A | B | C | D | E | F | G | H | I | |
---|---|---|---|---|---|---|---|---|---|
1 | Utah Department of Health | UT | 780000 | 03/10/2012-04/02/2012 | Hacking/IT Incident | Network Server | 5/10/2012 | ||
2 | Seacoast Radiology, PA | NH | 231400 | 11/12/2010 | Hacking/IT Incident | Network Server | |||
3 | Ankle & Foot Center of Tampa Bay, Inc. | FL | 156000 | 11/10/2010 | Hacking/IT Incident | Network Server | |||
4 | WellPoint, Inc. | IN | 31700 | 11/3/2009 | Hacking/IT Incident | Network Server | 8/6/2010 | ||
5 | The University of Texas at Arlington | TX | 27000 | 2/19/2010 | Hacking/IT Incident | Network Server | 8/4/2010 | A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. | |
6 | University of Oklahoma-Tulsa, Neurology Clinic | OK | 19264 | 7/25/2010 | Hacking/IT Incident | Computer | 10/1/2010 | ||
7 | Green River District Health Department | KY | 18871 | 1/12/2011 | Hacking/IT Incident | Network Server | |||
8 | Community Action Partnership of Natrona County | WY | 15000 | 2/23/2011 | Hacking/IT Incident | Computer | |||
9 | SW Seattle Orthopaedic and Sports Medicine | WA | 9493 | 9/4/2010 | Hacking/IT Incident | Network Server | 10/28/2010 | A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR’s investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. | |
10 | New York Presbyterian Hospital and Columbia University Medical Center | NY | 6800 | 7/1/2010 | Hacking/IT Incident | Network Server | 10/1/2010 | ||
11 | Rhinebeck Health Center/Center for Progressive Medicine | NY | 6745 | 11/15/2011-12/14/2011 | Hacking/IT Incident | Desktop Computer, Network Server | 5/10/2012 | ||
12 | Keith & Fisher, DDS, PA | NC | 6000 | 2/16/2011 | Hacking/IT Incident | Network Server | |||
13 | State of South Carolina Budget and Control Board Employee Insurance Program (EIP) | SC | 5596 | 11/18/2010 | Hacking/IT Incident | Computer | |||
14 | Metro Community Provider Network | CO | 3200 | 12/5/2011 | Hacking/IT Incident | 3/19/2012 | |||
15 | NEA Baptist Clinic | AR | 3116 | 7/12/2011 | Hacking/IT Incident | Network Server | |||
16 | University of Wisconsin Oshkosh | WI | 3000 | 7/18/2011 | Hacking/IT Incident | Desktop Computer, | |||
17 | UNCG Speech and Hearing Center | NC | 2300 | 6/10/2010 | Hacking/IT Incident | Computer | 8/20/2010 | ||
18 | Beth Israel Deaconess Medical Center | MA | 2021 | 4/17/2011 | Hacking/IT Incident | Network Server | |||
19 | Keith W. Mann, DDS, PLLC | NC | 2000 | 12/8/2009 | Hacking/IT Incident | Computer, Network Server, Electronic Medical Record | 2/22/2010 | ||
20 | University of New Mexico Health Sciences Center | NM | 1898 | 2/8/2010 | Hacking/IT Incident | Computer | 3/9/2010 | Malware compromised two workstation hard drives. The compromise affected 1898 individuals. The protected health information involved in the breach included patient names, dates of birth, medical record numbers, names of the patients’ health plans and type of health services provided for the patients. Following the discovery of the breach, the CE removed and replaced the affected computers and audited workstations to ensure PHI was not stored on hard drives in violation of policy. Additionally, the CE notified the affected individuals and local media and retrained staff. | |
21 | St. Vincent Hospital - Indianapolis | IN | 1848 | 11/15/2010 | Hacking/IT Incident | Network Server/Email | |||
22 | Gary C. Spinks, DMD, PC | MD | 1000 | 9/29/2010 | Hacking/IT Incident | Computer, Network Server | 1/4/2011 | ||
23 | Saint Louis University | MO | 800 | 12/11/2010 | Hacking/IT Incident | Computer | |||
24 | Goshen Health System, Inc. | IN | 660 | 12/22/2011 | Hacking/IT Incident | Other | 3/19/2012 | ||
25 | University of California, San Francisco | CA | 610 | 9/22/2009 | Hacking/IT Incident | 2/22/2010 | |||
26 | Adult & Child Care Center | IN | 550 | 5/10/2012 | Hacking/IT Incident | Other | 7/27/2012 | ||
27 | Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan | IN | 506 | 8/9/2011 | Hacking/IT Incident | Network Server | |||
28 | Lebanon Internal Medicine Associates | PA | 55000 | 9/10/2011 | Improper Disposal | Network Server | 12/8/2011 | ||
29 | Holyoke Medical Center | MA | 24750 | 7/26/2010 | Improper Disposal | Paper | 9/1/2010 | ||
30 | Milford Regional Medical Center | MA | 19750 | 7/26/2010 | Improper Disposal | Paper | 10/1/2010 | ||
31 | Milton Pathology Associates, P.C. | MA | 11000 | 7/26/2010 | Improper Disposal | Paper | 10/5/2010 | ||
32 | University of Tennessee Medical Center | TN | 8200 | 9/23/2009 | Improper Disposal | Paper | 12/10/2010 | Following the breach, UTMC placed a shredding container in its Computer Services department to dispose of all paper documents with patient sensitive information. As a result of OCR’s investigation, UTMC reported taking the following corrective actions: UTMC provided OCR with a copy of its “Risk of Harm” analysis, which documented UTMC’s steps in determining whether a breach in unsecured PHI occurred as reported in its breach report; it provided OCR with a copy of its sanctions policy, and a description of the sanctions imposed against the Computer Services Operation Center Supervisor, which included a cited violation of “failure to monitor work activity in area and appropriately supervise employees to ensure proper disposal of report containing PHI,” and the sanctions imposed were a written reprimand in the workforce member’s personnel file, and suspension for three (3) days without pay (OCR notes that UTMC applied the appropriate sanctions for this type of offense and/or violation); and UTMC implemented a corrective action plan to prevent future occurrences of the same nature. | |
33 | VA Caribbean Healthcare System | PR | 6006 | 3/30/2011 | Improper Disposal | Paper | |||
34 | VA North Texas Health Care System | TX | 4083 | 5/4/2010 | Improper Disposal | Paper | 5/25/2010 | A binder and clipboard containing patients’ protected health information were missing from a file room. Approximately 4,083 individuals were affected. The protected health information involved in the breach included names, social security numbers, and dates of birth. Following the breach, the covered entity has eliminated all hard copy logs by transferring them to an electronic database. The electronic database is accessible by authorized workforce members only. Additionally, OCR’s investigation resulted in the covered entity improving their physical safeguards and retraining employees. | |
35 | Iowa Department of Human Services | IA | 3000 | 02/06/2012 - 03/14/2012 | Improper Disposal | Paper | 6/8/2012 | ||
36 | South Carolina Department of Health and Environmental Control | SC | 2850 | 2/17/2010 | Improper Disposal | Paper | 5/4/2010 | The covered entity failed to adhere to its own policy to shred protected health information (PHI), and a third party found patient PHI in a paper recycling container behind the covered entity's building. The covered entity reported that approximately 2,850 individuals were affected. The PHI involved in the breach included names, addresses, dates of birth, Social Security numbers, payment information, and clinical information. Following the breach, the covered entity took several actions, including notifying affected individuals, revising and updating its policies for handling confidential information, educating staff, and terminating the courier that was responsible for taking the information to the recycling center. As a result of OCR’s investigation, the covered entity provided written assurance that it had revised its policies and procedures. | |
37 | Aiken Community Based Outpatient Clinic | SC | 2717 | 2/16/2011 | Improper Disposal | Paper | |||
38 | NYU Hospital for Joint Diseases Inventory Management Department | NY | 2600 | 6/23/2011 | Improper Disposal | Paper | |||
39 | Wright Patterson Air Force Base | OH | 2123 | 7/29/2010 | Improper Disposal | Paper | 10/7/2010 | ||
40 | Open MRI of Chicago | IL | 2000 | 9/6/2011 | Improper Disposal | Paper | 1/10/2012 | ||
41 | St. John's Mercy Medical Group | MO | 1907 | 6/6/2010 | Improper Disposal | Paper | 8/20/2010 | The covered entity improperly disposed of patients' Protected Health Information (PHI) by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach; posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; and re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. | |
42 | Medina County OB/GYN Associates, Inc. | OH | 1200 | 6/13/2010 | Improper Disposal | Paper | 7/29/2010 | ||
43 | Imaging Center of Garland | TX | 1031 | 3/15/2011 | Improper Disposal | Other (X-ray films) | |||
44 | Riverside Mercy Hospital and Ohio/Mercy Diagnostics | OH | 1000 | 11/15/2010 | Improper Disposal | Paper | 1/4/2011 | ||
45 | DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central | TX | 1000 | 2/16/2012 | Improper Disposal | Paper | 5/10/2012 | ||
46 | IU Medical Group | IN | 1000 | 4/11/2012 | Improper Disposal | Paper | 6/8/2012 | ||
47 | St. James Hospital and Health Centers | IL | 967 | 8/10/2010 | Improper Disposal | Paper | 10/1/2010 | ||
48 | Anderson Air Force Base Guam | VA | 700 | 5/13/2011 | Improper Disposal | Paper | The protected health information for 700 individuals was mistakenly disposed of in a recycle bin and subsequently bundled and shredded. The information included patients' medical history, immunization records and appointment schedules. Despite evidence that there was no risk of disclosure, the covered entity notified all affected individuals. All staff received retraining on safeguards of PHI and proper disposal of PHI. | ||
49 | VA Eastern Colorado Health Care System | CO | 649 | 1/19/2010 | Improper Disposal | Paper | 5/17/2010 | ||
50 | Knox Community Hospital | OH | 500 | 10/1/2010 | Improper Disposal | Other (X-ray film) | |||
51 | TRICARE Management Activity (TMA) | VA | 4901432 | 9/13/2011 | Loss | Other (Backup Tapes) | 11/4/2011 | ||
52 | The Nemours Foundation | FL | 1055489 | 8/10/2011 | Loss | Other (Backup Tapes) | 11/4/2011 | ||
53 | South Shore Hospital | MA | 800000 | 2/26/2010 | Loss | Other Portable Electronic Device, Electronic Medical Record, Other | 7/21/2010 | ||
54 | Lincoln Medical and Mental Health Center | NY | 130495 | 3/24/2010 | Loss | Other | 6/29/2010 | ||
55 | MidState Medical Center | CT | 93500 | 2/14/2011 | Loss | Other | |||
56 | Providence Hospital | MI | 83945 | 2/4/2010 | Loss | Other | 4/15/2010 | ||
57 | California Department of Healthcare Services | CA | 29808 | 4/29/2010 | Loss | Other Portable Electronic Device | 7/12/2010 | ||
58 | Pediatric and Adult Allergy, PC | IA | 19222 | 7/11/2010 | Loss | Other Portable Electronic Device | 9/20/2010 | ||
59 | Benefit Resources, Inc. | SC | 16200 | 11/22/2010 | Loss | Other Portable Electronic Device | |||
60 | University Hospital | GA | 14000 | 5/7/2010 | Loss | Other | 7/12/2010 | ||
61 | Walsh Pharmacy | MA | 11440 | 6/3/2010 | Loss | Other Portable Electronic Device | 8/18/2010 | ||
62 | The Neighborhood Christian Clinic | AZ | 9565 | 2/7/2012 | Loss | Other Portable Electronic Device | 5/10/2012 | ||
63 | Concordia Plan Services (CPS) | MO | 7059 | 3/17/2011 | Loss | Other | 11/18/2011 | ||
64 | VHS Genesis Lab Inc. | IL | 6800 | 1/10/2010 | Loss | Paper | 4/15/2010 | A month’s worth of client invoices went missing; evidence shows that the documents were never mailed, but despite a thorough search, the invoices were never located. The invoices contained the protected health information of over 500 individuals. The protected health information involved in the breach included names, dates of birth, and medical testing information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in the Chicago Tribune, arranged for a business associate to handle the mailing of invoices in the future, and provided OCR with documentation of these actions. | |
65 | Idaho Power Group Health Plan | ID | 5500 | 3/29/2010 | Loss | Other | 8/20/2010 | Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. | |
66 | City of Charlotte Health Plan | NC | 5220 | 2/3/2010 | Loss | Other | 6/3/2010 | ||
67 | Baptist Memorial Hospital - Huntingdon | TN | 4800 | 11/27/2010 | Loss | Other | |||
68 | St. Mary Medical Center | CA | 3900 | 5/7/2012 | Loss | Other Portable Electronic Device | 6/8/2012 | ||
69 | Children's Medical Center of Dallas | TX | 3800 | 11/19/2009 | Loss | Other Portable Electronic Device | 2/22/2010 | ||
70 | Health Services for Children with Special Needs | DC | 3800 | 10/9/2009 | Loss | Laptop | 2/22/2010 | A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated its risk assessment. In addition, all employees received additional security training. | |
71 | Saint Barnabas Medical Center | NJ | 3630 | 5/10/2010 | Loss | Other Portable Electronic Device | 9/10/2010 | ||
72 | Cancer Care Northwest P.S. | WA | 3100 | 1/7/2011 | Loss | Paper | |||
73 | Pamlico Medical Equipment LLC | NC | 2917 | 5/16/2012 | Loss | Other Portable Electronic Device | 7/27/2012 | ||
74 | Henry Ford Hospital | MI | 2777 | 1/31/2011 | Loss | Other Portable Electronic Device | |||
75 | NYU Hospital Center | NY | 2563 | 5/8/2010 | Loss | Other Portable Electronic Device | 7/19/2010 | ||
76 | Blue Island Radiology Consultants | IL | 2562 | 12/9/2009 | Loss | Other (Backup Tapes) | 2/22/2010 | The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package. Approximately 2,000 individuals were affected by the breach. Individual demographic, financial and clinical information was included in the protected health information. The covered entity provided written notice and an apology to affected individuals, provided them with details of the incident, described ways for these individuals to protect themselves from identity theft and provided a toll-free telephone number for the individuals to call if they had additional questions. Following the breach, the covered entity continues to back up data on tapes, but it now stores the tapes in a safe deposit box instead of sending them via the mail. | |
77 | Mountain Vista Medical Center | AZ | 2284 | 10/13/2010 | Loss | Other Portable Electronic Device | 12/22/2010 | ||
78 | General Agencies Welfare Benefits Program | TN | 1874 | 2/5/2010 | Loss | Other | 5/5/2010 | ||
79 | St. Jude Children's Research Hospital | TN | 1745 | 4/19/2010 | Loss | Laptop | 6/10/2010 | ||
80 | Chattanooga Family Practice Associates, PC | TN | 1711 | 7/15/2010 | Loss | Other Portable Electronic Device | 9/1/2010 | ||
81 | United of Omaha Life Insurance Company | NE | 1631 | 7/28/2011 | Loss | Other Portable Electronic Device | |||
82 | Carolina Center for Development and Rehabilitation | NC | 1590 | 6/24/2010 | Loss | Paper | 8/18/2010 | The covered entity inadvertently sent 23 boxes containing protected health information to a recycling center. These boxes contained the names, addresses, Social Security numbers, insurance identification numbers, clinical information, and credit/debit card numbers of 1,590 individuals. Following the breach, the covered entity reviewed its policies and procedures, suspended several employees, and set up credit monitoring for those individuals affected. As a result of OCR’s investigation, the covered entity placed a record into its accounting of disclosure log for each member impacted, terminated the suspended employees, revised its policies and procedures, and retrained staff. | |
83 | Centerstone | TN | 1537 | 5/1/2010 | Loss | Computer, Paper | 7/12/2010 | ||
84 | Alliance HealthCare Services, Inc. | CA | 1474 | 8/5/2010 | Loss | Other Portable Electronic Device | 10/7/2010 | Two USB storage devices containing ePHI of 1,474 individuals were lost. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices. | |
85 | Conway Regional Medical Center | AR | 1472 | 8/24/2011 | Loss | Other (CDs) | 11/18/2011 | ||
86 | Alliance HealthCare Services, Inc. | CA | 1469 | 7/31/2010 | Loss | Other Portable Electronic Device | 10/7/2010 | Two USB storage devices containing ePHI of 1,469 individuals were lost. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices. | |
87 | Wright State Physicians | OH | 1309 | 6/11/2010 | Loss | Laptop | 8/18/2010 | On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. | |
88 | Fairview Health Services | MN | 1215 | 2/19/2011 | Loss | Paper | |||
89 | NYU School of Medicine Aging and Dementia Clinical Research Center | NY | 1200 | 4/3/2010 | Loss | Other Portable Electronic Device | 9/10/2010 | ||
90 | Sutter Gould Medical Foundation (SGMF) | CA | 1192 | 5/23/2011 | Loss | Paper | |||
91 | Gene S. J. Liaw, MD. PS | WA | 1105 | 4/4/2011 | Loss | Other Portable Electronic Device | An unencrypted USB drive used to store patient information could not be found in the office. The device contained data for 1,105 patients, including names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and Social Security numbers. To prevent such a loss in the future, the entity replaced the missing drive with encryption-capable USB drives; put in place secure, locked storage facilities for its mobile devices; implemented policies preventing removal of such devices from the office; and provided individual notice to each of the affected patients. | ||
92 | Volunteer State Health Plan, Inc. | TN | 1102 | 03/16/2012-04/20/2012 | Loss | Paper | 7/3/2012 | ||
93 | Trinity Health Corporation Welfare Benefit Plan | MI | 1073 | 3/29/2010 | Loss | Other | 8/4/2010 | Trinity Health Corporation Welfare Benefit Plan’s business associate, Mercer Health & Benefits (Mercer) lost a server backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Trinity Health was about 1,073 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Trinity Health notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer’s Boise office now encrypts backup tapes. Trinity Health has not had a business relationship with Mercer for many years and Mercer currently does not store any original PHI belonging to Trinity Health. | |
94 | Newark Beth Israel Medical Center | NJ | 956 | 5/10/2010 | Loss | Other Portable Electronic Device | 9/10/2010 | ||
95 | University of Kentucky UK HealthCare | KY | 878 | 9/25/2011 | Loss | Other Portable Electronic Device | 1/10/2012 | ||
96 | University of Rochester Medical Center and Affiliates | NY | 857 | 8/2/2010 | Loss | Other Portable Electronic Device | 9/21/2010 | ||
97 | Muskogee Regional Medical Center | OK | 844 | 12/5/2011 | Loss | Other | 1/31/2012 | ||
98 | Northridge Hospital Medical Center | CA | 837 | 10/16/2010 | Loss | Paper | 11/10/2010 | The entity mailed documents containing protected health information via Fed Ex and was later informed that the documents did not arrive at the desired destination. The entity conducted an investigation to determine the root cause of the breach; provided OCR with evidence that it had made significant efforts to contact the individuals reasonably believed to have been affected by the breach; and submitted its privacy procedures relevant to this investigation. The entity also took assertive action to prevent a future recurrence by modifying its standard procedures, which had required paper record submission, to instead accept a secure electronic transmission of all future documents containing PHI. Now all such records are sent only via secure electronic delivery. | |
99 | Charlie Norwood VA Medical Center | GA | 824 | 3/30/2012 | Loss | Other Portable Electronic Device | 7/27/2012 | ||
100 | Keystone/AmeriHealth Mercy Health Plans | PA | 808 | 9/20/2010 | Loss | Other Portable Electronic Device | 10/28/2010 |