ABCDEFGHI
1
Utah Department of HealthUT78000003/10/2012-04/02/2012Hacking/IT IncidentNetwork Server5/10/2012
2
Seacoast Radiology, PANH23140011/12/2010Hacking/IT IncidentNetwork Server
3
Ankle & foot Center of Tampa Bay, Inc.FL15600011/10/2010Hacking/IT IncidentNetwork Server
4
WellPoint, Inc.IN3170011/3/2009Hacking/IT IncidentNetwork Server8/6/2010
5
The University of Texas at ArlingtonTX270002/19/2010Hacking/IT IncidentNetwork Server8/4/2010A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards.
6
University of Oklahoma-Tulsa, Neurology ClinicOK192647/25/2010Hacking/IT IncidentComputer10/1/2010
7
Green River District Health DepartmentKY188711/12/2011Hacking/IT IncidentNetwork Server
8
Community Action Partnership of Natrona CountyWY150002/23/2011Hacking/IT IncidentComputer
9
SW Seattle Orthopaedic and Sports MedicineWA94939/4/2010Hacking/IT IncidentNetwork Server10/28/2010A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR’s investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting.
10
New York Presbyterian Hospital and Columbia University Medical CenterNY68007/1/2010Hacking/IT IncidentNetwork Server10/1/2010
11
Rhinebeck Health Center/Center for Progressive MedicineNY674511/15/2011-12/14/2011Hacking/IT IncidentDesktop Computer, Network Server5/10/2012
12
Keith & Fisher, DDS, PANC60002/16/2011Hacking/IT IncidentNetwork Server
13
State of South Carolina Budge and Control Board Employee Insurance Program (EIP)SC559611/18/2010Hacking/IT IncidentComputer
14
Metro Community Provider NetworkCO320012/5/2011Hacking/IT IncidentEmail3/19/2012
15
NEA Baptist ClinicAR31167/12/2011Hacking/IT IncidentNetwork Server
16
University of Wisconsin OshkoshWI30007/18/2011Hacking/IT IncidentDesktop Computer,
17
UNCG Speech and Hearing CenterNC23006/10/2010Hacking/IT IncidentComputer8/20/2010
18
Beth Israel Deaconess Medical CenterMA20214/17/2011Hacking/IT IncidentNetwork Server
19
Keith W. Mann, DDS, PLLCNC200012/8/2009Hacking/IT IncidentComputer, Network Server, Electronic Medical Record2/22/2010
20
University of New Mexico Health Sciences CenterNM18982/8/2010Hacking/IT IncidentComputer3/9/2010Malware compromised two workstation hard drives. The compromise affected 1898 individuals. The protected health information involved in the breach included patient names, dates of birth, medical record numbers, names of the patients’ health plans and type of health services provided for the patients. Following the discovery of the breach, the CE removed and replaced the affected computers and audited workstations to ensure PHI was not stored on hard drives in violation of policy. Additionally, the CE notified the affected individuals and local media and retrained staff.
21
St. Vincent Hospital - IndianapolisIN184811/15/2010Hacking/IT IncidentNetwork Server/Email
22
Gary C. Spinks, DMD, PCMD10009/29/2010Hacking/IT IncidentComputer, Network Server1/4/2011
23
Saint Louis UniversityMO80012/11/2010Hacking/IT IncidentComputer
24
Goshen Health System, Inc.IN66012/22/2011Hacking/IT IncidentOther3/19/2012
25
University of California, San FranciscoCA6109/22/2009Hacking/IT IncidentE-mail2/22/2010
26
Adult & Child Care CenterIN5505/10/2012Hacking/IT IncidentOther7/27/2012
27
Ashley Industrial Molding, Inc. Employee Welfare Benefit PlanIN5068/9/2011Hacking/IT IncidentNetwork Server
28
Lebanon Internal Medicine AssociatesPA550009/10/2011Improper DisposalNetwork Server12/8/2011
29
Holyoke Medical CenterMA247507/26/2010Improper DisposalPaper9/1/2010
30
Milford Regional Medical CenterMA197507/26/2010Improper DisposalPaper10/1/2010
31
Milton Pathology Associates, P.C.MA110007/26/2010Improper DisposalPaper10/5/2010
32
University of Tennessee Medical CenterTN82009/23/2009Improper DisposalPaper12/10/2010Following the breach, UTMC placed a shredding container in its Computer Services department to dispose of all paper documents with patient sensitive information. As a result of OCR’s investigation, UTMC reported taking the following corrective actions: UTMC provided OCR with a copy of its “Risk of Harm” analysis, which documented UTMC’s steps in determining whether a breach in unsecured PHI occurred as reported in its breach report; it provided OCR with a copy of its sanctions policy, and a description of the sanctions imposed against the Computer Services Operation Center Supervisor, which included a cited violation of “failure to monitor work activity in area and appropriately supervise employees to ensure proper disposal of report containing PHI,” and the sanctions imposed were a written reprimand in the workforce member’s personnel file, and suspension for three (3) days without pay (OCR notes that UTMC applied the appropriate sanctions for this type of offense and/or violation); and UTMC implemented a corrective action plan to prevent future occurrences of the same nature..
33
VA Caribbean Healthcare SystemPR60063/30/2011Improper DisposalPaper
34
VA North Texas Health Care SystemTX40835/4/2010Improper DisposalPaper5/25/2010A binder and clipboard containing patients’ protected health information were missing from a file room. Approximately 4,083 individuals were affected. The protected health information involved in the breach included names, social security numbers, and dates of birth. Following the breach, the covered entity has eliminated all hard copy logs by transferring them to an electronic database. The electronic database is accessible by authorized workforce members only. Additionally, OCR’s investigation resulted in the covered entity improving their physical safeguards and retraining employees.
35
Iowa Department of Human ServicesIA300002/06/2012 - 03/14/2012Improper DisposalPaper6/8/2012
36
South Carolina Department of Health and Environmental ControlSC28502/17/2010Improper DisposalPaper5/4/2010The covered entity failed to adhere to its own policy to shred protected health information (PHI), and a third party found patient PHI in a paper recycling container behind the covered entity's building. The covered entity reported that approximately 2,850 individuals were affected. The PHI involved in the breach included names, addresses, dates of birth, Social Security numbers,payment information, and clinical information. Following the breach, the covered entity took several actions, including notifying affected individuals, revising and updating its policies for handling confidential information, educated staff, and terminated the courier that was responsible for taking the information to the recycling center. As a result of OCR’s investigation, the covered entity provided written assurance that it had revised its policies and procedures.
37
Aiken Community Based Outpatient ClinicSC27172/16/2011Improper DisposalPaper
38
NYU Hospital for Joint Diseases Inventory Management DepartmentNY26006/23/2011Improper DisposalPaper
39
Wright Patterson Air Force BaseOH21237/29/2010Improper DisposalPaper10/7/2010
40
Open MRI of ChicagoIL20009/6/2011Improper DisposalPaper1/10/2012
41
St. John's Mercy Medical GroupMO19076/6/2010Improper DisposalPaper8/20/2010Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements.
42
Medina County OB/GYN Associates, Inc.OH12006/13/2010Improper DisposalPaper7/29/2010
43
Imaging Center of GarlandTX10313/15/2011Improper DisposalOther (X-ray films)
44
Riverside Mercy Hospital and Ohio/Mercy DiagnosticsOH100011/15/2010Improper DisposalPaper1/4/2011
45
DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - CentralTX10002/16/2012Improper DisposalPaper5/10/2012
46
IU Medical GroupIN10004/11/2012Improper DisposalPaper6/8/2012
47
St. James Hospital and Health CentersIL9678/10/2010Improper DisposalPaper10/1/2010
48
Anderson Air Force Base GuamVA7005/13/2011Improper DisposalPaperThe protected health information for 700 individuals was mistakenly disposed of in a recycle bin and subsequently bundled, shredded. The information included patients' medical history, immunization records and appointment schedules. Despite evidence that there was no risk of disclosure the covered entity notified all affected individuals. All staff received retraining on safeguards of PHI and proper disposal of PHI.
49
VA Eastern Colorado Health Care SystemCO6491/19/2010Improper DisposalPaper5/17/2010
50
Knox Community HospitalOH50010/1/2010Improper DisposalOther (X-ray film)
51
TRICARE Management Activity (TMA)VA49014329/13/2011LossOther (Backup Tapes)11/4/2011
52
The Nemours FoundationFL10554898/10/2011LossOther (Backup Tapes)11/4/2011
53
South Shore HospitalMA8000002/26/2010LossOther Portable Electronic Device, Electronic Medical Record, Other7/21/2010
54
Lincoln Medical and Mental Health CenterNY1304953/24/2010LossOther6/29/2010
55
MidState Medical CenterCT935002/14/2011LossOther
56
Providence HospitalMI839452/4/2010LossOther4/15/2010
57
California Department of Healthcare ServicesCA298084/29/2010LossOther Portable Electronic Device7/12/2010
58
Pediatric and Adult Allergy, PCIA192227/11/2010LossOther Portable Electronic Device9/20/2010
59
Benefit Resources, Inc.SC1620011/22/2010LossOther Portable Electronic Device
60
University HospitalGA140005/7/2010LossOther7/12/2010
61
Walsh PharmacyMA114406/3/2010LossOther Portable Electronic Device8/18/2010
62
The Neighborhood Christian ClinicAZ95652/7/2012LossOther Portable Electronic Device5/10/2012
63
Concordia Plan Services (CPS)MO70593/17/2011LossOther11/18/2011
64
VHS Genesis Lab Inc.IL68001/10/2010LossPaper4/15/2010A month’s worth of client invoices went missing; evidence shows that the documents were never mailed, but despite a thorough search, the invoices were never located. The invoices contained the protected health information of over 500 individuals. The protected health information involved in the breach included names, dates of birth, and medical testing information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in the Chicago Tribune, arranged for a business associate to handle the mailing of invoices in the future, and provided OCR with documentation of these actions.
65
Idaho Power Group Health PlanID55003/29/2010LossOther8/20/2010Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer.
66
City of Charlotte Health PlanNC52202/3/2010LossOther6/3/2010
67
Baptist Memorial Hospital - HuntingdonTN480011/27/2010LossOther
68
St. Mary Medical CenterCA39005/7/2012LossOther Portable Electronic Device6/8/2012
69
Children's Medical Center of DallasTX380011/19/2009LossOther Portable Electronic Device2/22/2010
70
Health Services for Children with Special NeedsDC380010/9/2009LossLaptop2/22/2010A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training.
71
Saint Barnabas Medical CenterNJ36305/10/2010LossOther Portable Electronic Device9/10/2010
72
Cancer Care Northwest P.S.WA31001/7/2011LossPaper
73
Pamlico Medical Equipment LLCNC29175/16/2012LossOther Portable Electronic Device7/27/2012
74
Henry Ford HospitalMI27771/31/2011LossOther Portable Electronic Device
75
NYU Hospital CenterNY25635/8/2010LossOther Portable Electronic Device7/19/2010
76
Blue Island Radiology ConsultantsIL256212/9/2009LossOther (Backup Tapes)2/22/2010The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package. Approximately 2,000 individuals were affected by the breach. Individual demographic, financial and clinical information was included in the protected health information. The covered entity provided written notice and an apology to affected individuals, provided them with details of the incident, described ways for these individuals to protect themselves from identity theft and provided a toll-free telephone number for the individuals to call if they had additional questions. Following the breach, the covered entity continues to backup data on tapes, but it now stores the tapes in a safe deposit box instead of sending them via the mail.
77
Mountain Vista Medical CenterAZ228410/13/2010LossOther Portable Electronic Device12/22/2010
78
General Agencies Welfare Benefits ProgramTN18742/5/2010LossOther5/5/2010
79
St. Jude Children's Research HospitalTN17454/19/2010LossLaptop6/10/2010
80
Chattanooga Family Practice Associates, PCTN17117/15/2010LossOther Portable Electronic Device9/1/2010
81
United of Omaha Life Insurance CompanyNE16317/28/2011LossOther Portable Electronic Device
82
Carolina Center for Development and RehabilitationNC15906/24/2010LossPaper8/18/2010The covered entity inadvertently sent 23 boxes containing protected health information to a recycling center. These boxes contained the names, addresses, Social Security numbers, insurance identification numbers, clinical information, and credit/debit card numbers of 1,590 individuals. Following the breach, the covered entity reviewed its policies and procedures, suspended several employees, and set up credit monitoring for those individuals affected. As a result of OCR’s investigation, the covered entity placed a record into its accounting of disclosure log for each member impacted, terminated the suspended employees, revised its policies and procedures, and retrained staff.
83
CenterstoneTN15375/1/2010LossComputer, Paper7/12/2010
84
Alliance HealthCare Services, Inc.CA14748/5/2010LossOther Portable Electronic Device10/7/2010Two USB storage devices containing ePHI of 1,474 individuals was lost. The USB storage devices contained 1,474 individuals’ ePHI.The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices.
85
Conway Regional Medical CenterAR14728/24/2011LossOther (CDs)11/18/2011
86
Alliance HealthCare Services, Inc.CA14697/31/2010LossOther Portable Electronic Device10/7/2010Two USB storage devices containing ePHI of 1,469 individuals was lost. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices.
87
Wright State PhysiciansOH13096/11/2010LossLaptop8/18/2010On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments.
88
Fairview Health ServicesMN12152/19/2011LossPaper
89
NYU School of Medicine Aging and Dementia Clinical Research CenterNY12004/3/2010LossOther Portable Electronic Device9/10/2010
90
Sutter Gould Medical Foundation (SGMF)CA11925/23/2011LossPaper
91
Gene S. J. Liaw, MD. PSWA11054/4/2011LossOther Portable Electronic DeviceAn unencrypted USB drive used to store patient information could not be found in the office. The device contained data for 1,105 patients, including names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and Social Security numbers. To prevent such a loss in the future, the entity replaced the missing drive with encryption-capable USB drives; put in place secure, locked storage facilities for its mobile devices; implemented policies preventing removal of such devices from the office; and provided individual notice to each of the affected patients.
92
Volunteer State Health Plan, Inc.TN110203/16/2012-04/20/2012LossPaper7/3/2012
93
Trinity Health Corporation Welfare Benefit PlanMI10733/29/2010LossOther8/4/2010Trinity Health Corporation Welfare Benefit Plan’s business associate, Mercer Health & Benefits (Mercer) lost a server backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Trinity Health was about 1,073 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Trinity Health notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer’s Boise office now encrypts backup tapes. Trinity Health has not had a business relationship with Mercer for many years and Mercer currently does not store any original PHI belonging to Trinity Health.
94
Newark Beth Israel Medical CenterNJ9565/10/2010LossOther Portable Electronic Device9/10/2010
95
University of Kentucky UK HealthCareKY8789/25/2011LossOther Portable Electronic Device1/10/2012
96
University of Rochester Medical Center and AffiliatesNY8578/2/2010LossOther Portable Electronic Device9/21/2010
97
Muskogee Regional Medical CenterOK84412/5/2011LossOther1/31/2012
98
Northridge Hospital Medical CenterCA83710/16/2010LossPaper11/10/2010The entity mailed documents containing protected health information via Fed Ex and was later informed that the documents did not arrive at the desired destination. The entity conducted an investigation to determine the root cause of the breach; provided OCR with evidence that it had made significant efforts to contact the individuals reasonably believed to have been affected by the breach; and submitted its privacy procedures relevant to this investigation. The entity also took assertive action to prevent a future recurrence by modifying its standard procedures that require paper record submission and instead to accept a secure electronic transmission of all future documents containing PHI. Now all such records are sent only via secure electronic delivery.
99
Charlie Norwood VA Medical CenterGA8243/30/2012LossOther Portable Electronic Device7/27/2012
100
Keystone/AmeriHealth Mercy Health PlansPA8089/20/2010LossOther Portable Electronic Device10/28/2010