When HITECH was passed as part of the stimulus bill, it introduced new data breach notification requirements, including a requirement that breaches of unsecured personal health information held by covered entities or their business associates affecting more than 500 individuals be reported to the U.S. Department of Health & Human Services.
The requirement was somewhat watered down in the final regulations, which introduced a harm threshold for reporting, and it seems that HHS has decided that its obligation is to provide a summary of the reports filed by entities instead of uploading the actual reporting forms. Even so, the web site for such reports is now displaying summary reports received by HHS since September 23, 2009.
Many of the incidents reported have never been revealed in the media even though affected individuals may have been notified: 24 of the 36 reports below were never previously reported on this site or DataBreaches.net.
It is not clear why HHS is seemingly shielding the names of private practitioners. If the whole purpose of this provision of the HITECH Act was to inform the public, shielding the names of doctors does not further that goal.
In the following list, breaches indicated by asterisks have not been reported in the media or included on this site previously.
The Methodist Hospital
State: Texas
Approx. # of Individuals Affected: 689
Date of Breach: 1/18/10
Type of Breach: Theft
Location of Breached Information: Computer
Carle Clinic Association
State: Illinois
Approx. # of Individuals Affected: 1,300
Date of Breach: 1/13/10
Type of Breach: Theft
Location of Breached Information: Paper Records and Films
** Ashley and Gray DDS
State: Missouri
Approx. # of Individuals Affected: 9,309
Date of Breach: 1/10/10
Type of Breach: Theft
Location of Breached Information: Desktop Computer
** Educators Mutual Insurance Association of Utah
State: Utah
Business Associate Involved: Health Behavior Innovations
Approx. # of Individuals Affected: 5,700
Date of Breach: 12/27/09
Type of Breach: Theft
Location of Breached Information: CDs
Goodwill Industries of Greater Grand Rapids, Inc.
State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 12/15/09
Type of Breach: Theft
Location of Breached Information: Backup Tapes
** Private Practice Daniel J. Sigman MD, PC
City and State: Stoughton, MA
Approx. # of Individuals Affected: 1,860
Date of Breach: 12/11/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device/Electronic Medical Record
AvMed, Inc.
State: Florida
Approx. # of Individuals Affected: 359,000
Date of Breach: 12/10/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Blue Island Radiology Consultants
State: Illinois
Business Associate Involved: United Micro Data
Approx. # of Individuals Affected: 2,562
Date of Breach: 12/09/09
Type of Breach: Loss
Location of Breached Information: Backup Tapes
** Private Practice Keith W. Mann, DDS, PLLC
City and State: Wilmington, NC
Business Associate Involved: Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected: 2,000
Date of Breach: 12/08/09
Type of Breach: Hacking/IT Incident
Location of Breached Information: Computer/Network Server/Electronic Medical Record
Kaiser Permanente Medical Care Program
State: California
Approx. # of Individuals Affected: 15,500
Date of Breach: 12/01/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device
University of California, San Francisco
State: California
Approx. # of Individuals Affected: 7,300
Date of Breach: 11/30/09
Type of Breach: Theft
Location of Breached Information: Laptop
Detroit Department of Health and Wellness Promotion
State: Michigan
Approx. # of Individuals Affected: 646
Date of Breach: 11/26/09
Type of Breach: Theft
Location of Breached Information: Laptop, Desktop Computer
** Advocate Health Care
State: Illinois
Approx. # of Individuals Affected: 812
Date of Breach: 11/24/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Concentra
State: Texas
Approx. # of Individuals Affected: 900
Date of Breach: 11/19/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Children’s Medical Center of Dallas
State: Texas
Approx. # of Individuals Affected: 3,800
Date of Breach: 11/19/09
Type of Breach: Loss
Location of Breached Information: Portable Electronic Device
Universal American, Inc.
State: New York
Business Associate Involved: Democracy Data & Communications, LLC
Approx. # of Individuals Affected: 83,000
Date of Breach: 11/12/09
Type of Breach: Incorrect Mailing
Location of Breached Information: Postcards
Massachusetts Eye and Ear Infirmary
State: Massachusetts
Approx. # of Individuals Affected: 1,076
Date of Breach: 11/10/09
Type of Breach: Theft
Location of Breached Information: Other
Kern Medical Center
State: California
Approx. # of Individuals Affected: 596
Date of Breach: 10/31/09
Type of Breach: Theft
Location of Breached Information: Paper Records
** Blue Cross Blue Shield Association
State: District of Columbia
Business Associate Involved: Service Benefits Plan Administrative Services Corp.
Approx. # of Individuals Affected: 3,400
Date of Breach: 10/26/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings
Detroit Department of Health and Wellness Promotion
State: Michigan
Approx. # of Individuals Affected: 10,000
Date of Breach: 10/22/09
Type of Breach: Theft
Location of Breached Information: Portable Electronic Device
The Children’s Hospital of Philadelphia
State: Pennsylvania
Approx. # of Individuals Affected: 943
Date of Breach: 10/20/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Public Employee Health Insurance Plan (Kentucky Employees’ Health Plan)
State: Kentucky
Approx. # of Individuals Affected: 676
Date of Breach: 10/20/09
Type of Breach: Misdirected E-mail
Location of Breached Information: E-mail
** Brooke Army Medical Center
State: Texas
Approx. # of Individuals Affected: 1,000
Date of Breach: 10/16/09
Type of Breach: Theft
Location of Breached Information: Paper Records
** Alaska Department of Health and Social Services
State: Alaska
Approx. # of Individuals Affected: 501
Date of Breach: 10/12/09
Type of Breach: Theft
Location of Breached Information: Portable USB Device
** Cogent Healthcare of Wisconsin, S.C.
State: Tennessee
Business Associate Involved: Cogent Healthcare, Inc.
Approx. # of Individuals Affected: 6,400
Date of Breach: 10/11/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Health Services for Children with Special Needs, Inc.
State: District of Columbia
Approx. # of Individuals Affected: 3,800
Date of Breach: 10/09/09
Type of Breach: Loss
Location of Breached Information: Laptop
** Blue Cross Blue Shield Association
State: District of Columbia
Business Associate Involved: Merkle Direct Marketing
Approx. # of Individuals Affected: 15,000
Date of Breach: 10/07/09
Type of Breach: Unauthorized Access
Location of Breached Information: Mailings
Blue Cross Blue Shield of Tennessee
State: Tennessee
Approx. # of Individuals Affected: 500,000
Date of Breach: 10/02/09
Type of Breach: Theft
Location of Breached Information: Hard Drives
** City of Hope National Medical Center
State: California
Approx. # of Individuals Affected: 5,900
Date of Breach: 9/27/09
Type of Breach: Theft
Location of Breached Information: Laptop
** Private Practice Michele Del Vicario, MD
City and State: Torrance, CA
Approx. # of Individuals Affected: 6,145
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
** Private Practice Mark D. Lurie, MD
City and State: Torrance, CA
Approx. # of Individuals Affected: 5,166
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
** Private Practice L. Douglas Carlson, M.D.
City and State: Torrance, CA
Approx. # of Individuals Affected: 5,257
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
** Private Practice David I. Cohen, MD
City and State: Torrance, CA
Approx. # of Individuals Affected: 857
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
HHS’s web site was updated to add name and details of incident:
A shared desktop computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The desktop computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor’s private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
** Private Practice Joseph F. Lopez, MD
City and State: Torrance, CA
Approx. # of Individuals Affected: 952
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
** University of California, San Francisco
State: California
Approx. # of Individuals Affected: 610
Date of Breach: 9/22/09
Type of Breach: Phishing Scam
Location of Breached Information: Email
** Mid America Kidney Stone Association, LLC
State: Missouri
Approx. # of Individuals Affected: 1,000
Date of Breach: 9/22/09
Type of Breach: Theft
Location of Breached Information: Network Server
[corrected to reflect that Universal American was previously known, although we didn’t know that PHI was involved. It seems that the numbers were Medicare Identification Numbers, not necessarily SSN as reported in the media.]
Updated 1-29-11 to add names
Here’s some additional statistics on what was published:
http://www.waynerino.com/wordpress/2010/02/statistics-hhs-hitech-breache/
Thanks! Much appreciated.