DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

FEATURED: HHS starts to reveal healthcare breaches reported to government (updated)

Posted on February 23, 2010 by Dissent

When HITECH was passed as part of the stimulus bill, it introduced new data breach notification requirements, including a requirement that breaches of unsecured personal health information held by covered entities or their business associates affecting more than 500 individuals be reported to the U.S. Department of Health & Human Services.

The requirement was somewhat watered down in the final regulations that introduced a harm threshold for reporting, and it seems that HHS has decided that its obligation is to provide a summary of the reports filed by entities instead of uploading the actual reporting forms, but the web site for such reports is now displaying summary reports received by HHS since September 23, 2009.

Many of the incidents reported have never been revealed in the media even though affected individuals may have been notified:  24 of the 36 reports below were never previously reported on this site or DataBreaches.net.

It is not clear why HHS is seemingly shielding the name of private practitioners as if the whole purpose of this provision of the HITECH Act was to inform the public, shielding the names of doctors does not further that goal.

In the following list, breaches indicated by  asterisks have not been reported in the media or included on this site previously.

The Methodist Hospital

State: Texas
Approx. # of Individuals Affected: 689
Date of Breach: 1/18/10
Type of Breach: Theft
Location of Breached Information: Computer

Carle Clinic Association

State: Illinois
Approx. # of Individuals Affected: 1,300
Date of Breach: 1/13/10
Type of Breach: Theft
Location of Breached Information: Paper Records and Films

** Ashley and Gray DDS

State: Missouri
Approx. # of Individuals Affected: 9,309
Date of Breach: 1/10/10
Type of Breach: Theft
Location of Breached Information: Desktop Computer

** Educators Mutual Insurance Association of Utah

State: Utah
Business Associate Involved: Health Behavior Innovations
Approx. # of Individuals Affected: 5,700
Date of Breach: 12/27/09
Type of Breach: Theft
Location of Breached Information: CDs

Goodwill Industries of Greater Grand Rapids, Inc.

State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 12/15/09
Type of Breach: Theft
Location of Breached Information: Backup Tapes

** Private Practice Daniel J. Sigman MD, PC

City and State: Stoughton, MA
Approx. # of Individuals Affected: 1,860
Date of Breach: 12/11/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device/Electronic Medical Record

AvMed, Inc.

State: Florida
Approx. # of Individuals Affected: 359,000
Date of Breach: 12/10/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Blue Island Radiology Consultants

State: Illinois
Business Associate Involved: United Micro Data
Approx. # of Individuals Affected: 2,562
Date of Breach: 12/09/09
Type of Breach: Loss
Location of Breached Information: Backup Tapes

** Private Practice Keith W. Mann, DDS, PLLC

City and State: Wilmington, NC
Business Associate Involved: Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected: 2,000
Date of Breach: 12/08/09
Type of Breach: Hacking/IT Incident
Location of Breached Information: Computer/Network Server/Electronic Medical Record

Kaiser Permanente Medical Care Program

State: California
Approx. # of Individuals Affected: 15,500
Date of Breach: 12/01/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

University of California, San Francisco

State: California
Approx. # of Individuals Affected: 7,300
Date of Breach: 11/30/09
Type of Breach: Theft
Location of Breached Information: Laptop

Detroit Department of Health and Wellness Promotion

State: Michigan
Approx. # of Individuals Affected: 646
Date of Breach: 11/26/09
Type of Breach: Theft
Location of Breached Information: Laptop, Desktop Computer

** Advocate Health Care

State: Illinois
Approx. # of Individuals Affected: 812
Date of Breach: 11/24/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Concentra

State: Texas
Approx. # of Individuals Affected: 900
Date of Breach: 11/19/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Children’s Medical Center of Dallas

State: Texas
Approx. # of Individuals Affected: 3,800
Date of Breach: 11/19/09
Type of Breach: Loss
Location of Breached Information: Portable Electronic Device

Universal American, Inc.

State: New York
Business Associate Involved: Democracy Data & Communications, LLC
Approx. # of Individuals Affected: 83,000
Date of Breach: 11/12/09
Type of Breach: Incorrect Mailing
Location of Breached Information: Postcards

Massachusetts Eye and Ear Infirmary

State: Massachusetts
Approx. # of Individuals Affected: 1,076
Date of Breach: 11/10/09
Type of Breach: Theft
Location of Breached Information: Other

Kern Medical Center

State: California
Approx. # of Individuals Affected: 596
Date of Breach: 10/31/09
Type of Breach: Theft
Location of Breached Information: Paper Records

** Blue Cross Blue Shield Association

State: District of Columbia
Business Associate Involved: Service Benefits Plan Administrative Services Corp.
Approx. # of Individuals Affected: 3,400
Date of Breach: 10/26/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings

Detroit Department of Health and Wellness Promotion

State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 10/22/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device

The Children’s Hospital of Philadelphia

State: Pennsylvania
Approx. # of Individuals Affected: 943
Date of Breach: 10/20/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Public Employee Health Insurance Plan (Kentucky Employees’ Health Plan)

State: Kentucky
Approx. # of Individuals Affected: 676
Date of Breach: 10/20/09
Type of Breach: Misdirected E-mail
Location of Breached Information: E-mail

** Brooke Army Medical Center

State: Texas
Approx. # of Individuals Affected: 1,000
Date of Breach: 10/16/09
Type of Breach: Theft
Location of Breached Information: Paper Records

** Alaska Department of Health and Social Services

State: Alaska
Approx. # of Individuals Affected: 501
Date of Breach: 10/12/09
Type of Breach: Theft
Location of Breached Information: Portable USB Device

** Cogent Healthcare of Wisconsin, S.C.

State: Tennessee
Business Associate Involved: Cogent Healthcare, Inc.
Approx. # of Individuals Affected: 6,400
Date of Breach: 10/11/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Health Services for Children with Special Needs, Inc.

State: District of Columbia
Approx. # of Individuals Affected: 3,800
Date of Breach: 10/09/09
Type of Breach: Loss
Location of Breached Information: Laptop

** Blue Cross Blue Shield Association

State: District of Columbia
Business Associate Involved: Merkle Direct Marketing
Approx. # of Individuals Affected: 15,000
Date of Breach: 10/07/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings

Blue Cross Blue Shield of Tennessee

State: Tennessee
Approx. # of Individuals Affected: 500,000
Date of Breach: 10/02/09
Type of Breach: Theft
Location of Breached Information: Hard Drives

** City of Hope National Medical Center

State: California
Approx. # of Individuals Affected: 5,900
Date of Breach: 9/27/09
Type of Breach: Theft
Location of Breached Information: Laptop

** Private Practice Michele Del Vicario, MD

City and State: Torrance, CA
Approx. # of Individuals Affected: 6,145
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice Mark D. Lurie, MD

City and State: Torrance, CA
Approx. # of Individuals Affected: 5,166
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice L. Douglas Carlson, M.D.

City and State: Torrance, CA
Approx. # of Individuals Affected: 5,257
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** Private Practice David I. Cohen, MD

City and State: Torrance, CA
Approx. # of Individuals Affected: 857
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

HHS’s web site was updated to add name and details of incident:

A shared desktop computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar.  The desktop computer contained certain electronic protected health information (ePHI) of 857 patients.  The ePHI involved in the breach included names, dates of birth, and clinical information.  Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor�s private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.

** Private Practice Joseph F. Lopez, MD

City and State: Torrance, CA
Approx. # of Individuals Affected: 952
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer

** University of California, San Francisco

State: California
Approx. # of Individuals Affected: 610
Date of Breach: 9/22/09
Type of Breach: Phishing Scam
Location of Breached Information: Email

** Mid America Kidney Stone Association, LLC

State: Missouri
Approx. # of Individuals Affected: 1,000
Date of Breach: 9/22/09
Type of Breach: Theft
Location of Breached Information: Network Server

[corrected to reflect that Universal American was previously known, although we didn’t know that PHI was involved. It seems that the numbers were Medicare Identification Numbers, not necessarily SSN as reported in the media.]

Updated 1-29-11 to add names

Category: Uncategorized

Post navigation

← Nine Georgia defendents sentenced to prison for ID theft
Ca: Health records held for fee after doctor quits →

2 thoughts on “FEATURED: HHS starts to reveal healthcare breaches reported to government (updated)”

  1. Anonymous says:
    February 23, 2010 at 11:06 am

    Here’s some additional statistics on what was published:

    http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/

    1. Anonymous says:
      February 23, 2010 at 11:41 am

      Thanks! Much appreciated.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.