| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | AD | AE | AF | AG | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present | Web Description | ransomware | Includes Financial information? | Includes Diagnoses? | Includes Addresses? | Includes Drivers’ license information? | Includes Names? | Includes Email? | Includes Phone numbers? | Includes Photos? | Includes Birthdates? | Includes Gender? | Includes Health insurance information? | Includes X-ray images? | Includes Ethnicity? | Includes Treatment information? | Includes Medical records? | Includes Identification numbers? | Includes Medication information? | Includes Employment information? | Includes Dental records? | Includes Vaccination status? | Includes Social security? | Includes Demographic information? | Includes Passport information? |
2 | Orlando VA Medical Center | FL | Healthcare Provider | 9,850 | 2024-03-05 | Unauthorized Access/Disclosure | No | The Orlando VA Medical Center, the covered entity (CE), reported that an employee emailed documents containing the protected health information (PHI) of 9,850 individuals to a personal email account. The PHI involved included names, addresses, telephone numbers, email addresses, Social Security numbers, and birthdates. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE provided complimentary credit monitoring services to affected individuals and obtained a court order requiring the safeguarding of PHI. | No | names, addresses, telephone numbers, email addresses, Social Security numbers | names | email addresses | telephone numbers | birthdates | Social Security numbers | Social Security numbers | |||||||||||||||||
3 | Bay Area Anesthesia, LLC | FL | Healthcare Provider | 15,196 | 2024-02-26 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Bay Area Anesthesia, reported that its business associate (BA) experienced a cyber-attack that affected the protected health information (PHI) of 15,196 individuals. The PHI involved included names, addresses, dates of birth, and Social Security numbers. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Workforce members were retrained to better protect PHI. | No | names, addresses, dates of birth, and Social Security numbers | names | dates of birth | Social Security numbers | Social Security numbers | ||||||||||||||||||
4 | Human Affairs International of California | CA | Business Associate | 18,347 | 2024-02-16 | Unauthorized Access/Disclosure | Paper/Films | Yes | The covered entity (CE), Human Affairs International of California, reported that it experienced a programming issue which resulted in an employee mailing the protected health information (PHI) of 18,347 individuals to the wrong recipients. The PHI involved included names, dates of birth, addresses, diagnoses, claims and financial information, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained on the requirements to protect and secure sensitive data. | No | financial information, claims | diagnoses | addresses | names | dates of birth | other treatment information, treatment information | |||||||||||||||||
5 | Forward Healthcare, LLC | MD | Healthcare Provider | 3,999 | 2024-02-08 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Forward Healthcare, reported that its business associate (BA) experienced a cybersecurity incident that affected the protected health information (PHI) of 3,999 individuals. The PHI involved included names, addresses, dates of birth, and treatment information. The CE notified HHS and the affected individuals. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | names, addresses, dates of birth | names | dates of birth | treatment information | |||||||||||||||||||
6 | Humana Inc. | KY | Health Plan | 6,440 | 2024-02-06 | Unauthorized Access/Disclosure | Paper/Films | No | The covered entity (CE), Humana, reported that an employee inadvertently mailed the protected health information (PHI) of 6,440 individuals to the wrong recipients. The PHI involved included names, addresses, medications, and diagnoses. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | names, addresses, medications, and diagnoses | names, addresses, medications, and diagnoses | names, addresses, medications, and diagnoses | ||||||||||||||||||||
7 | Kentucky Cabinet for Health and Family Services | KY | Health Plan | 857 | 2024-02-05 | Unauthorized Access/Disclosure | Paper/Films | Yes | Kentucky Cabinet for Health and Family Services reported that an employee of its business associate (BA) inadvertently mailed the protected health information (PHI) of 857 individuals to the wrong recipients. The PHI involved included names, identification numbers, claims and financial information, and other treatment information. The BA notified HHS, affected individuals, and the media. In its mitigation efforts, the BA implemented additional administrative safeguards and quality assurance procedures to prevent this issue from reoccurring. | No | claims and financial information | names | other treatment information | identification numbers | |||||||||||||||||||
8 | Coppola Physical Therapy and Fitness Gyms | NH | Healthcare Provider | 632 | 2024-01-31 | Unauthorized Access/Disclosure | Yes | No | |||||||||||||||||||||||||
9 | Humana Inc. | KY | Health Plan | 12,539 | 2024-01-22 | Unauthorized Access/Disclosure | Paper/Films | No | The covered entity (CE), Humana, reported that an employee inadvertently mailed the protected health information (PHI) of 12,539 individuals to the wrong recipients. The PHI involved included names, addresses, medications, and diagnoses. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | medications and diagnoses | addresses | names | medications | |||||||||||||||||||
10 | Mount Vernon Dental Smiles | VA | Healthcare Provider | 1,074 | 2024-01-19 | Unauthorized Access/Disclosure | No | Mount Vernon Dental Smiles, the covered entity (CE), reported that a workforce member inadvertently sent an email containing the protected health information (PHI) of 1,074 patients to an unauthorized individual. The PHI involved included names, dates of birth, addresses, email addresses, health insurance information, and other treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE strengthened its administrative safeguards to better protect sensitive data. OCR provided technical assistance regarding the HIPAA Rules. | No | addresses, email addresses | names | email addresses | dates of birth | health insurance information | other treatment information | ||||||||||||||||||
11 | North Kansas City Hospital | MO | Healthcare Provider | 502,438 | 2024-01-03 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), North Kansas City Hospital, reported that its business associate (BA) experienced a cyber-attack that affected the protected health information (PHI) of 502,438 individuals. The PHI involved included names, dates of birth, addresses, claims information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE terminated its business relationship with the BA and implemented additional administrative safeguards to better protect PHI. | No | diagnoses, other treatment information | addresses | names | treatment information | |||||||||||||||||||
12 | Transformative Healthcare, on behalf of Fallon Ambulance Services | MA | Healthcare Provider | 911,757 | 2023-12-31 | Hacking/IT Incident | Electronic Medical Record, Network Server | No | Fallon Ambulance Services (Fallon), a former subsidiary of Transformative Healthcare, the covered entity (CE), reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 911,757 individuals. The PHI involved included names, addresses, birthdates, drivers’ license and Social Security numbers, diagnoses, lab results, medications, and claims and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE provided complimentary identity protection services to affected individuals. Fallon ceased medical transportation operations; therefore, OCR closed the case. | Yes | diagnoses, lab results, medications | addresses | drivers’ license numbers | names | birthdates | claims and other treatment information | Social Security numbers | medications | |||||||||||||||
13 | RevSpring, Inc. | TN | Business Associate | 1,053 | 2023-12-22 | Unauthorized Access/Disclosure | Network Server | Yes | The business associate (BA), RevSpring, reported that a software coding error allowed the protected health information (PHI) of 1,053 individuals to be viewable by others. The PHI involved included names, addresses, diagnoses and other treatment information. The BA notified HHS, affected individuals, and the media. In response to the breach, the BA implemented additional administrative, technical, and security safeguards. Workforce members were also retrained on the requirements to protect and secure sensitive data. | No | diagnoses and other treatment information | addresses | names | ||||||||||||||||||||
14 | Lone Peak Physical Therapy, Inc. | MT | Healthcare Provider | 5,809 | 2023-12-21 | Theft | Paper/Films | No | No | ||||||||||||||||||||||||
15 | Rush System for Health | IL | Healthcare Provider | 4,961 | 2023-12-21 | Unauthorized Access/Disclosure | No | The covered entity (CE), Rush System for Health, reported that an employee mailed the protected health information (PHI) of 4,961 individuals in a manner in which PHI was inadvertently disclosed. The PHI involved included names only. The CE notified HHS, affected individuals, and the media. In response to the incident, the CE sanctioned the responsible individual and strengthened its administrative safeguards to better protect PHI. Staff were retrained. | No | names only | |||||||||||||||||||||||
16 | BlueCross BlueShield of Tennessee, Inc. | TN | Health Plan | 1,676 | 2023-12-19 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), BlueCross BlueShield of Tennessee, reported that a vendor of its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 1,676 individuals. The PHI involved included names, birthdates, claims and financial information, and health insurance and other treatment information. The CE notified HHS, affected individuals, and the media. | No | claims and financial information | names | birthdates | health insurance and other treatment information | health insurance and other treatment information | ||||||||||||||||||
17 | BELLIN HEALTH | WI | Healthcare Provider | 20,790 | 2023-12-19 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Bellin Health, reported that it experienced a cyberattack that compromised the protected health information (PHI) of 20,790 individuals. The PHI involved included names, addresses, dates of birth, phone numbers, Social Security numbers, health insurance information, diagnoses, and other treatment information. The CE notified HHS, the affected individuals, and the media. In its mitigation efforts, the CE provided complimentary credit monitoring services and strengthened its administrative and technical safeguards to better protect sensitive data. | No | diagnoses, other treatment information | addresses | names | phone numbers | dates of birth | health insurance information | other treatment information | Social Security numbers | Social Security numbers | ||||||||||||||
18 | AccessOne Medcard, Inc. | SC | Business Associate | 8,049 | 2023-12-15 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), AccessOne Medcard, reported that it experienced a cyber-attack that affected the protected health information (PHI) of 8,049 individuals. The PHI involved included names, dates of birth, addresses, and financial information. The BA notified HHS, affected individuals, and the media. In response to the breach, the BA implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | financial information | addresses | names | ||||||||||||||||||||
19 | Independent Vision Group, LTD | WI | Healthcare Provider | 2,931 | 2023-12-13 | Hacking/IT Incident | No | The covered entity (CE), Independent Vision Group, reported that an employee was the victim of an email phishing scheme that compromised the protected health information (PHI) of approximately 2,931 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, claims and financial information, diagnoses, and health insurance information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE offered complimentary credit monitoring services and implemented additional administrative and technical safeguards to protect PHI. Staff were retrained on email security precautions. OCR provided technical assistance regarding the HIPAA Rules. | No | claims and financial information | diagnoses | addresses | drivers’ license and Social Security numbers | names | dates of birth | health insurance information | |||||||||||||||||
20 | Yorkshire Wellness Group, Corp. | NM | Healthcare Provider | 1,000 | 2023-12-12 | Unauthorized Access/Disclosure | Paper/Films | No | Yorkshire Wellness Group reported that a storage facility containing the medical records of 1,000 individuals was sold at auction. OCR determined that Yorkshire does not meet the definition of a covered entity or a business associate and, therefore, has no jurisdiction to investigate further. | No | |||||||||||||||||||||||
21 | EMS Management and Consultants Inc. | NC | Business Associate | 2,654 | 2023-12-01 | Unauthorized Access/Disclosure | Paper/Films | Yes | EMS Management and Consultants, a business associate (BA), reported that an employee mailed the protected health information (PHI) of 2,564 individuals to the wrong recipients. The PHI involved included names, addresses, treatment information, and financial information. The BA notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE implemented additional administrative safeguards to better protect PHI. | No | financial information | addresses | names | treatment information | |||||||||||||||||||
22 | Neuromusculoskeletal Center of the Cascades, PC | OR | Healthcare Provider | 19,373 | 2023-12-01 | Hacking/IT Incident | No | The covered entity (CE), Neuromusculoskeletal Center of the Cascades, reported that several employees were the subjects of an email phishing scheme that affected the protected health information (PHI) of 19,373 individuals. The PHI involved included names, Social Security numbers, addresses, drivers’ license numbers, dates of birth, diagnoses, medications, treatment information, and financial and claims information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | financial and claims information | diagnoses | addresses | drivers’ license numbers | names | treatment information | ||||||||||||||||||
23 | West Anaheim Medical Center | CA | Healthcare Provider | 1,166 | 2023-11-29 | Hacking/IT Incident | Network Server | Yes | West Anaheim Medical Center, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 1,166 individuals. The PHI involved included names, Social Security numbers, addresses, birthdates, and other treatment information. In its mitigation efforts, the CE provided complimentary credit monitoring services and the CE and BA implemented additional administrative, technical, and security safeguards. | No | addresses, Social Security numbers | names | birthdates | other treatment information | |||||||||||||||||||
24 | Fenway Community Health Center, Inc. | MA | Healthcare Provider | 599 | 2023-11-29 | Unauthorized Access/Disclosure | Paper/Films | Yes | The covered entity (CE), Fenway Community Health Center, reported that an employee of its business associate (BA) inadvertently sent the protected health information (PHI) of 599 individuals to the wrong recipients. The PHI involved included names, addresses, and treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards to better protect PHI. Staff were retrained. OCR provided technical assistance regarding the HIPAA Rules. | No | names, addresses, and treatment information | names, addresses, and treatment information | names, addresses, and treatment information | ||||||||||||||||||||
25 | Lakeview Healthcare System, LLC | FL | Healthcare Provider | 2,495 | 2023-11-27 | Theft | Other Portable Electronic Device, Paper/Films | No | The covered entity (CE), Lakeview Healthcare System, reported that someone broke into its office and stole three mobile devices and paper medical records. This breach affected the protected health information (PHI) of approximately 2,495 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, financial and claims information, diagnoses, lab results, and medications. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE provided complimentary credit monitoring and theft protection services, implemented new policies and procedures, and strengthened its physical safeguards to protect and safeguard PHI. | No | financial and claims information | diagnoses | addresses | drivers’ license and Social Security numbers | names | dates of birth | lab results, and medications | medications | |||||||||||||||
26 | California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 636,849 | 2023-11-17 | Hacking/IT Incident | Network Server | Yes | California Physicians’ Service dba Blue Shield of California, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 636,849 individuals. The PHI involved included names, Social Security numbers, diagnoses, addresses, birthdates, and claims information. In its mitigation efforts, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. | No | diagnoses | addresses | names | birthdates | |||||||||||||||||||
27 | Blue Shield of California OR Blue Shield of California Promise Health Plan | CA | Business Associate | 27,832 | 2023-11-17 | Hacking/IT Incident | Network Server | Yes | Blue Shield of California OR Blue Shield of California Promise Health Plan, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 27,832 individuals. The PHI involved included names, Social Security numbers, diagnoses, addresses, birthdates, and claims information. In its mitigation efforts, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. | No | diagnoses | addresses | names | birthdates | |||||||||||||||||||
28 | Medical College of Wisconsin | WI | Healthcare Provider | 240,667 | 2023-11-14 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Medical College of Wisconsin, reported that its third-party vendor experienced a cybersecurity incident that allowed unauthorized access to its server and compromised the protected health information (PHI) of 240,667 individuals. The PHI involved included names, addresses, Social Security numbers, dates of birth, claims information, diagnoses, lab results, and medications. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE provided credit monitoring services and terminated its business relationship with the vendor. | No | diagnoses, lab results | addresses | names | dates of birth | Social Security numbers | medications | |||||||||||||||||
29 | Medical University of South Carolina | SC | Healthcare Provider | 1,758 | 2023-11-13 | Unauthorized Access/Disclosure | Network Server | No | The covered entity (CE), Medical University of South Carolina, reported that its business associate (BA) sent an email that contained the protected health information (PHI) of 1,758 individuals to the wrong recipients. The PHI involved included names only. The CE notified HHS, affected individuals, and the media. The employee involved was retrained. | No | names only | ||||||||||||||||||||||
30 | Boomerang Healthcare | CA | Healthcare Provider | 1,204 | 2023-11-07 | Unauthorized Access/Disclosure | No | Boomerang Healthcare, the covered entity (CE), reported that an employee inadvertently emailed an Excel spreadsheet containing the protected health information (PHI) of 1,204 patients to unauthorized individuals. The PHI involved included names, addresses, email addresses, dates of birth, phone numbers, and diagnoses. The CE notified HHS, affected individuals, and the media. In response to the breach and OCR’s investigation, the CE sanctioned the responsible employee and strengthened its administrative and technical safeguards. | No | diagnoses | addresses | names | email addresses | phone numbers | dates of birth | ||||||||||||||||||
31 | Sutter Health | CA | Healthcare Provider | 845,441 | 2023-11-03 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Sutter Health, reported that its business associate (BA) experienced a malware attack that affected the protected health information (PHI) of 845,441 individuals. The PHI involved included names, addresses, dates of birth, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and the CE and BA implemented additional administrative, technical, and security safeguards. Staff were retrained to better protect PHI. | No | diagnoses, other treatment information | addresses | names | dates of birth | other treatment information | ||||||||||||||||||
32 | Life Generations Healthcare LLC | CA | Healthcare Provider | 5,832 | 2023-11-03 | Hacking/IT Incident | No | The covered entity (CE), Life Generations Healthcare, reported that multiple employees were the subjects of an email phishing scheme that compromised the protected health information (PHI) of 5,832 individuals. The PHI involved included names, birthdates, addresses, drivers’ license and Social Security numbers, diagnoses, and financial and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained on email security. | No | financial and other treatment information | diagnoses | addresses | drivers’ license and Social Security numbers | names | birthdates | ||||||||||||||||||
33 | Rebekah Children’s Services | CA | Healthcare Provider | 2,033 | 2023-11-03 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Rebekah Children’s Services, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 2,033 individuals. The PHI involved included names, birthdates, diagnoses, lab results, medications, email addresses, phone numbers, Social Security and drivers’ license numbers, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE updated its administrative and technical safeguards to better protect sensitive data. OCR provided technical assistance regarding the HIPAA Rules. | No | diagnoses, lab results, medications | drivers’ license numbers | names | email addresses | phone numbers | birthdates | other treatment information | Social Security | Social Security | ||||||||||||||
34 | Mayo Clinic | MN | Healthcare Provider | 1,152 | 2023-11-03 | Unauthorized Access/Disclosure | Network Server | No | Mayo Clinic, the covered entity (CE), reported that an employee inadvertently submitted the protected health information (PHI) of 1,152 individuals to an academic journal; the data was then published via the Internet. The PHI involved included names, dates of birth, lab results, medical records numbers, gender, race, and treatment information. The CE notified HHS and affected individuals. In its mitigation efforts, the CE implemented additional administrative safeguards to better protect PHI. Staff were retrained. | No | names, dates of birth, gender, race | dates of birth | gender | race | treatment information | medical records numbers | |||||||||||||||||
35 | Cadence Bank | MS | Business Associate | 13,862 | 2023-10-27 | Hacking/IT Incident | Network Server | Yes | Cadence Bank, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 13,862 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, health insurance information, claims and financial information, and other treatment information. In its mitigation efforts, the BA implemented additional technical safeguards and provided complimentary credit monitoring services. | No | claims and financial information | addresses | drivers’ license numbers | names | dates of birth | health insurance information | other treatment information | Social Security numbers | |||||||||||||||
36 | Pacific Clear Vision Institute | OR | Healthcare Provider | 626 | 2023-10-15 | Unauthorized Access/Disclosure | No | Pacific Clear Vision Institute, the covered entity (CE), reported that an employee impermissibly forwarded the protected health information (PHI) of 626 individuals to her personal email account. The PHI involved included names, addresses, dates of birth, health insurance information, diagnoses, Social Security numbers, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE sanctioned the employee responsible and provided complimentary credit monitoring services. | No | diagnoses | addresses | names | health insurance information | treatment information | Social Security numbers | ||||||||||||||||||
37 | Brooklyn Premier Orthopedics | NY | Healthcare Provider | 48,459 | 2023-10-06 | Hacking/IT Incident | Network Server | No | No | ||||||||||||||||||||||||
38 | Responsive Care Solutions | FL | Business Associate | 5,200 | 2023-10-05 | Unauthorized Access/Disclosure | Paper/Films | Yes | The business associate (BA), Responsive Care Solutions, reported that an employee inadvertently mailed the protected health information (PHI) of 5,200 individuals. The PHI involved included names, addresses, and other treatment information. The BA notified HHS, affected individuals, and the media. In its mitigation efforts, the BA strengthened its administrative, technical, and security safeguards. Staff were retrained on the requirements to protect and secure PHI. | No | names, addresses, and other treatment information | names, addresses, and other treatment information | names, addresses, and other treatment information | ||||||||||||||||||||
39 | Walmart Associates Health and Welfare Plan | AR | Health Plan | 85,952 | 2023-10-04 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Walmart Associates Health and Welfare Plan, reported that a vendor of its business associate (BA) experienced a cybersecurity incident that compromised the protected health information (PHI) of approximately 85,952 individuals. The PHI involved included names, addresses, dates of birth, and health insurance information. The CE notified HHS, affected individuals, the media, and provided substitute notice. The BA and its vendor strengthened their technical safeguards to better protect sensitive data. | No | names, addresses, dates of birth | names | dates of birth | health insurance information | |||||||||||||||||||
40 | Prospect Medical Holdings, Inc. | CA | Business Associate | 1,309,096 | 2023-09-29 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Prospect Medical Holdings, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 1,309,096 individuals. The PHI involved included names, dates of birth, drivers’ license and Social Security numbers, addresses, diagnoses, lab results, medications, claims and financial information, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring and identity theft protection services and implemented new administrative and technical safeguards. | Yes | financial information, claims | diagnoses | addresses | drivers’ license | names | other treatment information | Social Security numbers | medications | |||||||||||||||
41 | Gillette Children's Specialty Healthcare | MN | Healthcare Provider | 542 | 2023-09-29 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Gillette Children's Specialty Healthcare, reported that its business associate (BA) was the subject of a cybersecurity incident that compromised the protected health information (PHI) of 542 individuals. The PHI involved included names, medical record numbers, and other treatment information. Steps were taken to mitigate harm and protect PHI. | No | other treatment information | names, medical record numbers | other treatment information | ||||||||||||||||||||
42 | H3- Hope, Healing, Health Inc. | MI | Healthcare Provider | 1,586 | 2023-09-29 | Hacking/IT Incident | No | The covered entity (CE), H3 - Hope, Healing, Health, reported that an employee was subjected to an email phishing scheme that compromised the protected health information (PHI) of 1,586 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security Numbers, diagnoses, lab results, medications, and health insurance information. The CE notified HHS, affected individuals, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative and technical safeguards to better protect its PHI. | No | diagnoses, lab results, medications | addresses | drivers’ license | names | dates of birth | health insurance information | Social Security Numbers | medications | ||||||||||||||||
43 | Mt. Graham Regional Medical Center | AZ | Healthcare Provider | 35,688 | 2023-09-29 | Hacking/IT Incident | Network Server | No | Mount Graham Regional Medical Center, the covered entity (CE), reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 35,688 individuals. The PHI involved included names, addresses, Social Security and drivers’ license numbers, birthdates, financial information, and treatment information. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect sensitive data. | Yes | financial information | addresses | drivers’ license numbers | names | birthdates | treatment information | Social Security | ||||||||||||||||
44 | Blue Cross Blue Shield of Texas | IL | Business Associate | 3,708 | 2023-09-22 | Unauthorized Access/Disclosure | Paper/Films | Yes | The business associate (BA), Blue Cross Blue Shield of Texas, reported that an employee inadvertently mailed the protected health information (PHI) of 3,708 individuals to the wrong addresses. The PHI involved included names and health insurance information. The BA notified HHS, affected individuals, and the media. In response to the breach, the BA implemented additional administrative safeguards to better protect PHI. | No | names | health insurance information | |||||||||||||||||||||
45 | Allegheny County, Pennsylvania | PA | Business Associate | 1,505 | 2023-09-22 | Hacking/IT Incident | Network Server | Yes | Allegheny County, the business associate (BA), reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 1,505 individuals. The PHI involved included names, birthdates, health insurance information, and other treatment information. The BA notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the BA implemented additional administrative and technical safeguards to better protect PHI. | No | names | birthdates | health insurance information | other treatment information | |||||||||||||||||||
46 | Virginia Department of Medical Assistance Services | VA | Health Plan | 1,229,333 | 2023-09-18 | Hacking/IT Incident | Network Server | Yes | The Virginia Department of Medical Assistance Services, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 1,229,333 individuals. The PHI involved included names, birthdates, Social Security and drivers’ license numbers, claims and financial information, and other treatment information. The CE notified HHS and the media. In its mitigation efforts, the CE and BA implemented additional administrative and technical safeguards to better protect PHI. | No | claims and financial information | drivers’ license numbers | names | birthdates | other treatment information | Social Security | |||||||||||||||||
47 | Oak Valley Hospital District | CA | Healthcare Provider | 284,629 | 2023-09-15 | Hacking/IT Incident | Network Server | No | Oak Valley Hospital District, the covered entity (CE), reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 284,629 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, lab results, medications, and claims information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach and OCR’s investigation, the CE revised its policies and procedures, retrained its workforce members, and implemented additional technical safeguards. | No | diagnoses, lab results | addresses | names | dates of birth | health insurance information | medications, claims information | Social Security numbers | medications | |||||||||||||||
48 | Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | 2023-09-15 | Hacking/IT Incident | Network Server | Yes | Nuance Communications, the business associate (BA), reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 1,225,054 individuals. The PHI involved included names, addresses, dates of birth, diagnoses, medications, and Social Security numbers. The BA notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the BA strengthened its administrative, technical, and security safeguards to better protect PHI. | No | diagnoses, medications | addresses | names | dates of birth | Social Security numbers | medications | Social Security numbers | ||||||||||||||||
49 | Omnicell Specialty Pharmacy Services (OSPS) | TX | Business Associate | 661 | 2023-09-15 | Hacking/IT Incident | Yes | The business associate (BA), Omnicell Specialty Pharmacy Services, reported that an employee was the subject of an email phishing scheme that compromised the protected health information (PHI) of 661 individuals. The PHI involved included names, dates of birth, drivers’ license numbers, addresses, Social Security numbers, medications, and other treatment information. The BA notified HHS and the affected individuals. The BA disabled the affected email account and provided complimentary credit monitoring services to the affected individuals. The BA also strengthened its administrative and technical safeguards to better protect PHI. | No | addresses, Social Security numbers | drivers’ license numbers | names | dates of birth | medications, other treatment information | Social Security numbers | medications | Social Security numbers | ||||||||||||||||
50 | Coos Health & Wellness | OR | Healthcare Provider | 22,115 | 2023-09-07 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Coos Health and Wellness, reported that it experienced a cybersecurity incident that compromised the protected health information (PHI) of 22,115 individuals. The PHI involved includes names, Social Security and drivers’ license numbers, birthdates, addresses, and health insurance information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE updated its administrative and technical safeguards. OCR provided technical assistance regarding the HIPAA Rules. | No | addresses | drivers’ license numbers | names | birthdates | health insurance information | Social Security numbers, drivers’ license numbers | |||||||||||||||||
51 | Roseman University of Health Sciences | NV | Healthcare Provider | 4,622 | 2023-09-06 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Roseman University of Health Sciences, reported that it experienced a cybersecurity attack that compromised the protected health information (PHI) of 4,622 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license information, Social Security numbers, diagnoses, medications, lab results, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards to better protect its PHI. OCR provided technical assistance regarding the HIPAA Rules. | No | diagnoses, medications, lab results, and other treatment information | addresses | drivers’ license information | names | dates of birth | diagnoses, medications, lab results, and other treatment information | Social Security numbers | medications | Social Security numbers | ||||||||||||||
52 | Bienville Orthopaedic Specialists LLC | MS | Healthcare Provider | 242,986 | 2023-09-05 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Bienville Orthopaedic Specialists, reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 242,986 individuals. The PHI involved included names, addresses, telephone numbers, dates of birth, drivers’ license and Social Security numbers, and claims and financial information. The CE notified HHS, affected individuals, the media, and provided substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. Staff were retrained on the requirement to protect and secure sensitive data. OCR provided technical assistance regarding the timeliness requirements of the HIPAA Breach Notification Rule. | Yes | claims and financial information | names, addresses, telephone numbers | drivers’ license and Social Security numbers | names | telephone numbers | dates of birth | |||||||||||||||||
53 | Indiana University Health | IN | Health Plan | 1,191 | 2023-08-31 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Indiana University Health, reported that a vendor of its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 1,191 individuals. The PHI involved included names, Social Security numbers, addresses, birthdates, claims information, and other treatment information. The CE and BA notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE and BA strengthened its administrative and technical safeguards and provided complimentary credit monitoring services. | No | addresses, postal addresses, physical addresses, home addresses, mailing addresses, postal addresses | names | birthdates | other treatment information, treatment | |||||||||||||||||||
54 | O'Neil Digital Solutions, LLC | CA | Business Associate | 1,722 | 2023-08-30 | Unauthorized Access/Disclosure | Paper/Films | Yes | The business associate (BA), O’Neil Digital Solutions, reported that a workforce member mailed the protected health information (PHI) of 1,722 individuals to the wrong recipients. The PHI involved included names, dates of birth, and health insurance information. The BA notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the BA sanctioned the workforce member and strengthened its administrative safeguards. OCR provided technical assistance to the CE regarding the HIPAA Rules. | No | names, dates of birth | dates of birth | health insurance information | ||||||||||||||||||||
55 | TTEC Healthcare Solutions | CO | Business Associate | 2,953 | 2023-08-30 | Unauthorized Access/Disclosure | Network Server | Yes | The business associate (BA), TTEC Healthcare Solutions, reported that one of its employees impermissibly shared access to the protected health information (PHI) of 2,953 individuals with an unauthorized individual. The PHI involved included names, Social Security numbers, addresses, drivers’ license numbers, and dates of birth. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the BA provided complimentary credit monitoring services and implemented additional administrative and technical safeguards to better protect PHI. | No | addresses, Social Security numbers | drivers’ license numbers | names | dates of birth | Social Security numbers | ||||||||||||||||||
56 | IEC Group, Inc. dba AmeriBen | ID | Business Associate | 74,884 | 2023-08-24 | Unauthorized Access/Disclosure | Yes | IEC Group dba AmeriBen, the covered entity (CE), reported that an employee inadvertently sent an email to patients that contained the protected health information (PHI) of 74,884 individuals. The PHI involved included names, financial information, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the employee responsible for the breach and implemented new administrative safeguards. | No | financial information | names | other treatment information | |||||||||||||||||||||
57 | The University of Massachusetts Chan Medical School | MA | Business Associate | 135,394 | 2023-08-21 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), The University of Massachusetts Chan Medical School, reported that it was the subject of a cyber-attack that affected the protected health information (PHI) of 135,974 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, diagnoses, medications, financial and claims information, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its PHI. | No | financial and claims information | diagnoses | addresses | names | dates of birth | other treatment information | Social Security numbers | medications | |||||||||||||||
58 | Health Care Service Corporation | IL | Health Plan | 220,913 | 2023-08-21 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Health Care Service Corporation, reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 220,913 individuals. The PHI involved included names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, claims and financial information, and other treatment information. The CE notified HHS, affected individuals, and the media. OCR provided technical assistance regarding the HIPAA Privacy Rule. | No | claims and financial information | names, addresses | names | email addresses | phone numbers | dates of birth | other treatment information | Social Security numbers | Social Security numbers | ||||||||||||||
59 | Illinois Department of Public Health | IL | Healthcare Provider | 126,000 | 2023-08-18 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Sutter Health, reported that its business associate (BA) experienced a malware attack that affected the protected health information (PHI) of 845,441 individuals. The PHI involved included names, addresses, dates of birth, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and the CE and BA implemented additional administrative, technical, and security safeguards. Staff were retrained to better protect PHI. | No | diagnoses, other treatment information | addresses | names | dates of birth | other treatment information | ||||||||||||||||||
60 | Blue Cross Blue Shield of Arizona | AZ | Health Plan | 47,485 | 2023-08-17 | Hacking/IT Incident | Network Server | Yes | Blue Cross Blue Shield of Arizona, the covered entity (CE), reported that a vendor of its business associate (BA) was the subject of a cybersecurity incident that compromised the protected health information (PHI) of 47,485 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, and financial information. The CE notified HHS; the BA notified affected individuals and the media. In its mitigation efforts, the BA and vendor implemented new technical safeguards, provided affected individuals with free credit monitoring, and revised its policies and procedures. The CE implemented new security measures to prevent similar attacks from occurring in the future. | No | financial information | addresses | names | dates of birth | Social Security numbers | ||||||||||||||||||
61 | A-Family Dental Care Center PC | PA | Healthcare Provider | 2,800 | 2023-08-16 | Unauthorized Access/Disclosure | Network Server | No | The covered entity (CE), Medical University of South Carolina, reported that its business associate (BA) sent an email that contained the protected health information (PHI) of 1,758 individuals to the wrong recipients. The PHI involved included names only. The CE notified HHS, affected individuals, and the media. The employee involved was retrained. | No | names only | ||||||||||||||||||||||
62 | Performance Health Technology | OR | Business Associate | 1,752,076 | 2023-08-15 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Performance Health Technology, reported that it was the victim of a hacking attack affecting the protected health information (PHI) of 1,752,076 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative and technical safeguards and provided complimentary credit monitoring services to affected individuals. | No | diagnoses, other treatment information | addresses | names | dates of birth | other treatment information | Social Security numbers | Social Security numbers | ||||||||||||||||
63 | Three Crowns Park | IL | Healthcare Provider | 516 | 2023-08-11 | Hacking/IT Incident | No | The covered entity (CE), Three Crowns Park, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 516 individuals. The PHI involved included names, Social Security numbers, addresses, dates of birth, diagnoses, financial information, and other treatment information. The CE notified HHS, affected individuals, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring and implemented additional administrative and technical safeguards. Staff were retrained on email security. | No | financial information | diagnoses | addresses | names | other treatment information | |||||||||||||||||||
64 | United Bankshares, Inc. | DC | Business Associate | 8,801 | 2023-08-11 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), United Bankshares, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 8,801 individuals. The PHI involved included names, addresses, dates of birth, telephone numbers, Social Security numbers, driver's license numbers, diagnoses, lab results, medications, claims and financial information, and other treatment information. The BA notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the BA installed manufacturer-provided software patches and implemented additional technical safeguards to better protect its sensitive data. | No | financial information, claims | diagnoses, lab results | addresses | driver's license numbers | names | telephone numbers | dates of birth | medications, other treatment information | Social Security numbers | medications | Social Security numbers | ||||||||||||
65 | iTrust Wellness Group | SC | Healthcare Provider | 981 | 2023-08-10 | Hacking/IT Incident | No | The covered entity (CE), iTrust Wellness Group, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 981 individuals. The PHI involved included names, phone numbers, email addresses, dates of service, claims information, and other treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards. The CE also retrained its workforce members on email security precautions. | No | names, phone numbers, email addresses | email addresses | phone numbers | other treatment information | ||||||||||||||||||||
66 | EMS Management and Consultants Inc | NC | Business Associate | 223,598 | 2023-08-10 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), EMS Management and Consultants, reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 223,598 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, and financial and other treatment information. The BA notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the BA implemented additional administrative, technical, and security safeguards to better protect PHI. | Yes | financial and other treatment information | names, addresses | names | dates of birth | financial and other treatment information | Social Security numbers | Social Security numbers | ||||||||||||||||
67 | Madera County | CA | Health Plan | 1,446 | 2023-08-09 | Unauthorized Access/Disclosure | No | The covered entity (CE), Madera County, reported that an employee of its business associate’s (BA) vendor emailed the protected health information (PHI) of 1,446 individuals to the wrong recipient. The PHI involved included names, dates of birth, health insurance information, financial information, and other identifying information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the vendor retrained its employees and implemented additional security and technical safeguards. OCR provided technical assistance regarding the HIPAA Rules. | No | financial information | names | dates of birth | health insurance information | ||||||||||||||||||||
68 | Virginia Dept. of Medical Assistance Services | VA | Health Plan | 423,824 | 2023-08-09 | Hacking/IT Incident | Network Server | Yes | No | ||||||||||||||||||||||||
69 | PCC Pediatric EHR Solutions | VT | Business Associate | 520 | 2023-08-09 | Unauthorized Access/Disclosure | Yes | The business associate (BA), PCC Pediatric EHR Solutions, reported that an employee accidentally emailed the protected health information (PHI) of 520 individuals to an unauthorized recipient. The PHI involved included names, Social Security numbers, addresses, drivers’ license numbers, dates of birth, and claims information. The BA notified HHS and affected individuals. In response to the breach, the BA implemented additional administrative safeguards and retrained its employees. OCR provided the BA with technical assistance regarding its HIPAA Breach Notification Rule requirements. | No | addresses, Social Security numbers | drivers’ license numbers | names | dates of birth | Social Security numbers | |||||||||||||||||||
70 | Sovos Compliance LLC | MA | Business Associate | 18,261 | 2023-08-08 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Sovos Compliance, reported that a vulnerability was detected in its business associate’s (BA) software application that impacted the protected health information (PHI) of 18,261 individuals. The PHI involved included names, Social Security numbers, addresses, dates of birth, email addresses, and financial and claims information. The CE notified HHS, affected individuals, the media, and posted substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and the CE and BA implemented additional administrative, technical, and security safeguards to better protect PHI. | No | financial and claims information | addresses | names | email addresses | dates of birth | Social Security numbers | |||||||||||||||||
71 | Redwood Coast Regional Center | CA | Healthcare Provider | 1,345 | 2023-08-07 | Unauthorized Access/Disclosure | No | Redwood Coast Regional Center, the covered entity (CE), reported that emails that contained the protected health information (PHI) of 1,345 individuals were sent without encryption during a network outage. The PHI involved included names, addresses, dates of birth, and other identifiers. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE revised its policies and procedures, retrained its workforce members, and implemented additional technical safeguards. | No | names, addresses, dates of birth, and other identifiers | names | dates of birth | |||||||||||||||||||||
72 | Brigham and Women's Hospital | MA | Healthcare Provider | 987 | 2023-08-04 | Unauthorized Access/Disclosure | Network Server | No | The covered entity (CE), Brigham and Women’s Hospital, reported that graphs posted to the Internet contained a link that could expose the protected health information (PHI) of 987 individuals. The PHI involved included names, birthdates, addresses, diagnoses, lab results, medications, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained to better protect PHI. | No | diagnoses, lab results | addresses | names | birthdates | other treatment information | medical records | medications | ||||||||||||||||
73 | Indiana University Health | IN | Health Plan | 21,383 | 2023-08-04 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Indiana University Health, reported that its business associate (BA) experienced a cyber-attack affecting the protected health information (PHI) of 21,383 individuals. The PHI involved included names, and health insurance and financial information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative and technical safeguards to better protect its PHI. | No | financial information | names | health insurance information | ||||||||||||||||||||
74 | Cognizant Technologies Solutions U.S. Corporation | TX | Business Associate | 7,313 | 2023-08-03 | Hacking/IT Incident | Network Server | Yes | No | ||||||||||||||||||||||||
75 | The Health Plan of West Virginia, Inc. | WV | Health Plan | 1,292 | 2023-08-01 | Hacking/IT Incident | Network Server | No | The Health Plan of West Virginia, the covered entity (CE), reported that its business associate (BA) experienced a cybersecurity incident that compromised the protected health information (PHI) of 1,292 individuals. The PHI involved included names, addresses, phone numbers, and health insurance and financial information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the BA implemented additional technical safeguards and provided complimentary credit monitoring services. | No | financial information | addresses | names | phone numbers | health insurance information | ||||||||||||||||||
76 | Allegheny County | PA | Healthcare Provider | 689,686 | 2023-07-28 | Hacking/IT Incident | Network Server | No | Allegheny County, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 689,686 individuals. The PHI involved included names, addresses, phone numbers, Social Security numbers, dates of birth, drivers’ license numbers, diagnoses, claims information, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the incident, the CE and BA strengthened its administrative, technical, and security safeguards to better protect PHI. | No | diagnoses, claims information, and other treatment information | names, addresses, phone numbers | drivers’ license numbers | names | phone numbers | dates of birth | diagnoses, claims information, and other treatment information | Social Security numbers | Social Security numbers | ||||||||||||||
77 | Baylor College of Medicine | TX | Healthcare Provider | 505 | 2023-07-28 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Baylor College of Medicine, reported that its business associate (BA) was the victim of a cybersecurity incident that affected the protected health information (PHI) of approximately 505 individuals. The PHI involved included names, dates of birth, Social Security numbers, and lab results. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE and BA implemented additional technical safeguards and provided complimentary credit monitoring services to affected individuals. | No | names, dates of birth, Social Security numbers | dates of birth | lab results | Social Security numbers | Social Security numbers | ||||||||||||||||||
78 | Gladden Farms Family Dentistry | AZ | Healthcare Provider | 3,085 | 2023-07-27 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Gladden Farms Family Dentistry, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 3,085 individuals. The PHI involved included names, dates of birth, Social Security numbers, medication information, lab results, diagnoses, and health insurance information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE strengthened its policies and procedures, implemented additional technical safeguards, and retrained its staff. OCR provided technical assistance regarding the HIPAA Rules. | No | diagnoses, lab results | names | dates of birth | health insurance information | Social Security numbers | medication information | |||||||||||||||||
79 | Saint Francis Health System | OK | Healthcare Provider | 18,911 | 2023-07-26 | Hacking/IT Incident | Network Server | No | No | ||||||||||||||||||||||||
80 | BlueCross BlueShield of Tennessee, Inc. | TN | Business Associate | 2,688 | 2023-07-25 | Unauthorized Access/Disclosure | Paper/Films | Yes | The covered entity (CE), BlueCross BlueShield of Tennessee, reported that due to a computer error an employee inadvertently mailed the protected health information (PHI) of 2,688 individuals to the wrong recipients. The PHI involved included names, addresses, health insurance information, claims information, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE strengthened its administrative and technical safeguards. | No | names, addresses, health insurance information, claims information, and other treatment information | names, addresses, health insurance information, claims information, and other treatment information | names, addresses, health insurance information, claims information, and other treatment information | names, addresses, health insurance information, claims information, and other treatment information | |||||||||||||||||||
81 | Rite Aid Corporation | PA | Healthcare Provider | 23,433 | 2023-07-19 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Rite Aid Corporation, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 23,433 individuals. The PHI involved included names, dates of birth, addresses, medications, and health insurance information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE installed manufacturer-provided software patches and implemented additional technical safeguards to better protect sensitive data. | No | addresses, medications | names | dates of birth | health insurance information | |||||||||||||||||||
82 | Physicians Insurance A Mutual Company | WA | Business Associate | 1,852 | 2023-07-19 | Hacking/IT Incident | Yes | The business associate (BA), Physician Insurance A Mutual Company, reported that an employee was the victim of an email phishing scheme that compromised the protected health information (PHI) of 1,852 individuals. The PHI involved included names, Social Security numbers, dates of birth, health insurance information, and other treatment information. The BA notified HHS, affected individuals, and the media. In response to the breach, the BA provided complimentary credit monitoring services and implemented new administrative and technical safeguards. | No | names | dates of birth | health insurance information | other treatment information | Social Security numbers | |||||||||||||||||||
83 | Stephen Harkins, DDS, PC, dba: Harkins Pain & Sleep Management Group | AZ | Healthcare Provider | 6,411 | 2023-07-18 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Stephen Harkins, DDS dba Harkins Pain & Sleep Management Group, reported that it experienced a ransomware attack affecting the protected health information (PHI) of 6,411 individuals. The PHI involved included names and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice on its website. In response to the breach, the CE implemented additional technical and administrative safeguards. | Yes | other treatment information | names | other treatment information | ||||||||||||||||||||
84 | Tahoe Forest Hospital District | CA | Healthcare Provider | 1,119 | 2023-07-17 | Unauthorized Access/Disclosure | Paper/Films | Yes | The covered entity (CE), Tahoe Forest Hospital District, reported that an employee of its business associate (BA) inadvertently mailed the protected health information (PHI) of 1,119 individuals to the wrong recipients. The PHI involved included names, addresses, dates of birth, health insurance information, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE updated its policies and retrained its employees. | No | names, addresses, dates of birth, health insurance information, and other treatment information | names, addresses, dates of birth, health insurance information, and other treatment information | names, addresses, dates of birth, health insurance information, and other treatment information | names, addresses, dates of birth, health insurance information, and other treatment information | names, addresses, dates of birth, health insurance information, and other treatment information | ||||||||||||||||||
85 | Pension Benefit Information, LLC | MN | Business Associate | 1,866,694 | 2023-07-14 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), Pension Benefit Information, reported that its third-party vendor experienced a cyber incident that affected the protected health information (PHI) of 1,866,694 individuals. The PHI involved included names, Social Security numbers, addresses, dates of birth, and health insurance and financial information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect PHI. | No | financial information | addresses | names | health insurance information | |||||||||||||||||||
86 | Care N' Care Insurance Company, Inc. | TX | Health Plan | 33,032 | 2023-07-14 | Hacking/IT Incident | Network Server | Yes | Care N' Care Insurance Company, the covered entity (CE), reported that a software application used by its business associate (BA) exposed the protected health information (PHI) of 33,032 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, and claims and financial information. The CE notified HHS, affected individuals, and the media. | No | claims and financial information | addresses | names | dates of birth | Social Security numbers | ||||||||||||||||||
87 | Hines Interests Limited Partnership | TX | Health Plan | 3,000 | 2023-07-13 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), Hines Interests Limited Partnership, reported that its business associate (BA) experienced a cybersecurity attack that compromised the protected health information (PHI) of approximately 3,000 individuals. The PHI involved included names, addresses, dates of birth, diagnoses, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach the CE provided complimentary credit monitoring services to affected individuals. | No | names, addresses, dates of birth, diagnoses, and other treatment information | names, addresses, dates of birth, diagnoses, and other treatment information | names, addresses, dates of birth, diagnoses, and other treatment information | names, addresses, dates of birth, diagnoses, and other treatment information | names, addresses, dates of birth, diagnoses, and other treatment information | ||||||||||||||||||
88 | Molina Healthcare | CA | Health Plan | 7,702 | 2023-07-11 | Hacking/IT Incident | Network Server | Yes | Molina Healthcare, the covered entity (CE), reported that its business associate (BA) experienced a hacking attack that compromised the protected health information (PHI) of 7,702 individuals. The PHI involved included names, dates of birth, and health insurance information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE provided complimentary identity theft protection to affected individuals. OCR provided technical assistance regarding the HIPAA Rules. | No | names | dates of birth | health insurance information | ||||||||||||||||||||
89 | Arizona State Urological Institute | AZ | Healthcare Provider | 1,626 | 2023-07-10 | Unauthorized Access/Disclosure | No | The covered entity (CE), Arizona State Urological Institute, reported that an employee impermissibly sent an email containing the protected health information (PHI) of 1,626 individuals to her personal email account. The PHI involved included names, dates of birth, and treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE sanctioned the employee, worked with local law enforcement, conducted retraining, and added administrative safeguards. OCR provided technical assistance regarding the HIPAA Rules. | No | names, dates of birth | dates of birth | treatment information | treatment information | ||||||||||||||||||||
90 | Mountain View Hospital | ID | Healthcare Provider | 441,903 | 2023-07-03 | Hacking/IT Incident | Network Server | No | Mountain View Hospital, the covered entity (CE), reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 441,903 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, health insurance information, lab results, medications, diagnoses, and additional treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE retrained its workforce members and implemented additional administrative and technical safeguards. | Yes | diagnoses, lab results | addresses | drivers’ license | names | dates of birth | health insurance information | additional treatment information | Social Security numbers | medications | ||||||||||||||
91 | Eastern Connecticut Health Network | CT | Healthcare Provider | 912 | 2023-07-02 | Unauthorized Access/Disclosure | No | The covered entity (CE), Eastern Connecticut Health Network, reported that a workforce member sent an email disclosing the protected health information (PHI) of 912 individuals without utilizing the blind carbon copy function. The PHI involved included names and email addresses. The CE notified HHS, affected individuals, and the media. In response to the breach the CE retrained the workforce member on email protocol and the requirement to protect and secure sensitive data. | No | names and email addresses | names and email addresses | ||||||||||||||||||||||
92 | Health First Health Plans | FL | Health Plan | 701 | 2023-06-30 | Unauthorized Access/Disclosure | Paper/Films | No | No | ||||||||||||||||||||||||
93 | Deanco Healthcare LLC dba Mission Community Hospital | CA | Healthcare Provider | 269,847 | 2023-06-30 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Deanco Healthcare dba Mission Community Hospital, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 269,847 individuals. The PHI involved included names, dates of birth, drivers’ license information, Social Security numbers, claims information, diagnoses, medications, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring to affected individuals and implemented additional technical safeguards to better protect its PHI. OCR provided technical assistance regarding the HIPAA Rules. | Yes | diagnoses, medications, and other treatment information | drivers’ license information | names | dates of birth | diagnoses, medications, and other treatment information | Social Security numbers | medications | Social Security numbers | |||||||||||||||
94 | Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 342,176 | 2023-06-30 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), Orrick, Herrington, and Sutcliffe, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 342,176 individuals. The PHI involved included names, health insurance information, diagnoses, email addresses, phone numbers, Social Security numbers, birthdates, and home addresses. The BA notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the BA provided complimentary credit monitoring services and implemented additional administrative and technical safeguards to better protect PHI. | No | diagnoses | home addresses | names | email addresses | phone numbers | birthdates | health insurance information | Social Security numbers | |||||||||||||||
95 | Arizona Health Care Cost Containment System | AZ | Health Plan | 2,632 | 2023-06-30 | Unauthorized Access/Disclosure | Network Server | No | The covered entity (CE), the Arizona Health Care Cost Containment System, reported that a computer programming error allowed individuals to view the protected health information (PHI) of 2,632 individuals via the Internet. The PHI involved included names, addresses, dates of birth, Social Security numbers, and other identifiers. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE strengthened its technical safeguards to better protect sensitive data. OCR provided technical assistance regarding the HIPAA Rules. | No | names, addresses, dates of birth, Social Security numbers, and other identifiers | names | dates of birth | Social Security numbers, and other identifiers | Social Security numbers | ||||||||||||||||||
96 | Imagine360 | PA | Business Associate | 132,807 | 2023-06-30 | Hacking/IT Incident | Network Server | Yes | The business associate (BA), Imagine360, reported that two of its vendors experienced a cyber-attack that compromised the protected health information (PHI) of 132,807 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, financial information, and diagnoses. The BA notified HHS, affected individuals, the media, and provided substitute notice on its website. In response to the breach, the BA offered identity protection services and the BA implemented additional technical safeguards. | No | financial information | diagnoses | addresses | drivers’ license and Social Security numbers | names | ||||||||||||||||||
97 | Recovery Centers of America | PA | Healthcare Provider | 2,220 | 2023-06-30 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Recovery Centers of America, reported that its business associate (BA) was the victim of a ransomware attack affecting the protected health information (PHI) of 2,220 individuals. The PHI involved included names, addresses, and dates of birth. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the BA implemented additional technical safeguards. | Yes | names, addresses, and dates of birth | names, addresses, and dates of birth | names, addresses, and dates of birth | ||||||||||||||||||||
98 | Itasca County Health & Human Services | MN | Healthcare Provider | 1,413 | 2023-06-27 | Hacking/IT Incident | No | The covered entity (CE), Itasca County Health & Human Services, reported that an employee experienced an email phishing incident that affected the protected health information (PHI) of 1,413 individuals. The PHI involved included names, Social Security and drivers’ license numbers, diagnoses, lab results, medications, addresses, birthdates, and claims and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE provided free credit monitoring services and created a toll-free number for questions or concerns. In addition, the CE implemented additional administrative and technical safeguards to better protect its PHI. Staff were retrained on email security. | No | diagnoses, lab results, medications | drivers’ license numbers | names | birthdates | claims and other treatment information | |||||||||||||||||||
99 | Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | 2023-06-26 | Hacking/IT Incident | Network Server | No | The covered entity (CE), Tidewater Diagnostic Imaging, reported that its business associate (BA) was the victim of a hacking attack affecting the protected health information (PHI) of 40,195 individuals. The PHI involved included names, Social Security numbers, dates of service, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE and BA implemented additional administrative, technical and security safeguards to better protect its sensitive data. | No | other treatment information | names | dates of service | other treatment information | Social Security numbers | Social Security numbers | |||||||||||||||||
100 | University of Pittsburgh Medical Center | PA | Healthcare Provider | 1,533 | 2023-06-26 | Hacking/IT Incident | Network Server | Yes | The covered entity (CE), University of Pittsburgh Medical Center, reported that its business associate (BA) was the victim of a ransomware attack affecting the protected health information (PHI) of 1,533 individuals. The PHI involved included names, dates of birth, addresses, and Social Security numbers. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE strengthened its technical safeguards and provided complimentary credit monitoring services to affected individuals. | Yes | names, dates of birth, addresses, and Social Security numbers | names, dates of birth, addresses, and Social Security numbers | names, dates of birth, addresses, and Social Security numbers | names, dates of birth, addresses, and Social Security numbers |