 2014-03-13 2011-07-27 Blue Cross of Northeastern Pennsylvania PA AllOne Health Management Solutions, Inc. 507 Theft, Unauthorized Access/Disclosure Laptop, Paper 2014-03-24 2011-09-09 NYU Hospital for Joint Diseases Inventory Management Department NY 2600 Theft Paper 2014-06-20 A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not properly secured. The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks. 
2011-06-23 WAYNE HIGHLANDS SCHOOL DISTRICT PA FIRST PRIORITY LIFE INSURANCE COMPANY 579 Theft, Unauthorized Access/Disclosure Paper 2014-06-10 2011-09-09 Summit Medical Group, PLLC TN 731 Theft Paper 2014-01-23 2011-09-04 MAPFRE Life PR 2209 Theft Other 2014-03-13 2011-08-05 American Continental Insurance Company TN Futurity First Insurance Group 690 Theft Other Portable Electronic Device, Other 2014-01-23 2011-07-28 United of Omaha Life Insurance Company NE Futurity First Insurance Group 1631 Loss Other Portable Electronic Device, Other 2014-01-23 2011-07-28 Mutual of Omaha Insurance Company NE Futurity First Insurance Group 705 Theft Other Portable Electronic Device, Other 2014-01-23 2011-07-28 Henry Ford Health System MI 520 Theft Desktop Computer 2014-01-23 2011-08-08 Indiana University IN 3266 Theft Laptop 2014-01-23 2011-08-16 Adult & Pediatric Dermatology, PC MA 2200 Theft Other Portable Electronic Device, Other 2014-01-23 2011-09-14 The Nemours Foundation FL 1055489 Loss Other 2014-01-23 2011-08-10 California Industrial Medicine, Inc. CA Thomas J O'Laughlin, MD 700 Theft, Unauthorized Access/Disclosure Paper 2014-02-14 2011-09-28 InStep Foot Clinic, P.A. MN 2600 Theft Laptop, Electronic Medical Record 2014-01-23 2011-08-28 North Memorial MN Accretive Health, Inc 6697 Theft Laptop 2014-01-23 2011-07-25 Lahey Clinic Hospital, Inc. MA 599 Theft Laptop 2014-03-13 2011-08-12 UnitedHealth Group health plan single affiliated covered entity MN Futurity First Insurance Group 3994 Theft Other 2014-01-23 2011-07-28 Good Samaritan Hospital MD 1500 Theft Paper 2014-01-23 2011-09-09 Amerigroup Community Care of New Mexico, Inc NM 1537 Theft Paper 2014-01-23 2011-07-15 Florida Hospital FL 12784 Unauthorized Access/Disclosure Electronic Medical Record 2014-02-19 2011-08-10 Thomas Jefferson University Hospitals, Inc. PA 3150 Theft Other 2014-01-23 2011-09-06 Lankenau Medical Center PA 500 Theft Other 2014-01-23 2011-09-06 Spectrum Health Ssytems, Inc. 
MA 14750 Theft Desktop Computer 2014-03-13 2011-08-24 Conway Regional Medical Center AR 1472 Loss Other 2014-01-23 2011-08-24 Concordia Plan Services MO HITS Scanning Solutions, Inc. 7059 Loss Other 2014-01-23 2011-05-10 Stone Oak Urgent Care & Family Practice TX Stone Oak Urgent Care & Family Practice 6672 Theft, Loss Desktop Computer 2014-01-23 2011-10-23 Indiana University School of Optometry IN 757 Unauthorized Access/Disclosure Network Server 2014-01-23 2011-08-12 Brevard Emergency Services, P.A. FL 2200 Theft Paper 2014-04-23 2011-08-26 Georgetown University Hospital DC 1526 Loss Other Portable Electronic Device, Other 2014-03-24 2011-09-09 Morris Heights Health Center NY 927 Theft Laptop 2014-06-03 An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. 2011-08-27 network180 MI Thresholds Inc. 1100 Theft Paper 2014-03-24 2011-09-16 Premier Imaging NC 551 Unknown Paper 2014-01-23 "A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. 
As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals. " 2011-09-14 The Good Samaritan Hospital of Cincinnati, Ohio OH Pitney Bowes Management Services, Inc. 1089 Theft Desktop Computer 2014-03-24 2011-09-03 Bethesda Hospital, Inc. OH Pitney Bowes Management Services, Inc. 946 Theft Desktop Computer 2014-03-24 2011-09-03 Julie A. Kennedy, D.M.D., P.A. FL 2900 Theft Network Server 2014-01-23 2011-09-30 KCI USA, Inc. TX 567 Theft Other Portable Electronic Device, Other 2014-01-23 2011-09-08 Lebanon Internal Medicine Associates PA 55000 Improper Disposal Network Server 2014-01-23 2011-09-10 St. Joseph Medical Center MD 5000 Theft Other, Paper 2014-03-24 2011-09-11 TRICARE Management Activity (TMA) VA Science Applications International Corporation (SA 4900000 Loss Other 2014-01-23 2011-09-13 UCLA Health System CA 2761 Theft Other Portable Electronic Device, Other 2014-01-23 2011-09-06 Logan County Emergeny Ambulance Service Authority WV 12563 Theft, Loss Laptop 2014-01-23 2011-10-01 Lawrence Memorial Hospital KS Mid Continent Credit Services, Inc. 
8275 Unauthorized Access/Disclosure, Other Other 2014-04-23 2011-09-20 2011-10-28 Sutter Medical Foundation AL 943434 Theft Desktop Computer 2014-01-23 2011-10-15 Medcenter One ND 650 Theft Laptop 2014-01-23 2011-10-21 Dallas County Hospital District dba Parkland Health & Hospital System TX 2464 Unauthorized Access/Disclosure Electronic Medical Record, Paper 2014-01-23 2011-09-05 University of Kentucky UK HealthCare KY 878 Loss Other Portable Electronic Device 2014-01-23 2011-09-25 State of Tennessee Sponsored Group Health Plan TN 1770 Unauthorized Access/Disclosure Paper 2014-01-23 "An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE reviewed its policies and procedures to ensure adequate safeguards are in place. " 2011-10-06 Cleveland Clinic Florida FL 772 Loss Other 2014-04-23 2011-10-03 Jay C. 
Platt, DDS IN 10705 Theft Other 2014-03-24 2011-10-06 Rite Aid Corporation PA 2900 Other Paper 2014-01-23 2011-10-07 Advanced Occupational Medicine Specialists IL Blue Vantage Group 7226 Unauthorized Access/Disclosure Network Server 2014-01-23 2011-10-12 Open MRI of Chicago IL Nation Wise Machine Buyers 2000 Improper Disposal Paper 2014-01-23 2011-09-06 University of Nebraska Medical Center NE 611 Theft Paper 2014-04-23 2011-11-15 Roberts S. Smith M.D. Inc. GA 17000 Theft Laptop 2014-01-23 2011-10-17 Paul C. Brown, MD, PS WA 4693 Theft Other 2014-02-14 2011-10-14 2011-10-17 Molina Healthcare of California CA 11081 Other Paper 2014-01-23 2009-09-23 Aegis Sciences Corporation TN 2185 Theft Laptop, Other Portable Electronic Device 2014-04-23 OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies. 
2011-11-22 Soundpath Health, Inc WA 7581 Theft Laptop 2014-02-14 2011-11-22 Concentra Health TX 870 Theft Laptop 2014-01-23 2011-11-30 Sleep HealthCenters LLC MA 2988 Theft Laptop 2014-03-13 2011-11-23 Smile Designs FL 1670 Theft Desktop Computer, Network Server 2014-01-23 2011-12-01 PBH NC Alamance Caswell Local Management Entity 50000 Unauthorized Access/Disclosure, Other Network Server, E-mail 2014-01-23 2011-11-15 CardioNet, Inc PA 1300 Theft Laptop 2014-01-23 2011-11-10 MDwise, Inc. IN RightNow Technologies 2700 Unauthorized Access/Disclosure Other 2014-03-24 2011-02-10 Ford Motor Company MI WageWorks, Inc. 1700 Other Paper 2014-03-24 2012-01-03 Foundation Medical Partners NH 771 Theft Paper 2014-06-02 Without permission from the covered entity (CE), an employee provided a list of patients' names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating. The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes. Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management. The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter. 
2011-11-19 2011-12-01 Kansas Department on Aging KS 7757 Theft Laptop 2014-01-23 2012-01-11 Delta Dental of California CA 11646 Other Paper 2014-01-23 2011-12-22 2011-12-23 Muskogee Regional Medical Center OK 844 Loss Other 2014-01-23 2011-12-05 Department of Medical Assistance Services VA ACS, Affiliated Computer Services, Inc., A Xerox Company 1444 Unauthorized Access/Disclosure, Other Paper 2014-01-23 2011-11-02 2011-11-16 Oldendorf Medical Services, PLLC NY 549 Theft Laptop 2014-06-02 OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. 2012-01-17 St.Vincent Physician Network IN 1423 Theft, Unauthorized Access/Disclosure Paper 2014-03-24 2010-12-01 2011-11-21 Flex Physical Therapy WA 3100 Theft Desktop Computer 2014-01-23 2011-12-30 Metro Community Provider Network CO 3200 Hacking/IT Incident, Other E-mail 2014-01-23 2011-12-05 University of Miami FL 1219 Theft Other Portable Electronic Device 2014-01-23 2011-11-24 UnitedHealth Group health plan single affiliated covered entity MN 6678 Other Paper 2014-03-24 2011-12-15 Triumph, LLC NC 2000 Theft Laptop 2014-01-23 2011-12-13 Fairview Health Services MN Accretive Health 14000 Theft Laptop 2014-01-23 2011-07-25 Loma Linda University Medical Center (LLUMC) CA 1366 Other Paper 2014-01-23 2011-12-19 Ford Motor Company Salaried Health Reimbursement Arrangement (HRA) Plan MI Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company 1700 Other Other 2014-03-24 2011-12-29 Medco Health Solutions, Inc. 
NJ 1287 Theft Paper 2014-06-20 " The covered entity (CE), Medco Health Solutions, mailed letters with incorrect addresses after a programming code in its mailing software caused corruption of its data. The mailing contained the protected health information (PHI) of 4,341 individuals and included names, medication name and prescription number. The CE provided breach notification to HHS, the media, and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. As a result of OCR's investigation, the CE corrected the update to its mailing software system and established manual and automated quality control processes. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-11-30 Lakeview Medical Center WI 698 Theft Laptop 2014-01-23 2012-01-04 Goshen Health System, Inc. IN 660 Hacking/IT Incident Other 2014-01-23 2011-12-22 Georgetown University Hospital DC 1549 Unauthorized Access/Disclosure Paper 2014-01-23 2011-11-01 Motion Picture Industry Health Plans (MPI) CA 703 Other Other 2014-02-14 2009-09-23 2011-12-02 Ochsner Health System LA 2088 Loss Other Portable Electronic Device 2014-01-23 2012-01-19 Applegate Valley Family Medicine OR Dr. Trandinh 2300 Theft, Unauthorized Access/Disclosure Laptop 2014-01-23 2011-12-01 2011-12-17 CardioNet, Inc. PA 728 Theft Laptop 2014-01-23 2011-12-29 Presbyterian Healthcare Services NM Beth Barrett Consulting, LLC 7000 Theft Laptop 2014-03-13 2011-12-29 Alliant Health Plans, Inc. GA Catalyst Health Solutions, Inc. 632 Unauthorized Access/Disclosure Other 2014-01-23 2012-01-01 FIRST MEDICAL CENTER, INC. PR T&P CONSULTING, INC. 
D/B/A QUANTUM 7706 Theft Laptop 2014-06-13 An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures. 2012-01-11 Lee Miller Rehabilitation Associates MD 10480 Theft Network Server 2014-01-23 2012-01-15 Jeremaih J. Twomey, F.A.C.P., P.A. TX Jeremaih J. Twomey, F.A.C.P., P.A. 2559 Theft Other 2014-01-23 2011-12-31 Anchorage Community Mental Health Services Inc. AK 2743 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2011-12-20 2012-01-04 Robley Rex VA Medical Center KY 1182 Other Paper 2014-01-23 2012-01-09 Indiana Internal Medicine Consultants IN 20000 Theft Laptop 2014-06-24 A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. 
Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without proprietary software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. 2012-02-11 Policlinica La Familia IPA 343 PR T & P Consulting, Inc. d/b/a Quantum Health Consulting 5994 Theft Laptop 2014-06-03 "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 5,994 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls. " 2012-01-11 Servicios Medicos Integrados de Fajardo PR T & P Consulting, Inc. 
d/b/a Quantum Health Consulting 10000 Theft Laptop, Other Portable Electronic Device 2014-04-23 The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures. 2012-01-11 Proveedores Aliados por tu SAlud PR Quantum Health Consulting 4645 Theft Laptop 2014-06-20 "OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. 
In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. " 2012-01-12 Centro de Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional PR T&P Consulting, INC. d/b/a Quantum Health Consulting 27098 Theft Laptop 2014-06-20 OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the BA filed a police report and provided breach notification to the media, and all affected individuals. The CE provided breach notice to HHS. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. The CE also terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2012-01-11 Kern Medical Center CA 1431 Theft Paper 2014-01-23 2012-02-25 William F. DeLuca Jr., M.D. 
NY 577 Theft Laptop 2014-06-02 OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies. 2012-01-16 Grupo Medico IPA -341 PR Quantum Health Consulting 7923 Theft Laptop 2014-06-20 An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. 
2012-01-11 Advanced Clinical Research Institute CA 875 Theft Paper 2014-01-23 2012-01-26 Access Medical Group -IPA 344 PR T&P Consulting, INC DBA Quantum HC 7606 Theft Laptop, Other Portable Electronic Device 2014-06-13 An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls. 2012-01-11 Georgia Health Sciences University GA 513 Theft Laptop 2014-01-23 2012-01-18 Baylor Heart and Vascular Center, LLP TX 1972 Theft Other Portable Electronic Device 2014-01-23 2012-01-26 Chicago Musculoskeletal Institute/Metro Orthopedics IL 750 Other Network Server 2014-03-24 2011-12-31 Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company MA Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.) 3482 Other Paper 2014-01-23 2012-01-17 2012-02-02 Duke University Health System NC 1370 Unauthorized Access/Disclosure Other 2014-04-23 2008-07-01 2011-11-30 St. 
Joseph's Medical Center CA 712 Theft Paper 2014-01-23 2012-02-02 UnitedHealth Group health plan single affiliated covered entity MN 3537 Unauthorized Access/Disclosure Other 2014-03-24 2011-06-28 CenterLight Healthcare NY 642 Unauthorized Access/Disclosure E-mail 2014-01-23 2012-01-27 Lake Granbury Medical Center TX 502 Theft Paper 2014-01-23 2012-02-13 County of Wayne Department of Personnel/Human Resources Benefits Administration Division MI 1229 Unauthorized Access/Disclosure E-mail 2014-06-10 2012-03-16 St. Elizabeth's Medical Center MA 6831 Loss Paper 2014-01-23 2012-02-01 The Neighborhood Christian Clinic AZ 9565 Loss Other Portable Electronic Device 2014-01-23 2012-02-07 AccentCare Home Health of California, Inc. Medicare # 057564 CA state License # 080000226 CA 1000 Unauthorized Access/Disclosure E-mail 2014-01-23 2012-04-20 2012-04-21 Seton Health Plan TX HealthLOGIX 555 Unauthorized Access/Disclosure Paper 2014-01-23 2012-03-09 awklein a med corp CA David Charles Rish 2000 Theft Other 2014-01-23 2011-02-01 Utah Department of Health UT Utah Department of Technology Services 780000 Hacking/IT Incident Network Server 2014-01-23 2012-03-10 2012-04-02 IU Medical Group IN 1000 Improper Disposal Paper 2014-01-23 2012-04-11 Rhinebeck Health Center/Center for Progressive Medicine NY 6745 Theft Desktop Computer, Network Server 2014-06-03 The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. 
In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system. 2011-11-15 2011-12-14 Memorial Healthcare System FL 9497 Other Other 2014-01-23 2011-08-01 2012-02-12 Roy E. Gondo, M.D. WA 2100 Theft Desktop Computer, Electronic Medical Record 2014-01-23 2012-02-21 DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central TX 1000 Improper Disposal Paper 2014-01-23 2012-02-16 Emory Healthcare GA 315000 Unknown, Other Other 2014-01-23 2012-02-07 2012-02-20 Rex Smith, DPM -Rex Smith Podiatry OR 20915 Theft Desktop Computer 2014-01-23 2012-02-19 Desert AIDS Project CA 4400 Theft Desktop Computer 2014-01-23 2012-04-12 University of Arkansas for Medical Sciences AR 7121 Unauthorized Access/Disclosure Other 2014-01-23 2012-02-15 TLC DENTAL DANIA, LLC FL 750 Theft Paper 2014-02-20 2012-04-23 South Carolina Department of Health and Human Services SC 228435 Unauthorized Access/Disclosure E-mail 2014-01-23 2012-01-31 2012-04-02 Oregon Health Authority OR 550 Theft Paper 2014-04-23 2012-04-13 SHIELDS For Families CA 961 Theft Network Server 2014-01-23 2012-02-27 Safe Ride Services, Inc AZ 42000 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2011-08-31 IntraCare North Hospital TX 750 Theft Paper 2014-01-23 2011-03-15 2011-08-18 Oakland Vision Services, PC MI 3000 Hacking/IT Incident Network Server 2014-03-24 2012-04-09 Stephen Haggard, DPM Podiatry WA 1597 Theft Network Server 2014-01-23 2012-03-04 Baptist Health System AL 1655 Improper 
Disposal Paper 2014-01-23 2012-03-08 University of Houston for UH College of Optometry TX 7000 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2012-02-22 2012-02-23 Rite Aid Store 1343 WV 2905 Theft Paper 2014-03-24 2012-03-26 Iowa Department of Human Services IA 3000 Improper Disposal Paper 2014-01-23 2012-02-06 2012-03-14 Hogan Services Inc. Health Care Premium Plan MO 1134 Unauthorized Access/Disclosure E-mail 2014-01-23 2012-03-30 Family HealthServices Minnesota, P.A. MN 4000 Theft Laptop 2014-06-10 2012-03-30 St. Mary Medical Center CA 3900 Loss Other Portable Electronic Device 2014-01-23 2012-05-07 Fairview Health Services MN Accretive Health 623 Theft Laptop 2014-03-24 2011-07-25 Our Lady of the Lake Regional Medical Center LA 17000 Theft, Loss Laptop 2014-01-23 2012-03-16 UnitedHealth Group health plan single affiliated covered entity MN 19100 Unauthorized Access/Disclosure Other 2014-01-23 2011-06-28 2011-12-12 West Dermatology CA 1900 Theft Other 2014-01-23 2012-04-21 2012-04-22 Duke University Health System NC 591 Unauthorized Access/Disclosure Other 2014-01-23 2004-04-21 2012-02-16 Luz Colon, DPM Podiatry FL 1137 Theft, Loss Laptop 2014-01-23 2012-03-20 Ameritas Life Insurance Corp. NE 3000 Theft Laptop 2014-01-23 2012-03-21 Children's Hospital Boston MA 2159 Theft Laptop 2014-01-23 2012-03-25 Upper Valley Medical Center OH Data Image, Inc. 15000 Unauthorized Access/Disclosure Other 2014-01-23 2010-10-01 2012-03-21 Physician's Automated Laboratory CA 745 Theft Paper 2014-01-23 2012-03-23 2012-03-26 Phoebe Putney Memorial Hospital, Inc. 
GA 12937 Theft Electronic Medical Record, Paper 2014-02-20 2010-07-26 2012-03-29 Independence Physical Therapy CT 925 Theft Desktop Computer 2014-01-23 2011-08-01 Titus Regional Medical Center TX 5700 Loss, Unknown Laptop 2014-01-23 2012-03-27 Titus Regional Medical Center TX 500 Theft Other 2014-01-23 2012-03-29 Lutheran Community Services Northwest WA 756 Theft Desktop Computer, Other Portable Electronic Device 2014-01-23 2012-03-29 2012-03-30 Volunteer State Health Plan, Inc. TN 1102 Loss Paper 2014-01-23 2012-03-16 2012-04-20 Charlie Norwood VA Medical Center GA 824 Loss Other Portable Electronic Device 2014-01-23 2012-03-30 Mid America Health, Inc. IN PrevMED 1444 Theft Laptop 2014-01-23 2012-04-06 Metcare of Florida, Inc. FL 2557 Theft Other Portable Electronic Device 2014-01-23 2012-05-01 2012-05-02 Robert Witham, MD, FACP OR 11136 Theft Desktop Computer 2014-01-23 2012-04-16 Memorial Sloan-Kettering Cancer Center NY 568 Theft E-mail, Other 2014-06-03 The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above. 
2009-08-13 2012-04-12 Gessler Clinic, P.A. FL 1409 Theft Paper 2014-01-23 2012-05-03 2012-05-04 University of Kentucky HealthCare KY 4490 Theft Laptop 2014-01-23 2012-05-01 Wolf & Yun KY 824 Theft Laptop 2014-01-23 2012-04-24 Karen Kietzman MT 708 Theft Laptop, Other Portable Electronic Device 2014-03-21 2012-04-22 Bruce G. Peller, DMD, PA NC 9953 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2012-04-22 Sharon L. Rogers, Ph.D., ABPP TX 585 Theft Laptop 2014-01-23 2012-06-16 Health Texas Provider Network - Cardiovascular Consultants of North Texas TX 2462 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2012-03-16 2012-05-11 SwedishAmerican Health System IL 1500 Theft Paper 2014-03-24 2012-05-31 River Arch Dental CA Patterson Dental, Inc. 2533 Loss, Unauthorized Access/Disclosure, Unknown Other Portable Electronic Device 2014-01-23 2012-05-12 Hamner Square Dental CA Patterson Dental, Inc 1112 Theft, Loss, Unauthorized Access/Disclosure, Unknown Other Portable Electronic Device 2014-01-23 2012-05-12 Visiting Nurse Services of Iowa IA 1298 Theft Paper 2014-01-23 2012-05-27 Molalla Family Dental OR 4354 Unauthorized Access/Disclosure, Hacking/IT Incident, Other Network Server 2014-01-23 2012-05-17 Pamlico Medical Equipment LLC NC 2917 Loss Other Portable Electronic Device 2014-01-23 2012-05-16 Beth Israel Deaconess Medical Center MA 3900 Theft Laptop 2014-01-23 2012-05-22 NYU School of Medicine Faculty Group Practice NY 8488 Theft Desktop Computer 2014-01-23 2012-05-22 Adult & Child Center, Inc. IN Choices, Inc. 550 Hacking/IT Incident Other 2014-01-23 2012-05-10 The Surgeons of Lake County, LLC IL 7067 Other Network Server 2014-01-23 2012-06-22 2012-06-25 Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg IN 1504 Theft Other 2014-01-23 2012-06-01 2012-06-04 Jeffrey Paul Edelstein M.D. 
AZ 4800 Theft Network Server 2014-01-23 2012-05-28 Northwestern Memorial Hospital IL 4211 Theft Laptop, Other Portable Electronic Device 2014-01-23 2012-06-11 Walgreen Co. IL 1240 Theft Paper 2014-01-23 2012-07-05 VNA HealthCare CT EMC 7461 Theft Laptop 2014-02-19 2012-06-25 Hartford Hospital CT EMC 2097 Theft Laptop 2014-04-23 2012-06-25 Diversified Support Services IN Choices, Inc. 505 Hacking/IT Incident Other 2014-01-23 2012-05-10 Oregon Health & Science University OR 702 Theft Other 2014-01-23 2012-07-04 Stanford Hospital & Clinics and School of Medicine CA 2300 Theft Desktop Computer 2014-01-23 2012-07-15 2012-07-16 Midtown Mental Health Center IN CHOICES, Inc 890 Hacking/IT Incident Other 2014-01-23 2012-05-10 Harris County Hospital District TX 2875 Theft Electronic Medical Record, Paper 2014-04-23 2008-04-14 2011-02-28 Howard University Hospital DC Siemens Medical Solutions, USA 66601 Theft Laptop 2014-01-23 2012-01-25 TEMPLE COMMUNITY HOSPITAL CA 603 Theft Desktop Computer 2014-01-23 2012-07-03 Memorial Healthcare System FL 105646 Theft Electronic Medical Record 2014-01-23 2011-01-01 2012-07-05 Liberty Resources, Inc. PA 3183 Theft Laptop 2014-06-24 An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. 
Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above. 2012-08-04 The University of Texas MD Anderson Cancer Center TX 2264 Loss Other Portable Electronic Device 2014-01-23 2012-07-13 Central States Southeast and Southwest Areas Health & Welfare Fund IL 754 Unauthorized Access/Disclosure, Other Paper 2014-01-23 2012-07-31 LANA MEDICAL CARE FL 500 Theft Laptop 2014-01-23 2012-08-18 Cancer Care Group, P.C. IN 55000 Theft Other Portable Electronic Device 2014-03-24 2012-07-19 Tricounty Behavioral Health Clinic GA 4000 Theft Laptop 2014-01-23 2012-08-26 Sierra Plastic Surgery NV 800 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2011-08-19 2011-09-20 Charlotte Clark-Neitzel, MD WA 942 Theft Laptop 2014-01-23 2012-07-24 University of Miami FL 64846 Unauthorized Access/Disclosure, Other Paper 2014-01-23 2012-07-18 University of New Mexico Health Sciences Center NM 2365 Hacking/IT Incident Network Server 2014-01-23 2012-05-21 Valley Plastic Surgery, P.C. VA 4873 Theft Other Portable Electronic Device 2014-03-24 2012-07-15 Colon & Digestive Health Specialists AR Ecco Health, LLC 5713 Loss Other Portable Electronic Device 2014-01-23 2012-07-16 BHcare, Inc CT 5827 Theft Laptop, Other Portable Electronic Device 2014-02-19 2012-07-19 The Feinstein Institute for Medical Research NY 13000 Theft Laptop 2014-01-23 2012-09-02 St. 
Therese Medical Group, Inc CA 3031 Theft Desktop Computer 2014-01-23 2012-07-22 Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency) KY 2500 Unauthorized Access/Disclosure E-mail 2014-01-23 2012-07-20 Litton & Giddings Radiological Associates, P.C. MO PST Services, Inc 13074 Improper Disposal Paper 2014-01-23 2012-07-31 2012-08-02 Apria Healthcare, Inc. CA 65700 Theft Laptop 2014-01-23 2012-06-14 Alexander J. Tikhtman, M.D. KY 2376 Loss Other Portable Electronic Device 2014-01-23 2012-08-15 Gulf Coast Health Care Services Inc FL 13000 Theft, Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-01-23 2012-08-17 Blount Memorial Hospital, Inc TN 27799 Theft Laptop 2014-01-23 2012-08-25 Alere Home Monitoring, Inc CA 116506 Theft Laptop 2014-01-23 2012-09-23 Coastal home Respiratory, LLP GA 3440 Theft Other 2014-01-23 2012-10-04 Philip P Corneliuson, DDS, INC. CA 980 Theft Desktop Computer 2014-01-23 2012-09-15 First Step Counseling, Inc. NJ 638 Theft Paper 2014-06-03 Two of the covered entity's (CE) employees photocopied documents containing 638 patients' protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCR's investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff. 2011-05-01 2011-08-05 Logan Community Resources, Inc. 
IN 2900 Hacking/IT Incident Network Server 2014-01-23 2012-08-24 David DiGiallorenzo, D.M.D. PA 2600 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server, Electronic Medical Record 2014-01-23 2012-09-17 CVS Caremark RI 955 Theft Paper 2014-01-23 2012-08-13 Memorial Hospital OH 500 Improper Disposal Paper 2014-03-24 2012-08-29 SURGICAL ASSOCIATES OF UTICA, PC NY QUANTERION SOLUTIONS INC 1017 Theft Network Server 2014-06-20 An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity's (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR's investigation, the CE executed a BA agreement. 2012-09-18 Illinois Department of Healthcare and Family Services IL University of Illinois, College of Nursing 508 Theft Paper 2014-03-24 2012-08-31 Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center FL 2560 Theft Electronic Medical Record 2014-01-23 2012-01-01 2012-09-12 WYATT DENTAL GROUP, LLC LA 10271 Theft, Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2011-11-04 2012-04-15 Women & Infants Hospital of Rhode Island RI 14004 Loss Other 2014-01-23 2012-09-13 Memorial Health System CO 6262 Loss Paper 2014-01-23 2012-05-01 CHRISTUS St. John Hospital TX 5748 Loss Other Portable Electronic Device 2014-01-23 2012-09-25 L.A. 
Care Health Plan CA 18000 Other Other 2014-01-23 2012-09-17 2012-09-20 Hawaii State Department of Health, Adult Mental Health Division HI 674 Hacking/IT Incident Desktop Computer 2014-01-23 2012-09-25 Soundental Associates, PC CT 14511 Theft Other Portable Electronic Device 2014-02-19 2012-09-24 Original Medicine Acupuncture & Wellness, LLC NM 540 Theft Laptop 2014-01-23 2012-09-07 2012-09-09 Brigham and Women's Hospital MA 615 Theft Desktop Computer 2014-01-23 2012-10-16 St. Francis Health Network, aka Franciscan Alliance ACO IN Advantage Health Solutions, Inc. 2575 Other Other 2014-01-23 2012-10-19 James M. McGee, D.M.D., P.C. GA 1306 Theft Paper 2014-01-23 2012-09-19 2012-09-26 Robbins Eye Center PC CT 1749 Theft Desktop Computer 2014-01-23 2012-10-07 Advanced Data Processing, Inc. FL 10000 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 Cuyahoga County Board of Developmental Disabilities OH 613 Theft Laptop 2014-03-24 2012-11-02 Okaloosa County Public Safety FL Advanced Data Processing, Inc. 715 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 City of Covington Kentucky Fire Department KY Advanced Data Processing Inc 1548 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 Northern Trust IL Blue Cross Blue Shield 500 Unauthorized Access/Disclosure Network Server 2014-03-24 2012-09-13 Vidant Pungo Hospital NC 1100 Improper Disposal Paper 2014-01-23 2012-10-04 County of San Bernardino Department of Public Health CA 1370 Unauthorized Access/Disclosure Paper 2014-01-23 2012-09-28 2012-09-30 City of Overland Park Fire Department FL Advanced Data Processing, Inc. 
911 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 Sumner County Emergency Medical Services TN Advanced Data Processing, Inc 774 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 City of El Centro Fire Department CA ADPI-West 1500 Theft, Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2012-10-01 Landmark Medical Center RI 683 Theft Laptop 2014-01-23 2012-10-01 City of Atlanta/ Atlanta Fire Rescue Department GA Advanced Data Processing Inc. 908 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 University of Virginia Medical Center VA 1846 Loss Other Portable Electronic Device 2014-02-14 2012-10-05 Osceola County EMS FL Advanced Data Processing Inc 949 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 Carolinas Medical Center - Randolph NC 5600 Hacking/IT Incident E-mail 2014-01-23 2012-03-11 2012-10-08 Coastal Behavioral Healthcare, Inc. FL 4907 Theft Paper 2014-01-23 2011-04-11 CCS Medical, Inc. TX 6601 Unauthorized Access/Disclosure Network Server, Other 2014-01-23 2012-05-01 2012-09-21 City of Gloucester, Fire Department MA Advanced Data Processing, Inc. 1286 Theft Desktop Computer 2014-01-23 2012-06-15 2012-10-01 Columbia University Medical Center and NewYork-Presbyterian Hospital NY 4929 Theft Desktop Computer 2014-01-23 2012-10-12 2012-10-15 Baptist Health System AR Health Advantage 811 Other Paper 2014-01-23 2012-10-13 2012-10-27 DFA, Employee Benefits Division AR Health Advantage 7039 Other Paper 2014-01-23 2012-10-13 2012-10-27 Health Advantage AR 2863 Other Paper 2014-01-23 2012-10-13 2012-10-27 University of Michigan Health System MI Omnicell, Inc. 3999 Theft Laptop 2014-01-23 2012-11-14 Westerville Dental Center OH 850 Theft Laptop, Network Server 2014-01-23 2012-12-02 OHP PHSP, Inc. NY HealthPlus, Amerigroup 28187 Unauthorized Access/Disclosure Other 2014-01-23 2012-08-31 2012-09-21 Center for Orthopedic Research and Education, Inc. AZ 35488 Theft Paper 2014-04-23 2012-10-20 2012-10-21 Calif. Dept. 
of Health Care Services (DHCS) CA 2643 Unauthorized Access/Disclosure Other 2014-01-23 2012-12-10 2012-12-18 Richard Switzer MD PC MI 4100 Other Laptop 2014-03-24 2011-11-29 Gibson General Hospital IN 28893 Theft Laptop 2014-03-24 2012-11-27 Sovereign Medical Group, LLC NJ 27800 Theft, Hacking/IT Incident Network Server 2014-01-23 2012-10-10 Cabinet for Health & Family Services, Department of Medicaid Services KY HP Enterprise Services 1090 Hacking/IT Incident Laptop 2014-01-23 2012-11-15 Harbor Medical Associates, P.C. MA Clearpoint Design, Inc. 4343 Hacking/IT Incident Network Server 2014-01-23 2012-10-18 2012-11-04 Sentara Healthcare VA Omnicell, Inc. 56820 Theft Laptop 2014-02-14 2012-11-14 St. Mark's Medical Center TX 2988 Hacking/IT Incident Desktop Computer 2014-01-23 2012-05-21 Group Health Incorporated NY 1771 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers. As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one year subscription for credit monitoring. 2012-11-13 Calvin Schuster,MD CA 532 Theft Desktop Computer 2014-01-23 2012-11-04 Granite Medical Group, Inc. MA Clearpoint Design, Inc. 
4125 Hacking/IT Incident Network Server 2014-02-19 2010-01-02 2012-11-15 University of Nevada School of Medicine NV 1483 Improper Disposal Paper 2014-01-23 2012-10-11 Dimensions Healthcare System MD WorkflowOne 635 Unauthorized Access/Disclosure Paper 2014-03-25 2012-11-16 SilverScript Insurance Company AZ 852 Unauthorized Access/Disclosure Paper 2014-01-23 2012-10-31 South Jersey Hospital Inc. NJ Omnicell Inc. 8555 Theft Laptop 2014-01-23 2012-11-14 Child & Family Psychological Services, Inc. MA Clearpoint Design, Inc. 7250 Hacking/IT Incident Network Server 2014-01-23 2012-10-18 2012-10-29 Pousson Family Dentistry LA 1400 Theft Laptop 2014-01-23 2012-12-03 South Shore Medical Center MA Clearpoint Design, Inc. 4100 Hacking/IT Incident Network Server 2014-01-23 2007-01-01 2012-11-15 Lee D. Pollan, DMD, PC NY 19178 Theft Laptop 2014-05-28 OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices. 2012-11-06 2012-11-15 Washington University School of Medicine MO 1105 Theft Laptop 2014-01-23 2012-11-28 Riderwood Village MD 3230 Theft Laptop 2014-01-23 2012-11-18 WAYNE MEMORIAL HOSPITAL PA 1184 Loss Other 2014-03-24 2012-12-03 Baptist Health System TX 678 Unauthorized Access/Disclosure Electronic Medical Record 2014-03-13 2011-08-14 Baillie Lumber Co. 
Group Health Plan NY BlueCross BlueShield of Western New York 725 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), Baillie Lumber Co. Group Health Plan, after it reported its business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers. The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the BA contacted the U.S. Post Office to inquire about the package that contained the invoices that the CE never received. As a result of OCR's investigation, the BA revised its invoice process and removed social security numbers and member identification numbers from its invoices. The BA also improved safeguards by changing its mailing procedures to send invoices to the CE via secure email. The breach involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 2012-11-27 The University of Texas MD Anderson Cancer Center TX 29021 Theft Laptop 2014-01-23 2012-04-30 Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics WI 2400 Theft Paper 2014-03-24 2012-05-30 2012-08-31 Boy Scouts of America Employee Benefit Plan TX RR Donnelley (a sub-BA for UnitedHealth Group) 8911 Theft Desktop Computer 2014-01-23 2012-09-15 2012-11-30 Kmart Corporation IL Kmart Pharmacy #7623 16988 Improper Disposal Paper 2014-02-12 2013-01-02 Community Services NW AL 2400 Theft Desktop Computer 2014-04-23 2012-12-06 American HomePatient Inc. 
TN LifeGas 1103 Theft Laptop 2014-01-23 2012-10-11 Yadkinville Chiropractic DCPA NC Yadkinville Chiropractic DCPA 1000 Theft Desktop Computer 2014-02-12 2013-02-01 Intervention Services, Inc. FL 1200 Theft Laptop 2014-01-23 2013-01-19 West Georgia Ambulance GA 500 Loss Laptop 2014-01-23 2012-12-13 Center for Pain Management, LLC MD 5822 Theft Laptop 2014-01-23 2013-01-22 Multiple Health Plans CA Coast Healthcare Management, LLC 1368 Theft, Other Paper 2014-01-23 2013-12-07 Froedtert Health WI 43549 Unauthorized Access/Disclosure Other 2014-03-24 2012-10-27 2012-12-13 Jackson Health System FL 566 Other Paper 2014-01-23 2011-05-26 2012-02-18 Riderwood Village MD 5270 Theft Laptop 2014-01-23 2012-11-18 Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl MA 716 Theft Other Portable Electronic Device 2014-01-23 2012-12-15 2012-12-17 HomeCare of Mid-Missouri, Inc. MO 4027 Theft Laptop 2014-01-23 2012-12-14 Heyman HospiceCare at Floyd GA 1819 Theft Laptop 2014-01-23 2013-01-04 Agency for Health Care Administration FL DentaQuest of Florida, Inc. 1892 Unauthorized Access/Disclosure Paper 2014-01-23 2012-11-01 2012-12-20 ABQ HealthPartners NM 778 Theft Laptop 2014-01-23 2012-12-20 Terrell County Health Department GA 18000 Unauthorized Access/Disclosure Network Server 2014-01-23 2012-01-09 2012-04-17 Florida Healthy Kids Corporation FL DentaQuest of Florida, LLC 3667 Unauthorized Access/Disclosure Paper 2014-01-23 2012-11-01 2012-12-20 Stronghold Counseling Services Inc SD 8500 Theft Desktop Computer 2014-01-23 2012-12-24 Arizona Oncology AZ 501 Theft Laptop 2014-01-23 2012-11-21 Crescent Health Inc. - a Walgreens Company CA 109000 Theft Desktop Computer 2014-01-23 2012-12-28 County of San Bernardino, Department of Behavioral Health CA 686 Theft Paper 2014-01-23 2013-01-12 WOMENS HEALTH ENTERPRISE, INC. 
GA 3000 Theft Laptop 2014-01-23 2013-01-02 The Brookdale University Hospital and Medical Center NY Standard Register 2261 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI. 2012-08-11 The Brookdale University Hospital and Medical Center NY Health Plus Amerigroup 28187 Theft Other Portable Electronic Device 2014-06-20 The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated it into an existing breach report filed by OHP PHSP, Inc. regarding the same issues. 2012-09-21 Ultra Stores, Inc. IL Plexus Group 500 Unauthorized Access/Disclosure Other 2014-03-24 2012-09-13 South Miami Hospital FL 834 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2011-06-01 Lancaster General Medical Group PA 527 Theft Paper 2014-01-23 2013-02-05 Maine Medical Center ME 1920 Other E-mail 2014-02-12 2013-02-27 State of California, Dept. of Developmental Services CA North Los Angeles County Regional Center 18162 Theft Laptop 2014-01-23 2012-11-10 Utah Department of Health UT Goold Health System (Goold) 6332 Loss Other Portable Electronic Device 2014-01-23 2013-01-10 2013-01-11 Sports Rehabilitation Consultants OH 1200 Theft Desktop Computer 2014-02-12 2013-02-01 University of Connecticut Health Center CT 1382 Unauthorized Access/Disclosure Network Server 2014-01-23 2010-06-07 2012-12-07 United HomeCare Services, Inc. 
FL 12299 Theft Laptop 2014-01-23 2013-01-08 United Home Care Services of Southwest Florida, LLC FL United HomeCare Services, Inc. 1318 Theft Laptop 2014-01-23 2013-01-08 Catoctin Dental/Richard B. Love, DDS, PA MD Patterson Dental Supply/Patterson Companies 6400 Hacking/IT Incident Network Server 2014-01-23 2013-01-03 Empire Blue Cross Blue Shield IN Connextions c/o Empire BCBS 2608 Theft, Unauthorized Access/Disclosure Network Server 2014-01-23 2011-11-01 2012-10-01 Anthem Blue Cross Blue Shield (OH) IN Connextions c/o Anthem BCBS 1678 Theft, Unauthorized Access/Disclosure Network Server 2014-01-23 2011-11-01 2012-10-01 Anthem Blue Cross Blue Shield (IN) IN Connextions c/o Anthem BCBS 528 Theft, Unauthorized Access/Disclosure Network Server 2014-01-23 2011-11-01 2012-10-01 Mount Sinai Medical Center FL 628 Theft Desktop Computer, Paper 2014-01-23 2012-10-01 2013-02-18 Thomas L. Davis, Jr. DDS OR 3269 Theft Desktop Computer, Electronic Medical Record 2014-01-23 2013-02-12 HealthCare for Women, Inc. MA 8727 Hacking/IT Incident Network Server 2014-01-23 2013-01-18 2013-01-23 University of Mississippi Medical Center MS 500 Loss Laptop 2014-01-23 2012-11-01 2013-01-19 Granger Medical Clinic UT 2600 Theft, Loss, Other Paper 2014-02-12 2013-01-17 Texas Tech University Health Sciences Center TX 697 Unauthorized Access/Disclosure Paper 2014-01-23 2013-02-18 Rite Aid #10217 RI 2082 Unknown, Other Paper 2014-02-12 2013-02-01 WA Department of Social and Health Services WA Sunil Kakar, Psy.D. 629 Theft Laptop 2014-01-23 2013-02-04 Carpenters Health & Welfare Trust Fund for California CA QuickRunner, Inc. (dba, RoadRunner Mailing Services) 2400 Unauthorized Access/Disclosure Paper 2014-01-23 2013-03-11 2013-03-12 Shands Jacksonville Medical Center, Inc. 
FL 1025 Theft, Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2012-05-02 2012-06-22 University of Florida FL 14519 Theft, Unauthorized Access/Disclosure, Other Network Server 2014-01-23 2009-03-01 2012-10-25 Kmart Corporation IL 12542 Theft Electronic Medical Record 2014-02-12 2013-03-17 GLENS FALLS HOSPITAL NY PORTAL HEALTHCARE SOLUTIONS LLC 2360 Theft Network Server 2014-06-03 The covered entity's (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors' notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. As a result of OCR's investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE's ePHI. 2012-11-02 2013-03-14 Hospice and Palliative Care Center of Alamance Caswell NC 5370 Theft, Unauthorized Access/Disclosure Laptop, Paper 2014-01-23 2013-02-24 Texas Health Care, P.L.L.C. TX 554 Theft Paper 2014-01-23 2013-03-10 Network Health Insurance Corporation WI TMG Health 3794 Unauthorized Access/Disclosure Paper 2014-03-24 2012-02-27 Wm. Jennings Bryan Dorn VAMC SC 7405 Loss Laptop 2014-01-23 2013-02-11 John J. Pershing VA Medical Center MO 589 Theft Paper 2014-06-20 OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. 
The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. Substitute notification was provided through a posting on the CE's main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. 2013-02-20 Oregon Health & Science University OR 1076 Theft Laptop 2014-01-23 2013-02-22 Schneck Medical Center IN 3131 Unauthorized Access/Disclosure Other 2014-02-12 2013-03-14 The Guidance Center of Westchester NY 1416 Theft Desktop Computer 2014-01-23 2013-02-21 Hope Hospice TX 818 Other E-mail 2014-01-23 2012-12-27 2013-02-22 IHC Health Services, Inc. 
dba Intermountain Life Flight UT 857 Unauthorized Access/Disclosure Other 2014-02-12 2013-03-28 Valley Mental Health UT 700 Theft Desktop Computer 2014-01-23 2013-02-27 Delta Dental of Pennsylvania PA ZDI 14829 Loss Paper 2014-01-23 2013-03-20 Raleigh Orthopaedic Clinic NC 17300 Theft, Improper Disposal, Unauthorized Access/Disclosure Paper 2014-01-23 2013-01-15 Laboratory Corporation of America NC 1580 Theft Desktop Computer 2014-02-12 2013-03-15 Arizona Counseling & Treatment Services, LLC AZ 3800 Theft Other Portable Electronic Device 2014-01-23 2013-03-18 2013-03-25 Wood County Hospital OH 2500 Theft Other 2014-01-23 2013-03-19 University of Rochester Medical Center & Affiliates NY 537 Loss Other Portable Electronic Device 2014-01-23 2013-02-15 Orthopedics & Adult Reconstructive Surgery TX AssuranceMD f/k/a Harbor Group 22000 Loss Other Portable Electronic Device 2014-01-23 2013-03-01 2013-03-13 El Centro Regional Medical Center CA Digital Archive Management 189489 Improper Disposal Paper 2014-01-23 2012-11-07 Seattle - King County Department of Public Health WA 750 Improper Disposal Paper 2014-01-23 2013-03-07 Regional Medical Center TN 1180 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-02-04 Presbyterian Anesthesia Associates PA NC E-dreamz, Inc. 9988 Hacking/IT Incident Network Server 2014-01-23 2013-04-01 Integrity Oncology, an office of Baptist Medical Group TN North Atlantic Telecom, Inc. 539 Other Desktop Computer 2014-01-23 2013-03-05 Piedmont HealthCare, P.A. NC E-dreamz, Inc. 
1924 Hacking/IT Incident Network Server 2014-01-23 2013-03-28 Indiana University Health Arnett IN 10350 Theft Laptop 2014-01-23 2013-04-09 Dent Neurologic Group, LLP NY 10000 Other E-mail 2014-01-23 2013-05-13 City of Norwood OH 9577 Loss Laptop 2014-01-23 2013-04-14 2013-04-19 Lutheran Social Services of South Central Pennsylvania PA 7803 Hacking/IT Incident Network Server 2014-01-23 2012-06-01 2013-03-07 Comfort Dental Marion and Kokomo IN Just the Connection Inc 5388 Improper Disposal Other 2014-01-23 2013-03-14 2013-03-18 Erskine Family Dentistry IN 2723 Hacking/IT Incident Desktop Computer 2014-02-12 2013-03-19 Health Resources of Arkansas AR 1900 Theft, Unauthorized Access/Disclosure Other 2014-01-23 2013-04-14 Various Health Plans AL SynerMed / Inland Valleys IPA 3164 Theft Laptop 2014-01-23 2013-04-14 2013-04-15 Independence Care System NY 2434 Theft Laptop 2014-01-23 2013-05-07 Sonoma Valley Hospital CA 1386 Other Other 2014-01-23 2013-02-14 University of Florida FL 5875 Theft, Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2012-02-01 2013-04-11 Community Support Services, Inc. 
OH 1167 Theft E-mail 2014-02-12 2013-03-20 2013-03-26 UMASSAmherst MA 1670 Hacking/IT Incident Desktop Computer 2014-01-23 2012-10-22 Palm Beach County Health Department FL 877 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2013-01-07 Lucile Packard Children's Hospital CA 12900 Theft Laptop 2014-01-23 2013-05-08 Fayetteville VAMC NC 1093 Improper Disposal Paper 2014-01-23 2013-04-17 Lincoln County Health and Human Services/Lincoln Community Health Center OR 959 Unauthorized Access/Disclosure Paper 2014-01-23 2013-04-17 Union Security Insurance Company MO 1127 Improper Disposal E-mail 2014-01-23 2013-05-17 Gulf Breeze Family Eyecare, Inc FL 9626 Theft, Unauthorized Access/Disclosure Desktop Computer, Network Server, E-mail, Electronic Medical Record, Paper 2014-01-23 2013-03-08 2013-05-09 Jacksonville Spine Center FL 5200 Unauthorized Access/Disclosure Paper 2014-01-23 2013-04-25 Iowa Department of Human Services IA 7335 Loss, Unknown Other 2014-01-23 2013-04-30 James A. Fosnaugh NE 2125 Loss Other Portable Electronic Device 2014-01-23 2013-05-01 2013-05-03 Lone Star Circle of Care TX 1955 Theft Laptop 2014-01-23 2013-05-01 2013-05-02 Aflac GA Alberto Gerardo Vazquez Rivera 679 Theft Laptop 2014-01-23 2013-05-09 Indiana Family & Social Services Administration IN RCR Technology Corporation 187533 Other Paper 2014-01-23 2013-04-06 2013-05-21 Northrop Grumman Retiree Health Plan VA CVS Caremark 4305 Theft Paper 2014-06-24 Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media. 
Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above. 2013-05-20 Health Net, Inc. CA 8331 Other Paper 2014-01-23 2013-04-01 2013-05-31 South Florida Neurology Associates, P.A. FL 900 Theft Laptop 2014-01-23 2013-05-25 2013-05-30 Samaritan Regional Health System OH 2203 Other Paper 2014-01-23 2013-05-29 MED-EL Corporation NC 609 Other E-mail 2014-01-23 2013-06-25 Sutter Health East Bay Region (Alta Bates Summit Medical Center; Sutter Delta Medical Center; Eden Medical Center) CA Nelson Family of Companies 4479 Unauthorized Access/Disclosure E-mail 2014-01-23 2011-03-01 Illinois Department of Healthcare and Family Services IL Family Health Network 3133 Other Paper 2014-01-23 2013-05-08 Delta Dental of Pennsylvania PA ZDI 4718 Loss Paper 2014-01-23 2013-05-13 Medtronic, Inc. MN 2764 Loss Paper 2014-01-23 2013-03-28 2013-03-29 Texas Health Harris Methodist Hospital Fort Worth TX Shred-it International Inc. 277014 Improper Disposal Other 2014-01-23 2013-05-11 Long Beach Memorial Medical Center CA 2864 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2012-09-01 2013-07-01 Hansen & Associates WY 2700 Theft Desktop Computer 2014-06-10 2013-05-21 2013-05-29 Sheet Metal Local 36 Welfare Fund MO People Resource Corporation 4560 Unauthorized Access/Disclosure Other 2014-01-23 2012-08-01 2013-07-08 Harris County TX 21000 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2005-08-15 2007-06-14 San Jose Medical Supply Co., Inc. 
CA Jesle Kuizon 800 Theft, Unauthorized Access/Disclosure, Hacking/IT Incident Desktop Computer, Network Server 2014-01-23 2011-10-01 GEO Care, LLC FL 710 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2013-04-16 The Brookdale Hospital and Medical Center NY 2700 Loss Other Portable Electronic Device 2014-01-23 2013-05-24 Louisiana State University Health Care Services Division LA 6994 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2011-12-01 Oregon Health & Science University OR 1361 Unauthorized Access/Disclosure Other 2014-01-31 2011-01-01 2013-07-03 Rocky Mountain Spine Clinic, P.C. CO 532 Theft, Unauthorized Access/Disclosure Network Server 2014-01-23 2013-06-11 Vitreo-Retinal Medical Group, Inc. CA 1837 Theft Laptop 2014-01-23 2013-06-05 Arkansas Department of Human Services AR Health Resources of Arkansas 1911 Theft Laptop 2014-02-12 2013-04-14 Baylor All Saints Medical Center at Fort Worth TX 940 Unauthorized Access/Disclosure Other Portable Electronic Device 2014-02-12 2013-05-07 2013-06-06 Cogent Healthcare, Inc. TN M2ComSys Inc. 32151 Unauthorized Access/Disclosure Network Server 2014-01-23 2013-05-05 2013-06-24 Young Family Medicine Inc. OH 2045 Theft Laptop 2014-01-23 2013-06-12 Hancock OB/GYN IN 1396 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2011-11-09 2013-06-17 Colfax IN Anthem BCBS of GA 5497 Other Other 2014-02-12 2013-04-11 Missouri Department of Social Services MO InfoCrossing, Inc. 
1357 Unauthorized Access/Disclosure Paper 2014-01-23 2011-10-16 2013-06-07 Foundations Recovery Network TN 5690 Theft Laptop 2014-01-23 2013-06-15 California Correctional Health Care Services CA 1033 Other Paper 2014-01-23 2013-06-19 North Texas Comprehensive Spine & Pain Center TX 3200 Theft, Loss Other Portable Electronic Device 2014-02-12 2013-06-16 Minne-Tohe Health Center/Elbowoods Memorial Health Center ND 10000 Improper Disposal, Unauthorized Access/Disclosure Desktop Computer, Other 2014-01-23 2011-10-01 Jackson Health System FL 1471 Other Paper 2014-01-23 2013-01-08 2013-01-10 Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group IL 4029530 Theft Desktop Computer 2014-01-23 2013-07-15 Summit Community Care Clinic, Inc. CO 921 Hacking/IT Incident Desktop Computer 2014-01-23 2013-07-22 UT Physicians TX 596 Theft, Loss Laptop 2014-01-23 2013-07-22 2013-08-02 Parkview Community Hospital Medical Center CA Cogent Healthcare, Inc. 32000 Other Network Server 2014-01-23 2013-05-05 2013-06-24 Atlanta Center for Reproductive Medicine GA 654 Other E-mail 2014-01-23 2013-07-12 St. Anthony's Physician Organization MO 2600 Theft Laptop, Other Portable Electronic Device 2014-01-23 2013-07-29 Janna Benkelman LPC LLC CO 1500 Theft Laptop 2014-01-23 2013-08-01 Olson & White Orthodontics MO 10000 Theft Desktop Computer, Network Server 2014-01-23 2013-07-22 Kaiser Foundation Health Plan of the Northwest OR 647 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2013-03-15 Hankyu Chung, M.D. CA 2182 Theft Laptop 2014-01-23 2013-06-17 ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group IL ICS Collection Service, Inc. 
1290 Hacking/IT Incident Other 2014-01-23 2013-07-09 ACO of Puerto Rico PR PHMHS 5000 Theft Network Server 2014-06-20 Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing, which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR provided technical assistance to help the CE understand its obligations under the Privacy and Security Rules regarding BA agreements. 2013-03-05 2013-07-16 NHC HealthCare, Oak Ridge TN 4268 Loss Other 2014-03-13 2013-05-10 NHC HealthCare, Mauldin SC 4204 Improper Disposal Other 2014-03-13 2013-05-15 Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group IL Blackhawk Consulting Group 2029 Hacking/IT Incident Network Server 2014-02-12 2013-06-30 2013-08-15 Dreyer Medical Clinic IL Blackhawk Consulting Group 998 Hacking/IT Incident Network Server 2014-01-23 2013-06-30 2013-08-15 South Shore Physicians, PC NY 8000 Theft Network Server 2014-01-23 2006-01-01 2012-01-12 Dermatology Associates of Tallahassee FL 916 Unknown Other 2014-01-23 2013-09-04 Sierra View District Hospital CA 1009 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2013-07-01 2013-08-02 Missouri Department of Social Services MO InfoCrossing, Inc. 
25461 Unauthorized Access/Disclosure Paper 2014-02-12 2009-12-21 2013-06-07 Holy Cross Hospital, Inc. FL 9900 Theft, Unauthorized Access/Disclosure Desktop Computer, Network Server 2014-01-23 2013-08-14 Region Ten Community Services Board VA 10228 Hacking/IT Incident E-mail 2014-01-23 2013-07-29 Comprehensive Podiatry LLC OH 1360 Theft Laptop 2014-01-23 2013-08-03 Santa Clara Valley Medical Center CA 579 Theft Laptop 2014-01-23 2013-09-14 2013-09-15 Sarah Benjamin, DPM - Littleton Podiatry CO Not Applicable 3512 Theft Laptop 2014-01-23 2013-08-27 Carol L. Patrick, Ph.D. OH 517 Theft Network Server 2014-01-23 2013-08-08 2013-08-09 HOPE Family Health TN 6932 Theft Laptop 2014-01-23 2013-08-04 Paul G. Klein, DPM NJ 2500 Theft Laptop 2014-06-20 "OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnosis conditions, lab test results, medications, medical notes, and treatment plans. Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR's investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop. OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the Privacy Rule's breach notification rule and provided technical assistance to the CE regarding the requirements of the breach notification rule." 2013-10-01 UnityPoint Health Affiliated Covered Entity ("UnityPoint") IA 1825 Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2013-02-01 2013-08-27 TSYS Employee Health Plan GA Paragon Benefits, Inc. 
5232 Theft E-mail 2014-01-23 2013-09-05 University of California, San Francisco CA 3553 Theft Laptop, Paper 2014-01-23 2013-09-09 Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute PA 2350 Theft, Unauthorized Access/Disclosure Paper 2014-01-23 2013-03-18 2013-05-13 Group Health Cooperative WA 1015 Other Paper 2014-01-23 2013-09-16 Schuylkill Health System PA 2810 Theft Laptop 2014-01-23 2013-08-07 CaroMont Medical Group NC 1310 Other E-mail 2014-01-23 2013-08-05 Mount Sinai Medical Center NY 1586 Improper Disposal Paper 2014-01-23 2013-08-06 Memorial Hospital of Lafayette County WI Healthcare Management System 4330 Unauthorized Access/Disclosure Paper 2014-01-23 2013-08-03 Saint Louis University MO 3100 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-07-25 MUSC Physicians & MUHA SC BlackHawk 7120 Hacking/IT Incident Network Server 2014-02-12 2013-06-30 Ferris State University - MI College of Optometry MI 3947 Hacking/IT Incident Network Server 2014-01-23 2011-12-01 Access Counseling, LLC IN 566 Theft Laptop 2014-01-23 2013-08-23 Rose Medical Center CO 606 Improper Disposal Paper 2014-01-23 2013-06-28 2013-07-16 BriovaRx IL 1067 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-07-03 2013-07-11 North Country Hospital and Health Center, Inc VT 550 Theft Laptop 2014-01-23 2013-09-18 Hope Community Resources, Inc. 
AK 1556 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-08-19 Broward Health Medical Center FL 960 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2012-10-01 2012-12-31 Sentara Healthcare VA 3645 Theft Electronic Medical Record, Paper 2014-01-23 2012-10-01 2013-07-11 Mount Sinai Medical Center NY 610 Loss Other Portable Electronic Device 2014-02-12 2013-08-01 Texas Health Presbyterian Dallas Hospital TX 949 Theft Desktop Computer 2014-02-12 2013-08-22 Seton Healthcare Family TX 5500 Theft Laptop 2014-01-23 2013-10-04 BRONX-LEBANON HOSPITAL CENTER NY PROFESSIONAL TRANSCRIPTION SERVICES 10930 Unauthorized Access/Disclosure Network Server 2014-01-23 2009-09-23 Martin Luther King Jr. Health Center, Inc. NY PROFESSIONAL TRANSCRIPTION SERVICES 37000 Unauthorized Access/Disclosure Network Server 2014-01-23 2009-09-23 SSM St. Mary's Health Center MO Saint Louis University 1300 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-07-25 Good Samaritan Hospital CA 3833 Theft Laptop 2014-01-23 2013-07-08 SSM Health Care of Wisconsin DBA: St. Mary's Janesville Hospital WI 631 Theft Laptop 2014-01-23 2013-08-27 AHMC Healthcare Inc. and affiliated Hospitals CA 729000 Theft Laptop 2014-01-23 2013-10-12 Greater Dallas Orthopaedics, PLLC TX 5840 Theft Desktop Computer 2014-01-23 2013-08-30 Spirit Home Health Care, Corp FL Spirit Home Health Care, Corp 603 Improper Disposal Paper 2014-01-23 2013-09-19 Rotech Healthcare Inc. FL 10680 Unauthorized Access/Disclosure Laptop 2014-02-18 2010-11-26 2013-10-01 Reimbursement Technologies, Inc. PA 2300 Unauthorized Access/Disclosure Network Server 2014-01-23 2013-05-01 2013-07-26 Comprehensive Psychological Services LLC SC 3500 Theft Laptop 2014-01-23 2013-10-28 Superior HealthPlan, Inc. TX 6284 Other Paper 2014-01-23 2013-10-04 Genesis Rehabilitation Services PA 1167 Loss Other Portable Electronic Device 2014-01-23 2013-08-30 Colorado Health & Wellness, Inc. 
CO 651 Theft, Unauthorized Access/Disclosure Electronic Medical Record 2014-01-23 2013-09-04 Barnabas Health Medical Group NJ 1100 Theft Laptop 2014-01-23 2013-09-24 DaVita, a division of DaVita HealthCare Partners Inc CO 11500 Theft, Other Laptop 2014-01-23 2013-09-06 Blue Cross and Blue Shield of North Carolina NC 687 Unauthorized Access/Disclosure Paper 2014-01-23 2013-10-14 North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities NC 1315 Unauthorized Access/Disclosure Other 2014-01-23 2013-08-13 Puerto Rico Health Insurance Administration (PRHIA) PR Triple S Salud Inc. 13336 Unauthorized Access/Disclosure Paper 2014-01-23 2013-09-20 Triple-S Salud PR 70189 Unauthorized Access/Disclosure Paper 2014-01-23 2013-09-20 Associated Urologists of North Carolina NC 7300 Other Other 2014-01-23 2012-09-17 2013-09-17 Kemmet Dental Design ND 2000 Theft, Other Paper 2014-01-23 2013-11-10 Hospice of the Chesapeake MD 7606 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-08-09 Scottsdale Dermatology, LTD AZ All Source Medical Management 1456 Theft Other 2014-01-23 2013-01-01 2013-10-04 Memorial Sloan-Kettering Cancer Center NY 2279 Loss Other Portable Electronic Device 2014-02-18 2013-08-01 Gerdau Ameristeel Health and Welfare Plan FL Health Fitness Corporation 3804 Theft Laptop 2014-02-18 2013-09-27 Gerdau Macsteel Health and Welfare Plan MI Health Fitness Corporation 4837 Theft Laptop 2014-02-18 2013-09-27 UHS-Pruitt Corporation GA 1300 Theft Laptop 2014-01-23 2013-09-26 United Dynacare, LLC dba Dynacare Laboratories WI 9328 Theft Other Portable Electronic Device 2014-01-23 2013-10-22 Redwood Memorial Hospital CA 1039 Loss Other Portable Electronic Device 2014-01-23 2013-11-06 Kaiser Foundation Hospital- Orange County CA 49000 Loss Other Portable Electronic Device 2014-01-23 2013-09-25 Jones Chiropractic and Maximum Health IN 1500 Theft Desktop Computer 2014-01-23 2013-10-13 Ronald Schubert MD PLLC WA 950 Theft Laptop 
2014-01-23 2013-11-22 UPMC PA 1279 Unauthorized Access/Disclosure Electronic Medical Record 2014-02-18 2012-11-05 2013-11-06 UW Medicine WA 76183 Hacking/IT Incident Desktop Computer 2014-02-18 2013-10-02 City of Chicago IL 2080 Unauthorized Access/Disclosure Network Server 2014-01-23 2013-06-18 2013-10-07 City of Joliet IL Quality Health Claims Consultants, LLC 1573 Unauthorized Access/Disclosure E-mail 2014-01-23 2013-10-08 SIU HealthCare IL 1891 Theft, Loss Laptop 2014-01-23 2013-09-13 2013-10-15 The Good Samaritan Health Center GA 5000 Other Desktop Computer 2014-01-23 2013-11-06 UniHealth Source GA 4500 Theft Laptop 2014-01-23 2013-10-08 Walgreen Co. IL 17350 Other Paper 2014-01-23 2013-09-18 2013-10-04 Methodist Dallas Medical Center TX 44000 Unauthorized Access/Disclosure Other 2014-01-23 2005-09-01 2013-08-01 Florida Digestive Health Specialists FL 4400 Unauthorized Access/Disclosure Desktop Computer 2014-01-23 2013-03-06 2013-09-09 Northside Hospital, Inc. GA 4879 Loss Laptop 2014-01-23 2013-10-10 Health Help, Inc. KY 535 Theft Other Portable Electronic Device 2014-01-23 2013-10-15 L.A. 
Gay & Lesbian Center CA 59000 Hacking/IT Incident Network Server 2014-01-23 2013-09-17 2013-11-08 Mosaic NE 3857 Other E-mail 2014-01-23 2013-10-11 New Jersey Department of Human Services NJ Island Peer Review Organization 9642 Loss Other Portable Electronic Device 2014-01-23 2013-10-18 Fairfax County, Virginia VA Molina Healthcare In 1499 Unauthorized Access/Disclosure Network Server 2014-01-23 2013-09-09 2013-10-03 Wyoming Department of Health WY 11935 Unauthorized Access/Disclosure Network Server 2014-01-23 2013-10-16 Shiloh Medical Clinic MT 1900 Unauthorized Access/Disclosure Desktop Computer, E-mail 2014-01-23 2013-11-08 South Carolina Health Insurance Pool SC DeLoach & Williamson 3432 Theft Laptop 2014-01-23 2013-10-16 Tennova Cardiology TN Colby DeHart 2777 Theft Laptop 2014-01-23 2013-10-21 Delta Dental of Pennsylvania PA ZDI 1674 Loss Paper 2014-03-13 2013-10-16 Molina Healthcare of Texas, Inc. TX 2826 Other Paper 2014-01-23 2013-10-01 Rob Meaglia, DDS CA 1400 Theft Desktop Computer 2014-01-23 2013-12-16 Jeff Spiegel MA 832 Unauthorized Access/Disclosure E-mail 2014-03-13 2013-11-25 Tranquility Counseling Services NC 1683 Other Paper 2014-01-23 2013-11-01 Florida Department of Health FL 2354 Unauthorized Access/Disclosure Desktop Computer 2014-03-05 2013-10-30 New Mexico Oncology Hematology Consultants, LTD NM 12354 Theft Laptop 2014-01-23 2013-11-13 Department of Health Care Policy & Financing CO Colorado Community Health Alliance (CCHA)/Physicians Health Partners 1918 Unauthorized Access/Disclosure E-mail 2014-02-21 2013-11-21 Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates NJ 839711 Theft Laptop 2014-02-21 2013-11-01 Phoebe Putney Memorial Hospital GA 6989 Loss Desktop Computer 2014-02-11 2013-11-05 Coulee Medical Center WA 2500 Unauthorized Access/Disclosure Laptop, Network Server, E-mail 2014-02-11 2010-01-01 2013-11-30 University of Pennsylvania Health System PA RevSpring, Inc. 
3000 Other Paper 2014-02-11 2013-11-26 North Carolina Department of Health and Human Services NC 48752 Unauthorized Access/Disclosure Other 2014-02-11 2013-12-30 101 FAMILY MEDICAL GROUP CA Phreesia, Inc 2500 Theft Laptop 2014-02-11 2013-11-23 Tri Lakes Medical Center MS 1489 Hacking/IT Incident Network Server 2014-02-11 2013-09-20 VA Dept. of Medical Assistance Services VA Virginia Premier Health Plan (VPHP) 25513 Unauthorized Access/Disclosure, Other Paper 2014-02-11 2013-11-15 Cook County Health & Hospitals System IL 22511 Other E-mail 2014-02-11 2013-11-12 Southwest General Health Center OH 953 Unknown Other 2014-05-30 2013-04-13 2013-10-31 Robert B. Neves, M.D., Inc CA 611 Theft Laptop 2014-01-24 2011-05-08 Triple-S Salud, Inc. PR Triple-C, Inc. 398000 Theft Network Server 2014-02-18 2010-09-09 Triple-S Salud, Inc. PR Triple-C, Inc. 8000 Theft, Unauthorized Access/Disclosure Network Server 2014-01-24 2008-10-03 Urology Centers of Alabama PC and Urology Health Foundation AL Birmingham Printing and Publishing, Inc dba Paper Airplane 1085 Other Other 2014-06-03 2013-08-22 Medical Mutual of Ohio OH 1420 Unauthorized Access/Disclosure Paper 2014-06-13 2013-10-16 Unity Health Plans Insurance Corporation WI University of Wisconsin-Madison School of Pharmacy 41437 Loss Other Portable Electronic Device 2014-02-21 2013-12-12 The University of Texas MD Anderson Cancer Center TX 3598 Loss Other Portable Electronic Device 2014-02-11 2013-12-02 Beebe Medical Center DE 1883 Other Laptop 2014-02-21 2013-09-02 St. Joseph Health System TX 405000 Hacking/IT Incident Network Server 2014-02-11 2013-12-16 Min Yi, M.D. CA 4676 Theft Other Portable Electronic Device 2014-02-21 2013-05-28 Easter Seal Society of Superior California CA 3026 Theft Laptop 2014-02-21 2013-12-10 PruittHealth Pharmacy Services GA 841 Theft Laptop 2014-02-25 2013-12-06 RGH Enterprises, Inc. 
OH 4230 Theft Network Server 2014-06-24 Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website. The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised 2013-03-09 2013-03-11 Network Pharmacy Knoxville TN 9602 Theft Laptop 2014-02-11 2013-11-18 Saint Francis Hospital and Medical Center CT 858 Theft Paper 2014-03-24 2013-12-27 Health Dimensions MI 5370 Theft Network Server 2014-02-11 2013-11-02 COMPLETE MEDICAL HOMECARE KS 1700 Unauthorized Access/Disclosure Other Portable Electronic Device 2014-02-11 2013-12-12 Hospital for Special Surgery NY 937 Theft Desktop Computer, Paper 2014-02-26 2013-03-19 The Brooklyn Hospital Center NY 2172 Loss Other Portable Electronic Device 2014-02-24 2013-12-02 Kmart Corporation IL 16446 Theft Other, Electronic Medical Record 2014-03-24 2014-01-04 WA State Department of Social & Health Services WA 3104 Unauthorized Access/Disclosure, Other Paper 2014-04-21 2013-08-19 Lewis J. Sims, DPM, PC dba Sims and Associates Podiatry NY 6475 Theft, Other Laptop 2014-04-21 2014-01-10 University of Miami FL 13074 Loss Paper 2014-04-21 2013-06-27 Supportive Concepts for Families, Inc. PA 593 Unauthorized Access/Disclosure Network Server 2014-02-24 2013-02-06 Health Care Solutions at Home Inc. OH 1139 Other Other 2014-03-12 2013-12-17 University of California Davis Medical Center CA 2269 Hacking/IT Incident E-mail 2014-04-21 2013-12-13 St. 
Vincent Hospital and Healthcare, Inc IN 1142 Theft Laptop 2014-03-12 2013-12-23 Missouri Consolidated Health Care Plan MO StayWell Health Management, LLC 10024 Unauthorized Access/Disclosure Network Server 2014-03-12 2012-03-23 The Clorox Company Group Insurance Plan CA StayWell Health Management, LLC 520 Unauthorized Access/Disclosure Network Server 2014-03-12 2012-04-16 Regents of the University of Minnesota MN StayWell Health Management, LLC 4786 Unauthorized Access/Disclosure Network Server 2014-03-24 2012-03-29 Inspira Health Network Inc. NJ 1411 Theft Desktop Computer 2014-03-12 2013-12-23 Nissan North America, Inc. TN StayWell Health Management, LLC 1511 Unauthorized Access/Disclosure Network Server 2014-03-12 2012-05-08 Care Advantage, Inc. VA 3458 Theft Laptop 2014-03-24 2013-01-01 HealthSource of Ohio Inc. OH Pair Networks Inc. 8845 Unauthorized Access/Disclosure, Other Other 2014-03-12 2013-11-18 The Kroger Co., for itself and its affiliates and subsidiaries OH 504 Other Electronic Medical Record 2014-04-21 2013-10-30 Cornerstone Health Care, PA NC 548 Theft, Loss Laptop 2014-03-12 2013-12-31 Joseph Michael Benson M.D TX 7500 Theft Desktop Computer 2014-03-24 2014-01-05 All for Kids Pediatric Clinic AR Data Media 600 Other Other 2014-03-24 2013-12-27 Eureka Internal Medicine CA 3534 Improper Disposal Paper 2014-03-24 2013-09-25 Brazos Valley Pathology TX St. Joseph Health System 3300 Hacking/IT Incident Network Server 2014-06-24 2013-12-16 Banner Health AZ 55207 Other Other 2014-03-24 2014-02-21 Monarch Women's Health AL PracMan, Inc. 1145 Hacking/IT Incident Network Server 2014-06-02 2013-08-22 Punuru J.M. Reddy, MD, Inc. AL PracMan, Inc. 1179 Hacking/IT Incident Network Server 2014-03-25 2013-08-22 Iowa Dept. of Human Services IA 2042 Other Laptop, E-mail, Other Portable Electronic Device 2014-04-21 2008-12-01 City of Hope CA Sutherland Healthcare Solutions, Inc. 
5400 Theft Desktop Computer, E-mail 2014-03-25 2014-02-05 Mission City Community Network CA 7800 Theft E-mail 2014-04-21 2013-05-31 Partners In Nephrology & Endocrinology, P.C. PA 5000 Other Other 2014-03-24 2013-11-13 University of California, San Francisco CA 9861 Theft Desktop Computer 2014-03-31 2014-01-11 Detroit Medical Center - Harper University Hospital MI 1087 Theft, Unauthorized Access/Disclosure Paper 2014-05-06 2012-09-07 Todd M. Burton, M.D. TX 5000 Theft Other 2014-03-24 2014-01-13 Valley View Hospital Association CO 5415 Other Laptop, Desktop Computer 2014-04-21 2013-09-11 Hospitalists of Arizona AZ 1706 Theft Laptop 2014-03-24 2013-12-31 McBroom Clinic, PA TX TMA Practice Management Group 2260 Loss, Improper Disposal Other Portable Electronic Device 2014-04-21 2014-01-09 QBE Holdings, Inc. NY StayWell Health Management, LLC 1746 Unauthorized Access/Disclosure Network Server 2014-04-21 2012-05-09 Berea College KY 1000 Other Electronic Medical Record 2014-04-21 2012-01-24 HealthPartners, Inc. MN 27839 Loss, Unauthorized Access/Disclosure Laptop, Desktop Computer, Other Portable Electronic Device 2014-06-20 2008-01-07 Group Health Plan, Inc. Medical Benefit Plan MN HealthPartners Administrators, Inc. 796 Loss, Unauthorized Access/Disclosure Laptop, Desktop Computer, Other Portable Electronic Device 2014-04-21 2008-01-07 State Employee Group Insurance Plan MN HealthPartners Administrators, Inc. 1699 Loss, Unauthorized Access/Disclosure Laptop, Desktop Computer, Other Portable Electronic Device 2014-04-21 2008-01-07 University of Minnesota Employee Benefits MN HealthPartners Administrators, Inc. 
715 Loss, Unauthorized Access/Disclosure Laptop, Desktop Computer, Other Portable Electronic Device 2014-04-21 2008-01-07 San Francisco General Hospital & Trauma Center CA Sutherland Healthcare Solutions 55900 Theft Desktop Computer 2014-05-30 2014-02-05 University of Kentucky UK HealthCare KY Talyst 1079 Theft Laptop 2014-04-21 2014-02-04 Yellowstone Boys and Girls Ranch MT 543 Theft Paper 2014-06-24 2013-07-11 Orlando Health, Inc. FL 586 Loss Other Portable Electronic Device 2014-04-21 2014-01-28 NOVA Chiropractic & Rehab Center VA 5534 Loss, Other Other Portable Electronic Device 2014-04-21 2014-01-30 Susquehanna Health PA 657 Unauthorized Access/Disclosure E-mail 2014-04-21 2013-12-05 Jewish Hospital KY 2992 Other E-mail 2014-04-21 2014-01-15 Franciscan Medical Group WA 8300 Other E-mail 2014-04-21 2014-01-15 Palomar Health CA 5499 Theft Other Portable Electronic Device 2014-04-21 2014-02-21 Myriad Genetic Laboratories, Inc. UT 643 Unauthorized Access/Disclosure E-mail 2014-06-03 2013-03-06 Medical Center of Plano TX RelayHealth, a division of McKesson 1000 Unauthorized Access/Disclosure Other 2014-06-03 2013-12-10 Florida Healthy Kids Corporation FL Policy Studies, Inc. / Postal Center International, Inc. 580 Unauthorized Access/Disclosure Paper 2014-04-21 2013-11-13 Midwest Orthopaedics at Rush, LLC IL 1256 Hacking/IT Incident E-mail 2014-04-21 2014-02-10 Texas Health and Human Services Commission TX EveryChild, Inc. 2934 Theft Laptop, Desktop Computer, Other Portable Electronic Device 2014-04-21 2014-02-02 Kaiser Permanente Northern CA Department of Research CA 5178 Hacking/IT Incident Network Server 2014-06-02 2011-10-18 Triple-S Salud PR 5795 Theft Other 2014-06-24 2013-01-01 American Health Inc. PR 17776 Theft Other 2014-06-27 2013-01-01 State Long Term Care Ombudsman's Office, Michigan Department of Community Health MI 2595 Theft Other Portable Electronic Device 2014-04-21 2014-01-30 County of Los Angeles CA Sutherland Healthcare Solutions, Inc. 
338700 Theft Desktop Computer, E-mail 2014-04-21 2014-02-05 Presence St. Joseph's Medical Center IL 836 Other Paper 2014-06-03 2013-10-22 Clinical Reference Laboratory, Inc. KS 979 Loss Paper 2014-04-21 2014-02-06 Various Health Plans CT Cigna 527 Loss Paper 2014-06-27 2014-03-05 Amerigroup Texas, Inc. VA Amerigroup Texas, Inc. 75026 Theft Paper 2014-05-13 2012-04-01 BLUE CROSS AND BLUE SHIELD OF KANSAS CITY MO 2546 Unauthorized Access/Disclosure Other 2014-04-21 2013-08-16 University Urology, P.C. TN 1144 Unauthorized Access/Disclosure Paper 2014-05-13 2013-03-07 Healthy Connections, Inc CA 793 Loss Other Portable Electronic Device 2014-06-03 2014-03-25 Administracion de Seguros de Salud PR American Health Medicare 46473 Theft Other Portable Electronic Device 2014-06-03 2013-05-08 Greenwood Leflore Hospital MS 3750 Theft Other 2014-05-09 2014-02-23 Maryland Developmental Disabilities Administration MD Service Coordination, Inc. 10766 Unauthorized Access/Disclosure, Hacking/IT Incident Network Server 2014-06-11 2013-11-27 Los Robles Hospital and Medical Center CA Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc. 2523 Theft, Unauthorized Access/Disclosure Paper 2014-05-09 2014-02-14 Shaker Clinic OH 617 Loss Paper 2014-05-27 2014-02-18 VGM Homelink IA Tri State Adjustments 1400 Other Other 2014-05-27 2014-02-28 Larsen Dental Care LLC ID 6900 Theft Other Portable Electronic Device 2014-05-27 2014-03-04 The Union Labor Life Insurance Company MD 46771 Theft Laptop 2014-05-27 2014-02-17 Coordinated Health PA 733 Theft Laptop 2014-05-29 2014-02-21 CENTURA HEALTH CO 12286 Hacking/IT Incident E-mail 2014-05-29 2014-02-11 Ladies First Choice, Inc. FL 2365 Theft, Unauthorized Access/Disclosure Laptop 2014-05-29 2013-01-01 Tufts Associated Health Maintenance Organization, Inc. 
and Tufts Insurance Company MA 8830 Theft Other 2014-05-09 2014-04-10 Developmental Disabilities Administration MD Inclusion Research Institute 2200 Unauthorized Access/Disclosure Paper 2014-05-29 2014-03-03 Willis North America Inc. Medical Expense Benefit Plan NY 4830 Unauthorized Access/Disclosure E-mail 2014-05-29 2014-03-19 Sorenson Communications/CaptionCall Group Health Plan UT Sorenson Communications 9800 Hacking/IT Incident Network Server 2014-05-27 2014-02-20 Baylor Medical Center at McKinney TX 1253 Hacking/IT Incident E-mail 2014-05-09 2014-01-23 Baylor Medical Center at Irving TX 2308 Hacking/IT Incident E-mail 2014-05-09 2014-01-23 Baylor Regional Medical Center at Plano TX 1981 Hacking/IT Incident E-mail 2014-05-07 2014-01-23 HealthTexas Provider Network TX 2742 Hacking/IT Incident E-mail 2014-05-07 2014-01-23 DeKalb Health IN Ferguson Advertising, Inc. 1361 Hacking/IT Incident Network Server 2014-05-27 2014-02-09 Iowa Medicaid Enterprise IA 862 Unauthorized Access/Disclosure Paper 2014-05-29 2014-02-26 Flowers Hospital AL 629 Theft Paper 2014-06-20 2013-06-03 Reading Health System PA 1845 Loss Paper 2014-05-27 2012-03-02 City of Cincinnati OH OptumRx 5696 Other Paper 2014-05-07 2014-04-04 UMass Memorial Medical Center MA 2387 Unauthorized Access/Disclosure Electronic Medical Record, Paper 2014-05-27 2002-05-06 The City of Henderson KY KEYSTONE INSURERS GROUP 1008 Other E-mail 2014-05-27 2012-06-27 Options Counseling Center NJ 2828 Theft, Unauthorized Access/Disclosure Paper 2014-06-18 2011-05-01 Molina Healthcare of California Partner Plan, Inc. CA Creel Printing 4744 Other Paper 2014-05-27 2014-03-18 Howard L. Weinstein D.P.M. TX 1000 Theft Laptop 2014-05-27 2014-03-13 Bio-Reference Laboratories, Inc. NJ Xand Corporation 1749 Other Network Server 2014-06-18 2014-02-02 American Health Inc. 
PR 11531 Unauthorized Access/Disclosure Paper 2014-06-18 2013-09-20 Central City Concern OR 17914 Unauthorized Access/Disclosure Other 2014-06-18 2010-03-23 Blue Cross Blue Shield of Michigan/Blue Care Network MI Bloom Health 502 Unauthorized Access/Disclosure, Hacking/IT Incident E-mail 2014-06-18 2014-02-15 Elliot Health System NH 1208 Theft Desktop Computer 2014-06-18 2014-03-26 Humana Inc [case #15381] KY 2962 Theft Other Portable Electronic Device 2014-06-18 2014-04-02 Jamaica Hospital Medical Center NY 26162 Unauthorized Access/Disclosure Desktop Computer 2014-06-18 2011-08-01 Bay Park Hospital OH 594 Unauthorized Access/Disclosure Network Server, Electronic Medical Record 2014-06-18 2013-04-01 Triple-S Salud PR 56853 Unauthorized Access/Disclosure Paper 2014-06-18 2013-09-20 Aetna Life Insurance Company CT NFP Maschino, Hudelson & Associates 3814 Theft Laptop 2014-06-18 2014-04-02 Salina Health Education Foundation dba Salina Family Healthcare Center KS 9640 Unauthorized Access/Disclosure E-mail 2014-06-20 2014-04-08 Highmark Inc. PA 2589 Loss, Unauthorized Access/Disclosure Paper 2014-06-27 2014-04-19 Mark A. Gillispie CA 5845 Theft Desktop Computer 2014-06-27 2013-11-20 Penn State Milton S Hershey Medical Center PA 1801 Other E-mail, Other Portable Electronic Device 2014-06-27 2013-09-13 Walgreen Co. IL 540 Theft Desktop Computer, Paper 2014-06-20 2014-03-03 St. Francis Hospital GA 1175 Other E-mail 2014-06-18 2014-05-30 Puerto Rico Health Insurance PR American Health Inc 28413 Theft Other 2014-06-27 2013-09-20 Hospitalists of Brandon, LLC FL Doctors First Choice Billings, Inc. 1831 Hacking/IT Incident Other 2014-06-27 2014-02-11 Santa Rosa Memorial Hospital CA 33702 Theft, Loss Other Portable Electronic Device 2014-06-27 2014-06-02 Group Health Plan of Hurley Medical Center MI 2289 Unauthorized Access/Disclosure E-mail 2014-06-27 2014-05-13 Abrham Tekola, M.D.,INC CA 5471 Theft Desktop Computer 2014-06-27 2014-05-27