"Location" "CoveredEntityName" "CoveredEntityType" "IndividualsAffected" "BreachSubmissionDate" "BreachType" "BreachedInformationLocation" "BusinessAssociatePresent" "WebDescription" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Brooke Army Medical Center" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2009, 10, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle.The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers.In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder.Following OCR's investigation, the CE notified the local media about the breach." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Mid America Kidney Stone Association, LLC" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2009, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE).Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved.The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS.Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring.It improved technical safeguards by installing enhanced antivirus and encryption software.As a result of OCR's investigation the CE updated its computer password policy." 
"Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Alaska Department of Health and Social Services" "Healthcare Provider" "Quantity[501, ""People""]" "DateObject[{2009, 10, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Health Services for Children with Special Needs, Inc." "Health Plan" "Quantity[3800, ""People""]" "DateObject[{2009, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "A laptop was lost by an employee while in transit on public transportation.The computer contained the protected health information of 3800 individuals.The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians.In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules.The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment.In addition, all employees received additional security training." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mark D. 
Lurie, MD" "Healthcare Provider" "Quantity[5166, ""People""]" "DateObject[{2009, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity.The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indiv's and the appropriate media;added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "L. Douglas Carlson, M.D." "Healthcare Provider" "Quantity[5257, ""People""]" "DateObject[{2009, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. 
The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE.The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "David I. 
Cohen, MD" "Healthcare Provider" "Quantity[857, ""People""]" "DateObject[{2009, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar.The Computer contained certain electronic protected health information (ePHI) of 857 patients.The ePHI involved in the breach included names, dates of birth, and clinical information.Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Michele Del Vicario, MD" "Healthcare Provider" "Quantity[6145, ""People""]" "DateObject[{2009, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity.The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. 
Following the breach, the CE: notified all6,145 affected individuals and the appropriate media;added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Joseph F. Lopez, MD" "Healthcare Provider" "Quantity[952, ""People""]" "DateObject[{2009, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "City of Hope National Medical Center" "Healthcare Provider" "Quantity[5900, ""People""]" "DateObject[{2009, 11, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen from a workforce member's car. 
The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops.Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "The Children's Hospital of Philadelphia" "Healthcare Provider" "Quantity[943, ""People""]" "DateObject[{2009, 11, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen from a hospital employee’s vehicle.The computer contained the protected health information (PHI) of 943 individuals and included names, contact information, dates of birth, social security numbers, medical record numbers, and health insurance information including diagnosis codes and billing code descriptions.The CE provided breach notification to HHS, affected individuals, and the media.In response to this incident, the CE accelerated and completed implementation of a pre-existing plan to encrypt all hospital laptops.Additionally, the CE revised its information security policies and retrained its workforce.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Cogent Healthcare, Inc." "Business Associate" "Quantity[6400, ""People""]" "DateObject[{2009, 11, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A laptop was stolen from a locked office at the Aurora St. 
Lukes Medical Center.The laptop contained protected health information pertaining to 6,400 individuals.The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes.In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Democracy Data & Communications, LLC (" "Business Associate" "Quantity[83000, ""People""]" "DateObject[{2009, 12, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach.Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members.The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents).The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach.In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach.The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009.The covered entity also created and implemented a new policy 
titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release.Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kern Medical Center" "Healthcare Provider" "Quantity[596, ""People""]" "DateObject[{2009, 12, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Rick Lawson, Professional Computer Services" "Business Associate" "Quantity[2000, ""People""]" "DateObject[{2009, 12, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record, Network Server" "True" "The covered entity (CE) changed the business associate (BA) it used as its information technology vendor.During the transition, a workforce member of the outgoing BA entered the CE's computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. 
The BA also removed the CE's backup program and deactivated all of its antivirus software.The breach affected approximately 2,000 individuals.The protected health information (PHI) involved in the breach included patients' names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records.The CE provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CE's master system and enabled direct controls for the CE.A new server was installed with no ties to the previous BA.The new BA corrected the CE's passwords and settings, mitigating the issues caused by the previous vendor.The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule.As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Detroit Department of Health and Wellness Promotion" "Healthcare Provider" "Quantity[646, ""People""]" "DateObject[{2009, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "A desktop and four laptop computers were stolen from the covered entity's locked facility.The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks.The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. 
Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Detroit Department of Health and Wellness Promotion" "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2009, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, San Francisco" "Healthcare Provider" "Quantity[610, ""People""]" "DateObject[{2009, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Daniel J. Sigman MD PC" "Business Associate" "Quantity[1860, ""People""]" "DateObject[{2010, 1, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Other, Other Portable Electronic Device" "True" "Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. 
The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information.Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. " "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Service Benefits Plan Administrative Services Corp" "Business Associate" "Quantity[3400, ""People""]" "DateObject[{2010, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals.The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement.Specifically, the BA updated its processes and created an incident tracking report.In addition, a contract was executed for a new vendor to handle mail address verification. 
Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Massachusetts Eye and Ear Infirmary" "Healthcare Provider" "Quantity[1076, ""People""]" "DateObject[{2010, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals.The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card.OCR reviewed the CE's breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Merkle Direct Marketing" "Business Associate" "Quantity[15000, ""People""]" "DateObject[{2010, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process.The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. 
Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kaiser Permanente Medical Care Program" "Healthcare Provider" "Quantity[15500, ""People""]" "DateObject[{2010, 1, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entity's (CE) employee.The ePHI involved in the breach included names, medical record numbers, and treatment information.A subset of records may also have included dates of birth, age, gender, and phone numbers.Following the breach, the responsible employee was terminated for violating the CE's policies.OCR obtained assurances of the CE's policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS.In addition, the CE deployed encryption software for removable media." "Entity[""AdministrativeDivision"", {""Idaho"", ""UnitedStates""}]" "United Micro Data" "Business Associate" "Quantity[2562, ""People""]" "DateObject[{2010, 1, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered.Approximately 2,000 individuals were affected by the breach. 
The PHI included demographic, financial, and clinical information.The CE provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail.Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Goodwill Industries of Greater Grand Rapids, Inc." "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2010, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes.The breach affected approximately 10,000 individuals.The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers.The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill.The tapes are now kept in a commercial grade safe with a combination lock.The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Children's Medical Center of Dallas" "Healthcare Provider" "Quantity[3800, ""People""]" "DateObject[{2010, 1, 18}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Ashley and Gray DDS" "Healthcare Provider" "Quantity[9309, ""People""]" "DateObject[{2010, 1, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Concentra" "Healthcare Provider" "Quantity[900, ""People""]" "DateObject[{2010, 1, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entity's (CE) facilities.The ePHIincluded demographic and clinical data.Following the breach, the CE filed a police report and notified affected patients, HHS and the media.Following OCR's investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases.The CE also implemented physical and technical safeguards for all testing devices that contain ePHI andreplacedoutdated machines that could not be encrypted.Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted.OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Advocate Health Care" "Healthcare Provider" "Quantity[812, ""People""]" "DateObject[{2010, 1, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On November 24, 2009, an Advocate nurse's laptop computer was stolen.The missing laptop computer contained the protected health information of approximately 812 individuals.The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCR's investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The Methodist Hospital" "Healthcare Provider" "Quantity[689, ""People""]" "DateObject[{2010, 1, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "An unencrypted laptop computer was stolen from the covered entity's unlocked testing office.The laptop computer contained the protected health information of approximately 689 individuals.The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals.Following the breach, the covered entity restricted the storage of electronic protected health information to network drives.Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, San Francisco" "Healthcare Provider" "Quantity[7300, ""People""]" "DateObject[{2010, 1, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Carle Clinic Association" "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2010, 1, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Health Behavior Innovations (HBI)" "Business Associate" "Quantity[5700, ""People""]" "DateObject[{2010, 2, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entity's (CE) locked medical office.The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers.Following OCR's investigation, the CE improved its physical safeguards and retrained employees." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Center for Neurosciences" "Healthcare Provider" "Quantity[1100, ""People""]" "DateObject[{2010, 2, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "Blue Cross Blue Shield of RI" "Business Associate" "Quantity[528, ""People""]" "DateObject[{2010, 2, 16}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents.The reports contained the PHI of approximately 528 individuals.The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers.Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud." 
"Entity[""Country"", ""PuertoRico""]" "MSO of Puerto Rico" "Business Associate" "Quantity[605, ""People""]" "DateObject[{2010, 2, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals.The PHI included names, internal identification numbers, and the number of emergency room visits.Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail.As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings.The CE also provided training to all staff on its revised privacy and security policies and procedures." "Entity[""Country"", ""PuertoRico""]" "MSO of Puerto Rico, Inc. " "Business Associate" "Quantity[1907, ""People""]" "DateObject[{2010, 2, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals.The PHI included names, internal identification numbers, and the number of emergency room visits.Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail.As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings.The CE also provided training to all staff on its revised privacy and security policies and procedures." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Cardiology Consultants/Baptist Health Care Corporation" "Healthcare Provider" "Quantity[8000, ""People""]" "DateObject[{2010, 2, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite.The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound.The computer that was stolen used proprietary software and a special electronic key to access the PHI.The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website.Following the breach, the CE worked with law enforcement to identify the possible suspect.The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI.As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "State of TN, Bureau of TennCare" "Health Plan" "Quantity[3900, ""People""]" "DateObject[{2010, 2, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency.The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications.Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters.The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website.It also offered affected individuals one year of free credit monitoring and comprehensive credit services.The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI.OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Lucille Packard Children's Hospital" "Healthcare Provider" "Quantity[532, ""People""]" "DateObject[{2010, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Other" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "University of New Mexico Health Sciences Center" "Healthcare Provider" "Quantity[1900, ""People""]" "DateObject[{2010, 2, 23}, ""Day"", ""Gregorian"", -5.]" "Other" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Advanced NeuroSpinal Care" "Healthcare Provider" "Quantity[3500, ""People""]" "DateObject[{2010, 2, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE).The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up.The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement.In addition, the CE established an office-based hotline to assist affected individuals.As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Central Brooklyn Medical Group, PC" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2010, 2, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office.The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information.Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen.As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs.In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly.Further, the CE replaced the manual process of printing certain records with an electronic verification system.The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. 
" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Shands at UF" "Healthcare Provider" "Quantity[12580, ""People""]" "DateObject[{2010, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee.The stolen information included patient names, social security numbers, and medical record numbers.As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training.OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security.OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption." 
"Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Wyoming Department of Health" "Health Plan" "Quantity[9023, ""People""]" "DateObject[{2010, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Thrivent Financial for Lutherans" "Health Plan" "Quantity[9500, ""People""]" "DateObject[{2010, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered.The missing laptop computer contained the protected health information of approximately 9,400 individuals.The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation.The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance. 
" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "North Carolina Baptist Hospital" "Healthcare Provider" "Quantity[554, ""People""]" "DateObject[{2010, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An employee’s car was broken into and a tote bag, which had a paper spreadsheet containing protected health information (PHI), was stolen.The spreadsheet contained PHI pertaining to 554 patients and included patients’ names, ages, weight, race, social security numbers, and blood and tissue typing.The covered entity (CE), North Carolina Baptist Hospital, provided breach notification to HHS, affected individuals, and the media, and offered affected individuals a year of credit monitoring services along with a toll-free number to contact.Following the breach, the CE reviewed the applicable policies and procedures with the clinic responsible, revised the spreadsheet to no longer include patients’ social security numbers, and counseled and warned the involved employee about the requirements for properly safeguarding PHI.Additionally, the Chief Executive Officer of the Medical Center emailed all employees to re-educate them about the importance of properly safeguarding PHI and the expectations for compliance and commitment to adhering to federal and state privacy and security laws.As a result of OCR’s investigation, the CE provided an alternate, secure way to electronically access the clinic spreadsheet, installed video cameras in the parking dock, and externally inspected employee vehicles to assure no PHI was visible.The CE established a Privacy and Information Security Council to help identify ways to improve and strengthen privacy and security policies and practices." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Montefiore Medical Center" "Healthcare Provider" "Quantity[625, ""People""]" "DateObject[{2010, 3, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van.The ePHI included names, dates of birth, medical record numbers and dental x-rays.Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals.As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop.In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van.The CE developed a new policy on ePHI security and retrained all staff.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Ernest T. Bice, Jr. DDS, P.A." "Healthcare Provider" "Quantity[21000, ""People""]" "DateObject[{2010, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office.The laptop computer contained the protected health information of approximately 21,000 individuals.The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories.Following the breach, the covered entity moved back-up data offsite and encrypted all workstations.Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Lee Memorial Health System" "Healthcare Provider" "Quantity[3800, ""People""]" "DateObject[{2010, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Laboratory Corporation of America/Dynacare Northwest, Inc." "Healthcare Provider" "Quantity[5080, ""People""]" "DateObject[{2010, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen from a workforce member's car.The laptop computer contained the protected health information of approximately 5080 individuals.The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results.Following the breach, the covered entity encrypted all laptop computers." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Mount Sinai Medical Center" "Healthcare Provider" "Quantity[2600, ""People""]" "DateObject[{2010, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Griffin Hospital" "Healthcare Provider" "Quantity[957, ""People""]" "DateObject[{2010, 3, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Hypertension, Nephrology, Dialysis and Transplantation, PC" "Healthcare Provider" "Quantity[2465, ""People""]" "DateObject[{2010, 3, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Computer Program and Systems, Inc. (CPSI)" "Business Associate" "Quantity[768, ""People""]" "DateObject[{2010, 3, 30}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "Email" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Laboratory Corporation of America / US LABS / Dianon Systems, Inc" "Healthcare Provider" "Quantity[2773, ""People""]" "DateObject[{2010, 4, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "An external hard drive containing ePHI of 2,773 individuals was stolen.The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers.CE advises OCR that notice to the individuals went out April 13 and 14, 2010.The media (St. Petersburg Times) was notified.CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "University of Pittsburgh Student Health Center" "Healthcare Provider" "Quantity[8000, ""People""]" "DateObject[{2010, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "VHS Genesis Lab Inc. " "Healthcare Provider" "Quantity[6800, ""People""]" "DateObject[{2010, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), VHS Genesis Lab, Inc., misplaced a month’s worth of client invoices which were never located. The invoices contained the protected health information (PHI) of over 500 individuals and included names, dates of birth, and medical testing information.The CE provided breach notification to HHS, affected individuals and the media, and placed notice on its website.Following the breach, the CE arranged for a business associate to handle the mailing of invoices.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Providence Hospital" "Healthcare Provider" "Quantity[83945, ""People""]" "DateObject[{2010, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Pediatric Sports and Spine Associates" "Healthcare Provider" "Quantity[955, ""People""]" "DateObject[{2010, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop was stolen from an employee's vehicle.The laptop contained the protected health information of approximately 955 individuals.The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information.Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software.The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "McKesson Information Solutions, LLC" "Business Associate" "Quantity[660, ""People""]" "DateObject[{2010, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Affinity Health Plan, Inc." "Health Plan" "Quantity[344579, ""People""]" "DateObject[{2010, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. 
Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR's investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. 'This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent,' said OCR Director Leon Rodriguez. 
'HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information.' In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI." "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Tomah Memorial Hospital" "Healthcare Provider" "Quantity[600, ""People""]" "DateObject[{2010, 4, 16}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "A nurse impermissibly used the protected health information (PHI) of approximately 600 patients to obtain narcotics from the covered entity (CE), Tomah Memorial Hospital, for her own use. The PHI involved in the breach included patients’ names and account numbers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved safeguards by creating a monthly audit of Schedule II narcotics, matched to the dispense log, medical order, and bill. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee’s employment." "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Praxair Healthcare Services, Inc. (Home Care Supply in NY)" "Healthcare Provider" "Quantity[54165, ""People""]" "DateObject[{2010, 4, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. 
The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Massachusetts Eye and Ear Infirmary" "Healthcare Provider" "Quantity[3594, ""People""]" "DateObject[{2010, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "Blue Cross & Blue Shield of Rhode Island" "Health Plan" "Quantity[12000, ""People""]" "DateObject[{2010, 4, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above."
"Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "South Carolina Department of Health and Environmental Control" "Health Plan" "Quantity[2850, ""People""]" "DateObject[{2010, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "St. Joseph Heritage Healthcare" "Healthcare Provider" "Quantity[22012, ""People""]" "DateObject[{2010, 4, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "22 computers were stolen from Clinical Management Service office.Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "John Muir Physician Network" "Healthcare Provider" "Quantity[5450, ""People""]" "DateObject[{2010, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE.The ePHI included patient names, dates of birth, and social security numbers.The CE provided breach notification to all affected individuals, HHS, and the media.As a result of OCR's investigation, the CE installed encryption software and increased physical security." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Medical Center At Bowling Green" "Healthcare Provider" "Quantity[5148, ""People""]" "DateObject[{2010, 4, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealth Group health plan single affiliated covered entity" "Health Plan" "Quantity[735, ""People""]" "DateObject[{2010, 4, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "On March 2, 2010, the covered entity (CE), UnitedHealth Group, discovered that remittance forms containing member information which accompany paper checks were stolen.The invoices contained the protected health information (PHI) of over 735 individuals.The types of PHI included demographic and claims information.The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with credit monitoring services.Following the breach, the CE reviewed its payment and remittance information controls and notified its provider call centers to remain on a high level alert to monitor all remittance payments.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "TOWERS WATSON" "Business Associate" "Quantity[1874, ""People""]" "DateObject[{2010, 4, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI)while transporting the disks between two BA offices.The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals.The BA notified all affected individuals and provided two years of enhanced credit services.The CE notified HHS and the media and posted substitute notice on its website.The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files.After OCR's investigation, the CE updated its privacy and breach notification policies and procedures." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "South Texas Veterans Health Care System" "Healthcare Provider" "Quantity[1430, ""People""]" "DateObject[{2010, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Rockbridge Area Community Services" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2010, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Millennium Medical Management Resources, Inc." 
"Business Associate" "Quantity[180111, ""People""]" "DateObject[{2010, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Miami VA Healthcare System" "Healthcare Provider" "Quantity[568, ""People""]" "DateObject[{2010, 5, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A covered entity's (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered.The PHI affected by the breach included names and partial social security numbers.Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books.Following OCR's investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI.Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards.Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals' accounting log." 
"Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "VA Eastern Colorado Health Care System" "Healthcare Provider" "Quantity[649, ""People""]" "DateObject[{2010, 5, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days.The box contained the PHI of 649 patients.The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers.Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached.The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Heriberto Rodriguez-Ayala, M.D." "Healthcare Provider" "Quantity[4200, ""People""]" "DateObject[{2010, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle.The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers.The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media.As a result of OCR's investigation the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations." 
"Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Georgetown University Hospital" "Healthcare Provider" "Quantity[2416, ""People""]" "DateObject[{2010, 5, 13}, ""Day"", ""Gregorian"", -5.]" "Other, Theft" "Email, Other Portable Electronic Device" "False" "An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol.The research office stored the electronic information on an external hard drive that was later stolen.The device contained the PHI of 2,416 individuals.The PHI involved in the breach included names, dates of birth, and clinical information.In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling.Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Silicon Valley Eyecare Optometry and Contact Lenses" "Healthcare Provider" "Quantity[40000, ""People""]" "DateObject[{2010, 5, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "A computer network server and a television were stolen from the covered entity (CE), Silicon Valley Eyecare.The CE’s network sever contained the electronic protected health information (ePHI) of approximately 40,000 individuals and included demographic information, social security numbers, diagnoses, and insurance information.The CE investigated the incident and provided breach notification to HHS, affected individuals, and media.As a result of OCR’s investigation, the CE provided its most recent risk analysis, risk management plan, security training program, and policies and procedures regarding administrative, physical and technical safeguards. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Heritage Health Solutions" "Business Associate" "Quantity[656, ""People""]" "DateObject[{2010, 5, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Oconee Physician Practices" "Healthcare Provider" "Quantity[653, ""People""]" "DateObject[{2010, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On May 9, 2010, the covered entity (CE), Oconee Physician Practices, discovered that a password-protected, unencrypted laptop computer used for EKG testing was missing from its facility.The loss potentially exposed the demographic and clinical information of 653 individuals.The CE provided breach notification to HHS, affected individuals, and the media.The CE improved safeguards by changing access codes and physical locks to the building and retrained its workforce on the importance of password protection and laptop security.The CE developed a plan to create a stronger 
policy for asset tracking, accountability, and activity monitoring and upgrade its procedures for password strength, automatic log-off capabilities, and limiting the number of sign-on attempts.The CE also developed a plan to encrypt laptops and other portable media containing electronic protected health information (ePHI).OCR reviewed the CE’s policies and procedures and supporting documents." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "University of Rochester Medical Center and Affiliates" "Healthcare Provider" "Quantity[2628, ""People""]" "DateObject[{2010, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), University of Rochester Medical Center and Affiliates, reported that on April 19, 2010, 2,628 patient billing statements for Strong Memorial Hospital were sent to the wrong patients.The statements contained patients’ names, addresses, guarantors’ names, guarantors’ addresses, dollar amounts owed, health insurance plans, subscriber numbers, social security numbers, general descriptions of services rendered (such as inpatient room charge, outpatient visit charge, physical therapy, laboratory, pharmacy, radiology, etc.) and dates of service.The CE provided breach notification to HHS, affected individuals, and the media.As a result of the breach, the CE established a numerical counter to ensure that the numbers of statements that run through the folding machine are matching the numbers of statements that are printing.In addition, a report was added to the statement bundles distributed by the printing center that identifies the number of pages printed for each statement run. 
Further, a quality control process was put into place where a second staff member manually inspects stuffed envelopes on a random basis to ensure that the correct number of pages are inserted as well as verifying that the contents are all for the same patient.As a result of OCR investigation, OCR reviewed a copy of the CE’s risk assessment and policies and procedures relating to uses and disclosures of protected health information (PHI) and safeguarding PHI." "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Omaha Construction Industry , Privacy Manager Breach" "" "Quantity[800, ""People""]" "DateObject[{2010, 5, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "City of Charlotte, NC (Health Plan)" "Health Plan" "Quantity[5220, ""People""]" "DateObject[{2010, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "VA North Texas Health Care System" "Healthcare Provider" "Quantity[4083, ""People""]" "DateObject[{2010, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Rainbow Hospice and Palliative Care" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An employee's laptop was stolen out of her bag while she was making an admission visit in a patient's home.The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time.The invoices contained the protected health information (PHI) of approximately 1,000 individuals.The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, 
Social Security numbers, Medicare numbers, electronic health records and commercial insurance information.Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again." "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Occupational Health Partners" "Healthcare Provider" "Quantity[1105, ""People""]" "DateObject[{2010, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program" "Healthcare Provider" "Quantity[708, ""People""]" "DateObject[{2010, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "An outside computer’s unique numerical code (Internet Protocol address) accessed the covered entity’s (CE) website which contained a database containing the protected health information of 708 patients.The types of PHI involved in the breach included names, social security numbers, and treatment information.The CE provided breach notification to HHS and affected individuals.Following the breach, the CE disabled the website containing the breached PHI.As a result of OCR’s investigation, the CE removed social security numbers from its site, added a time out feature, retrained staff, and completed a risk assessment." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Cincinnati Childrens Hospital Medical Center " "Healthcare Provider" "Quantity[60998, ""People""]" "DateObject[{2010, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce member's car.The ePHI stored on the laptop included names, medical record numbers, and services received.The covered entity (CE) provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "AvMed, Inc." "Health Plan" "Quantity[1220000, ""People""]" "DateObject[{2010, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises.The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data.After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops.As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule.The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals." 
"Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Nihal Saran, MD " "Healthcare Provider" "Quantity[2300, ""People""]" "DateObject[{2010, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence.The laptop contained the PHI of approximately 2,300 individuals.The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses.Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Siemens Medical Solutions, USA, Inc" "Business Associate" "Quantity[130495, ""People""]" "DateObject[{2010, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center.The CD's, containing back-up data, were lost in transit.The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers.The CE provided breach notification to affected individuals, HHS, and the media.Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs.As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs.The CE also implemented a 
procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealth Group health plan single affiliated covered entity" "Health Plan" "Quantity[16291, ""People""]" "DateObject[{2010, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Paper correspondence to certain members in UnitedHealth's prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error.Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. " "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "St. 
Jude Children's Research Hospital" "Healthcare Provider" "Quantity[1745, ""People""]" "DateObject[{2010, 6, 8}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "DentaQuest" "Business Associate" "Quantity[10515, ""People""]" "DateObject[{2010, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest.The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members.The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers.The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website.The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption.Further, the BA established a policy to prohibit contractors from storing PHI on laptops.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Comprehensive Care Management Corporation" "Health Plan" "Quantity[1020, ""People""]" "DateObject[{2010, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Email, Laptop, Network Server" "False" "OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization.The ePHI included names, addresses, and enrollment information.Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor.As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information.In addition, the CE provided training to all staff on its HIPAA policies and procedures.The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "The Children's Medical Center of Dayton" "Healthcare Provider" "Quantity[1001, ""People""]" "DateObject[{2010, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "University of Kentucky" "Healthcare Provider" "Quantity[2027, ""People""]" "DateObject[{2010, 6, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer containing the protected health information (PHI) of approximately 2,027 individuals was stolen from the covered entity (CE), University of Kentucky, Department of Pediatrics.The information was part of the New Born Screening Program sent to that department by the state screening program.The types of PHI involved in the breach included demographic information, specifically, names, addresses, dates of birth, social security numbers, and other identifiers, and clinical information.As a result of OCR’s investigation the CE provided OCR with an updated status report of its encryption project that it had previously reported as one of its corrective measures. It also trained workforce members on encryption of computing devices and provided reminders to workforce members about its facility locking procedures.Additionally, the CE provided a report of its information security assessment with details of security gaps as evidence of its risk analysis, along with recommendations for remediation of the gaps identified in the assessment.The CE also improved physical safeguards.The CE provided documentation of compliance with the applicable notification provisions of the Breach Notification Rule.It also updated its accounting of disclosures policy, and drafted a new policy relating to accounting of disclosures regarding breach incidents. 
" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "alma aguado md pa" "Healthcare Provider" "Quantity[600, ""People""]" "DateObject[{2010, 6, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office.The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers.As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Augusta Data Storage, Inc" "Business Associate" "Quantity[14000, ""People""]" "DateObject[{2010, 6, 21}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "University Health System" "Healthcare Provider" "Quantity[7526, ""People""]" "DateObject[{2010, 6, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Aramark Healthcare Support Services, LLC" "Business Associate" "Quantity[937, ""People""]" "DateObject[{2010, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "True" "A business associate employee sent an email to multiple patients without concealing patient email addresses.The message concerned a dietary program in which the names and email addresses were visible to all recipients.The breach affected 937 individuals.In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark.The business associate counseled the employee responsible for the breach and retrained all 
employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Mary M. Desch,MD/PathHealer, LTD" "Healthcare Provider" "Quantity[5893, ""People""]" "DateObject[{2010, 6, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Children's Hospital & Research Center at Oakland" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 6, 29}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Centerstone" "Healthcare Provider" "Quantity[1537, ""People""]" "DateObject[{2010, 7, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Paper/Films" "False" "A major flooding event damaged a building where the CE operated its school-based program offices.The flooding was so significant that the area was deemed a federal disaster area.An estimated 1,537 individuals were affected by the loss of data due to flood damage.The types of PHI involved were names, addresses, dates of birth, and social security numbers.After the flood, the CE attempted to collect as much PHI as it could from the site but access was limited by authorities because the building was deemed toxic and salvage cleanup commenced prior to the CE's ability to access the building.PHI in paper format was either washed away or disposed of during salvage procedures.Computers and equipment in the building were destroyed by water damage.Because the CE relied primarily on their electronic health records stored on an offsite server, medical data was still intact for continuity of care purposes.The CE provided breach notification to individuals, HHS, and the media, and posted substitute notice on its website.The CE has since moved 
its school-based operations to a CE owned facility.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Care 1st Health Plan" "Business Associate" "Quantity[29000, ""People""]" "DateObject[{2010, 7, 6}, ""Day"", ""Gregorian"", -5.]" "Loss, Other" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU Hospitals Center" "Healthcare Provider" "Quantity[2563, ""People""]" "DateObject[{2010, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals.The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians' names, anesthesiologists' names, types of anesthesia, times of arrival in the recovery room, and times of discharge.Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter.The CE provided breach notification to HHS, the media, and affected individuals.As a result of OCR's investigation, the CE stopped using USB drives and local desktop computers for data storage.In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE.Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI.The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Long Island Consultation Center" "Healthcare Provider" "Quantity[800, ""People""]" "DateObject[{2010, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals.The ePHI included names, dates of birth, diagnoses, and other treatment information.Upon discovery of the breach, the CE conducted a search for the portable device.The CE provided breach notification to HHS, the media, and affected individuals.As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. " "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "SunBridge Healthcare Corporation" "Healthcare Provider" "Quantity[3830, ""People""]" "DateObject[{2010, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer containing the electronic protected health information (EPHI) of 3,830 individuals was stolen out of a workforce member’s vehicle.The types of ePHI included names, birthdates, social security numbers, claims information, financial information, diagnoses/conditions, medications, lab results, and other treatment information. The covered entity (CE), SunBridge Healthcare Corporation, provided breach notification to HHS, affected individuals, and the media, and provided individuals with identity theft protection services. As a result of OCR’s investigation the CE updated its risk analysis, re-educated its workforce members on proper laptop security protocols, and installed encryption software to protect ePHI." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Florida" "Healthcare Provider" "Quantity[2047, ""People""]" "DateObject[{2010, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), University of Florida Department of Epidemiology and Health Policy Research, mailed approximately 2,047 letters that contained an identifier on the address label that was an adaptation of either a child’s social security number or Medicaid identification number.The types of protected health information (PHI) involved in the breach included names, social security numbers, or Florida Medicaid numbers of the patients.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE recalled the faulty files from the printing company and the medical survey company and updated its procedures and forms to ensure that data is handled in accordance with the Privacy Rule.The CE provided OCR with its 2011 Training Schedule for Research Coordinators at the Institute of Child Health Policy (ICHP).Included in this year-long training is a section dedicated to Regulatory Compliance, including the importance of HIPAA and data security.The CE also sanctioned the employees involved in the breach.OCR’s investigation resulted in the CE improving its physical safeguards and retraining employees." 
"Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Governor's Office of Information Technology" "Business Associate" "Quantity[105470, ""People""]" "DateObject[{2010, 7, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Prince William County Community Services (CS)" "Healthcare Provider" "Quantity[669, ""People""]" "DateObject[{2010, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealthcare Insurance Company " "Business Associate" "Quantity[1097, ""People""]" "DateObject[{2010, 7, 17}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Iron Mountain Data Products, Inc. (now known as " "Business Associate" "Quantity[800000, ""People""]" "DateObject[{2010, 7, 19}, ""Day"", ""Gregorian"", -5.]" "Loss" "Electronic Medical Record, Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Montefiore Medical Center" "Healthcare Provider" "Quantity[23753, ""People""]" "DateObject[{2010, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals.The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic.Upon discovery of the breach, the CE filed a police report and provided breach notification to affected 
individuals, HHS, and the media.As a result of OCR's investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras.Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers.The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Medina OB/GYN Associates, Inc" "Business Associate" "Quantity[1200, ""People""]" "DateObject[{2010, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The University of Texas at Arlington" "Healthcare Provider" "Quantity[27000, ""People""]" "DateObject[{2010, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "A file server at the Office of Health Services was compromised and impermissibly accessed.The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source.The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers.Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media.Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards." 
"Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "DC Chartered Health Plan, Inc" "Health Plan" "Quantity[540, ""People""]" "DateObject[{2010, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Montefiore Medical Center" "Healthcare Provider" "Quantity[16820, ""People""]" "DateObject[{2010, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE).The ePHI included medical record numbers, dates of birth, admission /discharge dates, billing codes, and social security numbers.Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals.It also provide substitute notification by posting on its website.As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows.In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." 
"Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Aetna" "Health Plan" "Quantity[6372, ""People""]" "DateObject[{2010, 7, 27}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Charles Mitchell MD" "Healthcare Provider" "Quantity[6873, ""People""]" "DateObject[{2010, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A burglary occurred at the covered entity's (CE) facility and two desktop computers containing protected health information (PHI) were stolen.Approximately 6873 individuals were affected.The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information.OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor College of Medicine" "Healthcare Provider" "Quantity[1646, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer was stolen from an administrative office.The laptop contained the protected health information (PHI) of approximately 1,618 patients (originally reported as 1,646).The types of PHI involved in the breach included the demographic and clinical information of pediatric cardiology patients, including names, medical record numbers, dates of service, diagnoses, and dates of birth.Following the breach, the covered entity (CE), Texas Children’s Hospital, and Baylor College of Medicine (which filed a separate breach report) jointly notified the affected individuals and the local media after a delay due to a law enforcement request.As a result of OCR’s investigation, the CE revised several information technology policies and modified physical safeguards." 
"Missing[""NoInput""]" "Mercer" "Business Associate" "Quantity[1073, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Matrix Imaging" "Business Associate" "Quantity[2631, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity's (CE) business associate (BA) sent coverage determination letters to incorrect addresses, affecting 2,631 individuals.The protected health information (PHI) included names, addresses, unique CE identification numbers, and prescription drug information.Following the breach, the CE reprinted all erroneous coverage determination letters with an apology notice and provided breach notification to all affected individuals and HHS.The CE implemented additional policies and procedures to ensure mailing list accuracy.Specifically, the CE implemented a multiple-step quality assurance process and established verification with the BA.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.As a result of OCR's investigation, the CE placed a record into its accounting of disclosure records for each individual impacted." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Carolina Center for Development and Rehabilitation" "Healthcare Provider" "Quantity[1590, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity's (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center.The PHI included patients' full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver's license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients.Following the breach, the CE immediately took steps for the records to be returned.The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information.The CE cooperated with the state attorney general's investigation and suspended the responsible staff members.Following OCR's investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach.In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "WellPoint, Inc." 
"Health Plan" "Quantity[31700, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Children's Hospital" "Healthcare Provider" "Quantity[694, ""People""]" "DateObject[{2010, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Wright State Physicians" "Healthcare Provider" "Quantity[1309, ""People""]" "DateObject[{2010, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Other" "Laptop" "False" "On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. " "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Penn Treaty Network America Insurance Company " "Health Plan" "Quantity[560, ""People""]" "DateObject[{2010, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Social security numbers were inadvertently printed on the address labels in a newsletter mailing.The mailing had 560 recipients.The covered entity acted to mitigate the disclosure by verifying that the all mail was correctly delivered.It also counseled the responsible employee and updated its policies and procedures." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Jewish Hospital" "Healthcare Provider" "Quantity[2089, ""People""]" "DateObject[{2010, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "McKesson Pharmacy Systems LLC" "Business Associate" "Quantity[11440, ""People""]" "DateObject[{2010, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Other" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Beauty Dental, Inc." "Healthcare Provider" "Quantity[657, ""People""]" "DateObject[{2010, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Paper/Films" "False" "Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Fort Worth Allergy and Asthma Associates" "Healthcare Provider" "Quantity[25000, ""People""]" "DateObject[{2010, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Several computers, including a server, were stolen during a burglary at the covered entity's (CE) premises. 
The breach affected approximately 25,000 individuals and included names, addresses, dates of birth, social security numbers, driver license numbers, diagnoses, and conditions. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS. It also improved physical security and began using a new model for its management practices with an off-site encrypted database. After the initiation of OCR's investigation, the CE amended its business associate agreement." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Aultman Hospital" "Healthcare Provider" "Quantity[13867, ""People""]" "DateObject[{2010, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A password-protected laptop, which was maintained by the covered entity (CE), Aultman Hospital, was stolen from an employee’s car, which contained the electronic protected health information (ePHI) of approximately 13,867 individuals, including patients’ names, dates of birth, telephone numbers, social security numbers, insurance identification, and health information related to home health services. The CE provided breach notification to HHS, affected individuals, and the media, posted notification of the breach on its website, and reported the theft to the local police department. The CE also offered one year of free credit monitoring services to affected individuals. Following the breach, the CE revised its HIPAA policies and procedures, enhanced encryption and updated software on its laptops, sanctioned employee(s) involved in the breach incident, and retrained its workforce on the revised policies and procedures. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "UNCG Speech and Hearing Center" "Healthcare Provider" "Quantity[2300, ""People""]" "DateObject[{2010, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Computer malware was detected on the covered entity’s (CE) unencrypted billing software program, “Therapist Helper.”The CE did not know when the malware entered its system.Approximately 2,300 individuals were potentially affected by this malware virus.The types of protected health information (PHI) involved included demographic, financial (claims information), and clinical information (diagnoses/conditions, medications, lab results, and other treatment information).Following the breach, the CE applied security and privacy safeguards, mitigated harm, and implemented sanctions.The CE also reported working and cooperating with the local law enforcement.As a result of OCR’s investigation, the CE implementing processes and deployed software to detect, prevent, and mitigate malware on its computers, installed new computers and systems to segregate electronic PHI, and implemented additional procedures to increase awareness of and ensure compliance with technical and physical safeguards.The CE also placed an accounting of disclosures in the medical records of the affected individuals, and complied with the applicable notification provisions of the Breach Notification Rule." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "St. John's Mercy Medical Group" "Healthcare Provider" "Quantity[1907, ""People""]" "DateObject[{2010, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. 
Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Thomas Jefferson University Hospitals, Inc." "Healthcare Provider" "Quantity[21000, ""People""]" "DateObject[{2010, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Idaho"", ""UnitedStates""}]" "Mercer Health & Benefits" "Business Associate" "Quantity[5500, ""People""]" "DateObject[{2010, 8, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "True" "Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. 
Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Ward A. Morris, DDS" "Healthcare Provider" "Quantity[2698, ""People""]" "DateObject[{2010, 8, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "The covered entity’s (CE) computer server containing the electronic protected health information (ePHI) of 2,698 patients was stolen during an office burglary. The server was password-protected but not encrypted. The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, and medical information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice. Following the breach, the CE encrypted all ePHI on computer workstations and servers. As a result of OCR’s investigation, the CE improved its physical safeguards and retrained employees." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Loma Linda University School of Dentistry" "Healthcare Provider" "Quantity[10100, ""People""]" "DateObject[{2010, 8, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Three password protected desktop computers and an auxiliary hard drive containing electronic protected health information (ePHI) was stolen from the covered entity (CE), Redlands Periodontal Group, Loma Linda University School of Dentistry.The ePHI involved in the breach included the demographic information of 10,100 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, The CE conducted an on-site audit of the periodontal clinic and conducted a risk assessment of the 16 clinics under the purview of the School of Dentistry.The CE improved safeguards by replacing the clinic’s computers with computers that do not contain local hard drive storage, issuing remote access credentials, relocating paper patient charts, and deactivating access to network resources from the periodontal facility.It also decommissioned associated equipment and networks, and disposed of computing equipment used in conjunction with daily operations at the periodontal facility.In addition, the CE retrained staff regarding its HIPAA policies and procedures.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Chattanooga Family Practice Associates, P.C." 
"Healthcare Provider" "Quantity[1711, ""People""]" "DateObject[{2010, 8, 16}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "A physician of the CE lost a flash drive which he routinely used for data backup and remote access to patient data.The flash drive contained names, dates of birth and treatment notes for approximately 1,711 patients.Following the breach, the CE notified affected individuals.The CE retrained the physician who lost the flash drive and implemented an organization-wide decision to prohibit storage of protected health information on any removable electronic devices.As a result of OCR’s investigation, the CE notified the media and posting substitute notification on its website. " "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Yale University" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unsecured laptop computer containing sensitive protected health information (PHI) involving the Ryan White Part A program, involving approximately 1,000 individuals, was stolen from an office building on Yale’s premises.The types of PHI contained on the laptop consisted of names, dates of birth, diagnoses/conditions, medications, lab results, and other treatment information.The covered entity (CE) provided breach notification to HHS, the media and affected individuals.Following the breach, the CE installed access card readers for entry to the office suite, inspected the facility’s alarm system, replaced custodial staff, and limited cleaning to office hours.The CE also accelerated the implementation of safeguards created prior to the theft,implemented mandatory encryption for all mobile devices, and created a new system to ensure all employees complete mandatory Privacy and Security Awareness training.The CE also revised several policies and procedures on ePHI security.OCR obtained assurances that the CE 
implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Eastmoreland Surgical Clinic, William Graham, DO" "Healthcare Provider" "Quantity[4328, ""People""]" "DateObject[{2010, 8, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop, Other, Other Portable Electronic Device" "False" "Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Cook County Health & Hospitals System" "Healthcare Provider" "Quantity[7081, ""People""]" "DateObject[{2010, 8, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An employee's laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted.The laptop contained the protected health information (PHI) of approximately 7,000 individuals.The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes.Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Pioneer Valley Pathology" "Business Associate" "Quantity[24750, ""People""]" "DateObject[{2010, 8, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "A Boston Globe employee discovered the unsecured paper medical records of Pioneer Valley Pathology, a group practice with offices inside Holyoke Medical Center (HMC), at a trash transfer station.The breach affected approximately 24,750 individuals.The PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, and medical information.HMC is not the covered entity (CE) responsible for this breach and it field the breach report in error.OCR provided HMC with technical assistance related to breach notification.OCR opened a compliance review against the CE responsible for this breach. 
" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "SunBridge Healthcare Corporation" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 8, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "A BlackBerry personal digital assistant device, which stored the protected health information (PHI) of 1,000 patients, was stolen from a workforce member.The types of PHI involved in the breach included names, birthdates, diagnoses/conditions, and other treatment information.The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft protection services to the individuals.Following the breach, the CE encrypted and password protected all its Blackberry devices.As a result of OCR’s investigation, the CE changed its Blackberry encryption policy." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "KPMG LLP" "Business Associate" "Quantity[956, ""People""]" "DateObject[{2010, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals.The ePHI included names and clinical information.Upon discovery of the breach, the CE's BA conducted a search of the area.The CE provided breach notification to HHS, the Media and affected individuals.As a result of OCR's investigation, the BA installed and implemented encryption software to its electronic equipment and devices.In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data.The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI.The breach incident involved a BA and occurred prior to 
the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "KPMG LLP" "Business Associate" "Quantity[3630, ""People""]" "DateObject[{2010, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "True" "The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. 
" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU School of Medicine--Aging and Dementia Clinical Research Center " "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2010, 8, 27}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Aon Consulting" "Business Associate" "Quantity[22642, ""People""]" "DateObject[{2010, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Other" "Network Server" "True" "The business associate prepared a document as part of a request for proposal for the covered entity's vision benefit program which mistakenly included protected health information of 22,642 individuals.The document was posted online for five days.The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information.In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information.In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate.The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting.Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance.Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "University of Rochester Medical Center and Affiliates" "Healthcare Provider" "Quantity[857, ""People""]" "DateObject[{2010, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Mayo Clinic" "Healthcare Provider" "Quantity[1740, ""People""]" "DateObject[{2010, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "An employee of the covered entity (CE) impermissibly accessed medical records containing the protected health information (PHI) of 1,740 patients for a period of 4 �� years. The PHI affected by the breach included the demographic information of 691 individuals, and both demographic and clinical information of 1,049 individuals.Following the breach, the CE conducted an investigation, terminated the involved employee, re-trained its employees regarding patient privacy and access to PHI, and enhanced its supervision and monitoring of employees' PHI access activities. It also provided breach notification to the affected individuals, HHS, and the media, as well as substitute notice on its website.OCR obtained assurances that the CE completed the voluntary compliance action described above." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Curtis R. Bryan, M.D." "Healthcare Provider" "Quantity[2739, ""People""]" "DateObject[{2010, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "The Kent Center " "Healthcare Provider" "Quantity[1361, ""People""]" "DateObject[{2010, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A briefcase containing paper documents including the protected health information (PHI) of approximately 1,361 individuals was stolen from an employee’s car. 
The types of PHI involved in the breach included clients’ names, dates of birth, and for a small number of clients, limited clinical information. The covered entity (CE), The Kent Center, provided breach notification to affected individuals, the media, and HHS. Following the breach, the CE sanctioned the employee involved, revised its confidentiality policy related to safeguarding client lists, and re-trained its employees. Additionally, as a result of OCR’s investigation the CE revised and updated its breach notification policies and reinforced the requirements of the Privacy and Breach Rules to its employees." "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "LabCorp Patient Service Center" "Healthcare Provider" "Quantity[507, ""People""]" "DateObject[{2010, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Pediatric and Adult Allergy, PC" "Healthcare Provider" "Quantity[19222, ""People""]" "DateObject[{2010, 9, 11}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Ault Chiropractic Center" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2010, 9, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "Two unencrypted desktop computers and one unencrypted laptop computer storing electronic protected health information (ePHI) of approximately 2,000 individuals were stolen from the covered entity’s (CE) premises during a break-in on September 15, 2010. The ePHI involved in the breach included patients’ names, thermal imaging scans, patients’ contact information, insurance information, and Social Security numbers. The CE investigated the incident and reported the theft to the local police department. It also provided breach notification to HHS, the media, and affected 
individuals. Following the breach, the CE moved to a new facility with a security system. As a result of OCR’s investigation, the CE developed and implemented a policy and procedure related to compliance with the Breach Notification Rule." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of Los Angeles" "Healthcare Provider" "Quantity[33000, ""People""]" "DateObject[{2010, 9, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Matthew H. Conrad, M.D., P.A." "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2010, 9, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "CareCore National" "Business Associate" "Quantity[1270, ""People""]" "DateObject[{2010, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Counseling and Psychotherapy of Throggs Neck" "Healthcare Provider" "Quantity[9000, ""People""]" "DateObject[{2010, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "OCR opened an investigation of the covered entity (CE), Counseling and Psychotherapy of Throggs Neck, after it reported that a password protected, unencrypted desktop computer was stolen which contained the protected health information (PHI) of 9,000 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnosis, patient notes and demographics. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE encrypted all of its patient databases and word processing programs on all computers. The CE improved physical safeguards by changing locks and fixing one of the entrance doors to the 
building to ensure that it automatically closes. The CE also placed security guards at all five entrances to the building and installed a video surveillance system. The CE also implemented internal safeguards and a policy to ensure that the last person in the office ensures rooms are vacant and the suite doors are locked upon leaving. As a result of OCR’s investigation the CE agreed to include effective dates and revision dates on its policies and to include documentation on the front page of its manual regarding annual reviews of the policies." "Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Alaskan AIDS Assistance Association" "Business Associate" "Quantity[2000, ""People""]" "DateObject[{2010, 9, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St. Vincent Hospital and Health Care Center, Inc." "Healthcare Provider" "Quantity[1199, ""People""]" "DateObject[{2010, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Oroville Hospital" "Business Associate" "Quantity[1474, ""People""]" "DateObject[{2010, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Eden Medical Center" "Business Associate" "Quantity[1474, ""People""]" "DateObject[{2010, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients' names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients' ePHI, and encrypted portable electronic computer devices." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NewYork-Presbyterian Hospital and Columbia University Medical Center" "Healthcare Provider" "Quantity[6800, ""People""]" "DateObject[{2010, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Data breach results in $4.8 million HIPAA settlements. Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. 
Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. 
Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.'NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "St. James Hospital and Health Centers" "Healthcare Provider" "Quantity[967, ""People""]" "DateObject[{2010, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "University of Oklahoma - Tulsa, Neurology Clinic" "Healthcare Provider" "Quantity[19200, ""People""]" "DateObject[{2010, 9, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "LORENZO BROWN, MD INC." "Healthcare Provider" "Quantity[928, ""People""]" "DateObject[{2010, 9, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Joseph A. 
Gagnon d/b/a Goldthwait Associates" "Business Associate" "Quantity[11000, ""People""]" "DateObject[{2010, 10, 1}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Debra C. Duffy, DDS" "Healthcare Provider" "Quantity[4700, ""People""]" "DateObject[{2010, 10, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Network Server" "False" "An unencrypted laptop and network server were stolen during a burglary of the office.The breach affected approximately 4700 individuals.The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff." "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Cumberland Gastroenterology, P.S.C." "Healthcare Provider" "Quantity[2200, ""People""]" "DateObject[{2010, 10, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity's (CE) medical records storage facility was burglarized, resulting in the theft of protected health information (PHI) of 2,207 individuals.The PHI included names, birth dates, social security numbers, addresses, phone numbers, primary care providers, diagnosis codes, presenting complaints, exam findings, insurance information, dates of visits, services performed, and referring providers.The CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE also conducted an inventory of stolen items and created an accounting of affected individuals. 
Following the breach, the CE increased physical security, limited the amount of stored PHI, and expedited the adoption of electronic medical records. As a result of OCR's investigation the CE executed BA agreements with the storage facility and with a document shredding company. Additionally, it re-trained workforce members on its revised HIPAA policies and procedures with respect to safeguards for PHI, and placed an accounting of disclosures of PHI in each of the affected individuals' medical records. OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "WESTMED Medical Group" "Healthcare Provider" "Quantity[578, ""People""]" "DateObject[{2010, 10, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR's investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan" "Health Plan" "Quantity[692, ""People""]" "DateObject[{2010, 10, 6}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Protected health information was attached to an email addressed to 85 employees by a benefits staff member. 
Within 5 days, all recipients were notified, and the email was deleted.Approximately 692 individuals were affected by this breach.The email included names, dates of birth, social security numbers, and marital and disability status.To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department.Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "LoneStar Audiology Group" "Healthcare Provider" "Quantity[585, ""People""]" "DateObject[{2010, 10, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop was stolen from a workforce member's home. Approximately 585 individuals were affected.The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR's investigation, the encryption of the laptops was completed." 
"Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Utah Department of Workforce Services" "Business Associate" "Quantity[1298, ""People""]" "DateObject[{2010, 10, 13}, ""Day"", ""Gregorian"", -5.]" "Other" "Desktop Computer, Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "SW Seattle Orthopaedic and Sports Medicine" "Healthcare Provider" "Quantity[9493, ""People""]" "DateObject[{2010, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server.Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays.Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach.Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting." "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "University of Arkansas for Medical Sciences" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 10, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Aspen Dental Care P.C." 
"Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2010, 10, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "A computer hard drive containing encrypted patient records was stolen from the covered entity's (CE) safe.The hard drive contained clinical and demographic information of approximately 2,500 patients.Following the breach, the CE provided additional training to its staff.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "BlueCross BlueShield of Tennessee, Inc." "Health Plan" "Quantity[1023209, ""People""]" "DateObject[{2010, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Northridge Hospital Medical Center" "Healthcare Provider" "Quantity[716, ""People""]" "DateObject[{2010, 11, 2}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Missing[""NoInput""]" "Puerto Rico Department of Health - Triple S Management Corp." 
"Health Plan" "Quantity[475000, ""People""]" "DateObject[{2010, 11, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "On November 5, 2010, the Puerto Rico Department of Health (DOH), a hybrid entity, reported on behalf of the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, that it discovered that two former staff members of the business associates (BAs) Triple-S Salud (TSS) and Triple-C, improperly accessed restricted areas of TSS’ proprietary internet IPA database managed by Triple-C, Inc.The staff members, who were employed by a competitor, were able to gain access to the database because their access rights were not terminated upon leaving the employment of TSS.As a result, the electronic protected health information in the database, including 400,000 of the CE’s members’ names, contract numbers, home addresses, diagnostic codes, and treatment codes, was accessed.DOH provided breach notification to HHS, and TSS provided breach notification to affected individuals, and the media.Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified period." "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Aetna, Inc." 
"Health Plan" "Quantity[2345, ""People""]" "DateObject[{2010, 11, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna's emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. " "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Sta-home Health & Hospice" "Healthcare Provider" "Quantity[1104, ""People""]" "DateObject[{2010, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "Medical Card System/MCS-HMO/MCS Advantage/MCS Life" "Business Associate" "Quantity[115000, ""People""]" "DateObject[{2010, 11, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "VNA of Southeastern Ct." 
"Healthcare Provider" "Quantity[12000, ""People""]" "DateObject[{2010, 11, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Prime Home Care, LLC" "Healthcare Provider" "Quantity[1550, ""People""]" "DateObject[{2010, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Manor Care Indy (South), LLC." "Healthcare Provider" "Quantity[845, ""People""]" "DateObject[{2010, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Visiting Nurse Service Association of Schenectady County" "Healthcare Provider" "Quantity[535, ""People""]" "DateObject[{2010, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE).The ePHI included names, addresses, and dates of birth.Upon discovery of the breach, the CE filed a police report to recover the stolen item.Following OCR's investigation, the CE disabled the involved staff member's account, verbally counseled the staff member, and retrained the staff member.The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff." 
"Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Henry Ford Hospital" "Healthcare Provider" "Quantity[3700, ""People""]" "DateObject[{2010, 11, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Robert Wheatley, DDS, PC" "Healthcare Provider" "Quantity[1400, ""People""]" "DateObject[{2010, 11, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Holy Cross Hospital" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2010, 11, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A covered entity's (CE) employee impermissibly obtained copies of patient data sheets containing protected health information (PHI) and sold the PHI to a third party.The PHI included names, addresses, dates of birth, social security numbers, insurance information, and diagnoses affecting 38 individuals; however, the initial investigation addressed a report of approximately 1,500 affected individuals.The CE provided breach notification to 44,000 individuals (including those who were potentially affected), HHS and the media.In addition, free credit monitoring was offered.Following the breach, the CE cooperated with federal authorities, law enforcement, and the state health administration agency, and provided a report to a national accreditation organization.As a result of this incident, the CE convened a high level work group to oversee privacy and security issues and hired an expert forensic investigator to perform a risk assessment.The CE updated its privacy and security policies and procedures, developed a plan to adopt electronic health records and initiated a continuous review process including random HIPAA compliance audits.The CE also expanded its HIPAA training program for employees.OCR obtained written assurances that the CE 
implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Professional Transcription Company, Inc." "Business Associate" "Quantity[1744, ""People""]" "DateObject[{2010, 11, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA.The ePHI included names, dates of birth, diagnosis, and other clinical information.Upon discovery of the breach, the BA shut down the applicable server.The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website.As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI.In addition, the BA retrained all employees regarding its security policies.The CE terminated its BA agreement with the BA.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Memorial Hospital of Gardena" "Healthcare Provider" "Quantity[771, ""People""]" "DateObject[{2010, 11, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Oklahoma City VA Medical Center" "Healthcare Provider" "Quantity[1950, ""People""]" "DateObject[{2010, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss, Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Kings County Hospital Center" "Healthcare Provider" "Quantity[542, ""People""]" "DateObject[{2010, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center.The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages.Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops.The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Albert Einstein Healthcare Network" "Healthcare Provider" "Quantity[613, ""People""]" "DateObject[{2010, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "University of Tennessee Medical Center" "Healthcare Provider" "Quantity[8200, ""People""]" "DateObject[{2010, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "H.E.L.P. Financial Corporation" "Business Associate" "Quantity[9475, ""People""]" "DateObject[{2010, 12, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals.The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "zarzamora family dental care" "Healthcare Provider" "Quantity[800, ""People""]" "DateObject[{2010, 12, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Gary C. 
Spinks, DMD, PC" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 12, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Network Server" "False" "Missing[""NotAvailable""]" "Missing[""NoInput""]" "Hospital Auxilio Mutuo" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 12, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "The covered entity (CE), Hospital Auxilio Mutuo de Puerto Rico, Inc., reported that on November 9, 2010, an employee resigned his position and removed two computer hard drives and a laptop computer that contained electronic protected health information (ePHI), potentially affecting over 30,000 individuals. The CE initially reported that the breached ePHI included names, addresses, zip codes, dates of birth, social security numbers, diagnostic conditions and other treatment information. During the investigation, the CE retrieved the hard drives and laptop and determined that the hard drives contained confidential financial information and business making decisions by the CE, and did not include the types of identifiers (e.g. patient names, Social Security numbers, home addresses, etc.) that could be used to re-identify an individual. Thus, the CE determined that the theft did not constitute a breach of ePHI. Further, the CE determined that the laptop was an information technology department laptop that only contained financial data and upper management e-mails. As a result of OCR’s investigation, OCR has required the CE to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Gair Medical Transcription Services, Inc." 
"Business Associate" "Quantity[1085, ""People""]" "DateObject[{2010, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Cook County Health & Hospitals System" "Healthcare Provider" "Quantity[556, ""People""]" "DateObject[{2010, 12, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Dean Health Systems, Inc.; St. Mary's Hospital; St. 
Marys Dean Ventures, Incorporated" "Healthcare Provider" "Quantity[3288, ""People""]" "DateObject[{2010, 12, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Riverside Mercy Hospital and Ohio/Mercy Diagnostics" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2010, 12, 21}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Therapy Solutions" "Healthcare Provider" "Quantity[1250, ""People""]" "DateObject[{2010, 12, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "The Southwestern Indiana Regional Council on Aging" "Business Associate" "Quantity[757, ""People""]" "DateObject[{2010, 12, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Hils Transcription" "Business Associate" "Quantity[585, ""People""]" "DateObject[{2010, 12, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Geisinger Wyoming Valley Medical Center" "Healthcare Provider" "Quantity[2928, ""People""]" "DateObject[{2010, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "The covered entity's (CE) staff physician emailed the protected health information (PHI) of approximately 2,900 individuals to his home email account while working on an analysis.The PHI included names, addresses, dates of birth, social security numbers, and medication information.Following the breach, the CE sanctioned the physician and implemented a plan to auto-encrypt all PHI sent through 
email.As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees. " "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Mankato Clinic" "Healthcare Provider" "Quantity[3159, ""People""]" "DateObject[{2010, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Zenith Administrators, Inc." "Business Associate" "Quantity[800, ""People""]" "DateObject[{2010, 12, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Our Lady of Peace Hospital" "Healthcare Provider" "Quantity[24600, ""People""]" "DateObject[{2010, 12, 29}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Keystone/AmeriHealth Mercy Health Plans" "Health Plan" "Quantity[808, ""People""]" "DateObject[{2010, 12, 30}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Southern Perioperative Services, P.C." 
"Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2010, 12, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE).The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals.Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules.As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Ankle + Foot Center of Tampa Bay, Inc." 
"Healthcare Provider" "Quantity[156000, ""People""]" "DateObject[{2011, 1, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked.The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data.Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning.To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server.Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS.As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule.In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "OhioHealth Corporation dba Grant Medical Center" "Healthcare Provider" "Quantity[501, ""People""]" "DateObject[{2011, 1, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewHampshire"", ""UnitedStates""}]" "Seacoast Radiology, PA" "Healthcare Provider" "Quantity[231400, ""People""]" "DateObject[{2011, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Friendship Center Dental Office" "Healthcare Provider" "Quantity[2200, ""People""]" "DateObject[{2011, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On December 19, 2010, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic information of approximately 2,200 individuals, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media.The CE increased physical security by installing a security system with motion detectors as well as motion sensor lighting outside the building.The CE also updated its HIPAA policies and procedures to reflect Security Rule requirements, including password protection requirements and the encryption of ePHI in transit.OCR obtained assurances that the corrective actions listed above were taken." 
"Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St.Vincent Hospital - Indianapolis" "Healthcare Provider" "Quantity[1848, ""People""]" "DateObject[{2011, 1, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Centra" "Healthcare Provider" "Quantity[11982, ""People""]" "DateObject[{2011, 1, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Franciscan Medical Group" "Healthcare Clearing House" "Quantity[1250, ""People""]" "DateObject[{2011, 1, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "State of South Carolina Budget and Control Board Employee Insurance Program (EIP)" "Health Plan" "Quantity[5596, ""People""]" "DateObject[{2011, 1, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A workstation in the covered entity's (CE) finance department was infected with malware that recorded keystrokes and captured screenshots.The CE reported 5,596 individuals as being potentially affected by the malware.The types of PHI involved in the breach included names, addresses, dates of birth, benefits identification numbers, social security numbers, and in some cases, banking information.The CE provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE disconnected the workstation from the network and provided the affected employee with new login credentials, a new hard drive, and additional training.The CE updated its Privacy and Security Rule policies and procedures and initiated mandatory annual supplemental training for all of its employees.The CE improved safeguards by implementing additional network security monitoring 
programs to actively protect workstation environments and limit the proliferation of malware infections on its network.OCR obtained assurances that the appropriate notifications were made and that the corrective actions listed above were completed. " "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Lake Woods Nursing & Rehabilitation Center" "Healthcare Provider" "Quantity[656, ""People""]" "DateObject[{2011, 1, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Travis Software Corp." "Business Associate" "Quantity[16200, ""People""]" "DateObject[{2011, 1, 18}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "J. A. Still Corporation" "Business Associate" "Quantity[4800, ""People""]" "DateObject[{2011, 1, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier.Although one of the diskettes was eventually found, the other diskette was never recovered.The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information.Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media.Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI.Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Grays Harbor Pediatrics, PLLC" "Healthcare Provider" "Quantity[12009, ""People""]" "DateObject[{2011, 1, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Hanger Prosthetics & Orthotics, Inc." "Healthcare Provider" "Quantity[4486, ""People""]" "DateObject[{2011, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop was stolen from an employee offsite.The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Heart and Vascular Center" "Healthcare Provider" "Quantity[8241, ""People""]" "DateObject[{2011, 1, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility.The ePHI involved in the breach included patient names, dates of birth, and limited health information.Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities.Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "CHC MEMPHIS CMHC, LLC" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2011, 1, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Integranetics" "Business Associate" "Quantity[18871, ""People""]" "DateObject[{2011, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Jefferson Center for Mental Health" "Healthcare Provider" "Quantity[546, ""People""]" "DateObject[{2011, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A list containing the protected health information (PHI) of 546 patients was stolen from the vehicle of the covered entity's (CE) employee.The breached PHI included names, dates of birth, social security numbers, and Medicaid information.Following the breach, the CE changed its practices and procedures to safeguard PHI and trained staff on its new policies.As a result of OCR's investigation, the CE improved its process for reporting breaches and mitigating harm." "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Ortho Montana, PSC" "Healthcare Provider" "Quantity[37000, ""People""]" "DateObject[{2011, 2, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop containing the electronic protected health information (ePHI) of approximately 37,000 patients was lost or stolen when the laptop was taken to an event by a workforce member.Following the breach, the covered entity (CE) sanctioned the workforce member who responsible for handling the laptop.As a result of OCR's investigation, the CE conducted a risk analysis and developed a risk management plan.The CE also removed ePHI from laptops and encrypted laptops, tablets, and cellular smart phones. 
Additionally, the CE developed new procedures and revised existing procedures in order to safeguard ePHI." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Cancer Care Northwest P.S." "Healthcare Provider" "Quantity[3100, ""People""]" "DateObject[{2011, 2, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses.The PHI involved in the breach included names and indicated that the individuals were patients of the CE.Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy.As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures.Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website." 
"Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Saint Louis University" "Healthcare Provider" "Quantity[800, ""People""]" "DateObject[{2011, 2, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "GRM Information Management Services" "Business Associate" "Quantity[1700000, ""People""]" "DateObject[{2011, 2, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Other" "True" "Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA).The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications.Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals.As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Long Beach Memorial Medical Center" "Healthcare Provider" "Quantity[2250, ""People""]" "DateObject[{2011, 2, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health Harris Methodist Hospital Azle" "Healthcare Provider" "Quantity[9922, ""People""]" "DateObject[{2011, 2, 13}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Business Express" "Business Associate" "Quantity[2700, ""People""]" "DateObject[{2011, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""WestVirginia"", ""UnitedStates""}]" "Xforia Web Services" "Business Associate" "Quantity[3655, ""People""]" "DateObject[{2011, 2, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Mountain Vista Medical Center" "Healthcare Provider" "Quantity[2291, ""People""]" "DateObject[{2011, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Missing[""NoInput""]" "Departamento de Salud de Puerto Rico" "Healthcare Provider" "Quantity[2621, ""People""]" "DateObject[{2011, 2, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Henry Ford Hospital" "Healthcare Provider" "Quantity[2777, ""People""]" "DateObject[{2011, 2, 23}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "TriWest Healthcare Alliance Corp." "Business Associate" "Quantity[4500, ""People""]" "DateObject[{2011, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Blue Cross and Blue Shield of Florida " "Health Plan" "Quantity[7366, ""People""]" "DateObject[{2011, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "University Health Services, University of Massachusetts, Amherst" "Healthcare Provider" "Quantity[942, ""People""]" "DateObject[{2011, 3, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Omnicare, Inc" "Healthcare Provider" "Quantity[8845, ""People""]" "DateObject[{2011, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "JEFFREY J. 
SMITH, MD" "Healthcare Provider" "Quantity[600, ""People""]" "DateObject[{2011, 3, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Other, Other Portable Electronic Device" "False" "The covered entity (CE) shipped a skin analysis machine containing the electronic protected health information (ePHI) of approximately 600 individuals to the manufacturer for repairs via UPS.The machine was damaged and discarded by UPS.The ePHI included names, dates of birth and facial photographs.The CE posted breach notification on its website.As a result of OCR's investigation, the CE revised its policy regarding the security of hardware containing PHI so that all work on hardware will be performed on-site.The policy also requires that all ePHI is to be backed up and erased from the hardware prior to any unavoidable off-site maintenance." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Coventry Health Care, Inc." "Business Associate" "Quantity[765, ""People""]" "DateObject[{2011, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health Arlington Memorial Hospital" "Healthcare Provider" "Quantity[654, ""People""]" "DateObject[{2011, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Electronic Medical Record" "False" "The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization.The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and providedadditional training to IT and registration employees." 
"Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Rape & Brooks Orthodontics, P.C." "Healthcare Provider" "Quantity[20744, ""People""]" "DateObject[{2011, 3, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server, Other, Other Portable Electronic Device" "False" "On February 4, 2011, covered entity’s (CE) facility was broken into and a computer server, three desktop computers, and an external hard drive were stolen, affecting the demographic, clinical and financial information of approximately 20,744 individuals.The CE, Rape & Brooks Orthodontics, P.C., provided breach notification to HHS, affected individuals, and the media.As a result of this incident, the CE increased physical security by upgrading its alarm system, changing and installing additional locks, and storing its server in a locked data closet.The CE also improved technical safeguards by implementing double-layered password protection on its computers and encrypting data on external hard drives.OCR obtained and reviewed the CE’s relevant HIPAA policies and procedures. 
" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU School of Medicine Faculty Group Practice" "Healthcare Provider" "Quantity[670, ""People""]" "DateObject[{2011, 3, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center.The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information.Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals.As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops.In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door.The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "EISENHOWER MEDICAL CENTER" "Healthcare Provider" "Quantity[514330, ""People""]" "DateObject[{2011, 3, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""WestVirginia"", ""UnitedStates""}]" "Clarksburg - Louis A. 
Johnson VA Medical Center" "Healthcare Provider" "Quantity[1470, ""People""]" "DateObject[{2011, 3, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of Los Angeles" "Healthcare Provider" "Quantity[667, ""People""]" "DateObject[{2011, 3, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Trisha Elaine Cordova" "Business Associate" "Quantity[1700, ""People""]" "DateObject[{2011, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle.The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers.At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor.Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE.OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Park Avenue Obstetrics & Gynecology, PC" "Healthcare Provider" "Quantity[635, ""People""]" "DateObject[{2011, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Brian J Daniels D.D.S.,Paul R Daniels D.D.S." 
"Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2011, 4, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Hartford Hospital" "Business Associate" "Quantity[93500, ""People""]" "DateObject[{2011, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "A workforce member of the covered entity's (CE) business associate (BA) saved the electronic protected health information (ePHI) of approximately 93,500 patients on an unsecured computer drive in order to do work from home, and subsequently lost the hard drive.The PHI included names, addresses, dates of birth, marital status, social security numbers and medical record numbers.Following the breach, the workforce member involved was sanctioned for violating the CE's policies.The CE provided breach notification to the media, HHS, and all affected individuals.It also offered all affected individuals 2 years of free identity protection services.In addition, the CE disabled the ability for all of its computing devices to download ePHI via USB connection ports.Further, it began implementing malicious software prevention utilities as well as data encryption controls to supplement its portable computing devices.OCR obtained assurances that the CE implemented the corrective action listed above.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Patient Care Services at Saint Francis, Inc." 
"Healthcare Provider" "Quantity[84000, ""People""]" "DateObject[{2011, 4, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Union Security Insurance Company" "Health Plan" "Quantity[935, ""People""]" "DateObject[{2011, 4, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "On February 18, 2011, a Union Security Insurance Co. policy holder notified the covered entity (CE) that while accessing their online account, they were also able to access the accounts of other policy holders.Approximately 1,500 individuals were affected by this breach.These accounts included names, dates of birth, social security numbers, and other identifiers.In addition, on May 17, 2013, an employee of the CE impermissibly emailed a spreadsheet which included identifiable data belonging to a customer group of the CE.Approximately 1,127 group members were affected by this breach.The email included names and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media.To prevent similar breaches from happening in the future, the CE disabled its website, reversed the problematic coding, and increased the number of vulnerability scans of the CE’s website.The CE also retrained employees, to include distribution of its revised policy and procedure for safeguarding social security numbers. Following OCR’s investigation, the CE prohibited social security numbers on any document being sent to any customer. The CE provided OCR documentation that substantiates all its actions taken in response to the two breach incidents." "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Oklaholma State Dept. 
of Health" "Healthcare Provider" "Quantity[132940, ""People""]" "DateObject[{2011, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Aiken Community Based Outpatient Clinic" "Healthcare Provider" "Quantity[2717, ""People""]" "DateObject[{2011, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Fairview Health Services" "Healthcare Provider" "Quantity[1215, ""People""]" "DateObject[{2011, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "IBM" "Business Associate" "Quantity[1900000, ""People""]" "DateObject[{2011, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "SW General Inc" "Healthcare Provider" "Quantity[566, ""People""]" "DateObject[{2011, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Healthcare Solutions Team, LLC" "Business Associate" "Quantity[675, ""People""]" "DateObject[{2011, 4, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Community Action partnership of Natrona County" "Healthcare Provider" "Quantity[15000, ""People""]" "DateObject[{2011, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. 
The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR's compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Keith & Fisher, DDS, PA" "Healthcare Provider" "Quantity[6000, ""People""]" "DateObject[{2011, 4, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "The covered entity (CE), Keith & Fisher DDS PA, discovered on March 7, 2011, that its server had been hacked, potentially exposing the clinical and demographic data for 6,000 individuals.The CE provided breach notification to HHS, to affected individuals, and published notice on its website and to the media.In response to the breach, the CE increased its information systems security, improved its password policy, implemented logging procedures to track access failures and changed access to its servers so it is only accessible through an existing firewall and a virtual private network tunnel.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Genesis Clinical Laboratory" "Healthcare Provider" "Quantity[1070, ""People""]" "DateObject[{2011, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "MacNeal Hospital" "Healthcare Provider" "Quantity[845, ""People""]" "DateObject[{2011, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "West Lake Hospital " "Healthcare Provider" "Quantity[686, ""People""]" "DateObject[{2011, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Phoenix Health Plan" "Health Plan" "Quantity[9393, ""People""]" "DateObject[{2011, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "MacNeal Physician Group" "Healthcare Provider" "Quantity[532, ""People""]" "DateObject[{2011, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Knox Community Hospital" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2011, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewHampshire"", ""UnitedStates""}]" "Speare Memorial Hospital" "Healthcare Provider" "Quantity[5960, ""People""]" "DateObject[{2011, 5, 2}, ""Day"", 
""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Methodist Charlton Medical Center" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2011, 5, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop was stolen from a locked office in the hospital.The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Reid Hospital & Health Care Services" "Healthcare Provider" "Quantity[22001, ""People""]" "DateObject[{2011, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted, password protected laptop computer was stolen from an employee’s home on April 2, 2011.The covered entity (CE), Reid Hospital & Health Care Services, reported that this breach affected 22,001 individuals and that the laptop contained names, social security numbers, Medicare numbers, and some reports entitled “psychiatric services.”The CE investigated the breach and provided breach notification to HHS, affected individuals, and the media.As a result of OCR’s investigation, the CE completed encryption of its laptop and desktop computers, implemented safeguards for its email system and smartphones, and updated its mobile media policy.It also completed a new risk analysis and implemented action steps in its risk management plan.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Drs Edalji and Komer" "Healthcare Provider" "Quantity[563, ""People""]" "DateObject[{2011, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unsecured laptop containing the electronic protected health information (ePHI) of approximately 563 individuals was stolen from the car of a business associate's (BA) subcontractor. The PHI included names, addresses, dates of birth, and social security numbers. Following the breach, the covered entity (CE) notified affected individuals, HHS, and the media, and offered all affected individuals one year of free credit monitoring services. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""Country"", ""PuertoRico""]" "PMC Medicare Choice" "Health Plan" "Quantity[24361, ""People""]" "DateObject[{2011, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Union Security Insurance Company" "Health Plan" "Quantity[850, ""People""]" "DateObject[{2011, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Indiana Regional Medical Center" "Healthcare Provider" "Quantity[1388, ""People""]" "DateObject[{2011, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Missing[""NoInput""]" "MMM Healthcare, Inc." 
"Healthcare Provider" "Quantity[32390, ""People""]" "DateObject[{2011, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "CENTER FOR ARTHRITIS & RHEUMATIC DISEASES" "Healthcare Provider" "Quantity[8000, ""People""]" "DateObject[{2011, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "CVS CAREMARK" "Healthcare Provider" "Quantity[654, ""People""]" "DateObject[{2011, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "An employee of the covered entity (CE), CVS Caremark, with access to patients’ protected health information (PHI) impermissibly accessed and printed patient drug transfer reports as part of a scheme to fill fraudulent prescriptions. The prescription drug reports were then disclosed to a third party, the employee’s boyfriend, who was a former employee of another CVS store. Law enforcement notified the CE about the breach on March 16, 2011 following a raid of the perpetrators’ home, in which law enforcement confiscated paper documents belonging to the CE. The PHI involved in the breach included the names, addresses, birthdates, prescription numbers, telephone numbers, and prescription names of approximately 654 individuals. The CE provided breach notification to HHS and affected individuals and also offered free credit monitoring. In response to this incident, the CE immediately terminated the employee and retrained pharmacy staff on its HIPAA policies. The CE also provided evidence that both individuals have since had their pharmacy licenses suspended by the state licensing board. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Robert B. Miller, MD" "Healthcare Provider" "Quantity[620, ""People""]" "DateObject[{2011, 5, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "St. Mary's Hospital for Children" "Business Associate" "Quantity[550, ""People""]" "DateObject[{2011, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Imaging Center of Garland" "Healthcare Provider" "Quantity[1031, ""People""]" "DateObject[{2011, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Cahaba Government Benefit Administrators, LLC" "Business Associate" "Quantity[13412, ""People""]" "DateObject[{2011, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Agent Benefits Corporation" "Business Associate" "Quantity[11387, ""People""]" "DateObject[{2011, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "VA Caribbean Healthcare System" "Healthcare Provider" "Quantity[6006, ""People""]" "DateObject[{2011, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures." 
"Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Spartanburg Regional Healthcare System" "Healthcare Provider" "Quantity[400000, ""People""]" "DateObject[{2011, 5, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Three unencrypted desktop computers and one unencrypted laptop computer in need of repair were stolen from an IT employee’s vehicle when he stopped at his home when transporting the equipment from an offsite location to the main hospital. The home stop was against the CE’s internal policies and procedures and exposed the protected health information (PHI) of 402,647 patients, including names, addresses, dates of birth and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media and also offered affected individuals one year of free credit monitoring. In response to the breach, the CE revised its new employee and upper management orientation materials to reflect updated HIPAA revisions. The CE encrypted all of the hard drives on its computers. It also updated policies and procedures regarding electronic data and use of company vehicles. Additionally, the CE began distributing an information security newsletter to employees. The CE sanctioned the involved employee for violating the CE’s handling of computer equipment policy. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Saint Joseph - Berea" "Healthcare Provider" "Quantity[1986, ""People""]" "DateObject[{2011, 6, 2}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Other, Other Portable Electronic Device" "False" "The covered entity (CE), St. Joseph-Berea discovered that an external back-up hard drive attached to a workstation was missing. 
The external hard drive included the protected health information of 1,986 individuals, including patients’ names, dates of birth and information related to bone density scans. The CE provided breach notification to HHS, affected individuals, and the media and performed substitute notice by posting on its website. Following the breach, the CE updated its procedures to limit the use of external hard drives, encrypted all laptops, desktops, servers, and portable media devices, and improved safeguards by monitoring physical workstation access and maintaining observation cameras. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Navos" "Health Plan" "Quantity[2700, ""People""]" "DateObject[{2011, 6, 8}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Lower Umpqua Hospital" "Business Associate" "Quantity[17000, ""People""]" "DateObject[{2011, 6, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Metropolitan Community Health Services, Inc." 
"Healthcare Provider" "Quantity[1263, ""People""]" "DateObject[{2011, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "FOOTHILLS NEPHROLOGY, PC" "Healthcare Provider" "Quantity[1280, ""People""]" "DateObject[{2011, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "A company-issued laptop computer containing the protected health information (PHI) of approximately 1,280 individuals was stolen from the vehicle of a covered entity's (CE) employee. The PHI included demographic and clinical information. The CE provided breach notification to the affected individuals, HHS, and the media and created a toll-free number for information regarding the incident. As a result of this incident, the CE contacted law enforcement, retrained staff on the use of portable media, and initiated a risk analysis. Following the OCR investigation, the CE reviewed and updated its policies and procedures to ensure adequate safeguards, instituted a new electronic medical records system which encrypts medical information, updated password requirements for computers, and retrained employees." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "TUBA CITY REGIONAL HEALTH CARE CORPORATION" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2011, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Fidelity National Technology Imaging (FNTI)" "Business Associate" "Quantity[1192, ""People""]" "DateObject[{2011, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "HealthCare Partners" "Healthcare Provider" "Quantity[15677, ""People""]" "DateObject[{2011, 6, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""WestVirginia"", ""UnitedStates""}]" "New River Health Association" "Healthcare Provider" "Quantity[950, ""People""]" "DateObject[{2011, 6, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Gene S. J. Liaw, MD. PS" "Healthcare Provider" "Quantity[1105, ""People""]" "DateObject[{2011, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "An unencrypted portable computer drive (a USB) containing the electronic protected health information (ePHI) of 1,105 patients was misplaced and could not be found in the entity's office. The ePHI included names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and social security numbers. The entity provided breach notification to affected individuals and HHS. 
Following the breach, the entity replaced the missing drive with encryption-capable USB drives, provided secure, locked storage facilities for its mobile devices, and implemented policies preventing removal of such devices from the office. OCR's investigation found that the entity in fact is not a covered entity under the Privacy and Security Rules." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Blue Cross and Blue Shield of Florida " "Health Plan" "Quantity[3463, ""People""]" "DateObject[{2011, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Advanced Diagnostic Imaging, P.C." "Healthcare Provider" "Quantity[705, ""People""]" "DateObject[{2011, 6, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "NOL, LLC d/b/a Premier Radiology" "Healthcare Provider" "Quantity[810, ""People""]" "DateObject[{2011, 6, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "University of Missouri Health Care" "Healthcare Provider" "Quantity[1288, ""People""]" "DateObject[{2011, 6, 23}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Area Agency on Aging, Ohio District 5" "Business Associate" "Quantity[78042, ""People""]" "DateObject[{2011, 6, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Gail Gillespie and Associates, LLC" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2011, 6, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record, Email, 
Laptop, Network Server, Other, Other Portable Electronic Device" "False" "An unencrypted laptop computer and an unencrypted desktop computer, jointly containing the electronic protected health information (ePHI) of 2,334 individuals, were stolen during a burglary. The computers contained patient names, parent names of minor patients, dates of service, addresses, phone numbers, dates of birth, social security numbers, diagnoses, prognoses, reports/evaluations/interventions, observations, recommendations, goals, medications, and confidential information relayed by parents and/or children and verbal information received from schools/doctors/agencies involved with the patient. The CE provided breach notification to HHS and affected individuals. It improved physical safeguards by purchasing a monitored alarm system. As a result of OCR’s investigation, the CE conducted a risk analysis, deployed encryption on workstations, retrained employees, and notified the media of the breach." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Health Plan of San Mateo" "Health Plan" "Quantity[694, ""People""]" "DateObject[{2011, 6, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Department of Personnel and Administration" "Business Associate" "Quantity[3589, ""People""]" "DateObject[{2011, 6, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE) business associate (BA) mailed a compact disk (CD) containing electronic protected health information (ePHI) through the inter-office mail system for delivery in another city. The CD, containing ePHI of 3,589 individuals, was lost en route. The PHI included state Medicaid and children's health plan data. Immediately following the breach, the CE completed a risk analysis to identify additional concerns and developed a risk management plan. The CE provided 
breach notification to the affected individuals, HHS, and the media and provided substitute notification on its website. To prevent a similar breach from happening in the future, the CE required all future ePHI to be encrypted prior to shipment. OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Yanez Dental Corporation" "Healthcare Provider" "Quantity[10190, ""People""]" "DateObject[{2011, 7, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Jackson Health System" "Healthcare Provider" "Quantity[1562, ""People""]" "DateObject[{2011, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Other" "False" "The CE’s employee removed protected health information of 1,562 patients from the CE’s premises over a period of 18 months in order to commit identity theft. The types of PHI involved in the breach included names, addresses, dates of birth, and social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of credit monitoring to those affected. Following the breach, the CE terminated the employee and initiated an auditing program to automatically detect excessive accesses to PHI on its electronic health record system. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. 
" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Troy Regional Medical Center" "Healthcare Provider" "Quantity[880, ""People""]" "DateObject[{2011, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On March 22, 2011, during a house raid, the Secret Service discovered the protected health information (PHI) of approximately 880 patients of the covered entity (CE), Troy Regional Medical Center, in the form of admission “face sheets.” The PHI involved in the breach included demographic information, such as patients’ names, dates of birth, social security numbers, and medical record numbers. The CE could not accurately identify the person responsible for breaching its electronic medical record (EMR) system due to a software error which erroneously recorded multiple occasions of systems access when workforce members were accessing the system for legitimate business purposes. Due to this software error, the CE could not effectively assist in the criminal investigation being conducted by local law enforcement and the Secret Service. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. It also provided a toll-free information number and offered credit monitoring for one year. In response to the incident, the CE worked with its IT vendor to increase data security monitoring and implement automatic log-out for its EMR system. The CE also updated and added to its policies and procedures, improved system review documentation, implemented verification of user access rights, and developed sample audit logs. The CE also retrained employees on its HIPAA security policies. OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "The Mount Sinai Hospital" "Healthcare Provider" "Quantity[712, ""People""]" "DateObject[{2011, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls." 
"Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Lansing Community College" "" "Quantity[5000, ""People""]" "DateObject[{2011, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "An unknown assailant associated with a foreign IP address attempted to bypass the security mechanisms of a computer server of a former third party administrator and business associate (BA), AssureCare Risk Management, of the covered entity (CE), Lansing Community College Dental Care Plan. Approximately 5,000 individuals were affected by the breach. The server contained protected health information (PHI) regarding some of the CE’s participants such as names, addresses, social security numbers and clinical information, including information regarding healthcare providers and types of service. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA shut down the unsecured server and hired Kroll Background America, a forensic computer security service, to investigate the nature and extent of the unauthorized access. Kroll’s findings indicated that it was unlikely that any of the CE’s member data was taken. The BA also reviewed and reevaluated its security policies and related BA agreements. OCR obtained written documentation that the BA implemented the corrective actions listed above. " "Entity[""Country"", ""PuertoRico""]" "Dr Axel Velez" "Healthcare Provider" "Quantity[2800, ""People""]" "DateObject[{2011, 7, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Four computers containing the electronic protected health information (ePHI) of 2,143 patients were stolen from the covered entity (CE), Dr. 
Axel Velez. The PHI involved in the breach included patients’ names, addresses, contact numbers, partial social security numbers, dates of birth, diagnostic information, dates of visits, patient numbers, referring physicians, physicians’ telephone numbers, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE improved physical security by repairing the backdoor entrance to the office, installing an alarm system and video surveillance equipment, attaching cable locks to the workstation computers, servers and portable media devices, and moving inventoried equipment off-site. OCR provided technical assistance to the CE regarding risk analysis, risk management planning, and policies and procedures required under the Security Rule." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale" "Healthcare Provider" "Quantity[7500, ""People""]" "DateObject[{2011, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An employee working for the covered entity (CE) took protected health information (PHI) off premises for purposes of identity theft. Over a period of three months, the employee impermissibly accessed the PHI of 7,500 patients. The types of PHI involved in the breach included names, dates of birth, medical record and account numbers, admission or visit dates, primary diagnoses, treating physicians and in some cases social security numbers. The CE notified affected individuals, HHS, and the media about the breach. It offered a year of enhanced credit services to those affected. Upon full investigation of the breach, the CE terminated the employee. As a result of this incident, the CE initiated a corrective action plan that included revising or creating policies and procedures to prevent such incidents in the future as well as retraining of staff on its HIPAA policies and procedures. OCR’s investigation 
confirmed that the appropriate notifications were made and that corrective action steps were taken. " "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Memorial Health Systems" "" "Quantity["""", ""People""]" "DateObject[{2011, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Beth Israel Deaconess Medical Center" "Healthcare Provider" "Quantity[2021, ""People""]" "DateObject[{2011, 7, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Assurecare Risk Management, Inc." "Business Associate" "Quantity[25330, ""People""]" "DateObject[{2011, 7, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "The covered entity (CE), Gypsum Management & Supply, Inc. Medical and Dental Plan, is a management company for a network of drywall supply yards that offers group health plans for its employees. On May 9, 2011, the computer server of the CE’s former business associate (BA), Assurecare Risk Management, Inc., was hacked, exposing the demographic, clinical, and health insurance information for 25,330 of the CE’s employees, many of whom no longer worked with the CE at the time of the breach. The CE provided breach notification to HHS, to affected individuals, and to the media. 
Because the breach incident involved a BA and occurred prior to the September 23, 2013, compliance date, OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI. The CE’s internal investigation revealed little activity on the server as a result of the hack. In addition, no reports of misuse of information have been reported. OCR obtained assurances that the CE took the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Windsor Health Plan" "" "Quantity[1378, ""People""]" "DateObject[{2011, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "A third-line sub-contractor of Windsor Health Plan’s business associate (BA), CVS Caremark, changed the printing format on letters mailed to the covered entity’s (CE) members, potentially causing protected health information (PHI) to be visible through the envelope window. The letters included the names, addresses, and some clinical information of 1,378 individuals. RxAmerica, an operating subsidiary of CVS Caremark, subcontracted its mailing services to Accendo, who in turn subcontracted printing services to Progressive Direct Mail (PDM). The CE provided breach notification to HHS and affected individuals; media notification did not occur because the impacted members did not exceed 500 in any single state or geographic area. However, CVS issued a media release regarding the incident. In response to the incident, Accendo conducted a full review of the incident, notified PDM of the formatting error, and ensured it was corrected. Accendo also conducted an onsite visit at the PDM facility and implemented new quality assurance protocols and internal validation steps. OCR obtained written assurances the CE provided the breach notification as indicated above." 
"Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Andersen Air Force Base, Guam" "Healthcare Provider" "Quantity[700, ""People""]" "DateObject[{2011, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "RxAmerica, a subsidiary of CVS Caremark" "Business Associate" "Quantity[4573, ""People""]" "DateObject[{2011, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Austin Center for Therapy and Assessment, LLC" "Healthcare Provider" "Quantity[1870, ""People""]" "DateObject[{2011, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Care Service Corporation" "Health Plan" "Quantity[501, ""People""]" "DateObject[{2011, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "University of Kentucky - UK HealthCare" "Healthcare Provider" "Quantity[3604, ""People""]" "DateObject[{2011, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted company laptop computer was stolen from the car of an employee of the covered entity (CE). The laptop contained the protected health information (PHI) of 3,604 individuals and included names, dates of birth, social security numbers, medical record numbers, and diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE also provided employee training regarding mobile device encryption and refresher training on HIPAA. OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Treatment Services Northwest" "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2011, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mills-Peninsula Health Services" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2011, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Brigham and Women's Hospital and Faulkner Hospital " "Healthcare Provider" "Quantity[638, ""People""]" "DateObject[{2011, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Ashley Industrial Molding, Inc. 
Employee Welfare Benefit Plan" "" "Quantity[506, ""People""]" "DateObject[{2011, 8, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "A computer server belonging to a former business associate (BA) and third party administrator, AssureCare Risk Management, Inc., was hacked.The server contained social security numbers, birth dates, names, addresses, gender, and physician and hospital/facility names linked with benefit payment information which could include type of service (i.e. office visit, inpatient stay, lab and x-ray, physical therapy, etc.).The breach affected 506 individuals.The relationship between the BA and the covered entity, Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan, ended in 2006, but the BA continued to retain possession of protected health information (PHI) relating to the Plan’s participants because it was required to do so by law.The CE provided breach notification to HHS, affected individuals, and the media.OCR reviewed the BA agreement between the BA and CE which contained provisions regarding the use, disclosure, and safeguarding of PHI that ended in 2006, but also contained language requiring the BA to extend the protections of the agreement to the CE’s PHI after the agreement terminated. The CE obtained assurances that the BA shut down the server in question following the breach and does not maintain unsecured PHI on any other server.OCR obtained written assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Med Assets" "Business Associate" "Quantity[8795, ""People""]" "DateObject[{2011, 8, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets.The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs.Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website.As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI.In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers.The BA also hired an IT security analyst to supplement its security program.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Washington State Department of Social and Health Services" "Health Plan" "Quantity[3950, ""People""]" "DateObject[{2011, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "The Neurological Institute of Savannah & Center for Spine" "Healthcare Provider" "Quantity[63425, ""People""]" "DateObject[{2011, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "Accuprint " "Business Associate" "Quantity[5848, ""People""]" "DateObject[{2011, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals.The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service.Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media.As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice.In addition, the CE developed policies and procedures requiring quality control checks on the BA.In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health Partners" "Business Associate" "Quantity[10345, ""People""]" "DateObject[{2011, 8, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Capron Rescue Squad District" "Healthcare Provider" "Quantity[815, ""People""]" "DateObject[{2011, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop" "False" "A trustee of the covered entity (CE), Capron Rescue Squad District, removed a laptop computer containing the unencrypted electronic protected health information (ePHI) of 815 individuals from its facility under the mistaken belief that the laptop was no longer used by the CE in its provision of health care services and gave the laptop to his adult grandson.The ePHI on the laptop included individuals’ full names, social security numbers, dates of birth, home addresses, and medical histories.The CE recovered the laptop which was the subject of the breach and obtained written assurances from the individuals involved in the breach that they did not use, disclose, or retain any ePHI stored on the laptop.The CE provided breach notification to HHS, the media, and affected individuals. The CE improved safeguards by encrypting ePHI stored on its computers, including laptops.OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "MedAssets" "Business Associate" "Quantity[32008, ""People""]" "DateObject[{2011, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Lexington VAMC" "Healthcare Provider" "Quantity[1432, ""People""]" "DateObject[{2011, 8, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device, Paper/Films" "False" "The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses.Additional PHI was found in the workforce member's residence.The CE provided breach notification to a total of 1,890 affected individuals and HHS.Following the breach, the responsible workforce member is no longer employed by the CE.OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review." 
"Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "SpaMed Solutions, LLC, Edward McMenamin President," "Business Associate" "Quantity[3000, ""People""]" "DateObject[{2011, 8, 28}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device, Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2011, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Multi-Speciality Collection Services, LLC" "Business Associate" "Quantity[19651, ""People""]" "DateObject[{2011, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "NEA Baptist Clinic" "Healthcare Provider" "Quantity[3116, ""People""]" "DateObject[{2011, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "An unknown individual hacked into a database that contained electronic protected health information (ePHI) of individuals who had registered online with the covered entity (CE) in the last eight years.The PHI involved in the breach, which affected approximately 3,116 patients, included names, addresses and dates of birth.The CE provided breach notification to HHS and affected individuals.Following this breach, the CE shut down its “old” website and replaced it with a “new” website with improved safeguards such as blocking of specific IP addresses, strong authentication for areas that are not available to the general public, and secure web browsers.As a result of OCR’s investigation, 
the CE created new procedures to protect ePHI, including procedures for inventory and asset management, as well as tracking encrypted devices." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Muir Orthopaedic Specialists, A Medical Group Inc." "Healthcare Provider" "Quantity[1800, ""People""]" "DateObject[{2011, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Jonathan Noel MD" "Healthcare Provider" "Quantity[2059, ""People""]" "DateObject[{2011, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health and Human Services Commission" "Health Plan" "Quantity[1696, ""People""]" "DateObject[{2011, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop was stolen from an employee's vehicle.The laptop contained the ePHI of 1,696 patients.The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees. " "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Living Healthy Community Clinic" "Business Associate" "Quantity[3000, ""People""]" "DateObject[{2011, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "Centro de Ortodoncia Inc." "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2011, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Dr. 
Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office.The PHI included names, account numbers, responsible party in charge of account, and method of payment.OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner.The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership.OCR concluded that the actions alleged in the breach report did not amount to a breach." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "John T. Melvin, M.D.& Associates" "Healthcare Provider" "Quantity[2541, ""People""]" "DateObject[{2011, 9, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Medical records were stolen from an off-site storage facility of the covered entity (CE), John T. Melvin & Associates.The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, claim information, diagnoses/conditions, medications, lab results, and other treatment information for approximately 2,541 individuals.The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR’s investigation the CE changed its policies, so that all records are now kept on-site and all records are immediately shredded once the required retention time has elapsed, according to applicable state law." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Diversified Resources, Inc." "Healthcare Provider" "Quantity[863, ""People""]" "DateObject[{2011, 9, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On August 11, 2011, a password protected, but unencrypted laptop computer was stolen from a nurse’s car.The laptop contained the electronic protected health information (ePHI) of 863 individuals. 
The ePHI on the laptop included names, addresses, phone numbers, primary care physicians, caregiver contacts, and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, CE reviewed its policies and procedures, applied employee sanctions, retrained its workforce, and implemented file-level encryption.Pursuant to technical assistance provided by OCR, CE implemented additional administrative safeguards, including a new policy prohibiting employees from leaving laptops unattended in a vehicle." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Freda J BowmanMD PA" "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2011, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "VA Gulf Coast Veterans Health Care System" "Healthcare Provider" "Quantity[1797, ""People""]" "DateObject[{2011, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), U.S. 
Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized.Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised.The PHI included full names, social security numbers, dates of birth, and medical diagnoses.The CE provided breach notification to HHS, the media and affected individuals.Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours.The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Bonney Lake Medical Center and Mythili R. Ramachandran, MD" "Healthcare Provider" "Quantity[2367, ""People""]" "DateObject[{2011, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Benefits Administration Services, Inc." "Business Associate" "Quantity[4000, ""People""]" "DateObject[{2011, 9, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "AllOne Health Management Solutions, Inc." 
"Business Associate" "Quantity[507, ""People""]" "DateObject[{2011, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Laptop, Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "VA Illiana Health Care System" "Healthcare Provider" "Quantity[518, ""People""]" "DateObject[{2011, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Health Texas Provider Network" "Healthcare Provider" "Quantity[1259, ""People""]" "DateObject[{2011, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop possibly containing the electronic protected health information (ePHI) of 1,259 patients was stolen from an employee’s personal vehicle.The ePHI that was potentially involved in the breach included patients’ names, contact information, social security numbers, dates of birth, diagnoses, account numbers, physician names, types of procedures and services, dates of service, and health insurance information.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach the CE terminated the employee.As a result of OCR’s investigation, the CE updated its encryption policies and procedures to require and verify the encryption of computers before use, and conducted mandatory annual computer safety training." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU Hospital for Joint Diseases Inventory Management Department" "Healthcare Provider" "Quantity[2600, ""People""]" "DateObject[{2011, 9, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not property secured.The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries.Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state.The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website.As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys.In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI.The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "North Memorial Health Care" "Healthcare Provider" "Quantity[9497, ""People""]" "DateObject[{2011, 9, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. 
Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial. The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Fairview Health Services" "Healthcare Provider" "Quantity[14623, ""People""]" "DateObject[{2011, 9, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer storing the electronic protected health information (ePHI) of approximately 14,623 individuals was stolen from the locked vehicle of a workforce member of Accretive Health, a business associate (BA) of the covered entity (CE), Fairview Health Services.The ePHI included individuals’ names, addresses, dates of birth, social security numbers, financial information, and clinical information.The CE provided breach notification to HHS, affected individuals, and the media. 
It also provided complimentary credit monitoring services to affected individuals.Following the breach, the CE investigated the root cause of the breach, developed a new policy which addresses the risks associated with sharing sensitive data with third parties, and obtained assurances from the BA that it would undertake appropriate corrective actions. OCR obtained a copy of the BA agreement between the CE and the BA at the time of the breach.OCR also obtained evidence and assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Summit Medical Group, PLLC" "Healthcare Provider" "Quantity[731, ""People""]" "DateObject[{2011, 9, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "On September 4, 2011, a Summit Medical Group (SMG) employee’s car was burglarized, resulting in the theft of paper reports containing the protected health information (PHI) of approximately 731 of the covered entity’s (CE) patients.The PHI involved in the breach included account numbers, patients’ names, physicians’ names, names of hospitals, dates of discharge, dates of birth, names of insurance providers, and discharge diagnoses.The CE provided breach notification to HHS, the media, and affected individuals.It also offered credit monitoring services and created a customer service center to handle questions.Following the breach, the CE initiated an internal investigation, filed a police report, notified the affected physician sites of the breach, conducted a risk assessment, and adopted additional identification verification measures for affected individuals.As a result of OCR’s investigation, the CE updated its HIPAA policies and procedures and improved safeguards by encrypting laptop computers." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "FIRST PRIORITY LIFE INSURANCE COMPANY" "Business Associate" "Quantity[579, ""People""]" "DateObject[{2011, 9, 28}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Missing[""NoInput""]" "MAPFRE Life" "" "Quantity[2209, ""People""]" "DateObject[{2011, 9, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Henry Ford Health System" "Healthcare Provider" "Quantity[520, ""People""]" "DateObject[{2011, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Futurity First Insurance Group" "Business Associate" "Quantity[1631, ""People""]" "DateObject[{2011, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana University" "Healthcare Provider" "Quantity[3266, ""People""]" "DateObject[{2011, 10, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted and password protected laptop computer was stolen from the car of an employee (medical resident) of the covered entity (CE).The laptop contained the electronic protected health information (ePHI) of approximately 3,266 individuals.The types of ePHI in the breach included names, medical record numbers, birth dates, diagnosis codes, and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE audited the employee’s department and equipment, retrained the involved employee and other staff, updated its HIPAA policies and procedures, and encrypted its laptop computers. 
OCR obtained written assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Thomas J O'Laughlin, MD" "Business Associate" "Quantity[700, ""People""]" "DateObject[{2011, 10, 7}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Adult & Pediatric Dermatology, PC" "Healthcare Provider" "Quantity[2200, ""People""]" "DateObject[{2011, 10, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members.
The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. 'As we say in health care, an ounce of prevention is worth a pound of cure,' said OCR Director Leon Rodriguez. 'That is what a good risk management process is all about - identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.' In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "The Nemours Foundation" "Healthcare Provider" "Quantity[1055489, ""People""]" "DateObject[{2011, 10, 7}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "A locked cabinet was removed from an IT service desk area at the Wilmington, Delaware facility of the covered entity (CE), The Nemours Foundation during an August 2011 remodeling project. The cabinet housed three unencrypted backup tapes containing the electronic protected health information (ePHI) of 1,055,489 individuals. The ePHI involved in the breach included patients’ names, addresses, social security numbers, diagnoses and procedure codes.
The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring to affected individuals. Following the incident, the CE hired a private investigator to assist in locating the missing backup tapes; however, they were not recovered. Additionally, the CE retained Navigant Consulting to assess the recoverability of the information and to conduct a validation review of CE’s internal analyses. In response to the incident, the CE improved safeguards by encrypting all backup tapes, storage devices, and electronic media that may contain e-PHI, moving backup tapes to a secure off-site facility, installing non-movable storage cabinets in its data centers, and implementing two-factor authentication for access to ePHI. It also hired a system administrator to manage and audit backup procedures, retrained staff, and updated and created HIPAA policies and procedures, including role-based access to cabinets containing backup data. OCR obtained assurances that the corrective actions listed above were carried out." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "InStep Foot Clinic, P.A."
"Healthcare Provider" "Quantity[2600, ""People""]" "DateObject[{2011, 10, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Futurity First Insurance Group" "Business Associate" "Quantity[3994, ""People""]" "DateObject[{2011, 10, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Privacy Manager Breach Lahey Clinic" "Healthcare Provider" "Quantity[599, ""People""]" "DateObject[{2011, 10, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Lahey Hospital and Medical Center (Lahey)has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.Lahey notified OCR that a laptop was stolen from an unlocked treatment room during the overnight hours on August 11, 2011.The laptop was on a stand that accompanied a portable CT scanner; the laptop operated the scanner and produced images for viewing through Lahey’s Radiology Information System and Picture Archiving and Communication System.The laptop hard drive contained the protected health information (PHI) of 599 individuals.Evidence obtained through OCR’s subsequent investigation indicated widespread non-compliance with the HIPAA rules, including:•Failure to conduct a thorough risk analysis of all of its ePHI;•Failure to physically safeguard a workstation that accessed ePHI;•Failure to implement and maintain policies and procedures 
regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment; • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident; • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and • Impermissible disclosure of 599 individuals’ PHI. “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment,” said OCR Director Jocelyn Samuels. “Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.” In addition to the $850,000 settlement, Lahey must address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance. The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Hospital" "Healthcare Provider" "Quantity[12784, ""People""]" "DateObject[{2011, 10, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Thomas Jefferson University Hospitals, Inc."
"Healthcare Provider" "Quantity[3150, ""People""]" "DateObject[{2011, 10, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Lankenau Medical Center" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2011, 10, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Spectrum Health Ssytems, Inc." "Healthcare Provider" "Quantity[14750, ""People""]" "DateObject[{2011, 10, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Conway Regional Medical Center" "Healthcare Provider" "Quantity[1472, ""People""]" "DateObject[{2011, 10, 21}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "A business associate (BA) of the covered entity (CE), Conway Regional Medical Center, sent the CE two compact disks containing scanned medical records which were mislaid following receipt.The protected health information (PHI) involved in the breach included the demographic and financial information of 1,472 individuals.The CE provided breach notification to HHS, the media, and affected individuals.Following this breach, the CE instructed its BA to encrypt any removable media that contains PHI and hand deliver the removable media to the CE’s Medical Records Department.Further, the CE improved administrative safeguards by updating its policy and procedures, which now requires a signature of an employee in the receiving department when packages are delivered.Also, all workforce members in the department involved in the breach attended additional HIPAA training.As a result of OCR’s investigation, the CE no longer routinely sends PHI off site for scanning." 
"Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "HITS Scanning Solutions, Inc." "Business Associate" "Quantity[7059, ""People""]" "DateObject[{2011, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE) business associate (BA) shipped microfilm records containing protected health information (PHI) of 7,059 workforce members.The microfilm was lost in transit and not recovered. The PHI included clinical information, diagnoses, names, addresses, zip codes, date of births, social security numbers, driver's license numbers, and other identifiers.Following the breach, the CE changed its procedures, requiring PHI to be shipped via a new mail carrier that requires a confirmation signature upon receipt and allows for the tracking of packages.As a result of OCR's investigation the CE retrained its employees on its HIPAA policies and procedures." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Stone Oak Urgent Care & Family Practice" "Business Associate" "Quantity[6672, ""People""]" "DateObject[{2011, 10, 24}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana University School of Optometry" "Healthcare Provider" "Quantity[757, ""People""]" "DateObject[{2011, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "A doctor's letters and reports were exposed on the Internet for one month after the security configuration of the covered entity's (CE) computer server was changed. 
The electronic protected health information (ePHI) of 757 individuals appearing on the Internet included patient names, birth dates, medical histories, diagnoses, and treatment plans. Following the breach, the CE identified and blocked the internet protocol (IP) address that was allowing access to ePHI over the Internet, removed the web portal that was facilitating access, and restored the affected server to its previous security configuration. As a result of OCR's investigation, the CE implemented monitoring and reporting of electronic information systems that transmit ePHI. OCR obtained assurances that breach notification was provided to affected individuals, the media, and HHS." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Brevard Emergency Services, P.A." "Healthcare Provider" "Quantity[2200, ""People""]" "DateObject[{2011, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Morris Heights Health Center" "Healthcare Provider" "Quantity[927, ""People""]" "DateObject[{2011, 10, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school-based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices.
The CE also retrained all staff on its policies and procedures for using and securing ePHI. " "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Pitney Bowes Management Services, Inc." "Business Associate" "Quantity[1089, ""People""]" "DateObject[{2011, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Thresholds Inc." "Business Associate" "Quantity[1100, ""People""]" "DateObject[{2011, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Premier Imaging" "Healthcare Provider" "Quantity[551, ""People""]" "DateObject[{2011, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Paper/Films" "False" "A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Julie A. Kennedy, D.M.D., P.A."
"Healthcare Provider" "Quantity[2900, ""People""]" "DateObject[{2011, 10, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE.The ePHI included patient names, dates of birth, and social security numbers.The CE provided breach notification to all affected individuals, HHS, and the media.As a result of OCR's investigation, the CE installed encryption software and increased physical security." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "KCI USA, Inc." "Healthcare Provider" "Quantity[567, ""People""]" "DateObject[{2011, 10, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Lebanon Internal Medicine Associates" "Healthcare Provider" "Quantity[55000, ""People""]" "DateObject[{2011, 11, 2}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "St. 
Joseph Medical Center" "Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2011, 11, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "UCLA Health System" "" "Quantity[2761, ""People""]" "DateObject[{2011, 11, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Science Applications International Corporation (SA" "Business Associate" "Quantity[4900000, ""People""]" "DateObject[{2011, 11, 4}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""WestVirginia"", ""UnitedStates""}]" "Logan County Emergeny Ambulance Service Authority" "Healthcare Provider" "Quantity[12563, ""People""]" "DateObject[{2011, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Amerigroup Community Care of New Mexico, Inc" "Health Plan" "Quantity[1537, ""People""]" "DateObject[{2011, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A workforce member of the covered entity (CE), Amerigroup Community Care of New Mexico, accessed the company data system to compile a list of members’ names, dates of birth, and social security numbers. The protected health information (PHI) of approximately 1,526 individuals was involved in the breach.
The workforce member did not have a job specific purpose for accessing and downloading the information. Following this breach, the CE terminated the workforce member involved. Further, the CE conducted an internal review of its procedures to determine whether additional security controls are needed. As a result of OCR’s investigation, the CE provided additional training, through email reminders, about workforce members’ responsibilities to protect member information and to report incidents when observed." "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Mid Continent Credit Services, Inc." "Business Associate" "Quantity[8275, ""People""]" "DateObject[{2011, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CE's website that potentially allowed the impermissible disclosure of 8,275 individuals' electronic protected health information (ePHI). The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers. Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy. CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. It offered credit monitoring service to affected individuals. As a result of OCR's investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification policies."
"Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Sutter Medical Foundation" "Healthcare Provider" "Quantity[943434, ""People""]" "DateObject[{2011, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthDakota"", ""UnitedStates""}]" "Medcenter One" "Healthcare Provider" "Quantity[650, ""People""]" "DateObject[{2011, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On or about October 21, 2011, the covered entity (CE), MedCenter One, Inc., which merged with Sanford Health on July 3, 2012, failed to safeguard the electronic protected health information (ePHI) of approximately 650 patients when an unencrypted, password-protected laptop computer and a bag containing 11 patient charge tickets were stolen from an employee’s vehicle.The type of ePHI involved in the breach included demographic information.The CE provided breach notification to HHS, affected individuals, and the media.The CE encrypted all of its laptop computers, implemented new information technology security policies and procedures, retrained staff on its new policies, and sanctioned the responsible employee.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Dallas County Hospital District dba Parkland Health & Hospital System" "Healthcare Provider" "Quantity[2464, ""People""]" "DateObject[{2011, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Dallas County Hospital District dba Parkland Health & Hospital System, after it reported that a former workforce member, while still employed, downloaded the names and certain personal information of its patients.The electronic protected health information (ePHI) involved in the breach included names, social security numbers, dates of birth, and other demographic information of approximately 2,464 individuals.The downloaded information was used to solicit potential clients in the workforce member’s personal business, a home health agency.The CE provided breach notification to HHS and affected individuals and offered free credit monitoring services for a year.Further, the CE terminated the workforce member who was involved in the incident and pursued criminal charges against him.As a result of OCR’s investigation, the CE developed a program to track anomalies to detect inappropriate use or access.Further, the CE revised its code of conduct and ethics to increase focus on conflicts of interest and confidentiality of PHI." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "University of Kentucky UK HealthCare" "Healthcare Provider" "Quantity[878, ""People""]" "DateObject[{2011, 11, 23}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "State of Tennessee Sponsored Group Health Plan" "Health Plan" "Quantity[1770, ""People""]" "DateObject[{2011, 11, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE provided reviewed its policies and procedures to ensure adequate safeguards are in place. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Cleveland Clinic Florida" "Healthcare Provider" "Quantity[772, ""People""]" "DateObject[{2011, 12, 1}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Jay C. 
Platt, DDS" "Healthcare Provider" "Quantity[10705, ""People""]" "DateObject[{2011, 12, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Rite Aid Corporation " "Healthcare Provider" "Quantity[2900, ""People""]" "DateObject[{2011, 12, 7}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Blue Vantage Group" "Business Associate" "Quantity[7226, ""People""]" "DateObject[{2011, 12, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Nation Wise Machine Buyers" "Business Associate" "Quantity[2000, ""People""]" "DateObject[{2011, 12, 9}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "University of Nebraska Medical Center" "Healthcare Provider" "Quantity[611, ""People""]" "DateObject[{2011, 12, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Roberts S. Smith M.D. Inc." "Healthcare Provider" "Quantity[17000, ""People""]" "DateObject[{2011, 12, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Paul C. 
Brown, MD, PS" "Healthcare Provider" "Quantity[4693, ""People""]" "DateObject[{2011, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Molina Healthcare of California" "Health Plan" "Quantity[11081, ""People""]" "DateObject[{2011, 12, 17}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Aegis Sciences Corporation" "Healthcare Provider" "Quantity[2185, ""People""]" "DateObject[{2011, 12, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies."
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Soundpath Health, Inc" "Health Plan" "Quantity[7581, ""People""]" "DateObject[{2011, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop containing the protected health information (PHI) of approximately 7,581 clients was stolen out a workforce member's vehicle and subsequently used to access the covered entity's (CE) company server.The laptop contained clients' demographic information.After the incident, the CE performed a risk analysis of the specific breach occurrence.The CE provided OCR with a copy of its risk analysis, as well as its privacy, breach notification, and security policies and procedures. Following OCR's investigation, the CE performed a broader security risk assessment and encrypted all mobile media.The CE also developed and provided computer security training to its staff members." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Concentra Health" "Healthcare Provider" "Quantity[870, ""People""]" "DateObject[{2011, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Sleep HealthCenters LLC" "Healthcare Provider" "Quantity[2988, ""People""]" "DateObject[{2011, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Smile Designs" "Healthcare Provider" "Quantity[1670, ""People""]" "DateObject[{2012, 1, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Alamance Caswell Local Management Entity" "Business Associate" "Quantity[50000, ""People""]" "DateObject[{2012, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Email, Network Server" "True" 
"Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "CardioNet, Inc" "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2012, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "RightNow Technologies" "Business Associate" "Quantity[2700, ""People""]" "DateObject[{2012, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "RightNow Technologies, the software vendor and business associate (BA) for the covered entity (CE), MDwise, failed to disable a software switch, which allowed Google to index files on the CE’s hosted website containing the electronic protected health information (ePHI) of approximately 2,700 individuals.The ePHI included individuals’ names, addresses, zip codes, Medicaid numbers, and primary care physicians’ names and addresses.Following the breach, the CE took down the files in issue, disallowed the indexing and searching of the CE’s files by Internet search engines, and added restrictions.The CE also requested that Google remove the indexing on the affected files and obtained confirmation that Google cooperated within 24 hours. The CE provided breach notification to HHS, affected individuals, and the media.Finally, the CE improved technical safeguards pursuant to the HIPAA Security Rule.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "WageWorks, Inc." 
"Business Associate" "Quantity[1700, ""People""]" "DateObject[{2012, 1, 13}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewHampshire"", ""UnitedStates""}]" "Foundation Medical Partners" "Healthcare Provider" "Quantity[771, ""People""]" "DateObject[{2012, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Without permission from the covered entity (CE), an employee provided a list of patient's names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating.The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes.Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management.The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter." "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Kansas Department on Aging" "Healthcare Provider" "Quantity[7757, ""People""]" "DateObject[{2012, 1, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On January 13, 2012, a laptop computer was from stolen from an employee’s vehicle. 
The laptop contained the electronic protected health information (ePHI) of approximately 7,757 Kansas Department on Aging customers. The ePHI included customers’ names, addresses, dates of birth, types of services, case managers and their telephone numbers, dates of quality reviews, and names of quality review staff. KDOA filed a police report, provided breach notification to HHS, affected individuals, and the media, and issued substitute notice. Following the breach, KDOA retrained its workforce and encrypted all its laptops and thumb/flash drives. OCR obtained assurances that KDOA implemented the corrective action listed above, and upon investigation, OCR determined that KDOA does not meet the definition of a covered entity. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Delta Dental of California" "Health Plan" "Quantity[11646, ""People""]" "DateObject[{2012, 1, 19}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Muskogee Regional Medical Center" "Health Plan" "Quantity[844, ""People""]" "DateObject[{2012, 1, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "A binder containing flu test results went missing from the lab of the covered entity (CE), Muskogee Regional Medical Center, on or about December 5, 2011. The binder contained the protected health information (PHI) of approximately 844 individuals, including patients’ names, account numbers, genders, medical record numbers, dates of birth, ages, test dates, and flu test results. Although the CE’s investigation could not confirm that the information had been impermissibly disclosed, it provided breach notification to the potentially affected individuals, HHS and the media. Following discovery of the incident, the CE retrained laboratory workforce members regarding proper handling and disposal procedures for PHI. It also determined to eliminate such paper records and to
store future similar records electronically. OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "ACS, Affiliated Computer Services, Inc., A Xerox Company" "Business Associate" "Quantity[1444, ""People""]" "DateObject[{2012, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Oldendorf Medical Services, PLLC" "Healthcare Provider" "Quantity[549, ""People""]" "DateObject[{2012, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers.
" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St.Vincent Physician Network" "Healthcare Provider" "Quantity[1423, ""People""]" "DateObject[{2012, 1, 26}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Flex Physical Therapy" "Healthcare Provider" "Quantity[3100, ""People""]" "DateObject[{2012, 1, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "On 12/30/2011, three password protected desktop computers were stolen as a result of a break-in.The electronic protected health information (ePHI) involved in the breach may have contained the names, social security numbers, addresses, dates of birth, claims information, diagnosis and treatment information of 3,100 individuals.The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notice.Following the breach, the CE upgraded its software and addressed facility access controls.OCR provided technical assistance regarding encryption standards and breach notification requirements." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Metro Community Provider Network" "Healthcare Provider" "Quantity[3200, ""People""]" "DateObject[{2012, 1, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Miami " "Healthcare Provider" "Quantity[1219, ""People""]" "DateObject[{2012, 1, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "An unencrypted USB drive was stolen from the vehicle of a University of Miami pathologist. 
The drive contained the electronic protected health information (ePHI) of 1,219 patients, including names, ages, diagnoses, and treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. It also established a website related to the breach and offered credit monitoring to affected individuals. Following the breach, the CE implemented sanctions by ceasing relations with the pathologist (an independent contractor) and retrained personnel on safeguards, notably encryption, data protection and security awareness. OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealth Group health plan single affiliated covered entity" "Health Plan" "Quantity[6678, ""People""]" "DateObject[{2012, 2, 1}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Triumph, LLC" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2012, 2, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Accretive Health" "Business Associate" "Quantity[14000, ""People""]" "DateObject[{2012, 2, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Loma Linda University Medical Center (LLUMC)" "Healthcare Provider" "Quantity[1366, ""People""]" "DateObject[{2012, 2, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Affiliated Computer Services, Inc.(ACS, Inc.)
A Xerox Company" "Business Associate" "Quantity[1700, ""People""]" "DateObject[{2012, 2, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Medco Health Solutions, Inc." "Healthcare Provider" "Quantity[1287, ""People""]" "DateObject[{2012, 2, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Medco Health Solutions, Inc., reported that it mailed letters that contained the protected health information (PHI) of 4,341 individuals to incorrect addresses due to a corruption of data in the mailing software programming code.After conducting a risk assessment, the CE determined that the actual number of affected individuals was 1,287.The PHI included names, medication names, and prescription numbers.The CE provided breach notification to HHS and affected individuals.Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system.As a result of OCR's investigation, the CE corrected the update to its mailing software system and established a manual quality check process.The CE also implemented the use of a daily automated surveillance system for its mailing software." "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Lakeview Medical Center" "Healthcare Provider" "Quantity[698, ""People""]" "DateObject[{2012, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Goshen Health System, Inc." 
"Healthcare Provider" "Quantity[660, ""People""]" "DateObject[{2012, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "Computer servers of Goshen Health System’s business associate (BA), Silver Tech, may have been injected with a virus on December 22, 2011. The BA operates a consumer website on behalf of the covered entity (CE) for employment and pre-registration for screenings and diagnostic testing. The BA’s servers contained the electronic protected health information (ePHI) of approximately 660 individuals, including patients’ names, social security numbers, addresses, insurance carriers, testing information, and financial information. The CE provided breach notification to HHS, affected individuals, and the media. It also notified the Indiana Attorney General’s office and the FBI and offered one year of free credit monitoring services to affected individuals. Following the breach, the CE terminated its relationship with the BA, engaged an outside forensic security firm to conduct an internal investigation, and updated its website. The CE revised its HIPAA policies and procedures and updated its practices to ensure the proper execution of Business Associate Agreements with all vendors and other parties who may have access to PHI. The CE trained its employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "St. 
Joseph Health System" "" "Quantity["""", ""People""]" "DateObject[{2012, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Georgetown University Hospital" "Healthcare Provider" "Quantity[1549, ""People""]" "DateObject[{2012, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Motion Picture Industry Health Plans (MPI)" "Health Plan" "Quantity[703, ""People""]" "DateObject[{2012, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "The covered entity (CE), Motion Picture Industry Health Plans (MPIHP), mistakenly sent mailings containing protected health information (PHI) to the prior address of approximately 700 individuals due to a computer error.The PHI involved in the breach included names, claim numbers, dates of service, and provider names.The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website.Following the breach, the CE instituted additional safeguards including automatic suppression of documents when conflicting addresses are contained in multiple computer systems.As a result of OCR's investigation, the CE updated its policies, conducted a new risk analysis, and developed a new risk management plan." 
"Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Ochsner Health System" "Healthcare Provider" "Quantity[2088, ""People""]" "DateObject[{2012, 2, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "An external hard drive was stolen from the radiology department of the covered entity (CE), Ochsner Health System. The electronic protected health information (ePHI) on the hard drive included the names, addresses, dates of birth, and medical record numbers of approximately 2,088 individuals. The CE provided breach notification to HHS, affected individuals, and the media. As a result of the breach, the CE improved technical safeguards and updated its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Dr. Trandinh" "Business Associate" "Quantity[2300, ""People""]" "DateObject[{2012, 2, 20}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Laptop" "True" "The CE reported that a physician’s personally-owned, unencrypted laptop was stolen from her residence. The laptop contained the medical records of 2,306 patients who had been seen by the physician in her solo private practice, not the CE. The medical records contained demographic information, including home addresses, social security numbers, and clinical information, including diagnoses, treatment information, and medical history. Prior to the theft, the physician had closed her private practice and provided an electronic copy of her patient records to the CE. The CE, as custodian of the records, provided breach notification to HHS, affected individuals and the media. Following additional technical assistance provided by OCR, the CE developed a written breach policy and procedure." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "CardioNet, Inc." 
"Healthcare Provider" "Quantity[728, ""People""]" "DateObject[{2012, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Beth Barrett Consulting, LLC" "Business Associate" "Quantity[7000, ""People""]" "DateObject[{2012, 2, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Catalyst Health Solutions, Inc." "Business Associate" "Quantity[632, ""People""]" "DateObject[{2012, 2, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "T&P CONSULTING, INC. D/B/A QUANTUM" "Business Associate" "Quantity[7706, ""People""]" "DateObject[{2012, 2, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA).The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service.Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach.As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees.In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices.OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions.OCR identified the need for the CE to complete a risk assessment and 
implement certain security policies and procedures." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Lee Miller Rehabilitation Associates" "Healthcare Provider" "Quantity[10480, ""People""]" "DateObject[{2012, 2, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Jeremaih J. Twomey, F.A.C.P., P.A." "Business Associate" "Quantity[2559, ""People""]" "DateObject[{2012, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Jeremaih J. Twomey, F.A.C.P., P.A. filed a breach notification report on March 2, 2012, as a business associate (BA), stating its office building and suite were ransacked and vandalized during the weekend of December 31, 2011.An external hard drive was stolen containing patient names, addresses, medical condition(s), diagnoses and, in some instances, social security numbers and dates of birth.The number of patients affected was 2,559.The BA provided breach notification to HHS, affected individuals, and the media.OCR initiated an investigation and, subsequently, learned that Jeremaih J. Twomey, F.A.C.P., P.A. is no longer a business associate (or covered entity).Dr. Twomey retired and closed his practice." "Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Anchorage Community Mental Health Services Inc." 
"Healthcare Provider" "Quantity[2743, ""People""]" "DateObject[{2012, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Robley Rex VA Medical Center " "Healthcare Provider" "Quantity[1182, ""People""]" "DateObject[{2012, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "A workforce member of the covered entity (CE), Robley Rex VA Medical Center, lost or had stolen a binder of coding reports, which contained the protected health information (PHI) of 1,182 individuals. The binder was left unattended outside the entrance of the facility and returned soon thereafter to a workforce member by an inpatient at the facility who discovered the log book. The PHI involved in the breach covered approximately 1,182 individuals and included names, social security numbers, and discharge dates. The CE provided breach notification to HHS, affected individuals, and the media, and offered free credit protection to all affected individuals. Following the breach, the CE suspended the employee and sent a bulletin to all employees indicating that they were not permitted to maintain log books or transport PHI outside the facility without authorization. As a result of OCR’s investigation, the CE reviewed its policies and procedures to ensure the adequacy of safeguards." 
"Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana Internal Medicine Consultants" "Healthcare Provider" "Quantity[20000, ""People""]" "DateObject[{2012, 3, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without proprietary software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI." "Entity[""Country"", ""PuertoRico""]" "T & P Consulting, Inc. 
d/b/a Quantum Health Consulting" "Business Associate" "Quantity[10000, ""People""]" "DateObject[{2012, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "True" "The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA).The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service.Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement.Additionally, the CE notified all affected individuals of the breach and issued a press release.As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures." 
"Entity[""Country"", ""PuertoRico""]" "Quantum Health Consulting" "Business Associate" "Quantity[4645, ""People""]" "DateObject[{2012, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health.The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service.Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media.As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees.In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices." "Entity[""Country"", ""PuertoRico""]" "T&P Consulting, INC. d/b/a Quantum Health Consulting" "Business Associate" "Quantity[27098, ""People""]" "DateObject[{2012, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE’s business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. 
Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR’s investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. Lastly, the CE also provided media notification and notification to all individuals affected by the breach." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kern Medical Center " "Healthcare Provider" "Quantity[1431, ""People""]" "DateObject[{2012, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "William F. DeLuca Jr., M.D." "Healthcare Provider" "Quantity[577, ""People""]" "DateObject[{2012, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies." 
"Entity[""Country"", ""PuertoRico""]" "Quantum Health Consulting" "Business Associate" "Quantity[7923, ""People""]" "DateObject[{2012, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA).The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service.Upon discovery of the breach, the CE filed a police report to recover the stolen items.The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Advanced Clinical Research Institute" "Health Plan" "Quantity[875, ""People""]" "DateObject[{2012, 3, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "T&P Consulting, INC DBA Quantum HC" "Business Associate" "Quantity[7606, ""People""]" "DateObject[{2012, 3, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "True" "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA).The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service.Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals.As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees.In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action.OCR identified the need for the CE to implement certain security policies, procedures and controls." 
"Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Georgia Health Sciences University" "Healthcare Provider" "Quantity[513, ""People""]" "DateObject[{2012, 3, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On January 19, 2012, the covered entity’s (CE) employee discovered that her laptop computer was stolen from the front porch of her home.The laptop contained the electronic protected health information (ePHI) of 513 patients, including names, dates of birth, and health data.The laptop lacked virtual private network connectivity and the data was password protected but not encrypted.The CE provided breach notification to HHS, affected individuals, and the media.In response to the breach, the CE encrypted all employee laptops, implemented a mobile device and remote access policy and updated its electronic data backup policy.The CE also trained staff on its HIPAA Privacy and Security policies.Additionally, the CE counseled the employee for failure to maintain physical security of the CE’s property.OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Heart and Vascular Center, LLP" "Healthcare Provider" "Quantity[1972, ""People""]" "DateObject[{2012, 3, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "An unsecured tablet computer was stolen from an employee’s vehicle on January 6, 2012.The protected health information (PHI) involved in the breach included names, addresses, dates of birth, treating physicians’ names and health screening results for 1,972 individuals.The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. 
As a result of OCR’s investigation, OCR reviewed the CE’s HIPAA policies, documentation of workforce training related to safeguarding mobile devices, and its risk analysis related to mobile devices.Following the incident, the CE implemented additional technical safeguards, including encryption solutions, as part of its mobile device management program." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Chicago Muscoskeletal Institute" "Healthcare Provider" "Quantity[750, ""People""]" "DateObject[{2012, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "On December 31, 2011, the names, dates of birth, medical record numbers, and clinic notes for 750 of the covered entity’s (CE) patients were available on its network server and website.The CE disabled the website and removed the 750 patients’ demographic and clinical information from its network server.The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR’s investigation, the CE provided fraud and credit monitoring to affected individuals and retrained its staff on technical safeguards." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.)" "Business Associate" "Quantity[3482, ""People""]" "DateObject[{2012, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Duke University Health System" "Healthcare Provider" "Quantity[1370, ""People""]" "DateObject[{2012, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "St. 
Joseph's Medical Center" "Healthcare Provider" "Quantity[712, ""People""]" "DateObject[{2012, 3, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "CenterLight Healthcare" "Health Plan" "Quantity[642, ""People""]" "DateObject[{2012, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "A workforce member emailed to his personal email address files containing the protected health information (PHI) of 642 individuals, including their names, Medicare numbers, Medicaid numbers, enrollment status, and some health plan names.The workforce member was a temporary worker who had intended to show his work product to potential employers to demonstrate his experience with such work.The covered entity (CE), CenterLight Healthcare, provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE ensured that the temporary worker deleted the email at issue from his personal email account and personal mobile device.The CE also attempted to secure the temporary worker’s written acknowledgment that confirmed that he either (i) did not save the files to his home desktop computer or (ii) deleted the files from his home desktop computer.The CE also sanctioned the worker.Additionally, the CE stopped using temporary workers, implemented an email encryption solution, and revised its HIPAA training.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Lake Granbury Medicl Ceter" "Healthcare Provider" "Quantity[502, ""People""]" "DateObject[{2012, 4, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "County of Wayne Department of Personnel/Human Resources Benefits Administration Division" "Health Plan" "Quantity[1229, ""People""]" "DateObject[{2012, 4, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "St. Elizabeth's Medical Center" "Healthcare Provider" "Quantity[6831, ""People""]" "DateObject[{2012, 4, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "The Neighborhood Christian Clinic" "Healthcare Provider" "Quantity[9565, ""People""]" "DateObject[{2012, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "AccentCare Home Health of California, Inc. Medicare # 057564CA state License # 080000226" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2012, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "A former workforce member of the covered entity (CE), AccentCare Home Health Care of CA, downloaded and forwarded the electronic protected health information (ePHI) of approximately 1,000 individuals via a personal email account to other ex-workforce members.The ePHI included names, addresses, zip codes, social security numbers, diagnoses and conditions.This was discovered nearly a year after the incident during a deposition.The intended recipients denied requesting or receiving the ePHI. 
The CE provided breach notification to HHS, affected individuals, and the media.Following discovery of the breach, the CE hired a third party to conduct a risk assessment, followed through with recommended risk management processes and began working toward obtaining a HITRUST Certification.As a result of OCR’s investigation, the CE improved its understanding of the risk analysis and risk management process." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "HealthLOGIX" "Business Associate" "Quantity[555, ""People""]" "DateObject[{2012, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "David Charles Rish" "Business Associate" "Quantity[2000, ""People""]" "DateObject[{2012, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Utah Department of Technology Services" "Business Associate" "Quantity[780000, ""People""]" "DateObject[{2012, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "IU Medical Group" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2012, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Rhinebeck Health Center/Center for Progressive Medicine" "Healthcare Provider" "Quantity[6745, ""People""]" "DateObject[{2012, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals.The ePHI 
included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers.Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files.In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup.As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management.In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Memorial Healthcare System" "Health Plan" "Quantity[9497, ""People""]" "DateObject[{2012, 4, 13}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Roy E. Gondo, M.D." "Healthcare Provider" "Quantity[2100, ""People""]" "DateObject[{2012, 4, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2012, 4, 16}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "After an extensive investigation, OCR determined that DRD Knoxville was not a HIPAA covered entity at the time that the incident occurred." 
"Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Emory Healthcare" "Healthcare Provider" "Quantity[315000, ""People""]" "DateObject[{2012, 4, 18}, ""Day"", ""Gregorian"", -5.]" "Other, Unknown" "Other" "False" "On February 20, 2012, the covered entity (CE), Emory Healthcare, discovered that ten unencrypted back-up compact disks (CDs) containing electronic protected health information (ePHI) were missing. The types of ePHI involved in the breach included clinical and demographic data for 315,000 surgical patients treated at three locations between September 1990 and April 2007.The information on the CDs could only easily be read using decommissioned software.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE required every department to inventory and properly store or destroy PHI.It also distributed educational material to all staff. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Desert AIDS Project" "Healthcare Provider" "Quantity[4400, ""People""]" "DateObject[{2012, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "University of Arkansas for Medical Sciences" "Healthcare Provider" "Quantity[7121, ""People""]" "DateObject[{2012, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "TLC Dental Dania, LLC" "Healthcare Provider" "Quantity[750, ""People""]" "DateObject[{2012, 4, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A laptop computer and 750 paper medical records were stolen from the covered entity (CE), TLC Dental Dania, LLC, during a break-in.The CE reported the theft to the law enforcement.The CE provided timely breach notification to affected individuals and HHS, and posted notice on its website.OCR provided technical assistance to CE about the requirements for media notice.In response to the breach, the CE adopted and implemented new HIPAA policies that addressed the Security, Privacy and Breach Notification Rules.OCR obtained assurances from the CE that its staff would be trained on these new policies." 
"Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "South Carolina Department of Health and Human Services" "Health Plan" "Quantity[228435, ""People""]" "DateObject[{2012, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE), South Carolina Department of Health and Human Services, discovered that an employee sent Medicaid reports to her personal email from January 31, 2012, through April 4, 2012.The breach affected 228,435 individuals and the types of protected health information (PHI) involved in the breach included names, addresses, phone numbers, social security numbers and for 22,648 individuals, their Medicaid identification numbers.The CE provided timely breach notification to HHS, affected individuals, and the media.CE also posted notification about the breach on its website.In response to the breach, CE suspended access to most of its ad hoc electronic reporting, initiated a comprehensive review of its privacy and security safeguards, contacted local and federal law enforcement, and sanctioned the responsible employee.The CE also revised its security policies to restrict employee access to PHI to only that necessary for the individual’s job function and implemented an automated monitoring system to track user activity in its computer system.CE also implemented annual privacy and security training.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon Health Authority" "Healthcare Provider" "Quantity[550, ""People""]" "DateObject[{2012, 4, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "SHIELDS For Families " "Healthcare Provider" "Quantity[961, ""People""]" "DateObject[{2012, 4, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "On February 27, 2012, a computer server was stolen from the covered entity (CE),Shields for Families.The server contained the electronic protected health information (ePHI) of 961 individuals and included names, addresses, zip codes, birth dates and referral information.The CE provided breach notification to HHS, affected individuals, and the media.The CE improved physical safeguards by relocating the new server to a locked office and securing it within the room.The CE initiated major improvements to its IT infrastructure, revised its security program, and retrained workforce members on its revised policies and procedures.OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Safe Ride Services, Inc" "Healthcare Provider" "Quantity[42000, ""People""]" "DateObject[{2012, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "IntraCare North Hospital" "Healthcare Provider" "Quantity[750, ""People""]" "DateObject[{2012, 5, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A former employee of the covered entity (CE), Intracare North Hospital, stole computers, monitors, and the CE’s billing software.The protected health information (PHI) involved in the breach included names, addresses, phone numbers, dates of birth, insurance information, and social security numbers.The District Attorney’s Office has not provided the CE with the PHI nor have they provided the CE with the number of patients that were affected.The CE provided breach notification to HHS, the media, and affected individuals.Individual notification included a toll-free number and the Harris County District Attorney’s contact number.Following OCR’s investigation, the CE improved safeguards by upgrading its system to allow for more specific monitoring of the activity of users and creating user codes to track copier use.The CE also improved administrative safeguards by revising workforce clearance procedures for certain jobs, and improved physical safeguards by installing surveillance cameras.In addition, staff was re-trained on the HIPAA Rules." 
"Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Oakland Vision Services, PC" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2012, 5, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Stephen Haggard, DPM Podiatry " "Healthcare Provider" "Quantity[1597, ""People""]" "DateObject[{2012, 5, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Computer equipment and a safe containing unencrypted the electronic protected health information (ePHI) of 1,597 individuals were stolen from the covered entitiy’s (CE) office on March 4, 2012.The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, claims information, diagnoses, and medication information.Following the breach, the covered entity purchased a new door and locks, a new alarm system, and alarm monitoring.As a result of OCR’s investigation, the CE conducted a risk analysis and developed breach notification policies and procedures.The CE also encrypted its computer server." 
"Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Baptist Health System" "Healthcare Provider" "Quantity[1655, ""People""]" "DateObject[{2012, 5, 4}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "On March 8, 2012, a trash bag containing discarded appointment schedules was inadvertently removed from a “shred bin” at Baptist Health System’s Talladega clinic by the office cleaning service and disposed of in a dumpster without being shredded.The protected health information (PHI) involved in the breach included patients’ names, dates of birth, dates of service, account numbers, and chart numbers for approximately 2,000 individuals.The CE provided breach notification to affected individuals, the media, and HHS.Following the breach, the CE initiated an internal investigation, conducted a risk assessment, and updated its policies and procedures regarding access to shred bins.As a result of OCR’s investigation, the CE reviewed its policies and procedures with staff to ensure the adequacy of safeguards." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "University of Houston for UH College of Optometry" "Healthcare Provider" "Quantity[7000, ""People""]" "DateObject[{2012, 5, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""WestVirginia"", ""UnitedStates""}]" "Rite Aid Store 1343" "Healthcare Provider" "Quantity[2905, ""People""]" "DateObject[{2012, 5, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "On March 29, 2012, the covered entity (CE), Rite Aid Store 1343, discovered that hard copy prescriptions from 2004 were stolen from a storage building in Oceana, West Virginia.The prescriptions contained the protected health information (PHI), of approximately 2,905 individuals, and included names and prescription information.After the breach was discovered, the CE removed two remaining boxes of prescriptions from the storage unit and secured them.The CE also improved physical safeguards by placing a new lock on the outside of the storage facility.The CE reported the incident to the authorities.As several staff members violated company policy by not ensuring that the storage area was properly secured, the CE issued final written warnings to all responsible staff members.The CE provided breach notification to HHS, affected individuals, and the media, and also offered each affected individual free identity theft protection services for one year.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Iowa Department of Human Services" "Health Plan" "Quantity[3000, ""People""]" "DateObject[{2012, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Hogan Services Inc. 
Health Care Premium Plan" "Health Plan" "Quantity[1134, ""People""]" "DateObject[{2012, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "On March 30, 2012, Hogan Services Inc. (HSI), the sponsor of a fully insured employee health plan, erroneously distributed an email to 287 employees containing the electronic protected health information (ePHI) of approximately 1,134 individuals.The ePHI included names, social security numbers, dates of birth, gender, group health plan identification numbers, member identifications, enrollment dates, and types of coverage for employees and names, dates of birth, and relationship information for employees’ spouses and dependents enrolled in the group health insurance plan.Upon discovering the breach, HSI directed its email vendor to shut down its email server, and constructed an incident response team that went to each workstation and deleted the ePHI from employees’ computers, and shredded any copies of the email that had been printed.HSI provided breach notification to HHS and affected individuals.As a result of OCR’s investigation, HSI made a decision not to accept, store, or transmit ePHI, and it retrained its workforce regarding the HIPAA Rules.HSI also added encryption software to employees’ accounts that have access to ePHI.OCR obtained assurances that HSI implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Family Health Services Minnesota PA" "Healthcare Provider" "Quantity[4000, ""People""]" "DateObject[{2012, 5, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "St. 
Mary Medical Center" "Healthcare Provider" "Quantity[3900, ""People""]" "DateObject[{2012, 5, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Our Lady of the Lake Regional Medical Center" "Healthcare Provider" "Quantity[17000, ""People""]" "DateObject[{2012, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop" "False" "A physician’s personally owned laptop computer, which was used to conduct business on behalf of the covered entity (CE), Our Lady of the Lake Regional Medical Center, was either misplaced or stolen.The laptop contained the electronic protected health information (ePHI) of 17,339 individuals and included patients’ names, ages, dates and times of admission/discharge, race, health coverage, medical history, and results of ICU treatments.The CE provided breach notification to HHS, affected individuals, established a call center, and employed a service to provide identity protection services.As a result of OCR’s investigation, the CE established and finalized controls and policies on personally owned devices used on behalf of the CE." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealth Group health plan single affiliated covered entity" "Health Plan" "Quantity[19100, ""People""]" "DateObject[{2012, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "West Dermatology" "Healthcare Provider" "Quantity[1900, ""People""]" "DateObject[{2012, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Duke University Health System" "Healthcare Provider" "Quantity[591, ""People""]" "DateObject[{2012, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Luz Colon, DPMPodiatry " "Healthcare Provider" "Quantity[1137, ""People""]" "DateObject[{2012, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop" "False" "On March 20, 2012, an unencrypted laptop computer containing patient information was lost or stolen.The laptop contained the demographic, clinical and financial information of 1,137 individuals.The covered entity (CE), Absolute Foot and Ankle Specialists Inc., provided breach notification to HHS, affected individuals, and English and Spanish media. In response to the breach, the CE disallowed removal of equipment from the premises and began using cloud-based electronic medical record software.OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Ameritas Life Insurance Corp. 
" "Health Plan" "Quantity[3000, ""People""]" "DateObject[{2012, 5, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Children's Hospital Boston" "Healthcare Provider" "Quantity[2159, ""People""]" "DateObject[{2012, 5, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Data Image, Inc." "Business Associate" "Quantity[15000, ""People""]" "DateObject[{2012, 5, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Physician's Automated Laboratory" "Healthcare Provider" "Quantity[745, ""People""]" "DateObject[{2012, 5, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Phoebe Putney Memorial Hospital, Inc. 
" "Healthcare Provider" "Quantity[12937, ""People""]" "DateObject[{2012, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Independence Physical Therapy" "Healthcare Provider" "Quantity[925, ""People""]" "DateObject[{2012, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Titus Regional Medical Center" "Healthcare Provider" "Quantity[5700, ""People""]" "DateObject[{2012, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "OCR opened an investigation of the covered entity (CE), Titus Regional Medical Center, after it reported that its EMS laptop computer that contained the protected health information (PHI) of 5,840 patients was missing upon returning from the EMS's last transport to Titus.It is thought that the laptop was left on the fender of the vehicle and fell off.Although the laptop was encrypted, the CE could not confirm if the laptop was opened or closed when it dropped from the vehicle.If the laptop was open when it dropped, then patients’ PHI (names, social security numbers, addresses, and dates of birth) may have been accessible to others.The CE proved breach notification to HHS, affected individuals, and the media.Following the breach the CE conducted an internal audit and determined that there was a glitch in the software parameter that permitted the download and storage of all 5,840 patients’ records on the laptops regardless of the parameter setting.As a result of OCR’s investigation the settings on the laptops were changed, including a reduction in the time for automatic shut–off when laptops are not in use.The CE applied sanctions to the EMT personnel involved and re-trained them on its privacy policies.In November 2013, the CE conducted a system wide risk analysis that 
included all of its systems and revised and implemented its security policies." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Titus Regional Medical Center" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2012, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Titus Regional Medical Center, the covered entity (CE), reported the theft of the protected health information (PHI) of an undetermined number of individuals from an offsite storage location. The PHI involved in the breach included first and last names, medical record numbers, account numbers, and in some cases, doctor’s reports. The CE filed a police report and provided breach notification to HHS, affected individuals, and the media. The CE also provided additional training to the involved employees. As a result of OCR’s investigation, the CE conducted a risk assessment and implemented additional safeguards for records contained in the storage location." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Lutheran Community Services Northwest" "Healthcare Provider" "Quantity[756, ""People""]" "DateObject[{2012, 5, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Other Portable Electronic Device" "False" "Two desktop computers and a USB drive were stolen during a break-in at the CE’s premises.The devices contained the electronic protected health information (ePHI) of approximately 757 individuals.The ePHI involved in the breach included phone numbers, email addresses, state identification card information, demographic, financial, clinical, diagnostic, and treatment information.The CE installed new locks, added HIPAA policies and procedures, and encrypted all mobile devices.As a result of OCR’s technical assistance, the CE revised policies and procedures, moved the back-up server offsite to a secure storage facility, and stopped saving ePHI to local computer drives." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Volunteer State Health Plan, Inc. " "Health Plan" "Quantity[1102, ""People""]" "DateObject[{2012, 5, 31}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Volunteer State Health Plan, mailed three envelopes containing the protected health information (PHI) that arrived at the contracted provider’s address damaged, with the contents missing.The envelopes were damaged at the U.S. postal facility where they were processed and contained member claim information of 1,102 individuals, including members’ names, identification numbers, claim numbers, dates of service, procedure codes, charges, and provider information. In response to this incident, an investigator for the CE visited the mail facility where the damage occurred in an attempt to determine that the documentation was appropriately shredded under USPS policy for damaged mail.Additionally, the CE’s mailroom began using tear resistant envelopes for oversized mailings, and the CE trained its mailroom employees on the new envelope policy.Finally, the CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Charlie Norwood VA Medical Center" "Healthcare Provider" "Quantity[824, ""People""]" "DateObject[{2012, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "PrevMED" "Business Associate" "Quantity[1444, ""People""]" "DateObject[{2012, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Metcare of Florida, Inc." 
"Healthcare Provider" "Quantity[2557, ""People""]" "DateObject[{2012, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "The covered entity (CE), Metcare of Florida, discovered on May 2, 2012, that its facility had been broken into and a tablet computer was stolen.The tablet was password protected but not encrypted and contained the following types of protected health information (PHI):patients’ name, dates of birth, patient identification numbers, and clinical information. The theft affected 2,557 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE encrypted its portable devices, implemented written policies requiring the physical safeguard of portable devices, and provided specialized training to its workforce.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Robert Witham, MD, FACP" "Healthcare Provider" "Quantity[11136, ""People""]" "DateObject[{2012, 6, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Memorial Sloan-Kettering Cancer Center" "Healthcare Provider" "Quantity[568, ""People""]" "DateObject[{2012, 6, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email, Other" "False" "The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be usedin a presentation.In addition, the medical education organization posted the presentation slides on its website.The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical 
information.Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI.As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Gessler Clinic, P.A." "Healthcare Provider" "Quantity[1409, ""People""]" "DateObject[{2012, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "University of Kentucky HealthCare" "Healthcare Provider" "Quantity[4490, ""People""]" "DateObject[{2012, 6, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On May 1, 2012, an unencrypted laptop of a University of Kentucky Health Care employee with the protected health information (PHI) of approximately 4,488 individuals was stolen from a workforce member’s son, who borrowed the laptop without permission and knew the computer’s password.The PHI involved in the breach included medical record numbers, dates of visits, and chief complaints.The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, set up a toll-free number for questions, and posted substitute notice on its website.The responsible workforce member was suspended pending an investigation and ultimately resigned.The CE created and revised its HIPAA policies and procedures, including its mobile device policy, and implemented additional security measures to address high and moderate risks identified in its risk analysis.Finally, the CE provided evidence of employee training and security reminders.OCR obtained assurances that the corrective actions listed above 
were completed." "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Wolf & Yun" "Healthcare Provider" "Quantity[824, ""People""]" "DateObject[{2012, 6, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On April 24, 2012, a password protected laptop computer containing patient demographic information and auditory diagnostic testing data was stolen during office hours from a back laboratory testing room of the covered entity (CE), Wolf and Yun.The breach affected approximately 824 individuals.The electronic protected health information (ePHI) on the laptop included patients’ names, addresses, dates of birth, and raw auditory testing data.The CE provided breach notification to HHS, affected individuals and the media.Following the breach, the CE filed a police report, reviewed its policies and procedures and improved physical safeguards.As a result of OCR’s investigation, the CE performed a risk analysis, installed a secure router, increased transmission security, revised its HIPAA policies, updated its computer operating system, created formal incident response and reporting procedures, and retrained its workforce." "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Karen Kietzman" "Healthcare Provider" "Quantity[708, ""People""]" "DateObject[{2012, 6, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "A laptop, iPad, and portable memory drive were stolen from the office of Dr. Karen Kietzman, the covered entity (CE), affecting approximately 708 individuals.The electronic protected health information (ePHI) contained on the devices included patients’ demographic and mental health information.The CE provided breach notification to HHS, affected individuals, and media.As a result of the breach, and to prevent a recurrence, the CE improved physical safeguards, encrypted her laptop, and stopped storing ePHI on any other electronic media. 
As a result of OCR’s investigation and technical assistance, the CE developed a risk analysis and risk management plan and developed policies and procedures to implement the Privacy, Security, and Breach Notification Rules." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Bruce G. Peller, DMD, PA" "Healthcare Provider" "Quantity[9953, ""People""]" "DateObject[{2012, 6, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "The covered entity (CE), Dr. Bruce Peller DMD, PA, discovered on April 27, 2012, that an unauthorized individual gained access to patients' protected health information (PHI) and compiled a list of such information. The CE determined that 9,953 individuals may have been affected and the following information may have been accessed: patients' names, legal guardians (if applicable), dates of birth, addresses, phone numbers, email addresses, treatment dates, internal identification numbers and account balances. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE obtained an injunction that required the destruction or return of PHI, implemented a stronger training program for its workforce, and improved its privacy and security policies. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Sharon L. 
Rogers, Ph.D., ABPP" "Healthcare Provider" "Quantity[585, ""People""]" "DateObject[{2012, 7, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Health Texas Provider Network - Cardiovascular Consultants of North Texas" "Healthcare Provider" "Quantity[2462, ""People""]" "DateObject[{2012, 7, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "A former employee of the covered entity (CE), Baylor Health Care System and Health Texas Provider Network – Cardiovascular Consultants of North Texas, continued to access its appointment reminder system for nearly two months after employment ended.The former employee accessed the protected health information (PHI) of 2,462 individuals, including patients’ names, phone numbers, appointment times and dates, reason for appointments, physicians’ names and facility names.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE terminated the former employee’s system access, modified its access termination protocol, and sanctioned and retrained involved staff.As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "SwedishAmerican Health System" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2012, 7, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An individual misrepresented himself as an employee of a vendor contracted with the covered entity (CE) to dispose of x-ray films, obtained access to a storage area that contained films to be destroyed, and stole approximately 1,500 x-ray films from the CE.The CE strongly believes that the films were stolen due to silver content rather than patient information.The protected health information (PHI) involved in the breach included names, addresses, dates of birth, medical record numbers, account numbers and x-ray types.The CE provided breach notification to HHS and the media and posted substitute notice online.Following the breach, the CE examined its policies and procedures, established a committee to oversee PHI destruction processes, reviewed physical security on campuses, and issued email notices to all workforce members regarding vendor security.OCR reviewed the CE’s policies and procedures." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Patterson Dental, Inc." 
"Business Associate" "Quantity[2533, ""People""]" "DateObject[{2012, 7, 13}, ""Day"", ""Gregorian"", -5.]" "Loss, Unauthorized Access/Disclosure, Unknown" "Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Visiting Nurse Services of Iowa" "Healthcare Provider" "Quantity[1298, ""People""]" "DateObject[{2012, 7, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Molalla Family Dental" "Healthcare Provider" "Quantity[4354, ""People""]" "DateObject[{2012, 7, 16}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Other, Unauthorized Access/Disclosure" "Network Server" "False" "The CE did not control access to the electronic protected health information (ePHI) of 4,354 individuals which was contained in the CE’s network-attached storage.Specifically, the CE’s firewall was set to allow access to a port that permitted anyone outside of CE’s firewall to access patient information.The ePHI involved in the breach included names, addresses, email addresses, dates of birth, patient intake sheets, invoices, dental charts, photos, x-rays, insurance information, credit card numbers, dates of birth, and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE closed access to the unsecured port, encrypted ePHI, upgraded operating system software on all workstations, implemented new firewall rules, installed a new server, set up automatic software patching and spyware removal, and deployed new virus and spam filters.The CE also retrained employees and implemented extensive policies and procedures, including new backup procedures for ePHI.OCR obtained assurances that the corrective actions were taken." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Pamlico Medical Equipment LLC" "Healthcare Provider" "Quantity[2917, ""People""]" "DateObject[{2012, 7, 17}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Beth Israel Deaconess Medical Center" "Healthcare Provider" "Quantity[3900, ""People""]" "DateObject[{2012, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A physician’s unencrypted personal laptop computer, which he used for business purposes, was stolen from his office on the campus of the covered entity (CE), Beth Israel Deaconess Medical Center.The laptop contained the PHI of approximately 3,900 individuals, including short summaries of medical information and the names and social security numbers of two individuals.After discovering the breach, the CE notified the police and hired an independent forensic firm.The CE provided breach notification to HHS, affected individuals, and the media.The CE also offered affected individuals one year of free credit monitoring and access to a dedicated call center to contact with questions regarding the incident. As a result of this incident, the CE retrained staff, enhanced its data security policy, and initiated an awareness campaign to educate and alert its workforce of security and privacy issues. The CE improved technical safeguards by encrypting or disabling all of its laptops. The CE counseled the physician whose laptop was stolen and assured that his replacement laptop was secured to the desk and encrypted.OCR’s investigation occurred simultaneously with the Massachusetts Attorney General’s Office (AGO) investigation into the same incident. Pursuant to an information sharing agreement, OCR and the AGO worked in collaboration to ensure the corrective action and future compliance of this CE. 
" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU School of Medicine Faculty Group Practice" "Healthcare Provider" "Quantity[8488, ""People""]" "DateObject[{2012, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "The Surgeons of Lake County, LLC" "Healthcare Provider" "Quantity[7067, ""People""]" "DateObject[{2012, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Other" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg" "Healthcare Provider" "Quantity[1504, ""People""]" "DateObject[{2012, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Jeffrey Paul Edelstein M.D." "Healthcare Provider" "Quantity[4800, ""People""]" "DateObject[{2012, 7, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Northwestern Memorial Hospital" "Healthcare Provider" "Quantity[4211, ""People""]" "DateObject[{2012, 7, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." 
"Healthcare Provider" "Quantity[1240, ""People""]" "DateObject[{2012, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "EMC" "Business Associate" "Quantity[7461, ""People""]" "DateObject[{2012, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon Health & Science University" "Healthcare Provider" "Quantity[702, ""People""]" "DateObject[{2012, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Stanford Hospital & Clinics and School of Medicine" "Healthcare Provider" "Quantity[2300, ""People""]" "DateObject[{2012, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Harris County Hospital District" "Healthcare Provider" "Quantity[2875, ""People""]" "DateObject[{2012, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Siemens Medical Solutions, USA" "Business Associate" "Quantity[66601, ""People""]" "DateObject[{2012, 8, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "TEMPLE COMMUNITY HOSPITAL" "Healthcare Provider" "Quantity[603, ""People""]" "DateObject[{2012, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Heartland Pathology Associates, P.A." 
"Healthcare Provider" "Quantity[1175, ""People""]" "DateObject[{2012, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Apria Healthcare, Inc., Privacy Manager Breach" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2012, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On August 13, 2012, the covered entity (CE), Apria Healthcare, Inc., reported that an unencrypted laptop computer was stolen from a workforce member’s locked vehicle. The laptop contained the electronic protected health information (ePHI) of 65,700 individuals.The PHI involved in the breach included names, addresses, birth dates, social security numbers, and isolated instances of driver’s licenses, financial and medical information.The CE provided breach notification to HHS, the affected individuals and the media.The CE sanctioned the workforce member,encrypted all laptop and desktop computers, and retrained workforce members.OCR obtained assurances that the CE implemented the corrective actions noted above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Memorial Healthcare System" "Healthcare Provider" "Quantity[105646, ""People""]" "DateObject[{2012, 8, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Liberty Resources, Inc." 
"Healthcare Provider" "Quantity[3183, ""People""]" "DateObject[{2012, 8, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle.The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes,base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers.The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files.Following the breach, the CE created and implemented a new policy and procedure to improve safeguards.This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops.OCR obtained assurances that the CE implemented the corrective action listed above. 
" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The University of Texas MD Anderson Cancer Center" "Healthcare Provider" "Quantity[2264, ""People""]" "DateObject[{2012, 8, 17}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Central States Southeast and Siouthwest Areas Health & Welfare Fund" "Health Plan" "Quantity[754, ""People""]" "DateObject[{2012, 8, 21}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "LANA MEDICAL CARE" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2012, 8, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Cancer Care Group, P.C." "Healthcare Provider" "Quantity[55000, ""People""]" "DateObject[{2012, 8, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policiesCancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. 
The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients. OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility. “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.” Cancer Care has taken corrective action with regard to the specific requirements of the Privacy and Security Rules that are at the core of this enforcement action, as well as actions to come into compliance with the other provisions of the HIPAA Rules. 
The Resolution Agreement and Corrective Action Plan (CAP) can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Tricounty Behavioral Health Clinic" "Healthcare Provider" "Quantity[4000, ""People""]" "DateObject[{2012, 8, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Sierra Plastic Surgery" "Healthcare Provider" "Quantity[800, ""People""]" "DateObject[{2012, 9, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Charlotte Clark-Neitzel, MD" "Healthcare Provider" "Quantity[942, ""People""]" "DateObject[{2012, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Miami" "Healthcare Provider" "Quantity[64846, ""People""]" "DateObject[{2012, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Paper/Films" "False" "Two employees of the covered entity (CE), University of Miami Hospital, printed patients’ face sheets in excess of their job duties and sold them over a period of 19 months before the activity was discovered by police while on an unrelated house raid. Following notification by the police, the CE conducted an internal 
investigation and determined that the breach potentially involved the protected health information (PHI) of 64,846 individuals. The PHI involved in the breach included demographic and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. It also applied sanctions to the involved employees. Following the breach, the CE disseminated educational material to the workforce and reviewed its HIPAA policies and procedures. It also deployed a program which monitors its electronic systems to safeguard against inappropriate use. OCR obtained assurance that the CE took the corrective actions listed above. The CE also confirmed its plan to continue to perform frequent access reviews, periodic audit trail reviews, and to create and retain audit logs for routine analysis." "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "University of New Mexico Health Sciences Center" "Healthcare Provider" "Quantity[2365, ""People""]" "DateObject[{2012, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Anomalous activity occurred on a single computer server utilized to support clinical trial programs at the covered entity (CE), the University of New Mexico Cancer Center. The University of New Mexico is a component of the University of New Mexico Health Sciences Center. The electronic protected health information (ePHI) included the names, addresses, dates of birth, phone numbers, patient identification numbers, and/or social security numbers of approximately 2,365 individuals. Upon discovering the breach, the CE followed its investigative procedures. The CE provided breach notifications to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Valley Plastic Surgery, P.C." 
"Healthcare Provider" "Quantity[4873, ""People""]" "DateObject[{2012, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "The covered entity’s (CE) backup hard drive was stolen from the physician’s car, along with a camera and prescription pads. All the items were thrown aside except for the hard drive.The PHI involved in the breach consisted mainly of names and clinic notes of 4,873 individuals, while dates of birth were involved in some instances. Some photos of patients’ hands were also involved.Following the breach, the CE filed a police report. As a result of OCR’s investigation, the CE updated HIPAA policies, re-trained staff at all levels, and contracted with a third party to provide record storage service and encryption." "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Ecco Health, LLC" "Business Associate" "Quantity[5713, ""People""]" "DateObject[{2012, 9, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "BHcare, Inc" "Healthcare Provider" "Quantity[5827, ""People""]" "DateObject[{2012, 9, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "OCR opened an investigation of the covered entity (CE), BHcare, Inc. after it reported that a laptop computer and unencrypted back-up tape containing the electronic protected health information (ePHI) of 5,827 individuals were stolen from a workforce member's vehicle.The ePHI included names, date of birth, social security numbers, health insurance numbers, and some patients' assessments and diagnosis information. Upon discovering the breach, the CE filed a police report with the Connecticut State Police. 
The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notice on its website. The CE offered one year of free credit monitoring services to affected individuals. As a result of OCR's investigation, the CE completed a risk analysis and risk management plan, retrained employees, and implemented new security policies and procedures to ensure adequate safeguards of ePHI." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "The Feinstein Institute for Medical Research" "Healthcare Provider" "Quantity[13000, ""People""]" "DateObject[{2012, 9, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Feinstein Institute for Medical Research (Feinstein) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Feinstein will pay $3.9 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program; an effort it has already begun. “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.” Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices. After receiving a breach notification from Feinstein involving unsecured electronic protected health information (ePHI), OCR initiated an investigation to ascertain the 
entity’s compliance with HIPAA Rules. OCR’s investigation indicated that the following occurred: • Feinstein impermissibly disclosed the ePHI of 13,000 individuals when a Feinstein-owned laptop computer containing ePHI was left unsecured in the back seat of an employee’s car; • Feinstein failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by Feinstein, including the ePHI on the aforementioned laptop computer; • Feinstein failed to implement policies and procedures for granting access to ePHI by its workforce members; • Feinstein failed to implement physical safeguards for a laptop that contained ePHI to restrict access to unauthorized users; • Feinstein failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and, • Feinstein failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI. The settlement requires Feinstein to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of ePHI that includes: • A risk analysis and a risk management plan; • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "St. 
Therese Medical Group, Inc" "Healthcare Provider" "Quantity[3031, ""People""]" "DateObject[{2012, 9, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Cabinet for Health and Family Services, Department for Community Based Services" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2012, 9, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "An employee’s email account generated spam email which may have caused an unintentional release of protected health information (PHI) held by the Kentucky Cabinet for Health and Family Services (CFHS),Department for Community Based Services, the covered entity (CE).The CE provided breach notification to HHS, affected individuals, and the media, and posted a copy of its press release on the CHFS website with a toll-free number.As a result of OCR’s investigation, the CE required workforce members to sign an agreement to ensure that they understand their role in safeguarding PHI, including safeguarding from phishing attacks.The CE created a security video that all new hires are required to view and that is used for re-training of current staff.In addition, OCR obtained the CE’s HIPAA policies and procedures which complied with the requirements of the Privacy and Security Rules as well as the Breach Notification Rule." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "PST Services, Inc" "Business Associate" "Quantity[13074, ""People""]" "DateObject[{2012, 10, 8}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Apria Healthcare, Inc." 
"Healthcare Provider" "Quantity[65700, ""People""]" "DateObject[{2012, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Alexander J. Tikhtman, M.D." "Healthcare Provider" "Quantity[2376, ""People""]" "DateObject[{2012, 10, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "The covered entity (CE), offices of Alexander J. Tikhtman, M.D., lost an unencrypted flash drive containing the electronic protected health information (ePHI) of 2,376 individuals. The flash drive was not recovered.The ePHI included patient's names, treatment and diagnostic information, and in some instances, dates of birth and social security numbers.The CE provided breach notification to the affected individuals, HHS, and the media.It also established a dedicated call center for questions related to the breach and offered free credit monitoring and identity theft services to individuals whose social security numbers were breached.The CE updated its privacy and security policies and procedures relating to the use, storage, and transmission of PHI.OCR obtained assurances that the CE completed the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Gulf Coast Health Care Services Inc" "Healthcare Provider" "Quantity[13000, ""People""]" "DateObject[{2012, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Theft, Unauthorized Access/Disclosure" "Network Server" "False" "Two former employees of the covered entity (CE) took a list of patient information to a competitor’s office.The list contained the names, dates of birth, addresses and phone numbers of 13,000 patients—every active and inactive patient treated by the CE.The CE ceased operations on October 31, 2013, and eventually filed for voluntary dissolution with the Florida Secretary of State effective July 27, 2015.OCR obtained assurances that the CE is no longer in business." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Blount Memorial Hospital, Inc" "Healthcare Provider" "Quantity[27799, ""People""]" "DateObject[{2012, 10, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), Blount Memorial Hospital, reported that a laptop computer containing the electronic protected health information (ePHI) of 27,799 individuals was stolen from a workforce member's home.The ePHI involved in the breach included demographic and other financial information.The CE provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE reviewed its privacy and security policies and procedures, encrypted all of its laptops, and improved its HIPAA training.As a result of OCR's investigation, OCR provided technical assistance regarding the CE's security incident procedures and risk management plan.OCR also reviewed the CE's HIPAA policies and procedures that were created or revised in response to the breach." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Alere Home Monitoring, Inc" "Healthcare Provider" "Quantity[116506, ""People""]" "DateObject[{2012, 10, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Coastal home Respiratory, LLP" "Healthcare Provider" "Quantity[3440, ""People""]" "DateObject[{2012, 10, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Computers containing the electronic protected health information (ePHI) of 3,440 patients were stolen from the covered entity (CE), Coastal Home Respiratory, during a burglary.The ePHI included names, addresses, phone numbers, insurance identification numbers, social security numbers, and diagnoses.The computers were password protected and the data was encoded. The CE promptly notified law enforcement and provided breach notification to affected individuals, HHS, and the media.Following the breach, the CE cancelled access passwords for patient data, and changed patient data software to a server based system that is password protected and encrypted.The CE's billing software vendor changed the CE's account numbers to prevent unauthorized access to the ePHI.The CE improved physical safeguards by installing a new alarm system.Following OCR's investigation, the CE also improved safeguards for PHI by implementing new procedures for activity reports, audit logs, and security reports." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Philip P Corneliuson, DDS, INC." "Healthcare Provider" "Quantity[980, ""People""]" "DateObject[{2012, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "L.A. 
Care Health Plan" "Health Plan" "Quantity[18000, ""People""]" "DateObject[{2012, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), L.A. Care Health Plan, reported that an accidental mailing error caused member identification (ID) cards to be mailed to the wrong addresses during its annual member mailing process.The mailing error potentially affected 18,000 individuals and included names, dates of birth, addresses, and zip codes. The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE edited the case numbering and address verification process for print and mail jobs with its vendor. The CE revised its policies and procedures to exclude ID cards from the annual member mailing.As a result of OCR’s investigation it provided technical assistance regarding a covered entity’s obligation to conduct an accurate and thorough risk analysis and implement security measures sufficient to reduce those risks and vulnerabilities identified in the analysis." "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "First Step Counseling, Inc." "Healthcare Provider" "Quantity[638, ""People""]" "DateObject[{2012, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "From May 1, 2011, to August 5, 2011, two employees of the covered entity (CE), First Step Counseling, Inc., made photocopies of documents containing 638 patients' protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnosis information, dates of birth, telephone numbers and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained CE's patients' PHI. 
The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR's investigation, the CE transferred to an electronic billing system which is password protected.In addition, the CE improved safeguards so that all patient files are locked and unlocked by the office manager, the front desk is protected by a window, and patients are not allowed to stand beside the receptionist desk.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Logan Community Resources, Inc." "Healthcare Provider" "Quantity[2900, ""People""]" "DateObject[{2012, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Care Service Corporation" "Health Plan" "Quantity["""", ""People""]" "DateObject[{2012, 10, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "On July 28, 2011, the covered entity (CE) reported paper documents containing protected health information (PHI) were stolen from an employee's locked car that was parked in front of the employee’s home. The documents included the names, member identification numbers, birthdates, group numbers, group names, and diagnostic information for about 511 individuals, 498 of them residing in Texas, and 13 in New Mexico.Following the breach, the CE counseled the employee who was responsible for the breach, revised its policies and procedures on safeguards, and sent out an email to all staff, reminding them of the importance of safeguarding PHI in their possession at all times. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "SwedishAmerican Health System" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2012, 10, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "No web description - case is a duplicate.The duplicate is posted on the webpage with a summary. " "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "CVS Caremark" "Healthcare Provider" "Quantity[955, ""People""]" "DateObject[{2012, 10, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Memorial Hospital" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2012, 10, 29}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Hawaii"", ""UnitedStates""}]" "Waipahu Aloha Clubhouse, Privacy Manager Breach" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2012, 10, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "The covered entity (CE) reported unauthorized remote access into one of its desktop computers containing the protected health information (PHI) of 674 people. The CE later determined that the computer stored the PHI of 170 individuals.The PHI involved included names, addresses, dates of birth, and social security numbers. Following the breach, the CE updated its security policies and procedures, encrypted computers, updated its passwords, and retrained its employees.OCR provided technical assistance." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "QUANTERION SOLUTIONS INC" "Business Associate" "Quantity[1017, ""People""]" "DateObject[{2012, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity's (CE) business associate (BA), Quanterion Solutions, Inc.The ePHI included names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications.Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested.The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals.As a result of OCR's investigation, the CE executed a BA agreement. 
" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "University of Illinois, College of Nursing" "Business Associate" "Quantity[508, ""People""]" "DateObject[{2012, 11, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Henry Ford Health System" "" "Quantity[2777, ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Union County Board of Developmental Disabilities" "Health Plan" "Quantity["""", ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana University" "" "Quantity["""", ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "An unencrypted and password protected laptop computer was stolen from the car of an employee (medical resident) of the covered entity (CE).The laptop contained the electronic protected health information (ePHI) of approximately 3,266 individuals.The types of ePHI in the breach included names, medical record numbers, birth dates, diagnosis codes, and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE audited the employee’s department and equipment, retrained the involved employee and other staff, updated its HIPAA policies and procedures, and encrypted its laptop computers. OCR obtained written assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Miami Beach Healthcare Group Ltd. 
dba Aventura Hospital and Medical Center" "Healthcare Provider" "Quantity[2560, ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "This case has been consolidated with another review of the same covered entity." "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "WYATT DENTAL GROUP, LLC" "Healthcare Provider" "Quantity[10271, ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "The Louisiana State Police and the FBI notified the covered entity (CE) that a former employee was involved in identity theft affecting the protected health information (PHI) of the CE’s patients. Approximately 10,271 patients’ PHI was involved in the breach; however, the CE’s investigation concluded that after the Dept. of Public Safety and Corrections investigation, only 10 patients were affected. The PHI involved in the breach included names, addresses, and social security numbers. The CE provided breach notification to HHS, the media, and all patients whose names were included in their business associate’s (BA) information system. To prevent a similar breach from happening in the future, the BA reviewed its system and assured the CE and OCR that its system was designed to comply with the regulations under HIPAA. As a result of OCR’s investigation, the CE provided OCR with a copy of its HIPAA policies and procedures. 
" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "Women & Infants Hospital of Rhode Island" "Healthcare Provider" "Quantity[14004, ""People""]" "DateObject[{2012, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Memorial Health System" "Healthcare Provider" "Quantity[6262, ""People""]" "DateObject[{2012, 11, 7}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Maryville Academy" "Healthcare Provider" "Quantity[3897, ""People""]" "DateObject[{2012, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Three secondary back-up portable hard drives, which were maintained by the covered entity (CE), Maryville Academy, were removed from a locked room used as a secure area to maintain a secondary back-up copy of some electronic records for the CE’s services programs.The drives contained the electronic protected health information (ePHI) of approximately 3,897 individuals, including patients’ names, dates of birth, telephone numbers, social security numbers, addresses, diagnosis/conditions, financial claims information, medications, lab results, and other treatment information.The CE provided breach notification to HHS, affected individuals, and the media, and posted notification of the breach on its website.The CE also offered one year of free credit monitoring services to affected individuals. 
Following the breach, the CE revised its HIPAA policies and procedures and encrypted its back-up portable hard drives and other portable electronic devices.It also updated its practices regarding the physical storage of its back-up portable hard drives to include the use of a third party, off-site vendor and contracted with a third party vendor for long term offsite archive storage, and trained its workforce on any revised or newly implemented policies and procedures.OCR obtained documentation evidencing that the CE implemented the corrective actions listed. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "CHRISTUS St. John Hospital" "Healthcare Provider" "Quantity[5748, ""People""]" "DateObject[{2012, 11, 16}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "On September 25, 2012, an employee lost an unsecured flash drive which contained the electronic protected health information (ePHI) of 5,748 individuals.The types of ePHI involved in the breach included financial, demographic, and clinical information.The hospital provided breach notification to HHS, affected individuals, and the media.Following the discovery of the incident, the hospital revised its HIPAA policy, implemented an encryption solution for media storage devices, and retrained the involved employee.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "L.A. 
Care Health Plan" "Health Plan" "Quantity[18000, ""People""]" "DateObject[{2012, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Hawaii"", ""UnitedStates""}]" "Hawaii State Department of Health, Adult Mental Health Division" "Healthcare Provider" "Quantity[674, ""People""]" "DateObject[{2012, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Original Medicine Acupuncture & Wellness, LLC" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2012, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Two laptop computers containing the protected health information (PHI) of approximately 540 individuals were stolen during a break-in at the offices of the covered entity (CE), Original Medicine Acupuncture & Wellness. The CE provided breach notification to HHS, affected individuals, and the media. Following the incident, the CE upgraded its security system and reduced the number of computers that maintain PHI. OCR reviewed copies of the CE’s relevant HIPAA policies and procedures." 
"Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Soundental Associates, PC" "Healthcare Provider" "Quantity[14511, ""People""]" "DateObject[{2012, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Original Medicine Acupuncture & Wellness, LLC" "Healthcare Provider" "Quantity[540, ""People""]" "DateObject[{2012, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Digital Archive Management" "Business Associate" "Quantity[501, ""People""]" "DateObject[{2012, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Theft" "Network Server, Paper/Films" "True" "On or about July 26, 2012, the covered entity (CE), El Centro Regional Medical Center, learned that its business associate (BA), Digital Archive Management, abandoned the CE’s hard copy “jackets” for radiology films (x-rays) and radiology reports at a locked El Centro facility, instead of digitizing and destroying the records in accordance with the Business Associate Agreement.The CE recovered the jackets and radiology reports.On March 22, 2013, the CE learned from the FBI that the missing radiology films and hard copy paper documents were discovered in an abandoned commercial facility in Nevada.The breach involved the protected health information (PHI) of approximately 501 individuals and included demographic Information, including names and dates of birth and clinical information, including diagnoses and conditions.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE sanctioned certain employees, reviewed and updated its HIPAA policies and procedures, and implemented security measures to reduce risks and vulnerabilities to PHI and ePHI.The breach incident involved a BA and occurred 
prior to the September 23, 2013, compliance deadline.OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI.OCR also reviewed the CE’s policies and procedures, risk analysis, risk management plan, and incident report." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Brigham and Women's Hospital" "Healthcare Provider" "Quantity[615, ""People""]" "DateObject[{2012, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Advantage Health Solutions, Inc." "Business Associate" "Quantity[2575, ""People""]" "DateObject[{2012, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "James M. McGee, D.M.D., P.C." "Healthcare Provider" "Quantity[1306, ""People""]" "DateObject[{2012, 11, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity’s (CE) locked storage unit was broken into and hard copies of 1,306 patients’ medical records were stolen.The types of protected health information (PHI) in records included patients’ full names, social security numbers, home addresses, telephone numbers, dental charts, insurance information, and payment information.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE repaired the door to the storage unit, added a professional lock, and destroyed outdated patient records.The CE retrained staff, deployed new practice management software for storage of electronic patient records, and transferred storage of paper records on-site.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Robbins Eye Center PC" "Healthcare Provider" "Quantity[1749, ""People""]" "DateObject[{2012, 11, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Advanced Data Processing, Inc." "Healthcare Clearing House" "Quantity[10000, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "On or around June 15, 2012, an employee of the covered entity (CE), Advanced Data Processing, Inc. (ADP), dba Intermedix, who hadaccess to patients’ protected health information (PHI) as part of her job, inappropriately accessed the PHI of approximately 10,000 individuals and sold the information to third parties.An addendum to the initial breach report, submitted on April 3, 2015, expanded the breach to an additional 2,360 individuals.The PHI involved in the breach included patient names, social security numbers, addresses, dates of birth, claims, and other financial information.The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice.Following the breach, the CE engaged a third party to review its network environment and make recommendations for security enhancements.It implemented data loss prevention technology to identify electronic PHI and block transmittal of sensitive information and a log management and analysis solution to automate collection, analysis, archival and recovery of log data. 
The CE implemented policies and procedures for disposal and reuse of mobile devices, as well as for the secure transport of sensitive information to, from, and between data centers. The CE also created an information security team and appointed a committee to address compliance. Additionally, the CE improved its employee training program and launched a vendor management program to ensure the safeguarding of ePHI by its business associates. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also initiated upgrades to its data center security and workstation antivirus technology." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Cuyahoga County Board of Developmental Disabilities" "Healthcare Provider" "Quantity[613, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Blue Cross Blue Shield" "Business Associate" "Quantity[500, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Vidant Pungo Hospital" "Healthcare Provider" "Quantity[1100, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of San Bernardino Department of Public Heatlh" "Healthcare Provider" "Quantity[1370, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "ADPI-West" "Business Associate" "Quantity[1500, ""People""]" "DateObject[{2012, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Theft, 
Unauthorized Access/Disclosure" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "Landmark Medical Center" "Healthcare Provider" "Quantity[683, ""People""]" "DateObject[{2012, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "University of Virginia Medical Center" "Healthcare Provider" "Quantity[1846, ""People""]" "DateObject[{2012, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Carolinas Medical Center - Randolph" "Healthcare Provider" "Quantity[5600, ""People""]" "DateObject[{2012, 12, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "The covered entity (CE), Carolinas Medical Center, discovered that a physician had responded to a phishing email and provided her password to a third party, causing all of the physician’s emails to be forwarded to a third party. The forwarded emails included protected health information (PHI) regarding 5,600 individuals. The PHI in the emails included names, dates of birth, medications, treatment information, social security numbers (for 5 patients), dates of service, addresses, names of providers, admission/discharge dispositions and dates, and internal medical record and account numbers. Following the breach, the CE improved administrative and technical safeguards by terminating auto-forwarding capabilities and implementing an alert for remote system accesses that originate from a foreign country. The CE also trained employees on identifying social engineering schemes. OCR obtained assurances that the corrective actions were taken." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Coastal Behavioral Healthcare, Inc." 
"Healthcare Provider" "Quantity[4907, ""People""]" "DateObject[{2012, 12, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop.The CE indicated the four pages were likely part of a larger report and may have containing the PHI of 4,907 individuals.The PHI involved in the breach included names, social security numbers, dates of birth, and other identifiers.The CE provided breach notification to the affected individuals, HHS, and the media.Following the breach, the CE hired a cybersecurity firm to perform a network audit and to conduct a security risk assessment.The CE also improved safeguards by restricting physical access to its information technology department, implementing a new electronic health record system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the breach.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "CCS Medical, Inc." 
"Healthcare Provider" "Quantity[6601, ""People""]" "DateObject[{2012, 12, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server, Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Columbia University Medical Center and NewYork-Presbyterian Hospital" "Healthcare Provider" "Quantity[4929, ""People""]" "DateObject[{2012, 12, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Health Advantage" "Health Plan" "Quantity[2863, ""People""]" "DateObject[{2012, 12, 20}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), Health Advantage, mailed Personal Health Statements to approximately 2,863 plan members’ previous addresses due to an internal programming error.This incident affected additional patients (addressed in separate breach reports) in that the covered entity hadcontracted with other covered entities, BCBS of Arkansas, the State of Arkansas Department of Finance and Administration Employee Benefits Division health plan and Baptist Health System’s health plan.The protected health information (PHI) involved in the breach included patients’ demographic information, health insurance identification numbers, descriptions of treatment or services received, and names of treating facilities or providers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE corrected the programming error, purged outdated information from its system, and implemented new quality control procedures for mailings.As a result of OCR’s investigation, Health Advantage also revised or entered into multiple business associate agreements." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Westerville Dental Center" "Healthcare Provider" "Quantity[850, ""People""]" "DateObject[{2012, 12, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "OHP PHSP, Inc." "" "Quantity[28187, ""People""]" "DateObject[{2012, 12, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Center for Orthopedic Research and Education, Inc." "Healthcare Provider" "Quantity[35488, ""People""]" "DateObject[{2012, 12, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Calif. Dept. of Health Care Services (DHCS)" "Health Plan" "Quantity[2643, ""People""]" "DateObject[{2012, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "The covered entity (CE), California Department of Health Care Services reported that 2,705 member identification cards were mailed to the wrong households.Due to a computer programming error in the electronic file for multiple beneficiaries living in the same household, some cards for these beneficiaries were sent to the wrong households.The types of protected health information (PHI) on the cards included names, dates of birth, genders, dates of issue, and Medi-Cal-assigned numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE put an immediate hold on additional mailings and conducted a quality assurance check.The CE deactivated the cards that were mailed to the wrong addresses, requested the return of the deactivated cards, and issued replacements.The CE implemented a new internal data transfer policy and updated related procedures.It 
also instituted new processes for mailings. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Richard Switzer MD PC" "Healthcare Provider" "Quantity[4100, ""People""]" "DateObject[{2012, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Other" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Gibson General Hospital" "Healthcare Provider" "Quantity[28893, ""People""]" "DateObject[{2012, 12, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer containing the electronic protected health information (ePHI) of 28,893 individuals was stolen from the home of one of the covered entity’s (CE) employees during a burglary. The ePHI included names, addresses, telephone numbers, social security numbers, medical record numbers, plan beneficiary numbers, and clinical information. The CE, Gibson General Hospital, provided breach notification to HHS, affected individuals, and the media, as well as substitute notice. Following the breach, the CE offered one year of free credit monitoring services to affected individuals. The CE also improved safeguards by encrypting all its laptop computers. As a result of OCR’s investigation, the CE implemented new security policies and procedures related to safeguarding ePHI. 
" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Sovereign Medical Group, LLC" "Healthcare Provider" "Quantity[27800, ""People""]" "DateObject[{2012, 12, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Theft" "Network Server" "False" "OCR opened an investigation of the covered entity (CE), Sovereign Medical Group, LLC, after it reported that its data files were corrupted and were inaccessible on its network server.The CE received a ransom note from a hacker advising that if it paid the specified amount the CE could regain access to its files.The breach affected 27,800 individuals and the types of electronic protected health information (ePHI) included demographic information, social security numbers, driver’s license numbers, insurance information, dates of services, claims information,diagnoses, and procedure codes.Upon discovering the breach, the CE filed reports with the police department, the county prosecutor’s office, and the Federal Bureau of Investigations.The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring services to the affected individuals.As a result of the breach, the CE closed inbound communication ports to the contaminated server, deployed a web-filtering mechanism to scan and monitor all outbound traffic, and disabled all wireless networks. OCR provided the CE with technical assistance regarding the HIPAA Security Rule." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "HP Enterprise Services" "Business Associate" "Quantity[1090, ""People""]" "DateObject[{2012, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An employee of a subcontractor for the covered entity's (CE) Business Associate (BA), responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor.In violation of the subcontractor BA's policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions.The CE, through its BA, provided breach notification to HHS, affected individuals, and the media, and provided substitute notice.The BA also offered a year of credit monitoring to those affected.In response to the incident, the subcontractor improved safeguards by initiating laptop audits to ensure PHI is not stored on them, re-trained employees, and applied employee sanctions by terminating the employee who failed to follow its policy. OCR obtained assurances that the corrective action listed above was completed. " "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Clearpoint Design, Inc." "Business Associate" "Quantity[4343, ""People""]" "DateObject[{2012, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Omnicell, Inc." 
"Business Associate" "Quantity[56820, ""People""]" "DateObject[{2012, 12, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An electronic medication dispensing device was stolen from the locked car of an Omnicell employee.Omnicell is a business associate (BA) of the covered entity (CE), Sentara.The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CE's patients.Breach notification was provided to HHS, the media and affected individuals. The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards.The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members.As a result of OCR's investigation, OCR obtained an executive summary of the BA's risk analysis and a copy of the CE's most recent risk analysis.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "St. 
Mark's Medical Center" "Healthcare Provider" "Quantity[2988, ""People""]" "DateObject[{2012, 12, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Group Health Incorporated" "Health Plan" "Quantity[1771, ""People""]" "DateObject[{2013, 1, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers.The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website.Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers.As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure.The CE provided affected individuals with a free one year subscription for credit monitoring." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Calvin Schuster,MD" "Healthcare Provider" "Quantity[532, ""People""]" "DateObject[{2013, 1, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Clearpoint Design, Inc." 
"Business Associate" "Quantity[4125, ""People""]" "DateObject[{2013, 1, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "University of Nevada School of Medicine" "Healthcare Provider" "Quantity[1483, ""People""]" "DateObject[{2013, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "WorkflowOne" "Business Associate" "Quantity[635, ""People""]" "DateObject[{2013, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Due to a malfunction in processing benefit confirmation statements, employee information was comingled and statements were mailed to the wrong employees and dependents.The breach included the protected health information (PHI) of 635 individuals.The PHI involved in the breach included names and social security numbers.The covered entity (CE), Dimensions Healthcare System, provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE revised its correspondence handling procedures.As a result of OCR’s investigation, the CE reviewed its business associate (BA) relationships to ensure that appropriate BA agreements were in place." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "SilverScript Insurance Company" "Health Plan" "Quantity[852, ""People""]" "DateObject[{2013, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Letters for 852 prospective new members of the covered entity (CE), SilverScript Insurance Company Part D plan, were misdirected to incorrect addresses.SilverScript is a wholly-owned subsidiary of CVS Health, formerly CVS Caremark.The CE reported that the root cause of the incident was that the eligibility data file received from Northgate Arinso, a third party vendor of Energy Future Holdings, was inaccurate. The data file contained multiple, incorrect addresses, resulting in protected health information (PHI) being disclosed to other members.The letters contained members’ names, addresses, identification numbers, and group numbers and informed the members that such information could be taken to a pharmacy and used to process pharmacy claims.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, CVS Health implemented additional quality control measures to verify information received from third parties.OCR obtained and reviewed documentation regarding the implementation of those additional quality control measures." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Clearpoint Design, Inc." "Business Associate" "Quantity[7250, ""People""]" "DateObject[{2013, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Pousson Family Dentistry" "Healthcare Provider" "Quantity[1400, ""People""]" "DateObject[{2013, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Clearpoint Design, Inc." 
"Business Associate" "Quantity[4100, ""People""]" "DateObject[{2013, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Lee D. Pollan, DMD, PC" "Healthcare Provider" "Quantity[19178, ""People""]" "DateObject[{2013, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals.The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes.Upon discovery of the breach, the CE filed a police report to recover the stolen items.As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer.The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices." 
"Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Washington University School of Medicine" "Healthcare Provider" "Quantity[1105, ""People""]" "DateObject[{2013, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Riderwood Village" "Healthcare Provider" "Quantity[3230, ""People""]" "DateObject[{2013, 1, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE), Riderwood Senior Living Community, after it reported that five laptop computers (four of which were unencrypted) containing the electronic protected health information (ePHI) of 8,507 individuals were stolen from the facility's physical therapy department.The ePHI included names, dates of birth, addresses, Health plan ID numbers, and discussions of therapy treatments.Upon discovering the breach, the CE filed a police report, mailed individual notice of the breach to all current and former Riderwood residents and affected health plan members, issued a press release to seven media outlets, posted substitute notice on its website for 90 days, and reported the breach to HHS.Following this breach, the CE encrypted laptops, revised security procedures, and retrained employees.OCR obtained written assurance that the CE implemented the corrective action listed above as well as new security policies and procedures to ensure adequate safeguards of ePHI." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "WAYNE MEMORIAL HOSPITAL" "Healthcare Provider" "Quantity[1184, ""People""]" "DateObject[{2013, 1, 18}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "The covered entity (CE), Wayne Memorial Hospital, lost an unencrypted compact disk (CD) containing the electronic protected health information (ePHI) of approximately 1182 individuals in the U.S. mail. 
The types of ePHI involved in the breach included patients’ names, account balances and Medicare numbers (which contain social security numbers).The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE attempted to locate the CD.The CE also encrypted a CD that contains similar data, to be used for the same purpose.As a result of OCR’s investigation, the CE retrained employees and evaluated ePHI maintained on computers in its most recent risk analysis." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baptist Health System" "Healthcare Provider" "Quantity[678, ""People""]" "DateObject[{2013, 1, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "BlueCross BlueShield of Western New York" "Business Associate" "Quantity[725, ""People""]" "DateObject[{2013, 1, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "The covered entity’s (CE) business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE.The PHI included names, member identification numbers, and social security numbers.Upon discovery of the breach, the BA contacted the U.S. Post Office regarding the undelivered mailing.The CE provided breach notification to HHS and the BA notified affected individuals.The BA revised its invoice procedures to assure the removal of social security numbers and member identification numbers, and send invoices via secure email.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "StandfordSchoolMedicine& LP Children Hosp, Privacy Manager Breach" "" "Quantity["""", ""People""]" "DateObject[{2013, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The University of Texas MD Anderson Cancer Center" "Healthcare Provider" "Quantity[29021, ""People""]" "DateObject[{2013, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics" "Healthcare Provider" "Quantity[2400, ""People""]" "DateObject[{2013, 1, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Western Wisconsin Medical Associates, discovered that, during the summer of 2012, an employee of a cleaning service used by River Falls Medical Clinic (“Clinic”) stole paper-based protected health information (PHI) of approximately 2,400 individuals, which was stored in unsecured bins for pick-up by a shredding company.The PHI involved in the breach included patients’ names and at least one of the following for each affected patient:date of birth, insurance account number, address, phone numbers, social security number, or medical number.The CE provided breach notification to HHS, the media, and affected individuals.The CE arranged for the provision of secure bins in which Clinic staff may dispose of paper PHI, developed new policies and procedures related to the disposal of PHI, and retrained relevant workforce members on the newly implemented policy and procedures." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "RR Donnelley (a sub-BA for UnitedHealth Group)" "Business Associate" "Quantity[8911, ""People""]" "DateObject[{2013, 1, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Kmart Pharmacy #7623" "Business Associate" "Quantity[16988, ""People""]" "DateObject[{2013, 1, 31}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Community Services NW" "Healthcare Provider" "Quantity[2400, ""People""]" "DateObject[{2013, 2, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A computer was stolen from the covered entity’s (CE) locked medical office.The computer contained the protected health information (PHI) of approximately 2,400 individuals.The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and clinician information.Following the breach, the CE encrypted all PHI in transit as well as at rest, upgraded their facility access controls, and updated their device inventory system.Additionally, OCR’s investigation resulted in the CE creating an acceptable risk analysis and risk management plan.The entity also contracted with a third party to overhaul their privacy and security policies and procedures." 
"Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "LifeGas" "Business Associate" "Quantity[1103, ""People""]" "DateObject[{2013, 2, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "On October 11, 2012, an employee of LifeGas , a business associate (BA) of the covered entity (CE), American Home Patient Inc., lost or misplaced an unencrypted laptop computer containing the electronic protected health information (ePHI) of 1,103 of the CE’s clients across 13 states.The ePHI stored in the laptop included patients’ names, addresses, and an indicator showing that the patient received oxygen supplies.The CE determined that a thumb drive that was misplaced in the same incident did not contain PHI.The CE conducted an internal investigation, and provided breach notification to HHS and affected individuals.In addition, the CE negotiated a new agreement with the BA, including stringent provisions regarding the timeframes allowed for future breach notifications.OCR obtained assurances the CE completed the corrective actions listed." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Yadkinville Chiropractic DCPA" "Business Associate" "Quantity[1000, ""People""]" "DateObject[{2013, 2, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "On February 1, 2013, the back door to the covered entity’s (CE) facility was pried open and its unencrypted desktop computer was stolen.Due to the theft, the protected health information (PHI) of 1,000 individuals was potentially exposed, including names, dates of birth, and social security numbers. The CE provided timely breach notification to HHS, affected individuals, and the media, and posted substitute notice in the lobby of its facility.In response to the breach, the CE replaced the back door, upgraded its security system, and installed cameras.The CE updated its billing software and on October 30, 2014, the CE was sold and effectively ceased operations. 
OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Intervention Services, Inc." "" "Quantity[1200, ""People""]" "DateObject[{2013, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A laptop from the covered entity (CE), Intervention Services, was stolen from a workforce member’s vehicle.The electronic protected health information (ePHI) on the laptop included patient names, dates of birth, Medicaid numbers, and the names of the patients’ funding source for approximately 1,200 individuals.Upon discovering the breach, the CE filed a police report.The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Intervention Services, Inc." "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2013, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop from the covered entity (CE), Intervention Services, was stolen from a workforce member’s vehicle.The electronic protected health information (ePHI) on the laptop included patient names, dates of birth, Medicaid numbers, and the names of the patients’ funding source for approximately 1,200 individuals.Upon discovering the breach, the CE filed a police report.The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "West Georgia Ambulance" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2013, 2, 11}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Center for Pain Management, LLC" "Healthcare Provider" "Quantity[5822, ""People""]" "DateObject[{2013, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management.The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals.The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches. Identity Force mailed notification letters to all affected individuals and provided identity theft insurance and credit monitoring services for one year.The CE also posted the breach notification on its website and notified the media.The CE engaged the services of an information technology firm to update its devices and computer network.OCR obtained assurances that the corrective action listed above was completed." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Coast Healthcare Management, LLC" "Business Associate" "Quantity[1368, ""People""]" "DateObject[{2013, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Other, Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Froedtert Health" "Healthcare Provider" "Quantity[43549, ""People""]" "DateObject[{2013, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Jackson Health System" "Healthcare Provider" "Quantity[566, ""People""]" "DateObject[{2013, 2, 13}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Federal law enforcement notified Federal law enforcement the covered entity (CE), Jackson Health System, on March 21, 2012, that a volunteer at Jackson North Medical Center photographed paper documents containing the protected health information (PHI) of 566 patients, allegedly for use in an identity theft scheme. The type of PHI involved in the breach included patients’ names, social security numbers, addresses, and birthdates.The Ce provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website.It also offered one year of free credit monitoring.In response to the incident, the CE revised its HIPAA policies and procedures.The CEupdated its volunteer program to prohibit the use of smartphones in patient care areas, require volunteers to agree in writing to conform to its privacy policies and procedures, and provide nursing staff with a list of volunteers’ permitted job duties.The CE also changed the leadership of the volunteer program and increased the supervision of the volunteers.OCR obtained assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Kindred Transitional Care and Rehabilitation - Marl" "Healthcare Provider" "Quantity[716, ""People""]" "DateObject[{2013, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Backup tapes containing the protected health information (PHI) of 716 individuals were stolen from the covered entity (CE), Kindred Transitional Care and Rehabilitation – Marlborough, during the theft of the safe where the tapes were stored.The types of PHI involved in the breach included patients’ names, diagnoses, social security numbers, medications and Medicare numbers.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE revised its process for encrypting backup tapes.Additionally, as a result of OCR’s investigation the CE stopped using tapes to backup information at individual sites." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "HomeCare of Mid-Missouri, Inc." 
"Healthcare Provider" "Quantity[4027, ""People""]" "DateObject[{2013, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Heyman HospiceCare at Floyd" "Healthcare Provider" "Quantity[1819, ""People""]" "DateObject[{2013, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "ABQ HealthPartners" "Healthcare Provider" "Quantity[778, ""People""]" "DateObject[{2013, 2, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen from the covered entity (CE), ABQ Health Partners.The laptop contained the electronic protected health information (ePHI) of approximately 778 patients, although the CE was unable to conclusively determine which patients’ names were still on the laptop.The ePHI involved in the breach included names, dates of birth, age, sex, referring physicians’ names, and raw numeric test data of less than 778 individuals.Following the breach, the CE encrypted ePHI stored on laptops and tablet computers.As a result of OCR’s investigation, the CE obtained more information about the outdated system which held the ePHI.In addition, the CE provided OCR with a copy of their IT Security Policy in which the CE focused on compliance with the HIPAA Security Rule and HITECH Act requirements. 
" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Terrell County Health Department" "Healthcare Provider" "Quantity[18000, ""People""]" "DateObject[{2013, 2, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "On December 6, 2012, the Dawson Police Department notified the covered entity (CE), Terrell County Health Department, that an employee was suspected of the identity theft of at least two of the CE’s patients.All patients that the employee had access to records for during her employment were potentially affected, totaling 18,000 individuals. The protected health information (PHI) involved in the breach included demographic, clinical, financial, and health insurance information.The CE provided breach notification to HHS, affected individuals, and the media.The CE terminated the offending employee and re-educated the workforce on its HIPAA policies.The CE also improved its HIPAA training materials, risk analysis procedure, operation software, and auditing methods.OCR obtained assurances that the corrective actions were taken." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Healthy Kids Corporation" "" "Quantity[3667, ""People""]" "DateObject[{2013, 2, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "A vendor, OneTouchPoint CCI, incorrectly printed and mailed 3,667 identification cards for the business associate (BA), DentaQuest of Florida.The types of protected health information (PHI) involved in the breach included names, identification numbers, and dates of coverage.The covered entity (CE) provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE re-programmed the software to compare names and addresses, and conducted quality assurance tests to ensure accuracy.The BA re-issued identification cards and provided self-addressed, stamped envelopes and requested that the members return the previously sent cards.OCR reviewed copies of the CE’s policies and procedures related to the incident." "Entity[""AdministrativeDivision"", {""SouthDakota"", ""UnitedStates""}]" "Stronghold Counseling Services, Inc." "Healthcare Provider" "Quantity[8500, ""People""]" "DateObject[{2013, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Arizona Oncology" "Healthcare Provider" "Quantity[501, ""People""]" "DateObject[{2013, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Crescent Health Inc. 
- a Walgreens Company" "Healthcare Provider" "Quantity[109000, ""People""]" "DateObject[{2013, 2, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of San Bernardino, Department of Behavioral Health" "Health Plan" "Quantity[686, ""People""]" "DateObject[{2013, 2, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "WOMENS HEALTH ENTERPRISE, INC." "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2013, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Standard Register" "Business Associate" "Quantity[2261, ""People""]" "DateObject[{2013, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes.The protected health information (PHI) included names, addresses and financial information.OCR provided technical assistance to the CE regarding safeguarding PHI." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Health Plus Amerigroup" "Business Associate" "Quantity[28187, ""People""]" "DateObject[{2013, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "True" "The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center.OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Plexus Group" "Business Associate" "Quantity[500, ""People""]" "DateObject[{2013, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Prime Therapeutics, a business associate (BA) and pharmacy benefit manager for the covered entity (CE), Ultra Stores, Inc.’s health plan, electronically submitted a file containing the eligibility information for plan members to the Illinois Department of Healthcare and Family Services (IDHFS), as required by law for Medicaid subrogation. Due to a system error during the file generation process, the electronic protected health information (ePHI) of at least 500 plan members who do not reside in Illinois were also included in the file. 
The ePHI in the mailing included full names, social security numbers, dates of birth, and home addresses.During the investigation, OCR learned that Signet Jewelers had acquired Ultra and, consequently, Ultra’s health plan no longer exists.Additionally, Sterling Jewelers (Sterling), a business unit of Signet, informed OCR that it believes that Ultra had erroneously reported the September 13, 2012 incident to OCR, as Prime had conducted a risk assessment and had determined that the incident was not a breach, as the file in issue was not accessed or viewed by anyone at IDHFS. OCR obtained and reviewed documentation indicating that, in response to the incident, the BA obtained confirmation from IDHFS that it destroyed the file and that it did not further disclose the file.The BA also corrected the system error and implemented changes to the file generation process to prevent the same error from recurring." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "South Miami Hospital" "Healthcare Provider" "Quantity[834, ""People""]" "DateObject[{2013, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Lancaster General Medical Group" "Healthcare Provider" "Quantity[527, ""People""]" "DateObject[{2013, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A spreadsheet containing the protected health information (PHI) of 527 individuals was stolen from one of the covered entity's (CE) locations.The PHI involved in the breach included names and dates of birth.Following the breach, the CE notified the local police, provided breach notification to HHS, the media, and the affected individuals, and offered identity protection services to the individuals.The CE attempted to retrieve the PHI.As a result of OCR's investigation, the CE reviewed its policies to prevent a similar incident from 
occurring in the future. " "Entity[""AdministrativeDivision"", {""Maine"", ""UnitedStates""}]" "Maine Medical Center" "Healthcare Provider" "Quantity[1920, ""People""]" "DateObject[{2013, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "North Los Angeles County Regional Center " "Business Associate" "Quantity[18162, ""People""]" "DateObject[{2013, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Goold Health System (Goold)" "Business Associate" "Quantity[6332, ""People""]" "DateObject[{2013, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "True" "An employee of the covered entity’s business associate (BA) lost a portable thumb drive containing the electronic protected health information (ePHI) of over 6,000 individuals.The ePHI included demographic information, Medicaid identification numbers, and prescription information.The covered entity (CE), Utah Department of Health, provided breach notification to HHS, affected individuals, and the media.The CE took corrective action to mitigate the situation and implemented a new agreement with its BA to include additional security measures.As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed.OCR opened a separate investigation of the BA." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Sports Rehabilitation Consultants" "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2013, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "University of Connecticut Health Center" "Healthcare Provider" "Quantity[1382, ""People""]" "DateObject[{2013, 3, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "United HomeCare Services, Inc." "Healthcare Provider" "Quantity[12299, ""People""]" "DateObject[{2013, 3, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On January 8, 2013, an employee’s unencrypted laptop (owned by the covered entity (CE), United HomeCare Services, Inc.,) was stolen from her locked vehicle. The laptop contained demographic data, including names, dates of birth, addresses, and social security numbers, as well as clinical and health insurance information affecting 12,299 patients of the CE and 1,318 clients of its subsidiary, United Home Care Services of Southwest Florida, LLC. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website.In response to the breach, the CE encrypted its portable devices and provided specialized training to its workforce.OCR obtained assurances that the CE implemented the corrective actions listed above.The employee at fault was suspended without pay for 5 days and resigned shortly thereafter. 
" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Patterson Dental Supply/Patterson Companies" "Business Associate" "Quantity[6400, ""People""]" "DateObject[{2013, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "An unknown individual hacked into the covered entity’s (CE) server which contained the electronic protected health information (ePHI) of approximately 6,400 individuals.The ePHI involved in the breach included names, addresses, dates of birth, social security numbers, payment information, and treatment information.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE improved safeguards by installing a new firewall and filtering technology.Additionally, OCR’s investigation resulted in the CE retraining its employees." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Connextions c/o Anthem BCBS" "Business Associate" "Quantity[1678, ""People""]" "DateObject[{2013, 3, 14}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Network Server" "True" "From November 11, 2011 through October 1, 2012, an employee of the covered entity’s (CE) business associate (BA), Connextions, improperly accessed the protected health information (PHI) of the CE's Medicare members, and the employee may have disclosed their social security numbers to a third party. This breach affected approximately 528 Indiana members. 
The PHI involved in the breach included demographic information and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website.Following the breach, the BA completed a security risk assessment, phased out the call center where the at-fault employee worked, and engaged in an independent, external audit.OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE and BA implemented corrective actions in this matter.In addition, the involved individual’s employment was terminated." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Mount Sinai Medical Center" "Healthcare Provider" "Quantity[628, ""People""]" "DateObject[{2013, 3, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Thomas L. Davis, Jr. DDS" "Healthcare Provider" "Quantity[3269, ""People""]" "DateObject[{2013, 3, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "M&C Children's Clinic PA" "" "Quantity["""", ""People""]" "DateObject[{2013, 3, 19}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "On March 19, 2013, the covered entity (CE), M & C Children’s Clinic, reported a breach when a hacker infected its network and encrypted patients’ electronic medical records.The hacker contacted the CE and demanded money in return for allowing access to patients’ records.The breach involved the clinical, financial, and demographic information of 3,667 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE improved safeguards by adding enhanced firewalls and antivirus software.It also closed all electronic access 
ports and revised its data backup and recovery/restoration plan. Additionally, the CE trained staff on privacy and security. OCR provided technical assistance to the CE on the requirements for conducting a thorough assessment of the potential risks and vulnerabilities to ePHI." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "HealthCare for Women, Inc." "Healthcare Provider" "Quantity[8727, ""People""]" "DateObject[{2013, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "University of Mississippi Medical Center" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2013, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "The University of Mississippi Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a resolution amount of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. 
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” said OCR Director Jocelyn Samuels. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC's investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008. Further, OCR’s investigation revealed that UMMC failed to: • implement its policies and procedures to prevent, detect, contain, and correct security violations; • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users; • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach. University of Mississippi is the state’s sole public academic health science center with education and research functions. In addition it provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson." 
"Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Granger Medical Clinic" "Healthcare Provider" "Quantity[2600, ""People""]" "DateObject[{2013, 3, 22}, ""Day"", ""Gregorian"", -5.]" "Loss, Other, Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Tech Unversity Health Sciences Center" "Healthcare Provider" "Quantity[697, ""People""]" "DateObject[{2013, 3, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon Health & Science University" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2013, 3, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan.The settlement includes a monetary payment by OHSU to the Department for $2,700,000. 
OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.These incidents each garnered significant local and national press coverage.OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. 
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient.Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels.“This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon." "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "Rite Aid #10217" "Healthcare Provider" "Quantity[2082, ""People""]" "DateObject[{2013, 3, 29}, ""Day"", ""Gregorian"", -5.]" "Other, Unknown" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Sunil Kakar, Psy.D." "Business Associate" "Quantity[629, ""People""]" "DateObject[{2013, 3, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "On February 4, 2013, a personal laptop computer used to store medical reports and information about the covered entity’s (CE) clients was lost by, or stolen from, a provider formerly contracted by the CE. The computer's hard drive was wiped before it could be determined what information it contained, but the CE treated it as a breach affecting 629 individuals. 
The protected health information (PHI) involved in the breach may have included names, dates of birth, social security numbers, and clinical information, such as diagnoses or conditions. Following the breach, the CE updated contract language with business associates and contractors to include data security requirements and additional physical controls, as well as a self-assessment tool and monitoring plan. The CE added provisions to require contracted providers to provide proof of annual completion of a self-assessment tool and verification of encryption software use.OCR provided technical assistance on the Security Rule requirements and obtained assurances that breach notification was provided in accordance with the Breach Notification Rule requirements." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "QuickRunner, Inc. (dba, RoadRunner Mailing Services)" "Business Associate" "Quantity[2400, ""People""]" "DateObject[{2013, 3, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Shands Jacksonville Medical Center, Inc." 
"Healthcare Provider" "Quantity[1025, ""People""]" "DateObject[{2013, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "A clinical intern at the covered entity (CE), University of Florida Health Jacksonville (UFHJ) (formerly Shands Jacksonville Medical Center), took photographs of protected health information (PHI) and emailed the PHI to an unauthorized third person for the purpose of filing fraudulent tax returns.The PHI included the names, addresses, social security numbers, dates of birth, and treatment information of 1,025 individuals.Law enforcement agencies that learned of the breach informed the CE and requested delays of breach notification.The CE later provided breach notification to affected individuals, HHS, and the media, and offered affected individuals one year of free identity theft protection. Following the breach, the CE sanctioned two workforce members who had allowed the intern, who was no longer at the CE, to use their credentials to access the electronic medical records in violation of its policies.The CE also retrained workforce members on its privacy policies; increased access restrictions to social security numbers; and ended its clinic-based internships. OCR provided technical assistance and obtained assurances of the CE's plan to update its breach notification policies and procedures." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Florida" "Healthcare Provider" "Quantity[14519, ""People""]" "DateObject[{2013, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Other, Theft, Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Kmart Corporation" "Healthcare Provider" "Quantity[12542, ""People""]" "DateObject[{2013, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "PORTAL HEALTHCARE SOLUTIONS LLC" "Business Associate" "Quantity[2360, ""People""]" "DateObject[{2013, 4, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "The covered entity's (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months.The ePHI included transcribed doctors' notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration.Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement.As a result of OCR's investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE's ePHI." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Hospice and Palliative Care Center of Alamance Caswell" "Healthcare Provider" "Quantity[5370, ""People""]" "DateObject[{2013, 4, 4}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Laptop, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health Care, P.L.L.C." "Healthcare Provider" "Quantity[554, ""People""]" "DateObject[{2013, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "TMG Health " "Business Associate" "Quantity[3794, ""People""]" "DateObject[{2013, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Wm. Jennings Bryan Dorn VAMC" "Healthcare Provider" "Quantity[7405, ""People""]" "DateObject[{2013, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On February 11, 2013, a laptop was stolen from the William Jennings Bryan Dorn VAMC’s Pulmonary Testing Unit.The laptop contained the protected health information (PHI) of approximately 7,405 individuals, including names, dates of birth, and clinical information.The covered entity (CE) provided breach notification to HHS, the media, and affected individuals, and issued substitute notice by placing a notice on its website.It also offered credit monitoring, including identity theft protection for one year.The CE opened a report with the VA police and VA Office of Inspector General (OIG).To prevent future occurrences, the CE improved physical safeguards for all laptops attached to medical testing devices.Additionally, procedures were implemented for secure storage and removal of all personally identifiable information from such medical devices.OCR obtained assurances that 
the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "John J. Pershing VA Medical Center" "Healthcare Provider" "Quantity[589, ""People""]" "DateObject[{2013, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room.The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals.This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date.The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE.The CE provided breach notification to affected individuals, HHS, and the media.Substitute notification was provided through a posting on the CE's main website with a toll-free information number.The CE also offered one year of identity protection and credit monitoring services to affected individuals.As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI.Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules.Finally, OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon Health & Science University" "Healthcare Provider" "Quantity[1076, ""People""]" "DateObject[{2013, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Schneck Medical Center" "Healthcare Provider" "Quantity[3131, ""People""]" "DateObject[{2013, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "The Guidance Center of Westchester" "Healthcare Provider" "Quantity[1416, ""People""]" "DateObject[{2013, 4, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Hope Hospice" "Healthcare Provider" "Quantity[818, ""People""]" "DateObject[{2013, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "An email containing electronic protected health information (ePHI) was sent from a work email address to a home email address by a workforce member of the covered entity (CE), Hope Hospice.The ePHI in the email contained the names, referral sources, admission dates, and health insurers of approximately 818 individuals.Upon discovering the breach, the CE implemented sanctions against the involved workforce member.The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "IHC Health Services, Inc. 
dba Intermountain Life Flight" "Healthcare Provider" "Quantity[857, ""People""]" "DateObject[{2013, 4, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Valley Mental Health" "Healthcare Provider" "Quantity[700, ""People""]" "DateObject[{2013, 4, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "ZDI" "Business Associate" "Quantity[14829, ""People""]" "DateObject[{2013, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "This case, along with two companion cases, involved data lost due to damage and/or opening of priority mail during processing and transit through the United States Post Office. In this case, potentially 15,000 individuals may have been affected. The types of protected health information (PHI) involved in the breach included names, social security numbers, group names, and group numbers. The data was not recovered. The covered entity (CE), Delta Dental, provided breach notification to HHS, affected individuals, and the media. It also took immediate and appropriate steps to mitigate potential damages to individuals and to reduce the likelihood of recurrence. From December 2013 to case closure in September 2015, no further incidents occurred, and OCR determined that the CE’s corrective actions were effective." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Raleigh Orthopaedic Clinic" "Healthcare Provider" "Quantity[17300, ""People""]" "DateObject[{2013, 4, 30}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "Raleigh Orthopaedic Clinic, P.A. 
of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure. Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI). “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). 
“It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Laboratory Corporation of America" "Healthcare Provider" "Quantity[1580, ""People""]" "DateObject[{2013, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A desktop computer tagged for destruction was stolen after hours from a facility of the covered entity (CE), Laboratory Corporation of America (LabCorp). The computer contained the electronic protected health information (ePHI) of approximately 1,580 individuals, including clinical and demographic information, such as diagnoses, names, social security numbers, and dates of birth. The CE provided breach notification to HHS and affected individuals. The CE also notified law enforcement and initiated an internal investigation. In coordination with OCR’s investigation, the CE retrained its employees, changed the storage location of mobile devices and computers, and updated the encryption for its desktop computers. 
" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Arizona Counseling & Treatment Services, LLC" "Healthcare Provider" "Quantity[3800, ""People""]" "DateObject[{2013, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Wood County Hospital" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2013, 5, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "University of Rochester Medical Center & Affiliates" "Healthcare Provider" "Quantity[537, ""People""]" "DateObject[{2013, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "AssuranceMD f/k/a Harbor Group" "Business Associate" "Quantity[22000, ""People""]" "DateObject[{2013, 5, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "True" "An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brooker's business associate, AssuranceMD,and a subcontracted electronic medical records storage company.The ePHI involved in the breach included patients' names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers.Dr. Brooker provided breach notification to HHS and affected individuals.Following the breach he updated his HIPAA policies and procedures.OCR obtained assurances that the corrective action steps listed above were completed.Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Digital Archive Management" "Business Associate" "Quantity[189489, ""People""]" "DateObject[{2013, 5, 7}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Seattle - King County Department of Public Health" "Healthcare Provider" "Quantity[750, ""People""]" "DateObject[{2013, 5, 7}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "The covered entity (CE), Public Health, Seattle & King County, discovered that the protected health information (PHI) of 450 to 750 clients was inadvertently disposed of improperly by being put in the regular recycling.The PHI involved in the breach included treatment or medical condition information, and may have included the social security numbers of five individuals.The CE provided breach notification to HHS, the media, and 2,300 individuals who had an appointment at the subject clinic during the four weeks prior to the incident.It also provided substitute notification. The CE improved safeguards by updating its PHI disposal policies and procedures.OCR’s investigation confirmed that the appropriate notifications were made, that corrective actions steps were taken, and required that the CE retrain all staff on its revised disposal policy. " "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Regional Medical Center" "Healthcare Provider" "Quantity[1180, ""People""]" "DateObject[{2013, 5, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "E-dreamz, Inc." 
"Business Associate" "Quantity[9988, ""People""]" "DateObject[{2013, 5, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "The credit card information of 9,988 patients of the covered entity (CE), Presbyterian Anesthesia Associates, P.A. (now known as Providence Anesthesia Associates, P.A.), was compromised when an unauthorized person gained access to the servers of E-dreamz, the CE’s website hosting business associate (BA).The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information.The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection.The CE also notified the FBI, North Carolina’s Attorney General, and all major credit card companies.In response to the breach, the CE hired an outside forensic computer specialist to investigate.Additionally, the CE terminated its service agreement with the BA and entered into a satisfactory BA agreement with a new website hosting vendor.The BA agreement prohibits storage of any PHI on the vendor’s servers.The CE also reviewed and updated its HIPAA policies and procedures.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "North Atlantic Telecom, Inc." "Business Associate" "Quantity[539, ""People""]" "DateObject[{2013, 5, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Desktop Computer" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "E-dreamz, Inc." 
"Business Associate" "Quantity[1924, ""People""]" "DateObject[{2013, 5, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "On April 19, 2013, the credit card information of 1,924 patients of the covered entity (CE), Piedmont HealthCare, P.A., was compromised via a breach of a website hosted by one of the CE’s vendors, E-dreamz.An unauthorized person gained access to E-dreamz’s servers and obtained payment information of the CE’s patients.The protected health information (PHI) involved in the breach included patients’ names, addresses, phone numbers, email addresses, and credit card information.The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. Following the breach, the CE terminated its agreement with E-dreamz and entered into a business associate (BA) agreement with a new website hosting vendor.The CE also initiated legal proceedings against E-dreamz regarding its breach of contract for storing credit card information on its server and other issues related to this incident.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana University Health Arnett" "Healthcare Provider" "Quantity[10350, ""People""]" "DateObject[{2013, 5, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Dent Neurologic Institute" "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2013, 5, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "City of Norwood" "Healthcare Provider" "Quantity[9577, ""People""]" "DateObject[{2013, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Lutheran Social Services of South Central Pennsylvania" "Healthcare Provider" "Quantity[7803, ""People""]" "DateObject[{2013, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "This case involved a hacking incident on the covered entity’s (CE) network server.A Trojan virus was discovered running under an administrative account on a remote access server.No data loss was actually discovered, but potentially 7,300 records may have been vulnerable.The types of protected health information (PHI) potentially breached included demographic, financial, and clinical information.The CE engaged a forensic consulting team to verify the scope and impact of the malware and to clean the system.The CEinstalled more effective virus detection software, trained and educated users regarding data security, and made adjustments to data storage policies.OCR confirmed that the CE took all appropriate corrective action." 
"Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Just the Connection Inc" "Business Associate" "Quantity[5388, ""People""]" "DateObject[{2013, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Erskine Family Dentistry" "Healthcare Provider" "Quantity[2723, ""People""]" "DateObject[{2013, 5, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "An email was opened on an Erskine Family Dentistry computer that contained a virus; it affected the computers which stored the protected health information (PHI) of2,723 individuals.The types of PHI involved in the breach included patients’ names, addresses, dates of birth, social security numbers, credit card numbers, claims information, and treatment information.The covered entity (CE) investigated and ensured that the virus did not penetrate any of its programing containing PHI.The CE also ensured that it was only storing PHI in its encrypted programs, installed a new antivirus tool, and assured that every potentially affected computer was examined and wiped of the virus.The CE provided breach notification to HHS, the media, and affected individuals. The CE also retrained staff.OCR obtained written documentation that the CE implemented the corrective actions listed. 
" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Health Resources of Arkansas" "Healthcare Provider" "Quantity[1900, ""People""]" "DateObject[{2013, 5, 23}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "SynerMed / Inland Valleys IPA" "Business Associate" "Quantity[3164, ""People""]" "DateObject[{2013, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "On April 14, 2013, a SynerMed employee’s laptop computer was stolen out of her vehicle while parked in front of her home. The laptop contained the protected health information (PHI) of 3,164 individuals, and included patients’ names, member identification, dates of service, reasons for visits, and procedure codes. The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to this incident, the CE improved physical security, encrypted all computers, counseled the employee involved, and trained staff. It also reviewed its policies and implemented an encryption policy. OCR obtained assurances that the CE implemented the corrective actions listed above."
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Independence Care System" "Health Plan" "Quantity[2434, ""People""]" "DateObject[{2013, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sonoma Valley Hospital" "Healthcare Provider" "Quantity[1386, ""People""]" "DateObject[{2013, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Bon Secours Mary Immaculate Hospital" "Healthcare Provider" "Quantity[5764, ""People""]" "DateObject[{2013, 5, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "The covered entity (CE), Bon Secours Health System, discovered that two Certified Nursing Assistants (CNAs) impermissibly electronically accessed the medical records of approximately 5,764 patients during the prior 12 months.The protected health information (PHI) contained in the breach included patients' names, social security numbers, dates of birth, addresses, clinical information, and other identifiers.The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE conducted a full investigation, sanctioned the two CNAs, revoked their access to the electronic medical record system and subsequently terminated both employees for their actions.Following the CE's reports to law enforcement and the state department of health professions, the two former employees plead guilty to Federal misdemeanor charges and had their professional certifications revoked.OCR reviewed the CE's most recent risk assessment and confirmed that all identified risks are to be addressed by December 2014 according to the CE's Risk Management Plan.As a result of OCR's investigation, the CE pursued prosecution of the CNAs and provided credit monitoring services to the affected individuals." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Florida" "Healthcare Provider" "Quantity[5875, ""People""]" "DateObject[{2013, 5, 30}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Community Support Services, Inc." "Healthcare Provider" "Quantity[1167, ""People""]" "DateObject[{2013, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "UMASSAmherst" "Healthcare Provider" "Quantity[1670, ""People""]" "DateObject[{2013, 6, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Palm Beach County Health Department" "Healthcare Provider" "Quantity[877, ""People""]" "DateObject[{2013, 6, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Lucile Packard Children's Hospital" "Healthcare Provider" "Quantity[12900, ""People""]" "DateObject[{2013, 6, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Fayetteville VAMC" "Healthcare Provider" "Quantity[1093, ""People""]" "DateObject[{2013, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Fayetteville VA Medical Clinic Optical Shop, impermissibly disclosed the protected health information (PHI) of approximately 1,094 individuals by placing consultation reports in the recycling bin rather than the shred bin from January to April 2013.The PHI involved in the breach included patients’ names, social security 
numbers, birthdates, addresses, and phone numbers. The CE provided breach notification to HHS, the media, and all potentially affected patients and also offered credit monitoring. The CE investigated the incident, removed and shredded all identified documents from the recycle bin, and provided a document shredder on-site. Additionally, the CE retrained employees regarding security and disposal methods for documents containing PHI. Moreover, the responsible staff member was sanctioned according to the CE’s policy. OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Lincoln County Health and Human Services/Lincoln Community Health Center" "Healthcare Provider" "Quantity[959, ""People""]" "DateObject[{2013, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity’s (CE) locked building was burglarized and a locked medical chart room containing protected health information (PHI) in paper form was broken into and accessed by an unknown person(s). No PHI was removed and forensics determined there were no attempts to access electronic PHI on the CE’s computers. The medical charts potentially accessed included names, dates of birth, addresses, social security numbers, financial information, medications, treatment information, and lab results for 956 individuals. The CE improved physical safeguards by repairing or replacing the broken locks and adding a security camera. OCR’s investigation confirmed that the appropriate breach notifications were made and that corrective action steps were taken. OCR also required the CE to update its breach notification policies and procedures, and retrain its staff on its revised policies. 
" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Union Security Insurance Company" "Health Plan" "Quantity[1127, ""People""]" "DateObject[{2013, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Gulf Breeze Family Eyecare, Inc" "Healthcare Provider" "Quantity[9626, ""People""]" "DateObject[{2013, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record, Email, Network Server, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Jacksonville Spine Center" "Healthcare Provider" "Quantity[5200, ""People""]" "DateObject[{2013, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error.The mailing resulted in some individuals receiving correspondence with another patient's name on the envelope.The only PHI involved in the breach was patients' names. The CE provided breach notification to HHS, the media and affected individuals.The notice to individuals requested that patients either return the envelope to the CE or destroy the envelope.As a result of this incident, the CE issued a written warning to the responsible workforce member pursuant to the CE's sanction policy. Moreover, the CE implemented additional safeguards including the checking of data file integrity prior to sending mailings. OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Iowa Department of Human Services" "Healthcare Provider" "Quantity[7335, ""People""]" "DateObject[{2013, 6, 26}, ""Day"", ""Gregorian"", -5.]" "Loss, Unknown" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "James A. Fosnaugh" "Healthcare Provider" "Quantity[2125, ""People""]" "DateObject[{2013, 6, 26}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "OCR opened an investigation of the covered entity (CE), Dr. James A. Fosnaugh, after he reported that the computer chip in his thumb drive had fallen out of its casing at some point in May 2013.The thumb-drive contained the names, dates of birth, addresses, phone numbers, and in some cases, names of family members listed on family medical histories. The incident affected approximately 2,125 of the CE’s patients.The CE provided breach notification to HHS, affected individuals, and the media. To prevent similar breaches from happening in the future, the CE established a team responsible for identifying security issues as they arise.The CE also retrained employees on its policies and procedures regarding the Privacy and Security Rules.As a result of OCR’s investigation, the CE completed a risk analysis to ensure adequate safeguards of electronic protected health information." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Lone Star Circle of Care" "Healthcare Provider" "Quantity[1955, ""People""]" "DateObject[{2013, 6, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On June 28, 2013, the covered entity (CE), Lone Star Circle of Care, reported a breach when a work force member’s car was broken into and an unencrypted, password-protected laptop computer was stolen.The protected health information (PHI) involved in the breach included the financial and clinical information of 1,955 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE encrypted all of its laptops and revised its policies for storing PHI on hard drives and other mobile devices.Additionally, the CE retrained staff on its privacy and security policies.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""Country"", ""PuertoRico""]" "Alberto Gerardo Vazquez Rivera" "Business Associate" "Quantity[679, ""People""]" "DateObject[{2013, 6, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An encrypted laptop computer was stolen from an AFLAC associate's vehicle in Puerto Rico.The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses.The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media.The responsible workforce member was sanctioned.OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted." 
"Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "RCR Technology Corporation" "Business Associate" "Quantity[187533, ""People""]" "DateObject[{2013, 7, 1}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "CVS Caremark" "Business Associate" "Quantity[4305, ""People""]" "DateObject[{2013, 7, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members.The PHI involved in the breach included names and prescribed medication(s).The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media.Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future.OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Health Net, Inc." "Health Plan" "Quantity[8331, ""People""]" "DateObject[{2013, 7, 2}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "South Florida Neurology Associates, P.A." "Healthcare Provider" "Quantity[900, ""People""]" "DateObject[{2013, 7, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer was stolen after hours from a lab of the covered entity (CE), South Florida Neurology Associates.The laptop contained the protected health information (PHI) of approximately 900 patients and contained demographic and clinical information, including patients’ names, dates of birth, and diagnoses. 
The CE notified law enforcement which initiated an investigation.Additionally, the CE provided breach notification to HHS, the affected individuals, and the media, and posted substitute notice on its website. The CE improved physical safeguards and improved administrative safeguards by imposing more restrictive access policies for the lab. " "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Samaritan Regional Health System" "Healthcare Provider" "Quantity[2203, ""People""]" "DateObject[{2013, 7, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician.The protected health information (PHI) included the names and addresses of approximately 2,203 individuals.The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website.Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "MED-EL Coproration" "Healthcare Provider" "Quantity[609, ""People""]" "DateObject[{2013, 7, 5}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sutter Health East Bay Region" "" "Quantity[4479, ""People""]" "DateObject[{2013, 7, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "True" "The Alameda County Sheriff’s office found a list of protected health information (PHI) belonging to 4,491 individuals during an unrelated investigation and provided it to the covered entity (CE), Sutter Health East Bay Region. 
The list contained demographic information such as names, addresses, dates of birth, social security numbers, and other identifiers. The CE determined that the PHI was stolen by a workforce member of its business associate (BA). The PHI belonged to patients of the following CE hospitals: Alta Bates Summit Medical Center, Sutter Delta Medical Center, and Eden Medical Center. The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring. Following the breach, the CE conducted an internal forensics investigation, hired an external forensics firm, and fully implemented data loss prevention technology. OCR obtained assurances that the CE implemented the corrective actions listed above. Additionally, the workforce member responsible for the breach is no longer employed by the BA." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Family Health Network" "Business Associate" "Quantity[3133, ""People""]" "DateObject[{2013, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "ZDI" "Business Associate" "Quantity[4718, ""People""]" "DateObject[{2013, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Children's Medical Center of Dallas" "Healthcare Provider" "Quantity[2462, ""People""]" "DateObject[{2013, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Medtronic, Inc." 
"Healthcare Provider" "Quantity[2764, ""People""]" "DateObject[{2013, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Medtronic, misplaced a box of paper records containing the protected health information (PHI) of approximately 2,764 individuals.The box contained patient pump training records, including a checklist of training received, patients' names, device serial numbers, phone numbers, and, in some cases, email addresses. Some of the records may also have included social security numbers, medical necessity forms, physician orders, and copies of documents from one patient's medical record.The CE provided breach notification to affected individuals and HHS.Following the breach, the CE improved safeguards by redesigning its records tracking procedures and installing software with additional box tracking capabilities.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Shred-it International Inc." 
"Business Associate" "Quantity[277014, ""People""]" "DateObject[{2013, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Long Beach Memorial Medical Center" "Healthcare Provider" "Quantity[2864, ""People""]" "DateObject[{2013, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Illinois Department of Healthcare and Family Services" "" "Quantity["""", ""People""]" "DateObject[{2013, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Hansen and Associates" "" "Quantity[2700, ""People""]" "DateObject[{2013, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "True" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Sheet Metal Local 36 Welfare Fund" "" "Quantity[4560, ""People""]" "DateObject[{2013, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "The covered entity (CE), Sheet Metal Local 36 Welfare Fund, reported that an employee of its business associate (BA), People Resources Corporation, inadvertently uploaded Excel spreadsheets containing the CE’s Member Assistance Program (MAP) eligibility data onto an unsecure website maintained by the BA.An unknown individual or entity believed to be in China uploaded the data to two additional websites.In addition, two other websites contained links to the BA’s unsecure website.The spreadsheets contained the names, addresses, dates of birth, and social security numbers of 4,560 members (but not dependents). The BA was purchased by E4 Health, Inc. 
in September 2013. The CE provided breach notification to HHS, affected individuals, and the media. The BA immediately removed the protected health information (PHI) from the unsecure website, confirmed that the PHI was no longer available on its websites or through internet search engines, and confirmed that only one spreadsheet was accessed by unauthorized parties and the other spreadsheets had not been viewed or compromised. The BA adopted additional protections to prevent future unauthorized disclosures (including management level review of any documents posted to its websites). Additionally, the CE met with each of its vendors to review the vendors’ security procedures and protocols and instituted a review program, as well as reviewed its own internal procedures. OCR obtained assurances that the CE and BA implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Harris County" "Health Plan" "Quantity[21000, ""People""]" "DateObject[{2013, 7, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Jesle Kuizon" "Business Associate" "Quantity[800, ""People""]" "DateObject[{2013, 7, 18}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Theft, Unauthorized Access/Disclosure" "Desktop Computer, Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "GEO Care, LLC" "Healthcare Provider" "Quantity[710, ""People""]" "DateObject[{2013, 7, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "The FBI notified the covered entity (CE), GEO Care, that a GEO Care employee, inappropriately accessed the patient admission reports of approximately 710 patients at South Florida State Hospital and provided them to a third party, the employee's cousin, without authorization. 
The employee's cousin then attempted to sell the reports for an illegal purpose. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, admission dates, discharge dates, and patients' unit names. The CE provided breach notification to HHS, the media, and posted substitute notice on its website. It also offered identity theft protection to the affected individuals. The responsible staff member was terminated according to the CE's policy and has also been criminally indicted. Following the breach, the CE improved safeguards by limiting the use of full social security numbers, restricting access to documents, and performing weekly audits of those workforce members who access documents with full social security numbers. Additionally, the CE updated its privacy and security policies and procedures and developed new policies and procedures. It also revised its policies for employee access to electronic PHI based on job title and function, and provided retraining to employees regarding access and disclosure of PHI. OCR obtained assurances that the corrective actions listed above were completed."
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "The Brookdale Hospital and Medical Center" "Healthcare Provider" "Quantity[2700, ""People""]" "DateObject[{2013, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Louisiana State University Health Care Services Division" "Healthcare Provider" "Quantity[6994, ""People""]" "DateObject[{2013, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Louisiana State University Health Care Services Division" "" "Quantity["""", ""People""]" "DateObject[{2013, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "Electronic protected health information (ePHI) was used and disclosed by a workforce member of the covered entity (CE), Louisiana State University Health Care Services Division, to produce fraudulent checks and steal cash.The ePHI included the checking accounts, driver’s licenses, social security numbers, and other demographic information for approximately 6,994 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Upon discovering the breach, the CE sanctioned the involved workforce member.The CE improved physical security by adopting new security procedures. OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon Health & Science University" "Healthcare Provider" "Quantity[1361, ""People""]" "DateObject[{2013, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan.The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule.While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. 
OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. “From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.” OHSU is a large public academic health center and research university centered in Portland, Oregon, comprising two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Rocky Mountain Spine Clinic" "Healthcare Provider" "Quantity[532, ""People""]" "DateObject[{2013, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Vitreo-Retinal Medical Group, Inc. " "Healthcare Provider" "Quantity[1837, ""People""]" "DateObject[{2013, 8, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Health Resources of Arkansas" "Business Associate" "Quantity[1911, ""People""]" "DateObject[{2013, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A break-in and burglary took place at the Office of Health Resources (HRA), a business associate (BA) of the covered entity (CE), the Arkansas Department of Humans Services (DHS). 
Two laptop computers which contained client files and the protected health information (PHI) of approximately 1,911 individuals were stolen. Following the breach, the CE improved physical safeguards, retrained workforce members, revised its HIPAA training for all employees on incident reporting procedures, and revised the Arkansas Business Associate Agreement (BAA) provisions on reporting breach incidents. Additionally, OCR’s investigation resulted in the CE’s development of a plan to survey its BAAs to assess HIPAA compliance and conduct on-site inspections." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor All Saints Medical Center at Fort Worth" "Healthcare Provider" "Quantity[940, ""People""]" "DateObject[{2013, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "A former employee of the covered entity (CE), Baylor All Saints Medical Center at Fort Worth, breached protected health information (PHI) via text messages forwarded from a pager of the CE. The PHI involved in the breach included the names, demographic information, patients’ bed locations in the emergency department, and ER admission notifications of approximately 940 individuals. Breach notification was provided to HHS, affected individuals, and the media. Following the breach, the CE disabled the copy forward feature on all pagers receiving messages from the pager vendor, and revised pager procedures. As a result of OCR’s investigation, the vendor’s software and paging server configuration was changed, and the CE revised its pager requisition form to reflect prohibited device settings. " "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "M2ComSys Inc." 
"Business Associate" "Quantity[32151, ""People""]" "DateObject[{2013, 8, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Young Family Medicine Inc." "Healthcare Provider" "Quantity[2045, ""People""]" "DateObject[{2013, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Hancock OB/GYN" "Healthcare Provider" "Quantity[1396, ""People""]" "DateObject[{2013, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "An employee of the covered entity (CE), Hancock OB/GYN impermissibly accessedthe electronic protected health information (ePHI) of 1,396 individuals without a necessary business reason to do so.The ePHI included names, dates of service, medical record numbers, and clinical information.The CE provided breach notification to HHS, affected individuals, and the media.Upon discovering the breach, the CE terminated the responsible individuals’ employment.As a result of OCR’s investigation, the CE revised its policies and procedures related to safeguarding ePHI and implemented routine audits of employee access to ePHI." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Anthem BCBS of GA" "Business Associate" "Quantity[5497, ""People""]" "DateObject[{2013, 8, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "The covered entity's (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CE's business associate (BA).This breach affected approximately 5,497 individuals and included demographic information. 
Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals. The CE also sent a memorandum and its corrective action/sanction policy to the account manager's staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative. OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "InfoCrossing, Inc." "Business Associate" "Quantity[1357, ""People""]" "DateObject[{2013, 8, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Foundations Recovery Network" "Healthcare Provider" "Quantity[5690, ""People""]" "DateObject[{2013, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop" "False" "A password-protected, unencrypted laptop was stolen from the covered entity’s (CE) employee’s car in her neighborhood. The laptop contained the protected health information (PHI) of 5,690 individuals and included patient names, dates of birth, addresses, telephone numbers, social security numbers, diagnoses, level of care, dates of service, and health insurance identifiers. The CE conducted an investigation and filed a police report. 
The CE provided breach notifications to HHS and affected individuals. Following the breach, the CE disabled the laptop’s access to its internal systems and changed the passwords. The employee was formally reprimanded and retrained. The CE hired experts to perform a risk assessment and gap analysis of its existing privacy and security practices, policies, and procedures and instituted a policy prohibiting workforce members from removing unencrypted company laptops from the premises. The CE retrained employees at all levels on its HIPAA policies and procedures and provided company-wide email reminders to all workforce members regarding privacy and security protections. The CE established roles to address compliance, including a compliance committee and a compliance director. OCR obtained assurances that the corrective actions listed above were taken. Two of the three individuals involved in the theft of the laptop were arrested." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Correctional Health Care Services" "Healthcare Provider" "Quantity[1033, ""People""]" "DateObject[{2013, 8, 16}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "North Texas Comprehensive Spine & Pain Center" "Healthcare Provider" "Quantity[3200, ""People""]" "DateObject[{2013, 8, 19}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Other Portable Electronic Device" "False" "On August 19, 2013, the covered entity (CE), North Texas Comprehensive Spine & Pain Center, reported a breach when an employee’s car was broken into and an external hard drive was stolen. The hard drive contained the demographic and clinical information of 3,200 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The employee was authorized to take protected health information (PHI) home as part of her job duties. Following the breach, the CE sanctioned 
the involved employee, encrypted its hard drives, and changed its policies to prohibit employees from remotely accessing PHI. OCR verified the corrective action taken by the CE." "Entity[""AdministrativeDivision"", {""NorthDakota"", ""UnitedStates""}]" "Elbowoods Memorial Health Center" "Health Plan" "Quantity[10000, ""People""]" "DateObject[{2013, 8, 21}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Desktop Computer, Other, Other Portable Electronic Device, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Jackson Health System" "Healthcare Provider" "Quantity[1471, ""People""]" "DateObject[{2013, 8, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group" "Healthcare Provider" "Quantity[4029530, ""People""]" "DateObject[{2013, 8, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Summit Community Care Clinic, Inc." 
"Healthcare Provider" "Quantity[921, ""People""]" "DateObject[{2013, 8, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "UT Physicians" "Healthcare Provider" "Quantity[596, ""People""]" "DateObject[{2013, 8, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 596 individuals was stolen from the covered entity's (CE), UT Physicians, facility.The laptop was stored in a locked closet, in an area secured by a key card.The laptop had been attached to an electromyography (EMG) nerve device and had been inventoried as a medical device.The ePHI included patients' names, dates of birth, and medical record numbers along with the values from the EMG machine.The CE provided breach notification to HHS, affected individuals and the media.Following the breach, the CE replaced the stolen laptop with an encrypted laptop and improved physical safeguards for the new laptop.Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE’s policies, including encryption requirements.OCR obtained a copy of the CE's current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Cogent Healthcare, Inc." 
"Business Associate" "Quantity[32000, ""People""]" "DateObject[{2013, 8, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "Cogent Healthcare, Inc., a business associate (BA) providing management services for 24 providers of hospitalist services, submitted a breach report to HHS on behalf of these covered entities.The BA's privacy officer found that protected health information (PHI) for which the BA was responsible was accessible on a File Transfer Protocol (FTP) Internet site.The PHI involved in the breach affected approximately 32,151 individuals and included patients' names, physicians' names, dates of birth, diagnoses, treatment summaries, medical histories, medical record numbers and related information.OCR determined that the reporting entity is a BA and the incident occurred prior to the September 23, 2013, enforcement date.OCR provided the BA with technical assistance regarding current HIPAA Privacy and Security Rule BA requirements." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Atlanta Center for Reproductive Medicine" "Healthcare Provider" "Quantity[654, ""People""]" "DateObject[{2013, 8, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "St. Anthony's Physician Organization" "Healthcare Provider" "Quantity[2600, ""People""]" "DateObject[{2013, 8, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Valperaiso Fire Department" "Health Plan" "Quantity["""", ""People""]" "DateObject[{2013, 9, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "This case has been consolidated with another review for this covered entity." 
"Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Janna Benkelman LPC LLC" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2013, 9, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On August 1, 2013, the covered entity (CE), Dr. Benkelman, discovered that her unencrypted office laptop computer had been stolen from her unlocked office.The resulting breach affected approximately 1,500 patients, and the electronic protected health information (ePHI) included demographic and mental health information (diagnoses/conditions).The CE reported the theft to the police, and provided breach notification to HHS, the media, and affected individuals.The CE also offered credit monitoring to affected individuals.The CE closed the practice in the fall of 2013 due to the breach." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Olson & White Orthodontics" "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2013, 9, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "On July 22, 2013, two desktop computers that contained protected health information (PHI) were stolen from the covered entity (CE), Olson & White Orthodontics, during a break-in.The names, addresses, dates of birth, social security numbers, claims information, diagnoses, and treatment information affecting 10,000 were reportedly disclosed. 
The CE utilized a system for encryption to protect its PHI; however, a software oversight may have resulted in some PHI being stored in an unencrypted manner on the stolen computers. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. Following the breach, the CE reported the theft to the proper authorities, added offsite data backup storage, and improved physical safeguards. Additionally, it retrained staff and eliminated office procedures that resulted in the storage of unencrypted PHI. As a result of OCR’s investigation, the CE updated its uses and disclosures policy and provided training on the updated policy. The CE also provided OCR documentation of its corrective actions." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Kaiser Foundation Health Plan of the Northwest" "Health Plan" "Quantity[647, ""People""]" "DateObject[{2013, 9, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Over a period of about three and a half years, an employee of Kaiser Foundation Health Plan of the Northwest, the covered entity (CE), accessed patient records either without a business need to know or beyond the minimum necessary for her job. The impermissible access by the employee totaled 647 individuals. The type of protected health information involved in the breach included names and treatment information. The CE provided breach notification to HHS and affected individuals. Following the discovery of the breach, the CE retrained employees. After an intensive investigation, it terminated the employee and disciplined four others for related misconduct. OCR obtained written assurances that the corrective actions were taken." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Hankyu Chung, M.D." 
"Healthcare Provider" "Quantity[2182, ""People""]" "DateObject[{2013, 9, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "ICS Collection Service, Inc." "Business Associate" "Quantity[1290, ""People""]" "DateObject[{2013, 9, 6}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "True" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "PHMHS" "Business Associate" "Quantity[5000, ""People""]" "DateObject[{2013, 9, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizingwhich led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet.The ePHI included names, gender, member identification numbers, dates of birth, and consent forms.The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website.Upon discovery of the breach, the BA removed the software application and placed it offline.As a result of OCR's investigation, the CE had its BA to conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR provided technical assistance to assist the CE understand its obligations under the Privacy and Security Rules regarding BA agreements." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Dermatology Associates of Tallahassee" "Healthcare Provider" "Quantity[915, ""People""]" "DateObject[{2013, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "NHC HealthCare, Oak Ridge" "Healthcare Provider" "Quantity[4268, ""People""]" "DateObject[{2013, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "NHC HealthCare, Mauldin" "Healthcare Clearing House" "Quantity[4204, ""People""]" "DateObject[{2013, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group" "" "Quantity[2029, ""People""]" "DateObject[{2013, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Dreyer Medical Clinic" "" "Quantity[998, ""People""]" "DateObject[{2013, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "South Shore Physicians, PC" "Healthcare Provider" "Quantity[8000, ""People""]" "DateObject[{2013, 9, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "The protected health information (PHI) of approximately 8000 individuals was purposely taken by an employee for identity theft purposes.The employee took copies of patients’ names, dates of birth, mailing addresses, social security numbers, bank account numbers, credit card numbers and medical information.The covered entity (CE) had to wait in order to report the breach to OCR due 
to the criminal investigation by the New York City police and district attorney’s office. The CE hired a consultant to conduct an investigation, risk analysis, and risk management plan. Additionally, the CE’s consultant reviewed its Privacy and Security Rule policies and procedures and retrained staff. Lastly, the CE notified the patients regarding this incident as required by the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Dermatology Associates of Tallahassee" "Healthcare Provider" "Quantity[915, ""People""]" "DateObject[{2013, 9, 16}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sierra View District Hospital" "Healthcare Provider" "Quantity[1009, ""People""]" "DateObject[{2013, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "A workforce member of the covered entity (CE), Sierra View Medical Center, impermissibly accessed an internal hospital roster covering different departments over a period of several days between July and August 2013, which potentially affected the electronic protected health information (ePHI) of approximately one thousand nine (1,009) individuals. The ePHI included patients' names, room numbers, treating physicians' information, diagnoses, and medical record data, including treatment notes. The CE provided breach notification to HHS, affected individuals, and the media. The CE investigated and determined that the employee had not used the information, despite impermissibly accessing it. The CE sanctioned the employee and implemented compliance actions to meet workforce security standards, including log-in monitoring. 
The CE also revised policies and procedures and conducted training on the security awareness standard. OCR provided substantive technical assistance and identified corrective actions that the CE must complete to comply with the Security Rule, which includes the following: conduct and monitor a comprehensive, enterprise-wide risk analysis, update and monitor its risk management plan, and monitor its information access management to ensure adequate safeguards of ePHI." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "InfoCrossing, Inc." "Business Associate" "Quantity[25461, ""People""]" "DateObject[{2013, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Holy Cross Hospital, Inc." "Healthcare Provider" "Quantity[9900, ""People""]" "DateObject[{2013, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Desktop Computer, Network Server" "False" "An employee accessed and used protected health information (PHI) outside of her job duties to file fraudulent tax returns. The PHI involved in the breach included the names, addresses and social security numbers of 9,900 individuals. The covered entity (CE), Holy Cross Hospital, provided breach notification to HHS, affected individuals, and the media. The CE retrained staff, disseminated educational material, and implemented an extensive risk management plan to bolster procedures for auditing and monitoring PHI use and access. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employment of the involved employee." 
"Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Region Ten Community Services Board" "Healthcare Provider" "Quantity[10228, ""People""]" "DateObject[{2013, 9, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "The covered entity (CE), Region Ten Community Services Board, reported that multiple employees had responded to an email, appearing to come from an internal sender, informing them that their mailboxes had exceeded limits and instructing them to follow a link to enter username and password.A forensic investigation was conducted which did not show that any sensitive client information was compromised.However, in an effort to mitigate any potential harm the CE sent notification to over 10,000 individuals, sent a press release to a local news station and also posted information about the occurrence on its website.The CE engaged the services of a technology consulting firm and has provided OCR written assurance that it has implemented updates to its computer network including an additional firewall" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Comprehensive Podiatry LLC" "Healthcare Provider" "Quantity[1360, ""People""]" "DateObject[{2013, 9, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Santa Clara Valley Medical Center" "Healthcare Provider" "Quantity[579, ""People""]" "DateObject[{2013, 9, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Sarah Benjamin, DPM - Littleton Podiatry" "" "Quantity[3512, ""People""]" "DateObject[{2013, 9, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "On August 27, 2013, an unencrypted laptop computer containing the protected health information (PHI) of 3,512 individuals was stolen from a locked supply closet at the covered entity’s (CE) facility.The types of PHI 
involved in the breach likely included patients’ names, genders, addresses, telephone numbers, dates of birth, health insurance information, and medical records, including appointment notes, diagnosis, treatments, surgery notes, lab test results, prescriptions, instructions, and other information relating to podiatric care. The CE provided breach notification to HHS, affected individuals, and the media, and also contacted the police. Following the breach, the CE conducted an enterprise-wide risk analysis, implemented a risk management plan, encrypted its workstations and devices, and improved physical safeguards. The CE also implemented several other administrative and technical safeguards to ensure its compliance with the Security Rule. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Carol L Patrick Ph. D." "Healthcare Provider" "Quantity[517, ""People""]" "DateObject[{2013, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "On August 9, 2013, the covered entity (CE), Dr. Carol L. Patrick, discovered that her office was broken into and all the operational computers, network servers, and work stations were stolen. The stolen equipment contained the electronic protected health information (ePHI) of approximately 517 individuals and included clinical information, specifically psychological assessments, evaluations, letters, reports, and evaluations written on behalf of clients. The CE provided breach notification to HHS, affected individuals, and the media, and filed a police report. Following the breach, the CE improved physical safeguards by installing a security system with motion and fire protection and internal alarms. The CE also installed encryption software and updated its privacy policy. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "HOPE Family Health" "Healthcare Provider" "Quantity[6932, ""People""]" "DateObject[{2013, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Paul G. Klein, DPM" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2013, 10, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported that an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnoses, lab test results, medications, medical notes, and treatment plans.Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR’s investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop.OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the HIPAA Rules and provided technical assistance to the CE regarding the requirements of the Breach Notification Rule." 
"Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "UnityPoint Health Affiliated" "Healthcare Provider" "Quantity[1825, ""People""]" "DateObject[{2013, 10, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "The covered entity (CE), UnityPoint Health, discovered that an office manager (from an independent private practice) was using physicians’ passwords to access patients’ protected health information (PHI).The types of PHI involved in the breach included names, social security numbers, addresses, driver’s license numbers, dates of birth, diagnoses, lab results, and medications affecting approximately 1,825 individuals.The CE provided breach notification to HHS, affected individuals, and the media, and contacted the proper authorities to investigate any possible criminal infractions.The CE investigated the breach, which resulted in the office manager’s resignation from her job.The CE also retrained the physicians who shared their passwords with the office manager and obtained written assurances they would no longer share passwords.OCR obtained and reviewed the CE’s HIPAA compliance documentation." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "TSYS Employee Health Plan" "" "Quantity[5232, ""People""]" "DateObject[{2013, 10, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, San Francisco" "Healthcare Provider" "Quantity[3553, ""People""]" "DateObject[{2013, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Reconstructive Orthopaedic Associates II, P.C. 
d/b/a Rothman Institute" "Healthcare Provider" "Quantity[2350, ""People""]" "DateObject[{2013, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An employee removed paper copies of daily patient schedules and two medical reports from the covered entity's (CE) transcription processing department without authorization upon her termination from employment. Approximately 2,300 individuals were affected by the breach. The protected health information (PHI) involved in the breach included patient names, telephone numbers, appointment dates and times, dates of birth, reasons for visits, visit sites, assigned staff/physician, chart numbers, insurance company codes and copays, encounter numbers, and treatment information. The CE provided breach notification to HHS, the media and affected individuals and provided one year of free credit monitoring to those who requested it. Following the breach, the CE cooperated with local authorities in their arrest and prosecution of the involved employee. The CE updated its privacy policies and procedures, organized the policies into a HIPAA manual, and retrained 687 employees on its privacy policies and procedures. In response to OCR's investigation, the CE decided to replace its electronic medical records and practice management systems to improve safeguards for electronic PHI." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Group Health Cooperative" "Healthcare Provider" "Quantity[1015, ""People""]" "DateObject[{2013, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The CE sent an erroneous mailing to 1,105 individuals which displayed protected health information (PHI) in the address window of the envelope.The PHI involved in the breach included patients’ names, medical record numbers, diagnoses, and addresses.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE reviewed, updated and implemented applicable procedures to correct the causes of this incident.In response to OCR’s investigation, CE provided documentation of the corrective actions taken." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Schuylkill Health System" "Healthcare Provider" "Quantity[2810, ""People""]" "DateObject[{2013, 10, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "CaroMont Medical Group" "Healthcare Provider" "Quantity[1310, ""People""]" "DateObject[{2013, 10, 4}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "On August 8, 2013, the covered entity (CE), CaroMont Medical Group, performed an internal audit that found an unencrypted email was sent by an employee on August 5, 2013. 
The employee emailed a spreadsheet to her personal email containing the following protected health information (PHI) for 1,310 individuals: patients’ names, dates of birth, medical record numbers, insurance providers, insurance numbers, diagnoses, and two Medicaid/Medicare numbers. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, updated its secure email policy, and required employees to attest to reviewing the new policy. The CE trained staff on data privacy and information security, and it implemented security controls for the encryption of all external emails containing an attachment. OCR obtained assurances that the CE implemented the corrective actions noted above." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Mount Sinai Medical Center" "Healthcare Provider" "Quantity[1586, ""People""]" "DateObject[{2013, 10, 4}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Mt. Sinai Medical Center, after it reported that a trash vendor placed two garbage bags in an open box containing the protected health information (PHI) of 1,586 patients outside Mt. Sinai’s Department of Preventive Medicine’s facility with the regular trash. The PHI involved in the breach included names, dates of service, payer information, patients’ clinical information, mental health information and social security numbers. As a result of the breach, the CE retrieved the two trash bags and the box that contained PHI, provided training to its staff regarding appropriate disposal of PHI including paper files, and sanctioned the supervisor for failing to follow its policy regarding confidential waste. OCR provided TA to the CE regarding accounting of disclosures. The CE assured OCR that the disclosures would be documented." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Healthcare Management System " "Business Associate" "Quantity[4330, ""People""]" "DateObject[{2013, 10, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Saint Louis University" "Healthcare Provider" "Quantity[3100, ""People""]" "DateObject[{2013, 10, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "BlackHawk" "Business Associate" "Quantity[7120, ""People""]" "DateObject[{2013, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "The covered entity (CE), MUSC Physicians & MUHA, learned on August 22, 2013, that the payment portal of its business associate (BA), Blackhawk Statement Group, had been hacked on June 30, 2013.The breach exposed the names, addresses, email addresses, and credit care information for 7,120 individuals. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website. In response to the breach, the CE changed its payment procedures to circumvent the BA and process credit card transactions directly with the processor. The BA patched the vulnerability in the software that was targeted by the hack and improved its network security.The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of protected health information (PHI) and required the BA to safeguard all PHI.OCR obtained assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Ferris State University - MI College of Optometry" "Healthcare Provider" "Quantity[3947, ""People""]" "DateObject[{2013, 10, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Access Counseling, LLC" "Healthcare Provider" "Quantity[566, ""People""]" "DateObject[{2013, 10, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Rose Medical Center" "Healthcare Provider" "Quantity[606, ""People""]" "DateObject[{2013, 10, 14}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "A newly hired janitorial service mistakenly disposed of information face sheets awaiting removal from the covered entity’s (CE) Breach Center to shredding bins before the face sheets could be shredded.The face sheets belonged to the CE, Rose Medical Center, a Hospital Corporation of America facility, and contained protected health information (PHI), including demographic information, social security numbers, insurance information, physician information and next of kin contact information for approximately 606 individuals. 
The CE provided timely written notice to affected individuals, HHS, and the media. As a result of OCR’s investigation, the CE instituted a new procedure whereby all documents containing PHI must be disposed of directly into secured shredding bins, rather than recycling bins. The CE also launched a company-wide initiative to implement improved procedures to safeguard social security numbers, such as removing the numbers from documents where possible, and minimizing the printing of documents containing such PHI. The CE also retrained staff on the HIPAA Privacy Rule. Finally, the CE’s Breast Center ceased printing duplicate face sheets and full social security numbers on face sheets." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "BriovaRx" "Healthcare Provider" "Quantity[1067, ""People""]" "DateObject[{2013, 10, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "An employee of the covered entity (CE) who later resigned effective July 17, 2013, emailed confidential documents from his company-issued laptop computer to his personal email account without authorization. The emailed data contained the protected health information (PHI) of approximately 1,067 individuals. The protected health information involved in the breach included first and last names, diagnoses, and medication names. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovery of the breach, the CE’s outside legal counsel contacted the employee and the employee’s new employer for assurances and affidavits prohibiting the involved employee or the employee’s new employer from transferring and/or disclosing sensitive confidential information and PHI, and later obtained a preliminary injunction motion. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Vermont"", ""UnitedStates""}]" "North Country Hospital and Health Center, Inc" "Healthcare Provider" "Quantity[550, ""People""]" "DateObject[{2013, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A former employee of the covered entity (CE), North Country Hospital and Health Center, retained possession of a retired unencrypted laptop computer that contained protected health information (PHI) following his termination on July 15, 2013. The types of PHI involved in the breach included electronically signed physician orders with dates and ordering providers’ names, as well as patient names, demographic information and clinical information, including diagnoses. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE installed removable disk encryption on all of its laptops as well as desktop computers that store PHI. It also revised the computer system and risk management policy. The CE also implemented a termination checklist and a termination procedure. OCR provided technical assistance to the CE regarding risk analysis. " "Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Hope Community Resources, Inc." 
"Healthcare Provider" "Quantity[1556, ""People""]" "DateObject[{2013, 10, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "A client contact list was inadvertently attached to a group email to parents and guardians of clients by an employee of the covered entity (CE), Hope Community Resources, affecting 1,556 individuals. The protected health information (PHI) involved in the breach included client names, contact information for client support persons, dates of birth, and internal identification numbers issued by the CE. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the responsible employee and improved safeguards by instituting a new quality measure for large mailings. Following OCR’s investigation, the CE updated its risk analysis through an outside vendor. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Broward Health Medical Center" "Healthcare Provider" "Quantity[960, ""People""]" "DateObject[{2013, 10, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Mount Sinai Medical Center" "Healthcare Provider" "Quantity[610, ""People""]" "DateObject[{2013, 10, 21}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health Presbyterian Dallas Hospital" "Healthcare Provider" "Quantity[949, ""People""]" "DateObject[{2013, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Ferris State University MI College of Optometry" "Healthcare Provider" "Quantity[3947, ""People""]" "DateObject[{2013, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" 
"Network Server" "False" "An unauthorized person evaded the network security of Ferris State University Michigan College of Optometry on December 1, 2011, and placed a malware program on the computer Ferris uses to operate its website, which had the technical ability to access its electronic files on certain network servers. The breach of electronic protected health information (ePHI) affected approximately 3,947 individuals and included patients' names, dates of birth, Social Security numbers, addresses, diagnoses/conditions, financial claims information, clinical information, and other treatment information. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and posted substitute notification of the breach incident on its website. The CE created a dedicated call center regarding the breach and also offered one year of free credit monitoring to individuals whose social security number was involved in the breach. Following the breach, the CE engaged an outside forensic security firm to conduct an internal investigation, installed the latest operating systems and patches to its network asset and web server, and applied the latest version of antivirus and malware on its servers. The CE verified the removal of ePHI from the application and archive files, worked with its customers to remove sensitive data, and blocked specific internet addresses from its networks. The CE also revised its policies and procedures addressing how it administratively, technically, and physically safeguards patients’ PHI. Additionally, the CE trained employees on its policies and procedures and documented its most recent risk analysis and corresponding risk management plan. OCR obtained documentation evidencing that the CE implemented the corrective actions listed. 
" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "none, Seton Healthcare Family" "Healthcare Provider" "Quantity[5500, ""People""]" "DateObject[{2013, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "OCR opened an investigation of the covered entity (CE), Seton Healthcare Family, after it reported that on October 4, 2013, an unencrypted laptop computer that contained the electronic protected health information (ePHI) of 5,500 patients was stolen from a clinic. The ePHI included patients' names, medical record numbers, account numbers, social security numbers, dates of birth, diagnoses, immunizations, and insurance information. The CE notified HHS, affected individuals, and the media in accordance with the Breach Notification Rule and provided free credit monitoring services for one year. The CE took a number of corrective actions to prevent future breaches. It implemented a full disk encryption policy to be applied prior to deployment of new computers, updated internal processes, and retrained staff on its updated processes. The CE also sanctioned and re-trained the workforce member involved in the breach, and confirmed the same was applied to the Dell IT technician involved with system upgrades, including encryption. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Bronx Lebanon Hospital Center" "" "Quantity[10930, ""People""]" "DateObject[{2013, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses for patients of the covered entity (CE), Bronx Lebanon Hospital Center. 
The CE that had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the protected health information (PHI) from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Martin Luther King Jr. Health Center, Inc." "" "Quantity[37000, ""People""]" "DateObject[{2013, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "A transcription company’s subcontractor misconfigured its server, such that search engines, such as Google, were able to locate the server and index the records on that machine, including names, dates of service, medical record number, dates of birth and types of procedures/diagnoses. Martin Luther King Jr. 
Health Center, the covered entity (CE) who had retained the transcription company, Professional Transaction Services (PTC), provided breach notification to HHS, affected individuals, and the media. Once the CE learned of the breach, it initiated an investigation and learned that PTC’s subcontractor immediately disabled the server, destroyed the hard drive that stored the PHI, and worked with Google to remove the PHI from the Google caches. The CE also engaged a technical consultant to conduct forensic analyses and work to ensure that affected patients’ records could no longer be found by the most commonly used internet search engines. The CE also terminated its relationship with PTC and engaged a new transcription company. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Good Samaritan Hospital" "Healthcare Provider" "Quantity[3833, ""People""]" "DateObject[{2013, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "SSM Health Care of Wisconsin DBA: St. 
Mary’s Janesville Hospital" "Healthcare Provider" "Quantity[631, ""People""]" "DateObject[{2013, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer containing protected health information (PHI) was stolen from the vehicle of a covered entity's (CE) workforce member. Approximately 633 individuals were affected by the breach. The PHI included patients' names, dates of birth, medical records, and account numbers. The CE immediately reported the laptop theft to the police. In response to the breach, the CE provided notice to HHS, the affected individuals, and the media. In addition, the CE encrypted all company laptops, re-trained each provider and employee in possession of a company laptop, and applied disciplinary policies to the employees involved in the incident. OCR obtained assurances that the covered entity implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "AHMC Healthcare Inc. and affiliated Hospitals" "Healthcare Provider" "Quantity[729000, ""People""]" "DateObject[{2013, 10, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Two unencrypted laptop computers containing the protected health information (PHI) of 729,000 individuals were stolen from a secure office on October 23, 2013. The types of PHI involved in the breach included financial information, diagnoses, conditions, treatment information, and demographic information. The covered entity (CE), AHMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented and maintained an encryption plan. It also developed policies and procedures regarding access to and receipt and removal of electronic PHI (ePHI). It also improved safeguards to reduce risks and vulnerabilities to ePHI. As a result of this investigation, OCR provided technical assistance to the CE regarding its obligations to implement and maintain policies and procedures that comply with the 
Privacy and Security Rules, conduct an accurate and thorough risk analysis, and implement a risk management plan. OCR also provided technical assistance regarding encryption." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Greater Dallas Orthopaedics, PLLC" "Healthcare Provider" "Quantity[5840, ""People""]" "DateObject[{2013, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Two computers containing files with dictated letters were stolen from the covered entity (CE), Greater Dallas Orthopaedics, PLLC. The protected health information (PHI) on the audio files included the names and medical information of approximately 5,840 individuals. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Spirit Home Health Care, Corp" "Business Associate" "Quantity[603, ""People""]" "DateObject[{2013, 10, 29}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Rotech Healthcare Inc." 
"Healthcare Provider" "Quantity[10680, ""People""]" "DateObject[{2013, 10, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop" "False" "A former employee of the covered entity (CE), Rotech, removed and retained electronic files from a company computer, some of which contained the protected health information (PHI) of employees in relation to the CE’s group health plan. The demographic, clinical and financial information of 10,680 individuals was affected by the breach. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE updated its policies and procedures regarding downloading of information from company-issued computers to external devices, retrieval of company-issued removable media from departing employees, and destruction of PHI and ePHI. The CE improved safeguards by disabling USB ports on most computers and encrypting all company laptops. Additionally, the CE conducted a HIPAA gap analysis, implemented a process for periodic analysis, and updated and secured the methods used to back up data. Finally, the CE obtained outside experts to assist in reviewing and enhancing HIPAA training and retrained employees. OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Reimbursement Technologies, Inc." "Healthcare Clearing House" "Quantity[2300, ""People""]" "DateObject[{2013, 10, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "An employee of the covered entity (CE), Reimbursement Technologies, Inc., impermissibly accessed the check images of approximately 2,300 patients. The protected health information (PHI) involved in the breach included personal check information, including bank routing numbers, names and addresses. Following the breach, the CE terminated the employee and reported the breach to the FBI for further investigation. 
The CE reviewed all the check images accessed and notified the guarantors and offered credit monitoring. The CE monitored employee check viewing, further identified vulnerabilities, and updated its HIPAA policies and procedures, including requiring the check imaging vendor to truncate bank routing numbers. The CE also improved safeguards by installing a new firewall. OCR obtained assurance that the covered actions listed above were completed." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Advocate Health and Hospitals Corporation" "Healthcare Provider" "Quantity[2237, ""People""]" "DateObject[{2013, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Comprehensive Psychological Services LLC" "Healthcare Provider" "Quantity[3500, ""People""]" "DateObject[{2013, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On October 28, 2013, the covered entity’s (CE) facility was broken into and an unencrypted laptop was stolen, affecting the demographic and clinical information of approximately 3,500 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE increased its facility’s physical security. The CE also upgraded its technology and improved safeguards by encrypting equipment and communication containing ePHI, implementing a networked file server and domain, and backing up client data to an encrypted cloud-based storage service. Pursuant to OCR’s recommendations, the CE modified its policies and training procedures." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Superior HealthPlan, Inc." "Health Plan" "Quantity[6284, ""People""]" "DateObject[{2013, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), Superior HealthPlan, Inc., mistakenly sent mail containing protected health information (PHI) to unrelated members. 
Approximately 6,284 individuals were affected. The PHI involved in the breach included names, addresses, and identification numbers. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. It also offered credit and identity theft protection to the affected parties. As a result of OCR’s investigation, the CE implemented procedures to improve accuracy of mailings. In addition, the CE improved safeguards by implementing a periodic audit to assure that IDs are matched to mailing addresses. " "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Genesis Rehabilitation Services" "Healthcare Provider" "Quantity[1167, ""People""]" "DateObject[{2013, 11, 1}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Two unencrypted flash drives containing the electronic protected health information (ePHI) of 1,167 individuals were stolen from a staff member’s office. The ePHI involved in the breach included names, dates of birth, treatment and diagnosis information, medical insurance identification numbers, and, in some instances, social security numbers. The covered entity (CE), Genesis Rehabilitation Services, provided breach notification to HHS, affected individuals, the media, and provided free credit monitoring. The CE retrained all staff members on its policies regarding encryption of flash drives. Additionally, OCR’s investigation resulted in the CE revising its HIPAA policies." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Colorado Health & Wellness, Inc." "Healthcare Provider" "Quantity[651, ""People""]" "DateObject[{2013, 11, 2}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Colorado Health and Wellness reported an alleged impermissible use of protected health information by an employee, affecting up to 651 individuals. 
OCR determined that a breach had not occurred and provided technical assistance to the covered entity." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Allina Health" "Healthcare Provider" "Quantity[3807, ""People""]" "DateObject[{2013, 11, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Barnabas Health Medical Group" "Healthcare Provider" "Quantity[1100, ""People""]" "DateObject[{2013, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "DaVita" "Healthcare Provider" "Quantity[11500, ""People""]" "DateObject[{2013, 11, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Blue Cross and Blue Shield of North Carolina" "Health Plan" "Quantity[687, ""People""]" "DateObject[{2013, 11, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On October 14, 2013, the covered entity (CE), Blue Cross Blue Shield of North Carolina, impermissibly disclosed the protected health information (PHI) of 687 individuals when an employee inadvertently mailed notices regarding policy changes to incorrect addresses. The PHI involved in the breach included names. The CE provided breach notification to HHS and affected individuals. Following the breach the CE sanctioned the responsible workforce member. As a result of OCR’s investigation, the CE provided media notice and established a toll-free number for affected individuals. Additionally, the CE improved safeguards by retraining employees and initiating a regular review of mailing procedures." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities" "Healthcare Provider" "Quantity[1315, ""People""]" "DateObject[{2013, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "The covered entity (CE), North Carolina Department of Health and Human Services Division of State Operated Health Care Facilities, impermissibly disclosed the protected health information (PHI) of 1,315 individuals by exposing their PHI on its website, NC Open Book, without authorizations. The PHI involved in the breach included patient payment information, names, addresses, and facility names, which were erroneously posted as vendor payments on the website. The CE removed the information from the website immediately upon discovery. The CE also provided breach notification to HHS, affected individuals, and the media, and placed substitute notice on its website. In addition, the CE provided a toll-free phone number for affected individuals to obtain additional information. Following the breach the CE implemented procedures limiting the types of personally identifiable information that are disclosed in the accounting system. Additionally, the CE improved safeguards for all HIPAA-related documents and email correspondence containing PHI. Finally, the CE implemented a procedure that requires prior review of any data being released to the public and redaction of confidential information. OCR obtained assurances that the corrective actions listed above were completed." "Entity[""Country"", ""PuertoRico""]" "Triple S Salud Inc." 
"Business Associate" "Quantity[13336, ""People""]" "DateObject[{2013, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "On November 8, 2013, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, reported to HHS that on September 23, 2013, they became aware that a vendor doing business with its business associate (BA), Triple-S Salud, disclosed protected health information (PHI) on the outside of a pamphlet mailed to beneficiaries on September 20, 2013. The PHI disclosed in the breach included the names, mailing addresses, and the health insurance claim numbers of 13,336 of the CE’s members. The CE and BA each provided breach notification to affected individuals and the CE provided breach notification to the media. As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and retrain its staff within a specified time." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Associated Urologists of North Carolina" "Healthcare Provider" "Quantity[7300, ""People""]" "DateObject[{2013, 11, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "On September 11, 2013, a patient of the covered entity (CE), Associated Urologists of North Carolina (AUNC), notified the CE that when he did an internet search for his name he was able to see a list identifying him as an AUNC patient. The CE investigated and discovered that protected health information (PHI) was accessible on the internet from September 17, 2012, to September 11, 2013, and that the breach was due to the way medical notes had been transcribed. An employee uploaded audio files and lists of patients’ names through a file transfer protocol (FTP) site to assist with transcription. 
The files included the names, dates of birth, phone numbers, referring physicians, chart numbers, and reasons for visits for 7,297 patients. In response to the incident, the CE immediately discontinued use of the FTP site, removed all of its files from the unsecure website, and contacted Google to have all cached copies of the files removed. The CE also provided breach notification to HHS, affected individuals, and the media and offered free credit monitoring and a toll free number to answer questions. The CE also reviewed its policies and retrained all staff on its data privacy and information security policies. Additionally, the CE partnered with a security contractor to develop and implement new policies and procedures to safeguard electronic PHI. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""NorthDakota"", ""UnitedStates""}]" "Kemmet Dental Design" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2013, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Hospice of the Chesapeake" "Healthcare Provider" "Quantity[7606, ""People""]" "DateObject[{2013, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "Contrary to the covered entity's (CE) established policy, an employee emailed spreadsheets containing the electronic protected health information (ePHI) of 7,035 patients to a personal email account, and a third party may have viewed the spreadsheets. The PHI included names, addresses, conditions, and diagnoses. Following the breach, the CE hired an independent computer forensics firm which conducted an independent investigation. 
The investigation uncovered another spreadsheet containing the PHI of 571 additional patients in the employee's personal email account. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. The CE applied sanctions for violating its policy and terminated the responsible employee. As a result of OCR's investigation, OCR obtained assurances that the CE has periodically conducted risk assessments to assess vulnerabilities to ePHI in its computer systems." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "All Source Medical Management" "Business Associate" "Quantity[1456, ""People""]" "DateObject[{2013, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Memorial Sloan-Kettering Cancer Center" "Healthcare Provider" "Quantity[2279, ""People""]" "DateObject[{2013, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Fitness Corporation" "Business Associate" "Quantity[3804, ""People""]" "DateObject[{2013, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An unencrypted company laptop was stolen from the car of the business associate’s (BA) employee. The laptop contained the protected health information (PHI) of 3,804 individuals and included employees’ and/or spouses’ names, birthdates, health plan election, and social security numbers. 
The covered entity (CE) provided breach notification to HHS and the BA provided breach notification to affected individuals and the media. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE trained employees and provided refresher training regarding mobile device encryption. The BA implemented a new certification process to ensure client owned mobile devices are encrypted. OCR obtained assurances that the corrective actions listed above were taken." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Fitness Corporation" "Business Associate" "Quantity[4837, ""People""]" "DateObject[{2013, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "UHS-Pruitt Corporation" "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2013, 11, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A manager's unencrypted laptop computer was stolen from a hotel parking lot which also included the employee's login and system password and the covered entity's (CE) long term care software application. The laptop contained 1,300 individuals' protected health information (PHI) and included names, social security numbers, addresses, dates of birth, bank account numbers, Medicare numbers, possible diagnoses, and patient locations. Following the breach, the CE changed the employee's password and performed an analysis to ensure no attempts had been made to access the system and long term care application using the prior account and password. The CE improved safeguards by encrypting electronic devices and employing devices that do not allow local storage. The CE has also re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. 
" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "United Dynacare, LLC dba Dynacare Laboratories" "Healthcare Provider" "Quantity[9328, ""People""]" "DateObject[{2013, 11, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "On October 22, 2013, the covered entity (CE) learned that one of its employees’ cars was stolen with a mobile data drive (“flash drive”) that stored a database with protected health information (PHI). The unencrypted flash drive contained the electronic PHI of approximately 9,328 individuals. The types of ePHI involved in the breach included patients’ names, addresses, birth dates, social security numbers, and gender. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned employees, improved safeguards related to encryption and mobile devices, updated and implemented policies and procedures, and retrained its workforce. The flash drive was recovered after the breach notifications were mailed. The forensic analysis of the recovered flash drive indicated that there was no evidence of unauthorized access of information. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Redwood Memorial Hospital" "Healthcare Provider" "Quantity[1039, ""People""]" "DateObject[{2013, 11, 19}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, San Francisco" "Healthcare Provider" "Quantity[8294, ""People""]" "DateObject[{2013, 11, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "New Jersey Department of Human Services" "Health Plan" "Quantity[9825, ""People""]" "DateObject[{2013, 11, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kaiser Foundation Hospital- Orange County" "Healthcare Provider" "Quantity[49000, ""People""]" "DateObject[{2013, 11, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Molina Healthcare of Texas, Inc." 
"Health Plan" "Quantity["""", ""People""]" "DateObject[{2013, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "The covered entity (CE), Molina Healthcare of Texas, Inc., inadvertently mailed Children Health Insurance Plan (CHIP) identification (ID) cards to the wrong households, affecting 2,826 individuals.This occurred due to a mismatch between program ID numbers in the CE’s system after the ID numbers were changed.The types of protected health information involved in the breach included names, addresses and other identifiers.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE re-programmed its software and re-issued ID Cards to the affected individuals.Additionally, the CE offered 12 months of free identity theft protection services.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Jones Chiropractic and Maximum Health" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2013, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Ronald Schubert MD PLLC" "Healthcare Provider" "Quantity[950, ""People""]" "DateObject[{2013, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A covered entity (CE) physician’s car was broken into while parked in a public non-work location and an unencrypted laptop computer under the seat was stolen. The electronic protected health information (ePHI) involved in the breach included addresses, birth dates, social security numbers and clinical information in password-protected electronic medical record software and affected 950 individuals.The CE filed a police report and notified practice partners.Breach notification was provided to HHS, affected individuals, and the media. 
Following the breach, the CE improved safeguards by encrypting all devices and media that store, access or transmit ePHI. As a result of OCR’s investigation, OCR provided technical assistance and the CE implemented a policy to formalize the procedures for safeguarding mobile devices. " "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "UPMC" "Healthcare Provider" "Quantity[1279, ""People""]" "DateObject[{2013, 11, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "UW Medicine, Privacy Manager - Breach" "Healthcare Provider" "Quantity[76183, ""People""]" "DateObject[{2013, 11, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations.UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine.Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group.The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.The U.S. 
Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization’s IT system, affecting the data of two different groups of patients: 1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and 2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, insurance identification or Medicare numbers. OCR’s investigation indicated UWM’s security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments. “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html HHS offers guidance on how your organization can conduct a HIPAA Risk
Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "City of Chicago" "Healthcare Provider" "Quantity[2080, ""People""]" "DateObject[{2013, 11, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "The covered entity (CE) mistakenly permitted protected health information (PHI) to be viewable on the Internet when users uploaded files without changing the default permission settings for the folders containing the files. As a result, Google was able to detect and cache the PHI in the uploaded folders. Approximately 2,080 individuals were affected by this breach. The types of PHI involved in the breach included students’ names, birthdates, genders, identification numbers, vision exam dates, diagnoses, and schools. The CE provided breach notification to HHS, the parents and guardians of affected individuals, and the media. It also posted notice on its website. The CE took action to remove the files containing PHI from its network and compiled a list of files along with the associated unique record locator numbers (URLs) and cached URLs. The CE contacted Google to request removal of the data from the cache and the archives, and Google confirmed that the data was removed. OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "American Anesthesiology, Inc." 
"Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2013, 12, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity’s (CE) business associate (BA), Financial Imaging, LLC, erroneously mailed 1,000 patient invoices to the wrong patients.The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, and procedures performed.The BA sent breach notification letters to affected individuals and reimbursed the CE for all costs associated with breach notification it provided to the media.Following the breach, the BA revised its quality assurance process to ensure the accuracy of future print jobs and counseled and retrained the staff involved in the breach.The CE had a BA agreement in place and policies that were in compliance with the HIPAA Rules.OCR obtained assurances that CE and BA implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Medical Mutual of Ohio" "Health Plan" "Quantity[643, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Quality Health Claims Consultants, LLC" "Business Associate" "Quantity[1573, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "True" "The Covered Entity's (CE) Business Associate (BA) mailed letters to their clients to request certain documents containing identifying information. An erroneous fax number listing caused some clients to fax their information to the wrong number.Approximately 1,573 individuals were affected by the breach.The protected health information (PHI) involved included names, addresses, dates of birth, and social security numbers.Following the breach, the BA confirmed that any faxes sent to the incorrect fax number were destroyed. 
The BA also standardized all company literature to require manual data entry of client-specific contact information to assure quality control. OCR provided information to assist the CE to revise its BA agreement." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "SIU HealthCare" "Healthcare Provider" "Quantity[1891, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "The Good Samaritan Health Center" "Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "One of the covered entity's (CE) computers was infected with malware and as a result, data on the infected computer was encrypted and made inaccessible. The CE subsequently restored the infected data. The type of protected health information (PHI) involved in the breach was clinical information and included diagnoses/conditions, lab results, medications, and other treatment information for approximately 5,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff, implemented additional safeguards for secure file backup, and upgraded its antivirus software. In response to OCR’s investigation, the CE provided substitute notice of the breach. OCR provided the CE with technical assistance regarding the Security Rule including risk analysis and risk management." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "PruittHealth Corporation" "Healthcare Provider" "Quantity[4500, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." 
"Healthcare Provider" "Quantity[17350, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Methodist Dallas Medical Center" "Healthcare Provider" "Quantity[44000, ""People""]" "DateObject[{2013, 12, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Digestive Health Specialists" "Healthcare Provider" "Quantity[4400, ""People""]" "DateObject[{2013, 12, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "A patient scheduler at one of the covered entity’s (CE) small subsidiary offices impermissibly accessed the electronic health record (EHR) system via a virtual private network (VPN) and took photographic images of patient data, which she tried to download for printing at Wal-Mart. She accessed the records of about 4,400 patients and photographed those of 430. The protected health information (PHI) involved in the breach included names, addresses, dates of birth, social security numbers, and telephone numbers. The suspect behavior at Wal-Mart was investigated by the County Sheriff, who informed the CE of the breach. The CE provided partial breach notification to affected individuals, HHS, the media, and provided substitute notice on its website. Following the breach, the CE discharged the workforce member and terminated her access to the EHR. The CE updated its privacy and security plan and employee handbook.In addition, the CE improved safeguards by limiting access to its VPN to providers and administrators, and instituted routine weekly audits of EHR system use. After OCR began its review, the covered entity retrained the office manager and the provider who had been at the office where the breach occurred. 
As a result of OCR’s investigation the CE received technical assistance on the complete requirements for breach notifications." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Northside Hospital, Inc." "Healthcare Provider" "Quantity[4879, ""People""]" "DateObject[{2013, 12, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "A password-protected, unencrypted laptop was lost or stolen when a Northside Hospital (NSH) workforce member inadvertently left it on the hood of her car while parked. The laptop contained the electronic protected health information (ePHI) of 4,879 individuals. The ePHI involved in the breach included patients’ names, account numbers, billing dates, diagnoses and/or diagnosis codes, and lab results. The covered entity (CE), NSH, provided breach notification to HHS, affected individuals, and the media and provided substitute notification. Following the breach, the CE encrypted all its ePHI. As a result of OCR’s investigation, the CE also revised its HIPAA policies regarding mobile devices and breach notification, and implemented other safeguards. " "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Health Help, Inc." 
"Healthcare Provider" "Quantity[535, ""People""]" "DateObject[{2013, 12, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce member's unlocked personal vehicle parked at home.The ePHI involved in the breach included names and birthdates.Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media.Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices.The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy.OCR obtained assurances that the CE implemented the corrective action listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "L.A. 
Gay & Lesbian Center" "Healthcare Provider" "Quantity[59000, ""People""]" "DateObject[{2013, 12, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Mosaic" "Healthcare Provider" "Quantity[3857, ""People""]" "DateObject[{2013, 12, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE), Mosaic, discovered multiple employee email accounts that had fallen victim to a phishing attack.The affected e-mail accounts contained the following types of protected health information (PHI): clients’ names, dates of birth, addresses, telephone numbers, government–issued identification numbers, medical record numbers, insurance identification numbers, payment information, Medicaid and Medicare numbers, and in some instances social security numbers. This breach affected approximately 3,857 individuals.The CE provided breach notification to HHS, affected individuals, and the media.The CE responded to the breach by blocking the IP address which was the source of the phishing scam, contacting the proper authorities to investigate possible criminal infractions, providing phishing scam awareness training, and changing its email practices. As a result of OCR’s investigation, the CE updated its HIPAA policies, created additional training material, and changed its training practices." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Island Peer Review Organization" "Business Associate" "Quantity[9642, ""People""]" "DateObject[{2013, 12, 12}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Molina Healthcare In" "Business Associate" "Quantity[1499, ""People""]" "DateObject[{2013, 12, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "A business associate (BA), Molina Healthcare of Virginia, for the covered entity (CE), Fairfax County, Virginia, used a subcontractor, Health Business Systems, Inc. (HBS), a subsidiary of Catamaran/HBS. An employee of HBS placed a pharmacy claims report containing the protected health information (PHI) of 1,499 individuals in a non-secured file transfer protocol (FTP) site when troubleshooting issues during a systems conversion. Upon discovering the breach, Catamaran/HBS notified the BA, conducted a thorough investigation and removed the file from the non-secure server. A copy of the file was encrypted and password protected. The CE provided breach notification to HHS. Affected individuals were offered free identity theft protection. Following this breach, Catamaran/HBS retrained employees, updated its security software and enabled an alert feature when files containing potential PHI are saved on an FTP server. OCR obtained written assurance that the CE implemented the corrective action listed above. 
" "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Wyoming Department of Health" "Health Plan" "Quantity[11935, ""People""]" "DateObject[{2013, 12, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Shiloh Medical Clinic" "Healthcare Provider" "Quantity[1900, ""People""]" "DateObject[{2013, 12, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Email" "False" "The covered entity (CE) reported an alleged impermissible use of protected health information (PHI), affecting approximately 1,900 individuals, by an employee.The PHI involved included patients’ demographic information.OCR determined that a breach had not occurred and provided technical assistance to the CE on the minimum necessary standard and reasonable safeguards." "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "DeLoach & Williamson" "Business Associate" "Quantity[3432, ""People""]" "DateObject[{2013, 12, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "DeLoach & Williamson's (a business associate (BA) for South Carolina Health Insurance Pool) employee's car was broken into and her password-protected company laptop computer was stolen which contained the electronic protected health information (ePHI) of 3,432 individuals. 
The ePHI involved in the breach included social security numbers, names, dates of service, and provider identification numbers. The BA provided breach notification to the covered entity, affected individuals, and HHS. The covered entity provided breach notification to the media. Following the breach, the BA immediately launched an internal investigation and retrained the subject employee on the company's policies on privacy and security of electronic information. Prior to the incident, the BA had decided to dissolve the company and it ceased operations by December 2013. The BA intends to legally file for dissolution in December 2014. " "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Wyoming Department of Health" "Health Plan" "Quantity[11935, ""People""]" "DateObject[{2013, 12, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Colby DeHart" "Business Associate" "Quantity[2777, ""People""]" "DateObject[{2013, 12, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "On October 21, 2013, an unencrypted laptop computer belonging to a Tennova Cardiology business associate (BA) was stolen from a vehicle. The laptop contained the protected health information (PHI) of 2,777 individuals, and included patient names, dates of birth, dates of service, names of referring physicians, and health information about treatment and diagnostic procedures. The CE provided breach notification to HHS, affected individuals, and the media. In response to this breach, the covered entity (CE) conducted an encryption assessment of laptop computers with user system access to PHI and then encrypted all laptop computers. The CE reviewed its policies, retrained staff, and implemented an encryption policy. The CE also terminated the BA agreement and moved the work in-house. OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "ZDI" "Business Associate" "Quantity[1674, ""People""]" "DateObject[{2013, 12, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "This case, along with two companion cases, involved data lost due to damage and/or opening of priority mail during processing and transit through the United States Post Office.In this case, potentially 1,700 individuals may have been affected.The types of protected health information (PHI) involved in the breach included names, social security numbers, group names, and group numbers.The data was not recovered.The covered entity (CE), Delta Dental of Pennsylvania, provided breach notification to HHS, affected individuals, and the media.It also took immediate and appropriate steps to mitigate potential damages to individuals and to reduce the likelihood of recurrence.From December 2013 to case closure in September 2015, no further incidents occurred, and OCR determined that the CE’s corrective actions were effective." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Molina Healthcare of Texas, Inc." "Health Plan" "Quantity[2826, ""People""]" "DateObject[{2013, 12, 21}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Rob Meaglia, DDS" "Healthcare Provider" "Quantity[1400, ""People""]" "DateObject[{2013, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Jeff Spiegel" "Healthcare Provider" "Quantity[832, ""People""]" "DateObject[{2013, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Dr. 
Jeffrey Spiegel’s practice, the covered entity (CE), mistakenly sent a promotional email to approximately 500 patients with an attachment that included the email addresses of 832 patients. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE instituted a new procedure that requires two employees to proof promotional emails prior to sending.OCR obtained assurances that corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Tranquility Counseling Services" "Healthcare Provider" "Quantity[1683, ""People""]" "DateObject[{2013, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Department of Health" "Healthcare Provider" "Quantity[2354, ""People""]" "DateObject[{2013, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Barry University" "Healthcare Provider" "Quantity[9017, ""People""]" "DateObject[{2013, 12, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Laptop, Network Server" "False" "Barry University, the covered entity (CE), discovered on May 13, 2013, that a laptop was infected with malware.The protected health information (PHI) for 8,741 individuals was potentially exposed, including names, dates of birth, social security numbers, driver’s license numbers, banking/credit card information, medical record numbers, health insurance information, diagnoses, and treatment information.Due to a lengthy investigation, the CE performed its breach notification obligations outside of the 60 day timeframe required by the Breach Notification Rule.OCR provided technical assistance to the CE on this topic.Although late, the CE provided breach notification to HHS, affected 
individuals, and the media, as well as on its website.In response to the breach, the CE retained a compliance consultant, performed a risk assessment, revised its policies and procedures, improved its training program and implemented additional technical safeguards.OCR obtained assurances that it has implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "New Mexico Oncology Hematology Consultants, LTD" "Healthcare Provider" "Quantity[12354, ""People""]" "DateObject[{2013, 12, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), New Mexico Oncology Hematology Consultants, reported the November 13, 2013, theft of a laptop computer from its Albuquerque office.The unencrypted laptop contained the protected health information (PHI) of 12,354 individuals including patients' names, medical record numbers, dates of birth, addresses, telephone numbers, clinical testing results, diagnoses, treatment information, and insurance information.Following discovery of the breach, the CE strengthened its security program by conducting a new risk analysis, implementing additional physical safeguards, and encrypting mobile devices.It also revised administrative policies and retrained staff.The CE provided breach notification to HHS, the media, and affected individuals.OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Colorado Community Health Alliance (CCHA)/Physicians Health Partners" "Business Associate" "Quantity[1918, ""People""]" "DateObject[{2014, 1, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates" "Business Associate" "Quantity[839711, ""People""]" "DateObject[{2014, 1, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Phoebe Putney Memorial Hospital" "Healthcare Provider" "Quantity[6989, ""People""]" "DateObject[{2014, 1, 3}, ""Day"", ""Gregorian"", -5.]" "Loss" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Coulee Medical Center" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2014, 1, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email, Laptop, Network Server" "False" "The covered entity (CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization.The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals.The CE provided breach notification to HHS and affected individuals.Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training.As a result of OCR's investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI.OCR provided the CE with technical assistance regarding 
what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "RevSpring, Inc." "Business Associate" "Quantity[3000, ""People""]" "DateObject[{2014, 1, 6}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "True" "Due to a printing error at the covered entity’s (CE) business associate (BA), RevSpring, Inc., patients received billing statements containing other patients’ protected health information (PHI).The breach affected approximately 3,000 individuals.The types of PHI involved in the breach included names, account numbers, balances owed, procedure codes, procedure descriptions, providers’ names, and dates of services.Following the breach, the CE obtained assurances from the BA that additional safeguards would be implemented to prevent future disclosures. OCR reviewed the CE’s policies and procedures to ensure compliance with the Privacy and Security Rules." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "North Carolina Department of Health and Human Services " "Health Plan" "Quantity[48752, ""People""]" "DateObject[{2014, 1, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "101 Family Medical Group, Privacy Manager Breach" "" "Quantity[2500, ""People""]" "DateObject[{2014, 1, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A laptop computer owned by Phressia, Inc., a business associate (BA) of the covered entity (CE), Family Medical Group, was stolen from the parked car of a Phreesia workforce member.In violation of the BA’s policies and procedures, both the hard drive of the laptop, and the workforce member’s Dropbox account, which was accessible through the laptop, contained the electronic protected health information (ePHI) of approximately 2,500 patients. The types of PHI involved in the breach included patients’ names, addresses, identification numbers, phone numbers, email addresses, dates of birth, social security numbers, and insurance identification numbers.Following the breach, the BA sanctioned the responsible workforce member and retrained workforce members on its privacy and security policies and procedures. The CE provided breach notification HHS, affected individuals, and the media. In response to OCR's investigation, the BA updated its policies and procedures on device and media controls and employee sanctions." 
"Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Tri Lakes Medical Center" "Healthcare Provider" "Quantity[1489, ""People""]" "DateObject[{2014, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Virginia Premier Health Plan (VPHP)" "Business Associate" "Quantity[25513, ""People""]" "DateObject[{2014, 1, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Virginia Premier Health Plan, a business associate (BA) of the covered entity (CE), Virginia Department of Medical Assistance Services (VA-DMAS), mailed incorrect postcards to Virginia Medicaid members.The breach included 13,357 postcards that were mailed to the wrong address and 12,156 postcards that contained incorrect services information.The information did not include social security numbers or financial information.The BA provided breach notification to HHS, the media, and to affected individuals in English and Spanish.Following this breach, the BA improved safeguards by retraining employees on safeguards for protected health information, updating procedures for mailings, and implementing additional quality control checks. OCR obtained assurances that the BA implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Cook County Health & Hospitals System" "Healthcare Provider" "Quantity[22511, ""People""]" "DateObject[{2014, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "The covered entity (CE), Cook County Health and Hospital Systems, reported that on November 12, 2013, as part of a public health project between the CE and another academic medical center, a physician at the CE sent an unencrypted email with an excel attachment to a collaborator outside the CE’s firewall.The attachment contained the protected health information (PHI) of 22,511 individuals.The attachment was not encrypted as required by organizational policy.The types of PHI involved in the breach included demographic information and lab results. The CE provided breach notification to HHS, affected individuals, and the media. The CE disciplined the employee with a 14 day suspension, implemented a new email security program, and retrained its employees and staff on the program. OCR obtained documentation from the CE that it implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Southwest General Health Center" "Healthcare Provider" "Quantity[953, ""People""]" "DateObject[{2014, 1, 13}, ""Day"", ""Gregorian"", -5.]" "Unknown" "Other" "False" "The covered entity (CE) misplaced a binder containing the protected health information (PHI) of approximately 953 individuals from its Maternity Unit.The PHI involved in the breach included names, dates of birth, medical record numbers and limited clinical information.The CE provided breach notification to affected individuals, HHS, and the media.To prevent a similar breach from occurring in the future, the covered entity strengthened its physical safeguards and retrained employees on safeguarding PHI.OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "RGH Enterprises, Inc." "Health Plan" "Quantity[4230, ""People""]" "DateObject[{2014, 1, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website.The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers.Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised " "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Network Pharmacy Knoxville" "Healthcare Provider" "Quantity[9602, ""People""]" "DateObject[{2014, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Alamo Consumer Direct, LLC" "" "Quantity["""", ""People""]" "DateObject[{2014, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Saint Francis Hospital and Medical Center" "Healthcare Provider" "Quantity[858, ""People""]" "DateObject[{2014, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Sentara Healthcare" "Healthcare Provider" "Quantity[3861, ""People""]" "DateObject[{2014, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Two former employees of the covered entity (CE), Sentara Healthcare, accessed protected health information (PHI) outside of their normal job 
duties and used this information to process fraudulent tax returns. The US Attorney’s office investigated the matter and both individuals received prison sentences. The breach report indicated that the PHI of approximately 3,645 individuals was involved in the breach; however, the CE verified that the final count of affected individuals was 3,891. The CE provided breach notification to HHS, affected individuals, and the media. The CE also offered complimentary credit monitoring and identity theft protection services to all eligible individuals. Following this incident, the CE increased safeguards by installing a new software system to help monitor and detect inappropriate access to its electronic medical records system, updated its security policies and procedures, re-trained employees, and initiated steps to address and mitigate the issues identified in its 2014 risk analysis. OCR obtained assurances that the corrective actions listed above were completed and/or initiated as described." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Health Dimensions" "Healthcare Provider" "Quantity[5370, ""People""]" "DateObject[{2014, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "COMPLETE MEDICAL HOMECARE" "Healthcare Provider" "Quantity[1700, ""People""]" "DateObject[{2014, 1, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Hospital for Special Surgery" "Healthcare Provider" "Quantity[937, ""People""]" "DateObject[{2014, 1, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "The Brooklyn Hospital Center" "Healthcare Provider" "Quantity[2172, 
""People""]" "DateObject[{2014, 1, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Geisinger Bloomsburg Hospital" "Healthcare Provider" "Quantity[3101, ""People""]" "DateObject[{2014, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Archived protected health information (PHI) for 3,101 individuals could not be located by the CE, Geisinger Bloomsburg Hospital, after it was acquired by Geisinger, although copies of the PHI were available.There was no evidence that the PHI had been impermissibly disclosed or stolen.OCR provided the CE with information on what constitutes a breach under the Breach Notification Rule.The CE posted notice on its website and notified the media and patients although there was no indication that PHI had been accessed, used, or disclosed.The CE also re-trained staff on safeguards and proper disposal of PHI and stated that additional corrective steps would be taken to reinforce privacy practices in its new facility. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Robert B. Neves, M.D." "Business Associate" "Quantity[611, ""People""]" "DateObject[{2014, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "" "Missing[""NoInput""]" "Triple-S Salud, Inc. - Breach Case#2" "Health Plan" "Quantity[398000, ""People""]" "DateObject[{2014, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. 
Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. 
OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. 
Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”" "Entity[""Country"", ""PuertoRico""]" "Triple-C, Inc." "Business Associate" "Quantity[8000, ""People""]" "DateObject[{2014, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Birmingham Printing and Publishing, Inc dba Paper Airplane" "Business Associate" "Quantity[1085, ""People""]" "DateObject[{2014, 1, 24}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "True" "On September 6, 2013, the covered entity (CE) discovered that its business associate (BA) had mislabeled invitations for an event for cancer survivor patients. While the address was correct, the name on the envelope was incorrect for 1,085 individuals. The BA re-sent the invitations to the correct names and addresses with a letter explaining the mistake to the affected individuals. In response to the breach, the CE terminated its business relationship with the BA and changed to processing bulk mailings in-house. Although the CE had a policy in place before the breach that clearly outlined breach notification requirements, the CE did not perform media notification after this breach. OCR provided technical assistance on this topic. In addition, OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Medical Mutual of Ohio" "Business Associate" "Quantity[1420, ""People""]" "DateObject[{2014, 1, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "University of Wisconsin-Madison School of Pharmacy" "Business Associate" "Quantity[41437, ""People""]" "DateObject[{2014, 1, 30}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The University of Texas MD Anderson Cancer Center" "Healthcare Provider" "Quantity[3598, ""People""]" "DateObject[{2014, 1, 31}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Presence Health " "Healthcare Provider" "Quantity[836, ""People""]" "DateObject[{2014, 1, 31}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Delaware"", ""UnitedStates""}]" "Beebe Medical Center" "Healthcare Provider" "Quantity[1883, ""People""]" "DateObject[{2014, 1, 31}, ""Day"", ""Gregorian"", -5.]" "Other" "Laptop" "False" "The covered entity (CE), Beebe Physician Network, learned that a temporary contractor handling the electronic protected health information (ePHI) of 1,883 individuals had previously been arrested for identity theft.The ePHI included social security numbers, driver’s license numbers, and other demographic information.Although no inappropriate access was identified, the CE learned that the contractor had been convicted of 5 counts of identity theft in the state of Pennsylvania in 2009, while working in a physician practice.The CE provided substitute notice and provided breach notification to HHS and the media.The 
CE offered one year of free identity theft monitoring and insurance to affected individuals. Following this breach, the CE reviewed its policies and procedures, worked with electronic medical record vendors to enhance its reports mechanisms, and re-assessed its requirements for staffing agencies. As a result of OCR’s investigation, the CE revised its procedures regarding background checks for newly employed staff." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "St Joseph Health System" "Healthcare Provider" "Quantity[405000, ""People""]" "DateObject[{2014, 2, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "A computer server containing the records of 405,124 patients of the covered entity (CE), St. Joseph Health System, was hacked during a power surge. The electronic protected health information (ePHI) on the server included names, dates of birth, social security numbers, medical information, bank account information, and addresses. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved administrative and technical security and developed and revised policies and procedures addressing the breach. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Min Yi, M.D." "Healthcare Provider" "Quantity[4676, ""People""]" "DateObject[{2014, 2, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "A desktop computer hard drive and a backup external hard drive containing the electronic protected health information (ePHI) of 4,676 individuals were stolen from the office of the covered entity (CE), Dr. K. 
Min Yi. The ePHI on the external hard drive included names, addresses, phone numbers, insurance identification numbers, social security numbers, checking account information, medical and surgical information, diagnosis and procedure codes, and dates of birth. The CE provided breach notification to HHS, the media, and affected individuals, and provided credit monitoring to patients who contacted her with privacy concerns. In response to the breach the CE improved physical safeguards, implemented revised administrative policies and encrypted ePHI. OCR’s investigation resulted in the CE improving its HIPAA practices." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Easter Seal Society of Superior California, Privacy Manager Breach" "" "Quantity[3026, ""People""]" "DateObject[{2014, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A work-issued laptop computer containing 3,026 clients’ protected health information (ePHI) was stolen out of an employee’s locked car. The types of ePHI involved in the breach included financial, demographic, and clinical information. The covered entity’s (CE) investigation revealed that, although the computer was powered off, password protected and not connected to the internet at the time of the theft, e-mails containing the respective e-PHI could still be accessed. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. It also provided affected individuals with one free year of credit monitoring and restoration, tips on protecting against ID theft, and a confidential privacy line to call with questions or concerns. Upon learning of the theft, the CE launched an internal investigation, hired specialized data security counsel to assist in responding to the incident, and retained external forensic experts to assist in determining the scope of the breach. The CE improved safeguards by reviewing its privacy and security policies and procedures, 
implementing a risk mitigation plan that reflects the current work environment, encrypting its laptop computers, and updating its policies and procedures on portable/mobile devices. It also retrained workforce members. OCR provided technical assistance regarding the HIPAA Security Rule requirements and obtained written documentation that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "PruittHealth Pharmacy Services" "Healthcare Provider" "Quantity[841, ""People""]" "DateObject[{2014, 2, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A manager's unencrypted laptop computer was stolen from the back seat of an employee's car. The laptop contained the protected health information (PHI) of 841 individuals and included names, possible diagnoses, prescription names, dates of service, and service locations. The covered entity (CE) has improved safeguards by encrypting devices and employing devices that do not allow local storage. The CE has also revised its privacy and security policies and re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. 
" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Kmart Corporation" "Healthcare Provider" "Quantity[16446, ""People""]" "DateObject[{2014, 2, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "WA State Department of Social & Health Services" "Health Plan" "Quantity[3104, ""People""]" "DateObject[{2014, 2, 11}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE) erroneously sent mail to 3,104 clients at incorrect addresses due to a coding error in an internal database. The protected health information (PHI) contained in the mailing may have included clients’ names, addresses, and client identification numbers, and some letters also included dates of birth, social security numbers, diagnoses, and financial information. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE hired a firm to conduct an independent evaluation of the data breach to identify and correct the root causes of this incident. The CE formed a Quality Improvement Team to increase oversight of production and ensure that quality assurance processes are strictly followed. As a result of OCR’s investigation, OCR provided technical assistance on the timeliness of notifications and incident reporting and obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Lewis J. 
Sims, DPM, PC dba Sims and Associates Podiatry " "Healthcare Provider" "Quantity[6475, ""People""]" "DateObject[{2014, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Other, Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "University of Miami" "Healthcare Provider" "Quantity[13074, ""People""]" "DateObject[{2014, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Supportive Concepts for Families, Inc." "Healthcare Provider" "Quantity[593, ""People""]" "DateObject[{2014, 2, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "The CE inadvertently made an internal database containing the electronic protected health information (ePHI) of 593 individuals accessible on the Internet. The ePHI involved in the breach included names, dates of birth, social security numbers, addresses, dates of services, and customer service notes. The CE immediately removed the database from the Internet and secured it against further unauthorized disclosures. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice online. Following the breach, the CE provided further HIPAA training to its staff and sanctioned the responsible employees. The CE also took measures to reduce the vulnerabilities identified in its most recent risk analysis. As a result of OCR’s " "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Health Care Solutions at Home Inc." 
"Health Plan" "Quantity[1139, ""People""]" "DateObject[{2014, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "The covered entity (CE) mistakenly mailed protected health information (PHI) to the wrong addresses of approximately 1,139 individuals following a computer error at the business associate (BA).The PHI involved in the breach included names, addresses, dates of birth, dates of service, claims information, and diagnoses.The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website.To prevent a similar breach from happening in the future, the CE and BA improved safeguards by updating policies to require multiple reviews of PHI in mailings.Following OCR's investigation, the CE updated its policies and procedures relating to the minimum necessary standard." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California Davis Medical Center" "Healthcare Provider" "Quantity[2269, ""People""]" "DateObject[{2014, 2, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St. 
Vincent Hospital and Healthcare, Inc" "Healthcare Provider" "Quantity[1142, ""People""]" "DateObject[{2014, 2, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[10024, ""People""]" "DateObject[{2014, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "On February 21, 2014, StayWell Health Management, LLC, a business associate (BA) of the covered entity (CE), Missouri Consolidated Health Care Plan, erroneously made a spreadsheet accessible via an electronic link on the internet. The spreadsheet included participants’ complete names, email addresses, unique internal identification numbers, current status in the wellness program, information regarding email notifications, and whether a participant had completed two program surveys. Approximately 10,024 individuals were affected by the breach. The BA provided breach notification to affected individuals and the media. The CE provided breach notification to HHS. Following the breach, the CE ensured that the BA removed the spreadsheet from public accessibility via the internet and implemented the use of a legacy system in order to safeguard electronic protected health information (ePHI) in transit. The CE also updated its Privacy and Security Policy, to include encryption standards for safeguarding data in process, in transit, and at rest. OCR obtained documented assurances that the CE and BA implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[520, ""People""]" "DateObject[{2014, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[4786, ""People""]" "DateObject[{2014, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "StayWell Health Management, a business associate (BA) for multiple covered entities (CE), reported that, from March 29, 2012, until January 21, 2014, spreadsheets containing the protected health information (PHI) of 19,474 individuals who participated in wellness programs were unintentionally available online when an internal administrative tool generated reports and placed those reports in a public facing folder. The types of PHI on the spreadsheets included the participants’ names, email addresses, unique BA identification numbers, and information about participation in the program. The BA provided breach notification to HHS, affected individuals, and the media on behalf of the CEs affected by the breach: Regents of the University of Minnesota, Missouri Consolidated Health Care Plan, Clorox Company Group Insurance Plan, Nissan North America, Inc., and QBE Holdings, Inc. Upon discovery of the breach, the BA upgraded its platform and revised and implemented its policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above. Steps were also taken to restrict access to and to remove the data entirely from Google, Bing, Yahoo, and other search engines. Separate breach cases have been opened for each of the affected CEs. " "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Inspira Health Network Inc." 
"Healthcare Provider" "Quantity[1411, ""People""]" "DateObject[{2014, 2, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[1511, ""People""]" "DateObject[{2014, 2, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Care Advantage, Inc." "Healthcare Provider" "Quantity[3458, ""People""]" "DateObject[{2014, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), Care Advantage, Inc., experienced a break-in at a satellite office and the theft of 4 laptops.The laptops, which were password protected, contained the electronic protected health information (ePHI) relating to information used in a web based scheduling program. The breach report indicated that 3458 individuals were affected. Upon discovering the breach, the CE’s investigation revealed that the actual number of affected individuals was 420.The CE provided breach notification to HHS, and affected individuals and also posted notice of the incident on its website.Following the breach, the CE assessed and updated its HIPAA security policy, and conducted employee training. As a result of OCR’s investigation, OCR obtained written assurance that the CE has implemented the corrective action steps listed above." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Pair Networks Inc." 
"Business Associate" "Quantity[8845, ""People""]" "DateObject[{2014, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "The Kroger Co., for itself and its affiliates and subsidiaries" "Healthcare Provider" "Quantity[504, ""People""]" "DateObject[{2014, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Other" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Cornerstone Health Care, PA" "Healthcare Provider" "Quantity[548, ""People""]" "DateObject[{2014, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Joseph Michael Benson M.D" "Healthcare Provider" "Quantity[7500, ""People""]" "DateObject[{2014, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Data Media" "Business Associate" "Quantity[600, ""People""]" "DateObject[{2014, 2, 28}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Eureka Internal Medicine" "Healthcare Provider" "Quantity[3534, ""People""]" "DateObject[{2014, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "St. 
Joseph Health System" "Business Associate" "Quantity[3300, ""People""]" "DateObject[{2014, 3, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Banner Health" "Healthcare Provider" "Quantity[55207, ""People""]" "DateObject[{2014, 3, 5}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "PracMan, Inc." "Business Associate" "Quantity[1145, ""People""]" "DateObject[{2014, 3, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "On January 10, 2014, a business associate (BA), PracMan, Inc., of two covered entities (CE), Monarch Women’s Health (Monarch) and Punuru J.M. Reddy, M.D., Inc. (Dr. Reddy), impermissibly disclosed the protected health information (PHI) of the CEs’ patients when the BA’s technology subcontractor, MASHNet, copied and stored computer files in error on an unsecured server.The PHI included demographic, clinical, and financial information, including names, account numbers, insurance providers, procedures, diagnoses, social security numbers (SSN), and account balances affecting approximately 1,179 of Dr. 
Reddy’s patients and approximately 1,145 of Monarch’s patients.The BA provided breach notification to HHS, affected individuals, and the media.It also established a toll-free number and website dedicated to providing information regarding the breach, and offered one year of free credit monitoring to individuals whose SSN was potentially exposed online.In response to the breach, the BA engaged a third party to perform a risk analysis of its operations and updated its privacy and security policies.The BA ensured that the data was removed from the unsecured server and all cached copies of links to the PHI were removed.OCR obtained assurances that the BA implemented the corrective actions listed above.Additionally, the BA terminated its relationship with the subcontractor and restructured its corporate network." "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "PracMan, Inc." "Business Associate" "Quantity[1179, ""People""]" "DateObject[{2014, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Iowa Dept. of Human Services" "Health Plan" "Quantity[2042, ""People""]" "DateObject[{2014, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Other" "Email, Laptop, Other Portable Electronic Device" "False" "Employees of the covered entity (CE), Iowa Department of Human Services, used personal email accounts, personal online storage accounts and personal electronic devices for work purposes. 
From February 5, 2010 to January 17, 2014, the protected health information (PHI) of 2,042 individuals was transferred outside of the CE’s secure network in this manner.The types of information included names, mailing addresses, social security numbers, state ID numbers, dates of birth, PHI obtained during case assessment, and incident information.The CE stated that it notified affected individuals and media and also offered free credit monitoring to the affected individuals.OCR has consolidated this breach with another breach involving this CE." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mission City Community Network" "Healthcare Provider" "Quantity[7800, ""People""]" "DateObject[{2014, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "In violation of the employer’s policies, a workforce member of the covered entity (CE), Mission City Community Network, Inc., sent an unsecured email to a business associate (BA) containing the protected health information (PHI) of 7,800 individuals.The PHI included names, addresses, dates of birth, and insurance information.During the investigation, OCR determined that the disclosure to the BA for payment purposes was permissible, as the email reached the intended BA, and there was no evidence that PHI was impermissibly disclosed to any other party.OCR provided technical assistance to the CE. As a result of OCR’s investigation, the CE initiated a review and improvements to its HIPAA practices." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, San Francisco" "Healthcare Provider" "Quantity[9861, ""People""]" "DateObject[{2014, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Detroit Medical Center - Harper University Hospital" "Healthcare Provider" "Quantity[1087, ""People""]" "DateObject[{2014, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "Patients’ medical information was found in the possession of an employee who had worked for the covered entity, Detroit Medical Center Harper University. The protected health information (PHI) included the names, dates of birth, age, gender and reasons for visits for approximately 1,087 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection and monitoring service at no cost to all affected patients. OCR obtained documentation which showed that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Todd M. Burton, M.D." 
"Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2014, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Valley View Hospital Association" "Healthcare Provider" "Quantity[5415, ""People""]" "DateObject[{2014, 3, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Hospitalists of Arizona" "Healthcare Provider" "Quantity[1706, ""People""]" "DateObject[{2014, 3, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "TMA Practice Management Group" "Business Associate" "Quantity[2260, ""People""]" "DateObject[{2014, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss" "Other Portable Electronic Device" "True" "The covered entity (CE), McBroom Clinic, PA, signed a business associate (BA) agreement with TMA Practice Management Group to provide an operational assessment/audit. As part of the assessment the BA requested, and the CE provided, certain health information about patients. The protected health information (PHI) included clinical and insurance/payment information about patients. The CE copied some of the PHI to an unencrypted portable USB flash drive and sent it to the BA with other information in a package on January 7, 2014. Upon receipt of the empty package, the BA subsequently discarded it in the recycling receptacle.On or around February 21, 2014, the Clinic contracted with AllClear ID to assist with the patient notification and mitigation efforts.As a result of the breach, the CE instituted new procedures for extracting and sending PHI via portable media, including encryption. 
Due to OCR’s investigation, the CE was made aware of the following areas of improvement: risk analysis and staff training on policies and procedures. " "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[1746, ""People""]" "DateObject[{2014, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "The covered entity (CE), QBE Holdings, Inc. reported that its business associate (BA), StayWell Health Management LLC, disclosed 1,746 individuals’ protected health information on the internet. The PHI included names, email addresses, unique StayWell identification numbers, and information about participation in a wellness program. The BA provided breach notification to HHS and affected individuals. The BA also filed a separate breach report which was investigated by OCR. As a result of the breach, the BA implemented procedures to address the data compromise issue which included the performance of an initial analysis and risk assessment. Further, the BA implemented policies and procedures to safeguard PHI and trained its employees. OCR obtained assurances that the BA implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Berea College" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2014, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Other" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "HealthPartners Inc" "Health Plan" "Quantity[27839, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Laptop, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "HealthPartners Administrators, Inc." 
"Business Associate" "Quantity[796, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Loss, Unauthorized Access/Disclosure" "Desktop Computer, Laptop, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "HealthPartners Administrators, Inc." "Business Associate" "Quantity[1699, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Loss, Unauthorized Access/Disclosure" "Desktop Computer, Laptop, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "HealthPartners Administrators, Inc." "Business Associate" "Quantity[715, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Loss, Unauthorized Access/Disclosure" "Desktop Computer, Laptop, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "San Francisco General Hospital & Trauma Center, Privacy Manager Breach" "" "Quantity[55900, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "On March 21, 2014, the covered entity (CE), San Francisco General Hospital & Trauma Center reported that eight desktop computers were stolen from Sutherland Healthcare Solutions, Inc., the CE’s business associate (BA). The computers contained the electronic protected health information (ePHI) of 27,676 individuals. The ePHI involved in the breach included names, addresses, birth dates, social security numbers, admission and discharge information, treatment location, diagnosis and billing information. The CE provided breach notification to HHS, affected individuals and the media. The CE trained its workforce members on the policies and procedures for responding and reporting security incidents. OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sutherland Healthcare Solutions" "Business Associate" "Quantity[55900, ""People""]" "DateObject[{2014, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "True" "On March 21, 2014, the covered entity (CE), San Francisco General Hospital & Trauma Center reported that eight desktop computers were stolen from Sutherland Healthcare Solutions, Inc., the CE’s business associate (BA). The computers contained the electronic protected health information (ePHI) of 27,676 individuals. The ePHI involved in the breach included names, addresses, birth dates, social security numbers, admission and discharge information, treatment location, diagnosis and billing information. The CE provided breach notification to HHS, affected individuals and the media. The CE trained its workforce members on the policies and procedures for responding and reporting security incidents. OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Talyst" "Business Associate" "Quantity[1079, ""People""]" "DateObject[{2014, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Yellowstone Boys and Girls Ranch" "Healthcare Provider" "Quantity[543, ""People""]" "DateObject[{2014, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Sometime between July 11, 2013, and January 27, 2014, the covered entity (CE), Yellowstone Boys and Girls Ranch, lost a resource notebook for on-call staff in its Lewiston office.The notebook included documents containing the protected health information (PHI) of 543 individuals including clients’ names, addresses, dates of birth, schools, treatment providers, and community-based program information.The CE provided breach notification to HHS, affected individuals, and the media.The CE immediately stopped storing PHI in the on-call resource book and sanctioned the responsible personnel.As a result of OCR’s investigation, and with substantial technical assistance from OCR, the CE began developing and revising necessary policies and procedures governing the storage, transportation, and handling of PHI.Additionally, the CE provided OCR with written assurance that it will train its staff on the new policies and procedures." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Orlando Health, Inc." 
"Healthcare Provider" "Quantity[586, ""People""]" "DateObject[{2014, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "An unencrypted portable data drive was lost by a pharmacy resident of the Arnold Palmer Hospital, a part of the covered entity (CE).The drive contained the protected health information (PHI) of 586 individuals, including names, birth weights, gestational age, admission and discharge dates, medical record numbers, and some transfer dates.The missing drive also stored personal items, a research study proposal, and two spreadsheets containing limited information on 586 babies who were part of a study.The CE provided breach notification to HHS, the media, and to the parents of the affected individuals because they were all minors.Substitute notice was posted on the CE’s website.The CE updated its policies and procedures for its data loss prevention system and added controls.The CE retrained the resident involved in the loss of data and provided additional information to all employees and medical staff members regarding the use of portable data devices through education and published articles.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Stoetzel's Planet Chiropractic" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2014, 3, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "An unauthorized individual broke into the covered entity's (CE) facility and stole a laptop computer containing the electronic protected health information (ePHI) of approximately 1,000 individuals, including names, credit card numbers, bank account numbers, treatment information, and x-ray images.The CE provided breach notification to HHS, affected individuals, and prominent media outlets in Illinois.Following the breach, the CE reported the theft to the local police department, relocated to a new facility, and implemented facility security measures, including a security alarm system.It also enhanced its policies and procedures implementing the Privacy and Security Rules.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "NOVA Chiropractic & Rehab Center" "Healthcare Provider" "Quantity[5534, ""People""]" "DateObject[{2014, 3, 27}, ""Day"", ""Gregorian"", -5.]" "Loss, Other" "Other Portable Electronic Device" "False" "The covered entity (CE), NOVA Chiropractic and Rehabilitation Center, misplaced a mobile device within its office.The device contained the electronic protected health information (ePHI) of approximately 5,534 patients, including names, dates of birth, and addresses. The CE found no evidence that the ePHI was inappropriately used outside of the CE’s office. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. 
As a result of OCR’s investigation, the CE cleared and encrypted its thumb drives that contained ePHI.The CE improved physical safeguards by installing a new security alarm system, and updated its policy for removal of PHI from the office. OCR obtained assurances that the CE has executed business associate agreements for its email and cloud system providers." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Susquehanna Health" "Healthcare Provider" "Quantity[657, ""People""]" "DateObject[{2014, 3, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "In response to an insurer’s routine claims request, an employee provided more protected health information (PHI) than was necessary to complete the intended purpose.Approximately 657 patients were affected.The impermissible disclosure included patients’ names, addresses, social security numbers, dates of birth, health insurance information, payment information, encounter identification, physicians’ names, diagnosis codes, and patients’ employers.The covered entity (CE), Susquehanna Health, provided breach notification to HHS and affected individuals.The CE also offered one year of free identity theft protection and credit monitoring to affected individuals.Following the breach, the CE immediately ensured that all recipients of the PHI deleted the data from their computers and shredded all hard copies. OCR obtained and reviewed copies of the CE’s policies and procedures related to the issues raised in this complaint, as well as a copy of its current risk assessment.As a result of OCR’s investigation, the CE sanctioned the staff member, retrained the entire department, and revised its email policies." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Jewish Hospital" "Healthcare Provider" "Quantity[2992, ""People""]" "DateObject[{2014, 3, 28}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "A small number of employees of the covered entity (CE), Jewish Hospital, responded to “phishing” emails that appeared legitimate and disclosed the demographic and clinical protected health information (PHI) of approximately 2,992 individuals.The PHI involved in the breach included names, addresses, birthdates, diagnoses, treatments received, health insurance information and the social security numbers of a few individuals.In response to the incident, the CE secured the affected email accounts and arranged for a forensic investigation.While the CE has no evidence that the electronic PHI in the employees’ mailboxes was accessed or otherwise infiltrated by the phishing scheme, it nonetheless sent breach notification letters and offered one year of free credit monitoring and identity theft protection services to all potentially affected individuals.It also provided breach notification to HHS and the media and provided substitute notice.Following the breach, the CE deployed anti-phishing software, accelerated its employee phishing education campaign, established a quick reaction team for proactively blocking phishing or other web-based threats, and enhanced its auditing and logging controls.OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Franciscan Medical Group" "Healthcare Provider" "Quantity[8300, ""People""]" "DateObject[{2014, 3, 28}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Numerous employees of the CE responded to an email phishing attack which requested the employee’s email username and password to authenticate their accounts. As a result, a number of employee direct deposit paychecks were diverted without notification and any electronic protected health information (ePHI) stored on the affected email accounts was made accessible. The affected email accounts contained the combined ePHI of 8,311 individuals. The ePHI involved in the breach included patients’ demographic, clinical and health insurance information and in some cases, social security numbers. In response to the incident, the affected users changed their passwords and the CE adjusted web filters. The CE improved technical safeguards to prevent future phishing attacks of this nature and accelerated the timetable for its existing phishing education campaign for all employees. The CE provided a year of free credit monitoring and identity theft protection services to affected individuals. OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Palomar Health" "Healthcare Provider" "Quantity[5499, ""People""]" "DateObject[{2014, 3, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Myriad Genetic Laboratories, Inc." 
"Healthcare Provider" "Quantity[643, ""People""]" "DateObject[{2014, 3, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Medical Center of Plano" "" "Quantity[1000, ""People""]" "DateObject[{2014, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "The covered entity (CE), Medical Center of Plano, reported that the business associate (BA), Relay-Health, inadvertently sent an incorrect mailing affecting 1,000 individuals.The CE learned that the actual number of individuals affected by the breach was one patient and filed an addendum to reflect the correct number of patients affected by the breach.The protected health information (PHI) involved in the breach included the individual’s name, address, account number, admission and discharge dates, and payment information.Following the breach, the BA reviewed the standard operating procedure with the entire project management team and modified its mailing process.It also contacted the affected individual and provided contact information if needed to address concerns and questions in reference to the incident." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Policy Studies, Inc. / Postal Center International, Inc." 
"Business Associate" "Quantity[580, ""People""]" "DateObject[{2014, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Midwest Orthopaedics at Rush, LLC" "Healthcare Provider" "Quantity[1256, ""People""]" "DateObject[{2014, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Indian Health Service" "Health Plan" "Quantity[214000, ""People""]" "DateObject[{2014, 4, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "KP Northern CA Department of Research" "Healthcare Provider" "Quantity[5178, ""People""]" "DateObject[{2014, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""Country"", ""PuertoRico""]" "Triple-S Salud " "Health Plan" "Quantity[5795, ""People""]" "DateObject[{2014, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries.TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;Use or Disclosure of more PHI than was necessary to carry out mailings;Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; andFailure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:A risk analysis and a risk management plan;A process to evaluate and address any environmental or operational changes that affect the 
security of the ePHI it holds;Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; andA training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz.“We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”" "Entity[""Country"", ""PuertoRico""]" "American Health Inc. " "Health Plan" "Quantity[17776, ""People""]" "DateObject[{2014, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the 
security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "State Long Term Care Ombudsmans Office, Michigan Department of Community Health" "Healthcare Provider" "Quantity[2595, ""People""]" "DateObject[{2014, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Presence St. Joseph's Medical Center" "Healthcare Provider" "Quantity[836, ""People""]" "DateObject[{2014, 4, 4}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Clinical Reference Laboratory, Inc." 
"Healthcare Provider" "Quantity[979, ""People""]" "DateObject[{2014, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Services (USPS).The protected health information (PHI) involved in the breach included the names, dates of birth, partial social security numbers, and lab test types of approximately 979 individuals residing in multiple states.The CE provided breach notification to HHS and affected individuals.Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation." "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Cigna" "Business Associate" "Quantity[527, ""People""]" "DateObject[{2014, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Amerigroup Texas, Inc. 
" "Business Associate" "Quantity[75026, ""People""]" "DateObject[{2014, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "BLUE CROSS AND BLUE SHIELD OF KANSAS CITY" "Health Plan" "Quantity[2546, ""People""]" "DateObject[{2014, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "In February 2014, two members of the covered entity (CE), Blue Cross Blue Shield of Kansas City Plan, reported unauthorized charges on credit cards they used to make payments by phone to the CE.The CE determined that an employee violated its policies and procedures and may have put the financial information of 2,546 individuals at risk.The breach affected members that spoke with this employee regarding payment of premiums.The CE provided breach notification to HHS, affected individuals, and the media, and reported the matter to the FBI and local law enforcement.The CE reported that its background check contractor, Verifications Inc. (VI) provided an inaccurate criminal background check, which resulted in the hiring of the involved employee although the employee had been convicted of felony identity theft in April 2012.To prevent similar breaches from happening in the future, the CE terminated its contract with VI and established a relationship with a new background check vendor.The CE provided training to its workforce on its policies and procedures regarding HIPAA Security.OCR obtained documented evidence demonstrating that the CE implemented the corrective action listed above. The CE also ended the involved employee’s employment." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "University Urology, P.C." 
"Healthcare Provider" "Quantity[1144, ""People""]" "DateObject[{2014, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "A nurse practitioner (“NP”) of the covered entity (CE), University Urology, left the practice to start her own clinic.An administrative assistant of the CE provided the NP with lists of patient information in June 2013 and January 2014 that contained the names, addresses, gender, age, and first and last dates of service for 1,144 individuals.The CE provided breach notification to HHS, affected individuals, and the media.In response to the breach, the CE terminated the administrative assistant’s employment and sent a “cease and desist” letter to the NP.The CE also ensured that the lists were destroyed. Finally, the CE reviewed and revised its policies and re-trained its workforce.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Healthy Connections, Inc" "Healthcare Provider" "Quantity[793, ""People""]" "DateObject[{2014, 4, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "IHS" "Health Plan" "Quantity[5000, ""People""]" "DateObject[{2014, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "An employee of the covered entity’s (CE) network penetration testing team discovered protected health information (PHI) on open shares in a network attached storage device that could have affected 5,000 individuals if the IT department had not caught the problem in time.There was no indication of a breach and the CE immediately secured the website and notified the facility to delete all emails.The CE implemented a mandatory monthly training for all site managers to include a discussion of all site incidents. 
" "Entity[""Country"", ""PuertoRico""]" "Triple S Salud Inc." "Business Associate" "Quantity[7911, ""People""]" "DateObject[{2014, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "True" "" "Missing[""NoInput""]" "Administracion de Seguros de Salud - Triple S Salud Inc (BA)" "" "Quantity[46473, ""People""]" "DateObject[{2014, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "True" "On March 27, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico, reported that on January 14, 2014, it became aware that sometime before October 9, 2013, a former employee ofTriple-S Salud’s business associate (BA),Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unspecified period of time and which he subsequently downloaded onto a computer at his new employer.The ePHI included beneficiary enrollment information, including names, dates of births, contract numbers, health insurance claim number, home addresses, and social security numbers of 54,384 of the CE’s beneficiaries.The CE provided breach notification to HHS, affected individuals, and the media.Due to OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train its staff within a specified period." "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Greenwood Leflore Hospital" "Healthcare Provider" "Quantity[3750, ""People""]" "DateObject[{2014, 4, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "The covered entity (CE), Greenwood Leflore Hospital, discovered that an ex-employee of a business associate (BA) the CE used to recycle and destroy old x-ray films, stole x-ray films which contained the names, dates of birth and x-ray images of 3,750 patients. 
This individual’s employment had been terminated by the BA prior to the breach, and therefore he was not authorized to take possession of these x-ray films. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. In response to the breach, the CE filed a police report, attempted to recover the x-ray films, and sanctioned and re-trained the employees involved. The CE also filed a civil lawsuit against the individual who took the films. The individual was later arrested and found guilty of petit larceny and was ordered to pay restitution to the CE. The CE provided additional training to its entire workforce regarding its BA access and breach policies, and terminated its business relationship with the BA. OCR obtained the CE’s policies and procedures related to the cited Privacy Rule provisions, as well as documentation related to employee training on the Privacy and Security Rules. " "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Service Coordination, Inc." "Business Associate" "Quantity[10766, ""People""]" "DateObject[{2014, 4, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc." 
"Business Associate" "Quantity[2523, ""People""]" "DateObject[{2014, 4, 17}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Shaker Clinic" "Healthcare Provider" "Quantity[617, ""People""]" "DateObject[{2014, 4, 18}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "VGM Homelink" "" "Quantity[1400, ""People""]" "DateObject[{2014, 4, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "A business associate (BA), Tri State Adjustments, of the covered entity (CE), VGM Homelink, committed a programing error which resulted in individuals receiving the wrong billing statements. This breach affected approximately 1,400 individuals and included patients’ names, addresses, insurance information, and the medical equipment provided to them.The CE provided breach notification to HHS, affected individuals, and the media, and placed a notification about the breach on its website.The CE required its BA to implement new safeguards to prevent a similar breach from occurring. As a result of OCR’s investigation, the CE had its BA update its policy and procedures for Breach Rule notification." "Entity[""AdministrativeDivision"", {""Idaho"", ""UnitedStates""}]" "Larsen Dental Care LLC" "Healthcare Provider" "Quantity[6900, ""People""]" "DateObject[{2014, 4, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "An unencrypted external hard drive containing the electronic protected health information (ePHI) of 6,900 individuals was stolen from a workforce member’s vehicle. 
The ePHI involved in the breach included names, addresses, dates of birth, email addresses, telephone numbers, dental records, medical history, health insurance numbers, and social security numbers. The covered entity (CE), Larson Dental Care LLC, provided breach notification to HHS, affected individuals and the media, and also posted notice online. Following the breach, the CE terminated the employment of the responsible workforce member. It also conducted a new risk assessment, implemented new security and privacy policies, including device and media control policies, and retrained staff. The CE improved safeguards by encrypting all computers and mobile devices containing ePHI and installing comprehensive security upgrades to its computer network. OCR obtained assurances that the CE implemented these corrective actions. " "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Centura Health" "Healthcare Provider" "Quantity[12286, ""People""]" "DateObject[{2014, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Ladies First Choice, Inc." 
"Healthcare Provider" "Quantity[2365, ""People""]" "DateObject[{2014, 4, 23}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Laptop" "False" "In January, 2014, the covered entity (CE), Ladies First Choice Inc., learned that a former employee took and misappropriated a confidential computer program that contained customers’ demographic and healthcare information.The computer program contained the electronic protected health information (ePHI) of 2,365 individuals and included names, dates of birth, social security numbers, addresses, and identifying codes.The CE provided breach notification to HHS, affected individuals, and the media.As a result of the breach, the CE identified the vulnerabilities that contributed to the theft, re-trained its staff, reviewed all of its safeguards policies and internal procedures, including its incident reporting policies, and performed a new risk analysis.OCR obtained assurances that the CE implemented the corrective actions listed above.The CE also created new security features for its computer systems, including encryption and secure back up of PHI stored on hard drives.Additionally, the CE filed a civil action against the former employee to enjoin her from using the PHI she obtained." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Tufts Associated Health Maintenance Organization, Inc. 
and Tufts Insurance Company " "Health Plan" "Quantity[8830, ""People""]" "DateObject[{2014, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Inclusion Research Institute" "Business Associate" "Quantity[2200, ""People""]" "DateObject[{2014, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "The covered entity’s (CE) subcontractor, on behalf of the CE’s business associate (BA), Inclusion Research Institute, sent postcards to 2,200 individuals indicating they were receiving services at the CE, Developmental Disabilities Administration, Maryland Department of Health and Mental Hygiene. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE directed the subcontractor to cease and desist sending the postcards. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Willis North America Inc. 
Medical Expense Benefit Plan" "Health Plan" "Quantity[4830, ""People""]" "DateObject[{2014, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Sorenson Communications/CaptionCall Group Health Plan" "Health Plan" "Quantity[9800, ""People""]" "DateObject[{2014, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Sorenson Communications filed a breach report on behalf of its CaptionCall Group Health Plan indicating that, between February 20 and March 3, 2014, an unknown third party hacked into the CaptionCall account with Sorenson’s payroll vendor which compromised employment-related information gathered by Sorenson from and about its employees, their dependents, beneficiaries, and/or emergency contacts. The breach affected approximately 9,800 individuals. Sorenson provided notice to HHS, affected individuals, and the media. After verifying the circumstances of the breach and the character of the breached information, OCR closed the breach upon determining that the hacked data constituted employment records, which are excluded from the definition of PHI." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Medical Center at McKinney" "Healthcare Provider" "Quantity[1253, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Medical Center at Irving" "Healthcare Provider" "Quantity[2308, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Regional Medical Center at Plano" "Healthcare Provider" "Quantity[1981, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "HealthTexas Provider Network" "Healthcare Provider" "Quantity[2742, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Ferguson Advertising, Inc." 
"Business Associate" "Quantity[1361, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Iowa Medicaid Enterprise" "Health Plan" "Quantity[862, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Iowa Medicaid Enterprise, erroneously mailed a patient listing of 862 individuals to a provider on February 26, 2014.The protected health information (PHI) involved in the breach included names and addresses.The CE stated that it discovered this breach was due to an error in its mailing process.The CE stated that it notified the affected individuals and the media.The CE also stated that it shall no longer mail patient listings to providers.OCR has consolidated this breach with another breach involving the Iowa Department of Human Services." "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Flowers Hospital" "Healthcare Provider" "Quantity[629, ""People""]" "DateObject[{2014, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Flowers Hospital was informed by law enforcement on February 27, 2014, that while one of its employees was being arrested, the CE’s paper facesheets were found in his possession.An internal investigation revealed that the employee may have accessed or allowed another individual access to the clinical and demographic information of 1,208 individuals.The CE provided breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE implemented procedures to further restrict access to paper records and improved its maintenance and storage procedures.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Reading Health System" "Healthcare Provider" "Quantity[1845, ""People""]" "DateObject[{2014, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "A medical practice moved and a vendor/patient stored three boxes of paper medical billing records in the vendor’s crawl space from March 2012 until March 2014. The boxes contained the protected health information (PHI) of approximately 1,845 individuals.The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, medical practice billing codes, and diagnoses.Following the breach, the covered entity (CE), Reading Health System, interviewed the vendor/patient and determined no disclosures had occurred.The CE provided breach notification to HHS and affected individuals and offered all living patients a year of free credit monitoring.The CE established a professionally staffed call " "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "MDF Transcription Services" "Business Associate" "Quantity[15265, ""People""]" "DateObject[{2014, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "OptumRx" "Business Associate" "Quantity[5696, ""People""]" "DateObject[{2014, 4, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "An employee of the covered entity's (CE) business associate (BA) mistakenly mailed protected health information (PHI) to other individuals due to a human error in sorting the data contained in an Excel spreadsheet.The mailing affected 5,696 individuals and included names and prescription drug names.The BA provided breach notification to the affected individuals, HHS, and the media.As a result of OCR's investigation, OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and 
disclosure of PHI and required the BA to safeguard all PHI. OCR obtained assurances that the BA completed the corrective actions noted above. The BA also stated that it has developed a plan to improve safeguards by implementing additional quality checks and controls for mailings." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "UMass Memorial Medical Center" "Healthcare Provider" "Quantity[2387, ""People""]" "DateObject[{2014, 5, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Porter, MD, Steven" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2014, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "KEYSTONE INSURERS GROUP" "Business Associate" "Quantity[1008, ""People""]" "DateObject[{2014, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "True" "The covered entity (CE), City of Henderson, discovered that on several occasions between January 23, 2013, and March 3, 2013, its business associate (BA) broker, Keystone Insurers Group, disclosed more than the minimum necessary information to several health care providers who were being considered as a possible partner with the City in development of a City-run healthcare clinic. The BA had been hired to assist in the evaluation process of determining whether a City-operated health clinic would reduce health care costs. The types of protected health information (PHI) involved in the breach included demographic information such as names, insurance numbers, addresses, birthdates, and clinical information, such as diagnoses, treatment, prescriptions, and expenses. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. 
In response to the incident, the CE obtained certificates of deletion and destruction from the recipients of the PHI and it terminated its agreement with the BA. The CE also revised its request for proposals process to include information about potential brokers’ HIPAA training and any prior HIPAA breaches. In response to OCR’s investigation, the CE created and implemented privacy policies and procedures, and trained staff on its HIPAA policies." "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Options Counseling Center" "Healthcare Provider" "Quantity[2828, ""People""]" "DateObject[{2014, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Options Counseling Center, after the CE reported that, between May 1, 2011 and July 29, 2011, an employee made photocopies of documents and printed documents from the computer system containing 2,828 patients’ protected health information (PHI) and disclosed the documents to his attorney. The types of PHI involved in the breach included, variously for different individuals, patients’ names, counseling session attendance verifications, internal CE account codes, charges, payments, addresses, telephone numbers, dates of birth, health insurance account information, and account balances, as well as 46 social security numbers. Upon discovery of the breach, the CE ensured the destruction of the PHI possessed by the (then former) employee and/or his attorney, and retrained staff. The CE also implemented new safeguards, including restricting the number of personnel who hold keys to the rooms and file cabinets that contain PHI, and converting its paper billing system to an electronic billing system, which establishes password-protected role-based access rights to varying levels of information. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Molina Healthcare of New Mexico, Inc." "" "Quantity[4744, ""People""]" "DateObject[{2014, 5, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "On behalf of the covered entity (CE), Molina Healthcare of California Partner Plan, Inc., a business associate (BA) subcontractor, printed and mailed postcards to the CE’s former members addressed generically to “Resident” and containing a tracking number, that in some cases, was the member’s social security number.Approximately 4,744 individuals were affected by this breach.The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notification on its website.It also offered affected individuals one year of free identity theft protection services.As a result of the incident, the CE revised and developed HIPAA policies and procedures to better safeguard protected health information (PHI) during mailing projects.It also counseled the workforce members involved in the incident pursuant to its policies.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Howard L. Weinstein D.P.M." "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2014, 5, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Four encrypted laptop computers and the back-up system containing the electronic protected health information (ePHI) of approximately 1,000 individuals were stolen as a result of a break-in at the office of the covered entity (CE), Howard L. 
Weinstein, D.P.M. The CE immediately reported the incident to police and an investigation ensued. The ePHI involved in the theft was encrypted and the CE determined that a breach of ePHI was unlikely. However, the CE responded to the incident as though a breach had occurred and personnel notified the potential affected parties through mailing, media notification, and website notification. They also followed the procedure to file a Breach Notification Report with HHS. The CE implemented additional physical, technical, and administrative safeguards to ensure the security of ePHI. In addition, the CE immediately acted on the recovery plan, and has moved data to a cloud encrypted storage system." "Entity[""Country"", ""PuertoRico""]" "American Health Inc. " "Health Plan" "Quantity[11531, ""People""]" "DateObject[{2014, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun. “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.” TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement. After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the 
security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Central City Concern" "Healthcare Provider" "Quantity[17914, ""People""]" "DateObject[{2014, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Law enforcement investigated a former employee of the covered entity (CE), Central City Concern, for identity theft and notified the CE that the former employee admitted to misusing approximately 15 Employment Access Center (EAC) clients’ information. The personal information involved in the breach included names, social security numbers, addresses, dates of birth and other identifiers, but no data from the CE’s health care component. The CE provided breach notification to HHS, the media, and all 17,914 clients whose information was accessible by the former employee, as well as posting substitute notice on its website. It also provided a year of free credit monitoring for affected individuals. As a result of the 
incident, the CE improved safeguards for the EAC database.The CE also contracted with a third party to complete a security risk assessment of all its locations and updated its privacy and security policies and procedures.OCR’s investigation confirmed that the appropriate notifications were made and that corrective actions steps were taken. " "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Blue Cross Blue Shield of Michigan Blue Care Network" "" "Quantity[502, ""People""]" "DateObject[{2014, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewHampshire"", ""UnitedStates""}]" "Elliot Health System" "Healthcare Provider" "Quantity[1208, ""People""]" "DateObject[{2014, 5, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Sutherland Healthcare Solutions, Inc." "Business Associate" "Quantity[342197, ""People""]" "DateObject[{2014, 5, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email, Laptop" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Humana Inc [case #15381]" "Health Plan" "Quantity[2962, ""People""]" "DateObject[{2014, 5, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "On April 2, 2014, an unencrypted portable media device containing electronic protected health information (ePHI) was stolen from an employee’s locked vehicle. 
The portable media device contained the demographic data (including some social security numbers), clinical, and health insurance information of 2,962 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The offending employee was terminated as a direct result of violating the CE’s policy prohibiting the use of unencrypted devices to store and transport PHI. In addition, the CE re-educated employees about this policy and instructed management teams to ensure that proper procedures were being followed. OCR obtained assurances that the corrective actions were taken." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Jamaica Hospital Medical Center" "Healthcare Provider" "Quantity[26162, ""People""]" "DateObject[{2014, 5, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Bay Park Hospital" "Healthcare Provider" "Quantity[594, ""People""]" "DateObject[{2014, 5, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Network Server" "False" "An employee of the covered entity (CE), Bay Park Hospital, accessed the electronic protected health information (ePHI) of 594 individuals without a necessary business reason to do so. The ePHI included names, dates of birth, diagnoses and other clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Upon discovering the breach, the CE questioned the responsible workforce member, who immediately resigned, and retrained its workforce members on its HIPAA policies and procedures. OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""Country"", ""PuertoRico""]" "Triple-S Salud " "Health Plan" "Quantity[56853, ""People""]" "DateObject[{2014, 5, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc. , formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries.TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. 
OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including: Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI; Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement; Use or Disclosure of more PHI than was necessary to carry out mailings; Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes: A risk analysis and a risk management plan; A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises. Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA. “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. 
Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "NFP Maschino, Hudelson & Associates" "Business Associate" "Quantity[3814, ""People""]" "DateObject[{2014, 5, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "An unencrypted laptop was stolen from the vehicle of an employee of Maschino, Hudelson & Associates, a broker and business associate (BA) of the covered entity (CE), Aetna. The laptop contained the protected health information (PHI) of 3,814 of the CE's customers. The types of PHI involved in the breach included names, dates of birth, addresses, social security numbers and account information. The BA provided breach notification to affected individuals and the media. OCR provided technical assistance to the CE regarding the requirements for notification to HHS. OCR verified that the CE had a proper BA agreement in place at the time of this breach." 
"Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Salina Health Education dba Salina Healthcare Center" "Healthcare Provider" "Quantity[9640, ""People""]" "DateObject[{2014, 6, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "An employee of the covered entity (CE), Salina Family Healthcare Center, sent an email containing electronic protected health information (ePHI) to a third party as part of a research case study.The types of PHI involved in the breach included names, dates of birth, addresses, chart numbers, and procedure codes affecting approximately 9,640 individuals.The CE provided breach notification to HHS, affected individuals, and the media.The CE responded to the breach by obtaining assurances that the email was destroyed by the third party, and sanctioning the responsible employee.As a result of OCR’s investigation, the CE updated and trained staff on its policies relating to the e-mailing of PHI and uses and disclosures of PHI. " "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Open Cities Health Center " "Healthcare Provider" "Quantity[1304, ""People""]" "DateObject[{2014, 6, 5}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mark A. Gillispie" "Healthcare Provider" "Quantity[5845, ""People""]" "DateObject[{2014, 6, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Penn State Milton S. Hershey Medical Center" "Healthcare Provider" "Quantity[1801, ""People""]" "DateObject[{2014, 6, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email, Other Portable Electronic Device" "False" "An employee of the covered entity (CE), Penn State Milton S. 
Hershey Medical Center, downloaded protected health information (PHI) onto an unsecured flash drive and used the device in his personal computer to complete work which he then emailed to the CE using his personal email account. The types of PHI involved in the breach included the demographic and clinical information for 1,801 individuals. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE performed a risk assessment and updated encryption measures. The CE also reminded all clinical laboratory staff and faculty of expected practices pertaining to safeguarding PHI, and provided staff a listing of the relevant policies concerning encryption and electronic messaging and links to the corresponding policies. As a result of OCR's investigation, the CE submitted to OCR copies of its policies regarding use of personal devices and emails, storing PHI on third party owned or managed media and use of approved electronic connections, systems and/or services. OCR verified that appropriate policy was in place at the time of the incident and the employee did not follow the policy. OCR obtained assurances that the CE has implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." "Healthcare Provider" "Quantity[540, ""People""]" "DateObject[{2014, 6, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "St. Francis Hospital" "Healthcare Provider" "Quantity[1175, ""People""]" "DateObject[{2014, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "On May 30, 2014, a staff member sent an email to approximately 1,175 patients that erroneously permitted them to see the email addresses of all recipients. The covered entity (CE), St. 
Francis Hospital, investigated the incident, replaced its information technology department leadership and its security officer, and counseled the employee involved. Additionally, the CE updated its HIPAA policies and trained the entire workforce on its updated policies. The CE also began upgrading its equipment to better prevent security incidents. The CE provided breach notification to the affected individuals via e-mail message, sent notification to the media, and placed a conspicuous notice on its website. In response to OCR’s provision of technical assistance, the CE provided written notification to the affected individuals." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Doctors First Choice Billings, Inc" "Business Associate" "Quantity[9255, ""People""]" "DateObject[{2014, 6, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Doctors First Choice Billings, Inc." "Business Associate" "Quantity[1831, ""People""]" "DateObject[{2014, 6, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Santa Rosa Memorial Hospital " "Healthcare Provider" "Quantity[33702, ""People""]" "DateObject[{2014, 6, 13}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor Medical Center at Carrollton" "Healthcare Provider" "Quantity[2874, ""People""]" "DateObject[{2014, 6, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Group Health Plan of Hurley Medical Center" "Health Plan" "Quantity[2289, ""People""]" "DateObject[{2014, 6, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized 
Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "IHS" "Health Plan" "Quantity[620, ""People""]" "DateObject[{2014, 6, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "David DiGiallorenzo, D.M.D." "Healthcare Provider" "Quantity[11000, ""People""]" "DateObject[{2014, 6, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Other" "False" "An individual hacked into the Dentrix software of the covered entity (CE), Lanap & Implant Center of Pennsylvania (David DiGiallorenzo), and posted patients’ protected health information (PHI) on a “BitTorrent” website (which distributes files over the Internet), piratebay.com.The breach involved the PHI of 11,000 individuals and included names, as well as dates of birth and social security numbers for some of the individuals.The CE provided breach notification to HHS, affected individuals whose PHI was compromised, and the media, as well as substitute notification.Following the breach, the CE received security updates from Dentrix.As a result of OCR’s investigation, the CE increased safeguards by implementing security measures on its electronic systems." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NRAD Medical Associates, P.C." 
"Healthcare Provider" "Quantity[97000, ""People""]" "DateObject[{2014, 6, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Unauthorized Access/Disclosure" "Desktop Computer, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU Hospitals Center" "Healthcare Provider" "Quantity[872, ""People""]" "DateObject[{2014, 6, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Abrham Tekola, M.D.,INC" "Healthcare Provider" "Quantity[5471, ""People""]" "DateObject[{2014, 6, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Two unencrypted desktop computers and one unencrypted laptop computer were stolen during a burglary.The breach affected 5,471 individuals and the types of protected health information (PHI) involved included patients’ names, social security numbers, addresses, dates of births, and medical information. Upon learning of the theft, the covered entity (CE) hired a legal firm to assist with responding and notifying all individuals affected.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE hired specialized data security personnel, conducted a Security Rule risk analysis, and implemented a risk mitigation plan that reflects the current work environment.Additionally, the CE improved safeguards by updating its policies and procedures on portable/mobile devices and encrypting its electronic equipment.The CE completed security awareness training of its workforce members.OCR obtained documentation that the CE implemented the corrective actions noted above and provided technical assistance regarding the HIPAA Security Rule." 
"Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Colorado Neurodiagnostics, PLLC" "Healthcare Provider" "Quantity[750, ""People""]" "DateObject[{2014, 6, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Sloane Stecker Physical Therapy, PC" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2014, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Riverside County Regional Medical Center" "Healthcare Provider" "Quantity[563, ""People""]" "DateObject[{2014, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Rady Children's Hospital - San Diego" "Healthcare Provider" "Quantity[14121, ""People""]" "DateObject[{2014, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Rady Children's Hospital - San Diego" "Healthcare Provider" "Quantity[6307, ""People""]" "DateObject[{2014, 6, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email, Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Alabama Department of Public Health" "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2014, 6, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "An employee of the covered entity (CE), Alabama Department of Public Health, disclosed the protected health information (PHI) of approximately 1,200 individuals to a third party, potentially for tax fraud purposes.Federal law enforcement informed the CE of the breach on March 21, 2014.The U.S. 
District Court, Middle District of Alabama indicted the workforce member responsible for the breach for her criminal activities related to the breach, and she is no longer employed by the CE.Following the breach, the CE implemented additional safeguards. " "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "The Union Labor Life Insurance Company" "Healthcare Provider" "Quantity[42713, ""People""]" "DateObject[{2014, 6, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "VA Long Beach Healthcare System" "Healthcare Provider" "Quantity[592, ""People""]" "DateObject[{2014, 7, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "D&J Optical Inc. " "Health Plan" "Quantity[1100, ""People""]" "DateObject[{2014, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "In June 2014, the covered entity (CE), D&J Optical, suspected that a former independently contracted optometrist had created credentials for herself and accessed electronic protected health information (ePHI) without authorization.This inappropriate access would have exposed the demographic and clinical information of 1,100 individuals.The CE filed a breach report with HHS and met the requirements of the Breach Notification Rule.In response to this suspected incident, the CE increased security for access to its server and software, eliminated wireless internet capabilities in its office, and strengthened procedures for password access.OCR reviewed evidence of the subsequent investigation by a computer forensic expert which revealed that no inappropriate access had occurred and no ePHI was disclosed. 
" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Montana Department of Public Health & Human Services" "Health Plan" "Quantity[1062509, ""People""]" "DateObject[{2014, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Highmark Inc." "Business Associate" "Quantity[2589, ""People""]" "DateObject[{2014, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Health profile and care summaries and corresponding cover letters were incorrectly mailed to senior members of the covered entity (CE), Highmark Health, and their physicians.The protected health information involved in the breach included the names, addresses, telephone numbers, dates of birth, unique medical identifiers (UMI), gender, medications, and health information of 2,589 individuals. The CE provided breach notification to HHS, the media, and affected individuals.Following the breach, the CE issued a new UMI to each member impacted by the incident.The CE determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee. As a result of OCR's investigation, the CE instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures.OCR obtained details of the CE's revised policies on its health profiles to assure they include only the minimum necessary information." 
"Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Haley Chiropractic Clinic" "Healthcare Provider" "Quantity[6000, ""People""]" "DateObject[{2014, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "One laptop and two desktop computers containing the electronic protected health information (ePHI) of about 6,000 patients were stolen during a break-in at the covered entity (CE), Haley Chiropractic Clinic. The machines and the clinic’s electronic health record (EHR) application were password-protected, but the devices were not encrypted. One of the desktop computers provided access to the web-based EHR system that included names, treatment notes, addresses, phone numbers, dates of birth, insurance information, and social security numbers. The stolen laptop contained patients’ names, social security numbers, height and weight, and range of motion data.The CE filed a police report, provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the CE improved safeguards by installing a new physical security alarm and video surveillance system, changing all computer passwords, and encrypting computers.OCR’s review found that the media notice did not comply with the content requirements of the Breach Notification Rule. Based on OCR’s technical assistance, the CE provided a compliant notice to regional media. " "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St. Vincent Hospital and Health Care Center, Inc." "Business Associate" "Quantity[63325, ""People""]" "DateObject[{2014, 7, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "InSync Computer Solutions, Inc." 
"Business Associate" "Quantity[50918, ""People""]" "DateObject[{2014, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Other" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Western Regional Center for Brain and Spine Surgery" "Healthcare Provider" "Quantity[12000, ""People""]" "DateObject[{2014, 7, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Indian Health Service -Rosebud" "Healthcare Provider" "Quantity[620, ""People""]" "DateObject[{2014, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "University of Pennsylvania Health System" "Healthcare Provider" "Quantity[661, ""People""]" "DateObject[{2014, 7, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE).The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals.Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules.As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. 
" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Bay Area Pain Medical Associates " "Healthcare Provider" "Quantity[2780, ""People""]" "DateObject[{2014, 7, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "The offices of the covered entity (CE), Bay Area Pain Management Associates, were broken into and three desktop computers were stolen.One unencrypted document on a stolen computer contained the names, and dates of service of 2,780 individuals.In response to the breach the CE improved physical safeguards by adding a security alarm system, and increasing security features on doors. The CE improved technical safeguards by implementing an encryption file management program.As a result of OCR’s investigation the CE improved its HIPAA practices." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Minneapolis VA Health Care System" "Health Plan" "Quantity[500, ""People""]" "DateObject[{2014, 7, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE) sent a batch of 500 generic letters to its members informing them of a new community based outpatient clinic opening that erroneously caused another member’s full name and address to appear on the back side of the document.The CE provided breach notification to HHS, affected individuals, and the media, and it also posted a notice on its website.To prevent a similar breach from happening in the future, the CE implemented a quality assurance check for batch mail. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Missing[""NoInput""]" "Administracion de Seguros de Salud - Triple S Salud Inc (BA)" "Health Plan" "Quantity[7911, ""People""]" "DateObject[{2014, 7, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "On April 15, 2014, the covered entity (CE), Puerto Rico Health Insurance Administration, also known as the Administracion de Seguros Salud de Puerto Rico reported to HHS that on January 14, 2014, they became aware that sometime before October 9, 2013, a former employee of American Health Medicare’s (AHM) business associate (BA), Triple-S Advantage Solutions, copied beneficiaries’ electronic protected health information (ePHI) onto a compact disk which he took home for an unknown period of time and which he subsequently downloaded onto a computer at his new employer.The ePHI included the enrollment information of 7,911 of the CE’s beneficiaries, including names, dates of births, contract numbers, health insurance claim numbers, home addresses, and social security numbers.AHM, which was acting as both a CE and a BA, provided breach notification to affected individuals and the media.As a result of OCR’s investigation, the CE committed to conduct a risk analysis, implement a risk management plan, revise its policies and procedures, and re-train staff within a specified period." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Midwest Orthopaedic Center SC" "" "Quantity[680, ""People""]" "DateObject[{2014, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "A former affiliate of the covered entity’s (CE) former business associate(BA), McKesson Corporation, that provided specialized billing services, unintentionally made records containing patient information potentially accessible on the Internet. 
The protected health information (PHI) of approximately 680 individuals was accessible using very specific Google search terms between December 1, 2013 and April 17, 2014. The former BA immediately safeguarded the information and made it inaccessible on the Internet. The former BA confirmed that the web server was properly removed from public Internet access, confirmed from its former affiliate that the data at issue was destroyed, contacted Google to ensure all cached pages were destroyed, and confirmed the information could not be accessed through any web search. The former BA also confirmed with its former affiliate that no other information was available via the computer server at issue or any other server. The CE confirmed that the former BA’s policies related to data security were in compliance with the CE’s data security requirements. The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring to the affected individuals. OCR obtained written assurances that the CE and BA implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Xand Corporation" "Business Associate" "Quantity[3334, ""People""]" "DateObject[{2014, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Other" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Self Regional Healthcare " "Healthcare Provider" "Quantity[38906, ""People""]" "DateObject[{2014, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On May 25, 2014, a password-protected, unencrypted laptop computer containing the protected health information (PHI) of 38,906 patients was stolen from the covered entity’s (CE) administrative offices during a break-in.The PHI involved in the breach included patients’ names, social security numbers, driver license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly addresses.The CE provided breach notification to HHS, the media, and affected individuals, and offered credit monitoring.The CE also contacted the local police department and conducted an internal investigation.Following the breach the CE revised its HIPAA policies and procedures and retrained its entire workforce on its policies and procedures.The CE also improved facility access safeguards and encrypted computers.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Urological Associates of Southern Arizona, P.C." "Healthcare Provider" "Quantity[3529, ""People""]" "DateObject[{2014, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Dr. 
Veronica Joann Barber" "Business Associate" "Quantity[4000, ""People""]" "DateObject[{2014, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Another provider, Veronica Joann Barber, O.D., (VB) copied the covered entity’s (CE) entire database and used the electronic protected health information (ePHI) to solicit patients for her own practice. VB worked at the CE’s office under a space-sharing agreement until the CE terminated the agreement. The CE requested that VB cease and desist using the PHI, but she did not agree. The theft occurred on December 15, 2013, and affected 4,000 individuals. The ePHI involved in the breach included individuals’ names, social security numbers, addresses, driver’s licenses, dates of birth, other identifiers, credit card and bank account numbers, claims information, other financial information, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach the CE installed computer firewalls. Based on OCR’s provision of technical assistance, the CE notified the media and completed a risk assessment. It also improved safeguards by denying access by unlicensed persons to its computer systems and updating its policies and procedures regarding computer user names and passwords. The CE improved physical safeguards by moving the computer with the ePHI behind a 5-foot tall counter."
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "PRN Medical Services, LLC dba Symbius Medical, LLC" "Healthcare Provider" "Quantity[13877, ""People""]" "DateObject[{2014, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Other, Theft, Unauthorized Access/Disclosure" "Email, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Midwest Urological Group" "Healthcare Provider" "Quantity[982, ""People""]" "DateObject[{2014, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On May 30, 2014, an unencrypted laptop computer was stolen from a company closet.The laptop contained the protected health information (PHI) of approximately 982 individuals, including names and data from medical tests.The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and also notified police.Following the breach, the CE sanctioned and retrained the employee responsible for securing the computer and implemented new policies and procedures to improve safeguards to PHI.OCR obtained written assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Rite Aid Store 5256" "Healthcare Provider" "Quantity[522, ""People""]" "DateObject[{2014, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A box containing paper prescription records was removed from the backroom at the covered entity’s (CE) Milton, WA location.The box contained the protected health information (PHI) of approximately 522 individuals and included names, addresses, and dates of birth.The CE provided breach notification to affected individuals, HHS, and the media.The CE offered one year of free identity theft protection to affected individuals.Following the breach, the CE improved physical safeguards by moving all remaining hard copy prescription records to a more secure area.The CE contacted all other stores in the region to ensure that prescription records were being appropriately secured.As a result of OCR’s investigation, the CE clarified its PHI storage policies to store managers in Washington State, and implemented new security procedures at the affected location.OCR provided the CE with technical assistance regarding adequate safeguards to PHI, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "StayWell Health Management, LLC" "Business Associate" "Quantity[4487, ""People""]" "DateObject[{2014, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Cancer Specialists of Tidewater" "Healthcare Provider" "Quantity[2318, ""People""]" "DateObject[{2014, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Other" "False" "The covered entity (CE), Cancer Specialists of Tidewater, was notified by the Chesapeake Virginia Police Department that an employee was arrested and charged with taking credit card information from patients’ belongings during office visits.The breach report indicated that over 500 individuals were affected and the types of protected health information (PHI) involved in the breach included demographic and financial information.Following the CE’s investigation and electronic audit, it provided breach notification to a total of 2,318 patients, HHS, and the media, and posted substitute notice on its website.Following the breach, the CE conducted a risk assessment, upgraded breach detection software, and increased its auditing capabilities.It also conducted employee training.OCR obtained written assurance that the CE implemented the corrective actions listed above.Additionally, the CE terminated the employment of the involved employee." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "MobilexUSA" "Healthcare Provider" "Quantity[605, ""People""]" "DateObject[{2014, 8, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Jersey City Medical Center - Barnabas Health" "Healthcare Provider" "Quantity[36400, ""People""]" "DateObject[{2014, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Diamond Computing Company" "Business Associate" "Quantity[7016, ""People""]" "DateObject[{2014, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "OCR notified the covered entity, Diatherix, that electronic protected health information (ePHI) of its patients was potentially accessible online.The CE conducted an internal investigation and determined that its business associate (BA), Diamond Computing Company, Inc., was maintaining an insecure file transfer protocol (FTP) site containing the ePHI of approximately 7,016 individuals.The ePHI involved in the breach included names, social security numbers, dates of birth, addresses, diagnoses, and billing information, as well as other data.In response to this incident, the CE engaged a data forensic firm to determine the scope and cause of the breach.The CE provided breach notification to HHS, the media, and affected individuals, and offered one year of identity theft protection.In addition, the CE performed a risk assessment, took steps to remove cached copies of ePHI from the Internet, and revised its existing policies to ensure its vendors enforce appropriate security measures to protect ePHI.As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed." 
"Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Central Utah Clinic" "Healthcare Provider" "Quantity[31677, ""People""]" "DateObject[{2014, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "PST Services Inc, a McKesson Co." "Business Associate" "Quantity[10104, ""People""]" "DateObject[{2014, 8, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Onsite Health Diagnostics (OHD)" "Business Associate" "Quantity[60582, ""People""]" "DateObject[{2014, 8, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Apple Valley Care Center" "Healthcare Provider" "Quantity[1251, ""People""]" "DateObject[{2014, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Kaiser Foundation Health Plan of Colorado" "Health Plan" "Quantity[11551, ""People""]" "DateObject[{2014, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Other, Unauthorized Access/Disclosure" "Other" "False" "The covered entity (CE), Kaiser Foundation Health Plan of Colorado, reported that on July 24, 2014, it erroneously mailed letters containing protected health information (PHI) to incorrect recipients, affecting 11,551 individuals. Each letter contained the name of another program member in a chronic condition management program.The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR's investigation, the CE sanctioned and retrained the responsible employee." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "CareAll Management, LLC" "Healthcare Provider" "Quantity[28300, ""People""]" "DateObject[{2014, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Iron Mountain Records Management" "Business Associate" "Quantity[1674, ""People""]" "DateObject[{2014, 8, 13}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss, Theft" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "24 ON Physicians, PC/In Compass Health,Inc." "Business Associate" "Quantity[520, ""People""]" "DateObject[{2014, 8, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident, Other" "Network Server" "True" "On December 1, 2013, a subcontractor of 20 ON Physicians PC/ In Compass Health Inc., Williamson Medical Center’s former business associate (BA), unintentionally made a computer server containing protected health information (PHI) potentially available for access on the internet.The PHI that was potentially available on the internet included the names, dates of service, charge amounts, and billing codes of 520 patients.The CE investigated and verified that its BA and its subcontractor had taken all necessary corrective steps to mitigate the breach.Specifically, the subject server was removed from public internet access, all data provided to the subcontractor was destroyed, and all cached pages were removed.Additionally, the CE worked with the BA to provide breach notification to HHS, affected individuals, and the media, and also posted substitute notice on its website.Additionally, the CE reviewed and confirmed that all of its BA agreements contain provisions addressing subcontractors and data security and conducted an in-depth review of its risk analysis.A separate breach investigation was opened for the BA, 20 ON Physicians PC/In Compass 
Health Inc.OCR reviewed the BA agreement and Breach Notification Rule policy and determined that they were sufficient." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Iron Mountain Incorporated" "Business Associate" "Quantity[10000, ""People""]" "DateObject[{2014, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Iron Mountain" "Business Associate" "Quantity[49714, ""People""]" "DateObject[{2014, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Loss, Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Children's Mercy Hospital" "" "Quantity[4067, ""People""]" "DateObject[{2014, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "The covered entity (CE), Children's Mercy Hospital, reported that the protected health information (PHI) of 4,067 individuals stored in an online registration system by the subcontractor, Onsite Health Diagnostics, of its business associate (BA), StayWell Health Management, was hacked.The hacked information included names, encrypted passwords, email addresses, physical addresses, phone numbers, genders, and dates of birth.Because the subcontractor-generated passwords were encrypted/hashed, they were rendered unusable.The CE provided breach notification to HHS, affected individuals, and the media.The CE reported that the subcontractor moved all data from the affected scheduling application, moved all of its clients to a new scheduling platform, and completely decommissioned the vulnerable platform.The subcontractor also conducted a comprehensive security audit and found no other improper uses of protected health information or vulnerabilities.As a result of OCR's investigation, the CE provided documentation substantiating all actions taken." 
"Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "University Health" "Healthcare Provider" "Quantity[6073, ""People""]" "DateObject[{2014, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "On August 15, 2014, the covered entity (CE), University Health, reported a breach when a professor from City College of San Francisco notified them by email of security issues.Protected health information (PHI) from the E.A. Conway Medical Center was contained on an unsecured server that was accessible online.The types of PHI involved in the breach included financial and medical information and affected 6,075 individuals.The CE immediately took the server off-line, which discontinued any unauthorized access.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE hired a third-party company to conduct and assess a thorough external penetration test.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Tri-City Medical Center" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2014, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "On August 7, 2014, an employee who was being terminated for cause took emergency department (ED) logs for 500 patients of the covered entity (CE), Tri-City Medical Center, and gave them to the California Department of Public Health (DPH) and the North County Newspaper.Upon learning of the theft, the CE contacted DPH which advised that it had the logs and would give them to the local police department once the CE filed a report for theft. 
The CE contacted the local police department and created a report of the 500 patients’ electronic protected health information (ePHI).The CE provided breach notification to HHS, affected individuals, and the media and created an 800-number to provide information for affected patients.The CE improved safeguards by reformatting the ED logs required for Emergency Medical Treatment and Labor Act (EMTALA) to be handled only electronically, placing all ED paper logs in a locked/secured cabinet, converted locks, and relocated all its printers and faxes to secure areas.The CE also retrieved the ED logs from the police department, retrained its entire workforce, and developed a facility policy for tracking the check-in and check-out of facility logs.OCR obtained written assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Dennis Flynn MD" "Healthcare Provider" "Quantity[13646, ""People""]" "DateObject[{2014, 8, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Community Health Systems Professional Services Corporation" "Business Associate" "Quantity[4500000, ""People""]" "DateObject[{2014, 8, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Oklahoma City Indian Clinic" "Healthcare Provider" "Quantity[6000, ""People""]" "DateObject[{2014, 8, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "A staff member of the covered entity (CE), Oklahoma City Indian Clinic, sent an email to 412 recipients that erroneously included an attachment that contained the electronic protected health information (ePHI) of 6,044 individuals.Following an attempted recall of the message, a corrected email without the attachment was sent, asking the recipients to delete the 
erroneous email and the attachment.The ePHI involved in the breach included patients’ names, chart numbers, and email addresses.The CE provided breach notification to HHS, affected individuals, and the media, and provided substitute notice.Following the breach, the CE re-trained staff on its encryption policy.In addition, the CE improved safeguards by developing a policy regarding electronic transmission of patient information.The policy limits identifying patient information contained in electronic communications within the CE’s network, and requires password protection for electronic files including ePHI. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Steven A. Goldman, MD Inc." "Healthcare Provider" "Quantity[6141, ""People""]" "DateObject[{2014, 8, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Specialty Clinics Of Georgia - Orthopaedics" "Healthcare Provider" "Quantity[2350, ""People""]" "DateObject[{2014, 8, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "St. 
Elizabeth's Medical Center" "Healthcare Provider" "Quantity[595, ""People""]" "DateObject[{2014, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Aventura Hospital and Medical Center" "Healthcare Provider" "Quantity[948, ""People""]" "DateObject[{2014, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Midwest Womens Healthcare Specialist" "Healthcare Provider" "Quantity[1376, ""People""]" "DateObject[{2014, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Group Health Incorporated" "Health Plan" "Quantity[802, ""People""]" "DateObject[{2014, 8, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "The Longstreet Clinic, P. C." 
"Healthcare Provider" "Quantity[720, ""People""]" "DateObject[{2014, 8, 28}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department" "Health Plan" "Quantity[1717, ""People""]" "DateObject[{2014, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Other" "Other" "False" "The covered entity (CE), Metropolitan Government of Nashville and Davidson County Public Health Department, reported that on July 18, 2014, during the relocation of the Children's Special Services Clinic, two small metal filing units, holding standard sized paper index cards on patients seen in the CSS clinic, were inadvertently tipped over and the index cards fell out of the filing units.The index cards contained full names, addresses, dates of birth, social security numbers, and diagnosis codes of 1,717 patients.The CE provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and offered credit monitoring and identity theft protection to all affected individuals.In response to the incident, the CE investigated, interviewed all relevant staff and the contractor’s employees, and reviewed surveillance recordings.As a result of its investigation, the CE eliminated the index card system, re-evaluated its process on retention and use of paper records, created and implemented additional HIPAA policies and procedures, and retrained staff.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Duke University Health System" "Healthcare Provider" "Quantity[10993, ""People""]" "DateObject[{2014, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Memorial Hermann Health System" "Healthcare Provider" "Quantity[10604, ""People""]" "DateObject[{2014, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "On July 7, 2014, Memorial Hermann Health System's audit program identified that a workforce member had inappropriately accessed the protected health information (PHI) of approximately 10,600 individuals.The covered entity (CE) provided breach notification to HHS, affected individuals, and the media.It also promptly terminated the involved workforce member.OCR reviewed copies of the CE's policies and procedures related to the incident and information related to its HIPAA training program and audit protocols in place at the time of the incident.Following the incident, the CE took corrective actions including expanding its IT audit program and hiring additional audit staff. 
" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "AltaMed Health Services Corporation" "Healthcare Provider" "Quantity[3206, ""People""]" "DateObject[{2014, 8, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server, Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Bulloch Pediatric Group, LLC" "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2014, 9, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Bullock Pediatric Group, LLC, rented two locked storage units from a facility that was burglarized for its metal shelves.Boxes containing the protected health information (PHI) of approximately 10,000 individuals were strewn about on the floor along with the documents in the boxes.The documents contained demographic, financial, and clinical information, including Explanation of Benefits (EOB) forms from insurance companies, cleared checks, credit card information, balance sheets, end of day reports, some social security numbers, and possibly names and addresses.The CE provided breach notification to HHS, affected individuals, and the media, and posted notification on its website.It also offered one year of free credit monitoring.Following the breach, the CE moved its documents to another storage facility with improved safeguards.In addition, the CE destroyed documents pursuant to the state medical record retention laws.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Emdeon" "Business Associate" "Quantity[566, ""People""]" "DateObject[{2014, 9, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Temple University Physicians" "Healthcare Provider" "Quantity[3780, ""People""]" "DateObject[{2014, 9, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "The WellPoint Affiliated Covered Entities" "Health Plan" "Quantity[1464, ""People""]" "DateObject[{2014, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Thomas Cristello, Chiropractor PC" "Healthcare Provider" "Quantity[914, ""People""]" "DateObject[{2014, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) " "Healthcare Provider" "Quantity[789, ""People""]" "DateObject[{2014, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Loss, Theft" "Laptop, Other Portable Electronic Device" "False" "As the result of a burglary, a computer, two laptops, and a camera were stolen from the covered entity (CE), ENT Partners of Texas. These systems contained the electronic protected health information (ePHI) of 659 individuals.The PHI involved in the breach, included variously, names, audiology tests, dates of birth, CT scans, and clinical photographs of skin. The laptops and computer were password protected.The CE notified law enforcement as soon as the break-in was discovered. 
Breach notification was provided to HHS, affected individuals, and the media, and substitute notice was posted on the CE’s website and at the CE’s office. Following the breach, the CE changed the access passwords for ePHI, and the CE’s information technology (IT) provider initiated monitoring to detect whether the stolen laptops are connected to the Internet, so that the IT provider may attempt to remotely erase the breached ePHI. Since the break-in, the CE improved physical security. The CE improved technical safeguards by installing remote wiping software on all laptops and phones and moving patient data software to a password protected and encrypted server. In addition, the CE updated its policies and procedures to prohibit public access on the CE’s wireless network and empty the contents of cameras daily. Following OCR’s investigation, the CE implemented a process for tracking security incidents and updating electronic systems." "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Bon Secours Kentucky" "Healthcare Provider" "Quantity[697, ""People""]" "DateObject[{2014, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "The covered entity (CE), Bon Secours Kentucky, discovered suspicious activity on its billing software from the user account of a former employee. The CE found it had not properly deactivated access, putting at risk the demographic and clinical information of 697 individuals. The CE provided breach notification to HHS, affected individuals, and posted substitute notice on its website. Media notice was not performed because the number of affected individuals in each state was less than 500. In response to the breach, the CE revised its access monitoring policy and centralized its access allowance procedures. OCR obtained assurances that the CE implemented the corrective actions listed above."
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Valesco Ventures" "Business Associate" "Quantity[82601, ""People""]" "DateObject[{2014, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Wm. Jennings Bryan Dorn VA Medical Center" "Healthcare Provider" "Quantity[3637, ""People""]" "DateObject[{2014, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Kmart Corporation" "Healthcare Provider" "Quantity[1866, ""People""]" "DateObject[{2014, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Printed pharmacy reports containing protected health information (PHI) about patients’ prescriptions were disclosed to an acquaintance of a former pharmacy employee in Sebring, Florida. The PHI involved in the breach included the names, addresses, prescribers, and medications for approximately 1,866 individuals. The CE provided breach notification to HHS, affected individuals, and the media. The CE also contacted law enforcement and reinforced with the pharmacy staff the CE’s HIPAA policies and procedures pertaining to the appropriate use, disclosure, and the safeguarding of PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above."
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Xerox State Healthcare, LLC" "Business Associate" "Quantity[2000000, ""People""]" "DateObject[{2014, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Cedars-Sinai Health System" "Healthcare Provider" "Quantity[33136, ""People""]" "DateObject[{2014, 9, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), Cedars-Sinai Health System, reported that an employee’s unencrypted laptop computer was stolen during a residential burglary.Although the computer was used primarily for troubleshooting pathology software, some electronic protected health information (ePHI) of approximately 33,136 individuals was potentially stored in temporary files on the laptop’s hard drive. The CE terminated the laptop’s remote access capabilities and conducted an internal investigation.Although the CE’s laptops are encrypted as per its policy, the encryption for this laptop was disabled by a helpdesk service provider when providing assistance.The CE provided breach notification to HHS, affected individuals, and the media, and posted notice of the incident on its website.The CE has not learned of any identity theft or other misuse of the potentially affected information resulting from this incident.Following OCR’s investigation, the CE updated its policies and procedures related to the storage, transmission and encryption of ePHI, as well as the enforcement of its employees’ adherence to these policies and procedures." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Tampa General Hospital" "Healthcare Provider" "Quantity[675, ""People""]" "DateObject[{2014, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Santa Fe Medical Group" "Healthcare Provider" "Quantity[843, ""People""]" "DateObject[{2014, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "On March 2, 2016, Santa Fe Medical Group/Atrinea Health filed for a Chapter 7 bankruptcy petition and provided OCR documentation of such petition.Under these circumstances Santa Fe Medical Group/Atrinea Health is no longer a covered entity and is not subject to the requirements of HIPAA." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Emdeon" "Business Associate" "Quantity[800, ""People""]" "DateObject[{2014, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "South Suburban HIV/AIDS Regional Clinics" "Business Associate" "Quantity[767, ""People""]" "DateObject[{2014, 9, 17}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "New Mexico VA Health Care System" "Healthcare Provider" "Quantity[2657, ""People""]" "DateObject[{2014, 9, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Research Integrity, LLC" "Business Associate" "Quantity[4077, ""People""]" "DateObject[{2014, 9, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", 
""UnitedStates""}]" "Madison Street Provider Network" "Healthcare Provider" "Quantity[523, ""People""]" "DateObject[{2014, 9, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Compassionate Care Hospice of Central Louisiana, LLC" "Healthcare Provider" "Quantity[707, ""People""]" "DateObject[{2014, 9, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other" "False" "Ten encrypted laptop computers and one external hard drive containing the electronic protected health information (ePHI) of approximately 707 individuals were stolen from the covered entity (CE), Compassionate Care Hospice of Central Louisiana.The laptops contained two reports. The first report listed the names, ages, admitting and discharge dates, location, medication class and other items related to 120 patients. The second report contained the names of 97 patients. The hard drive contained one file, a bereavement report listing the names, addresses, phone numbers and date of death of deceased patients. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE remotely wiped the stolen laptops. Additionally, it inventoried and assessed devices and equipment containing ePHI and brought them into compliance with the CE’s policies, including encryption requirements. OCR obtained a copy of the CE's current risk analysis and risk management plan with evidence of implementation for security measures, including evidence of security measures to reduce the risk of computer theft." "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "American Family Care, Inc." 
"Healthcare Provider" "Quantity[2588, ""People""]" "DateObject[{2014, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On July 17, 2014, two password-protected, unencrypted laptop computers belonging to the covered entity (CE), American Family Care, were stolen from an employee’s vehicle while he was on business travel.The laptops contained the electronic protected health information (ePHI) of 2,500 individuals, and included different types of data for different individuals, such as patients’ names, dates of visits, patient identification numbers, social security numbers, dates of birth, and specific health information.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE contacted the local police department and conducted an internal investigation.The CE also revised its HIPAA policies and procedures, retrained its workforce, and encrypted all of its laptops." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "U.S. Health Holdings, Ltd. 
o/b/o Macomb County, Michigan" "Health Plan" "Quantity[6302, ""People""]" "DateObject[{2014, 10, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Mount Sinai Beth Israel" "Healthcare Provider" "Quantity[10793, ""People""]" "DateObject[{2014, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Touchstone Medical Imaging, LLC" "Healthcare Provider" "Quantity[307528, ""People""]" "DateObject[{2014, 10, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Albertina Kerr Centers" "Healthcare Provider" "Quantity[1320, ""People""]" "DateObject[{2014, 10, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Thieves took two notebook computers belonging to the covered entity (CE), Albertina Kerr Centers, which contained the electronic protected health information (ePHI) of 1,320 patients.The CE reported the burglary to the local law enforcement, but neither computer was recovered.The computers were encrypted, but certain cache files for email were unencrypted.The types of ePHI involved in the breach included names, addresses, dates of birth, social security numbers, phone numbers, medications, and treatments.The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website.To prevent a similar breach from happening in the future, the CE enhanced mobile device security and encryption, improved the physical security of its facility, revised its policies and procedures, and retrained its workforce members.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Vcarve LLC d/b/a MD Manage" "Business Associate" "Quantity[585, ""People""]" "DateObject[{2014, 10, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "VARO Healthcare" "Business Associate" "Quantity[1667, ""People""]" "DateObject[{2014, 10, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "vonica chau DDS PA" "Healthcare Provider" "Quantity[810, ""People""]" "Failure[""ConnectionFailure"", <|""MessageTemplate"" :> Interpreter::noconnection, ""MessageParameters"" -> <|""Input"" -> ""10/08/2014""|>, ""Input"" -> ""10/08/2014"", ""Type"" -> ""Date""|>]" "Theft" "Desktop Computer" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California Davis Medical Center" "Healthcare Provider" "Quantity[1326, ""People""]" "Failure[""ConnectionFailure"", <|""MessageTemplate"" :> Interpreter::noconnection, ""MessageParameters"" -> <|""Input"" -> ""10/08/2014""|>, ""Input"" -> ""10/08/2014"", ""Type"" -> ""Date""|>]" "Hacking/IT Incident" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "South Texas Veterans Health Care System" "Healthcare Provider" "Quantity[4000, ""People""]" "DateObject[{2014, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), South Texas Veterans Health Care System, incorrectly mailed 2,000 letters with another veteran’s protected health information (PHI) printed on the other side. 
The types of PHI involved in the breach included patients’ names, addresses, and medication information.The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR’s investigation, the CE updated its procedures for fulfilling mailing requests and issued a memorandum to the print shop staff with the revised procedures and forms. " "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Cone Health Medical Group" "Healthcare Provider" "Quantity[1872, ""People""]" "DateObject[{2014, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities" "Healthcare Provider" "Quantity[3397, ""People""]" "DateObject[{2014, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "NYU Urology Associates" "Healthcare Provider" "Quantity[835, ""People""]" "DateObject[{2014, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Colorado Department of Health Care Policy & Financing" "Health Plan" "Quantity[15380, ""People""]" "DateObject[{2014, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "M&M Computer Services" "Business Associate" "Quantity[4500, ""People""]" "DateObject[{2014, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "New York City Health & Hospitals Corporation" 
"Healthcare Provider" "Quantity[10058, ""People""]" "DateObject[{2014, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Southwest Virginia Physicians for Women" "Healthcare Provider" "Quantity[568, ""People""]" "DateObject[{2014, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Theft, Unauthorized Access/Disclosure" "Paper/Films" "False" "An employee’s husband, who was also a contractor of the covered entity (CE), Southwest Virginia Physicians for Women, stole protected health information (PHI) from its office, obtaining access to paper charts and other records. The PHI involved in the breach included clinical information affecting approximately 568 individuals.The CE, with the help of the Virginia State Police, retrieved the PHI the day after it was stolen.The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website.Following the breach, the CE transitioned from paper to electronic charts and updated its login, logoff, and password policies and procedures for authorized users of its online record management system.The CE also updated its policies regarding required business associate agreements.As a result of OCR’s investigation, the CE completed a risk analysis, implemented new physical security procedures, and retrained its staff regarding the changes" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "City of Dallas Fire-Rescue Department" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2014, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Multiple laptop computers containing EKG strips were lost, stolen, or unaccounted for from the covered entity (CE), City of Dallas Fire-Rescue Department.The electronic protected health information (ePHI) on the laptops included EKG strips in addition to the names, 
addresses, medical history, diagnoses, dates of birth, and the social security numbers of approximately 1,000 individuals.Upon discovering the breach, the CE formed a breach assessment team to review and address investigation findings.The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security to address deficiencies within its system.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Graybill Medical Group" "Healthcare Provider" "Quantity[1863, ""People""]" "DateObject[{2014, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "A group of x-rays of poor quality were placed in the covered entity’s (CE) trash container for destruction. The cleaning personnel mistook the x-rays for regular trash and disposed of them in the usual manner. The CE, Graybill Medical Center, initiated an immediate search but the x-rays had already been taken to the landfill.The breach occurred on September 9, 2014, and affected 1,863 patients. The protected health information (PHI) contained patients’ names, addresses, dates of birth, physician/medical provider information, and, possibly, images of some areas of patients’ bodies.The CE provided breach notification to HHS, affected individuals and the media, and offered credit monitoring. Following the breach, the CE improved safeguards by ordering locked bins for x-rays that are to be destroyed, ordering covers for the PHI being transported, and implementing procedures requiring x-rays to be recycled weekly so as to more easily distinguish them from regular trash.The CE also retrained its workforce on its HIPAA policies.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "MD Manage (Vcarve LLC)" "Business Associate" "Quantity[35357, ""People""]" "DateObject[{2014, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Seven Counties Services, Inc." "Healthcare Provider" "Quantity[727, ""People""]" "DateObject[{2014, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal, Unauthorized Access/Disclosure" "Paper/Films" "False" "A former employee mistakenly took home a basket of items, including documents containing the protected health information (PHI) of 727 patients, which were flagged for shredding.The documents were taken to an elementary school with other materials that had been stored at the employee's home for the summer. The PHI included social security numbers, diagnosis codes, guardians’ names and phone numbers, supervisor recommendations concerning treatment, and insurance identification codes.The covered entity (CE), Seven Counties Services, provided breach notification to HHS, affected individuals, and the media, placed a conspicuous notice on its website, and set up a toll free information number.The CE investigated the breach and interviewed all involved individuals.As a result of OCR’s investigation, the CE developed new HIPAA awareness training focused on protecting paper records, revised its HIPAA policies and procedures regarding the disposal of documents containing PHI, and retrained staff on the new policies and procedures. 
" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Quraishi, Nisar A " "Healthcare Provider" "Quantity[20000, ""People""]" "DateObject[{2014, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Tribeca Medical Center, reported that on October 21, 2014, patients’ medical records stored in the CE’s storage shed were stolen.The breach affected potentially 20,000 patients and the protected health information (PHI) included names, addresses, zip codes, telephone numbers, dates of birth, social security numbers, health plan information, diagnoses, medical and clinical histories.The CE provided breach notification to HHS, affected individuals, and the media.As a result of OCR’s investigation, the CE has ceased storing PHI in the storage unit." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Multilingual Psychotherapy Centers, Inc" "Healthcare Provider" "Quantity[3500, ""People""]" "DateObject[{2014, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "An encrypted server was stolen from the covered entity (CE), Multilingual Psychotherapy Centers, Inc., on October 20, 2014, as a result of a break-in.The server contained the protected health information (PHI) of 3,500 individuals and included patients’ names, dates of birth, social security numbers, addresses, and Medicaid ID numbers.The CE provided notice to HHS and individuals whose information was contained in the stolen server.Following this incident, the CE increased its physical safeguards, modified its policies, and developed a plan to train its workforce specifically regarding data security breaches. OCR determined the CE had adequate policies and procedures in place for securing electronic information via encryption.Under OCR’s guidance, the CE provided media notice and altered its procedures to ensure such notification is performed in the event of a breach affecting more than 500 individuals." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Burlington Northern Santa Fe Group Benefits Plan" "Health Plan" "Quantity[507, ""People""]" "DateObject[{2014, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "On October 27, 2014, the covered entity (CE), Burlington Northern Santa Fe Group Benefits Plan, reported a breach when a workforce member that was on a business trip lost an unsecured flash drive that contained employees’ protected health information (PHI).The flash drive contained the demographic and clinical information of 507 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the CE sanctioned the workforce member, revised its policy limiting the ability of employees to transfer PHI to portable devices, installed encryption software, and retrained staff on its privacy and security policies.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Portland VA Medical Center" "Healthcare Provider" "Quantity[1740, ""People""]" "DateObject[{2014, 10, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "An employee of the covered entity (CE), Veterans Health Administration Portland VA Medical Center, took home paper lists of patients’ protected health information (PHI) to work on over the weekend and forgot to return the information.The employee’s husband subsequently found the lists in their garage six months later.The lists included names, social security numbers, provider names, eligibility codes, and diagnostic, clinical and demographic information for about 1,740 individuals.The employee’s husband who found the lists returned the PHI and signed a statement that he made no copies of the documents and that he knew of no others that had viewed the lists.The CE retrained the employee who took the lists home.The CE provided breach notification to HHS, the media, and affected individuals, and offered free credit monitoring for a year.OCR’s investigation confirmed that the CE took the corrective action steps listed and provided substitute notification. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Memorial Healthcare System" "Healthcare Provider" "Quantity[1782, ""People""]" "DateObject[{2014, 10, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Coordinated Health " "Healthcare Provider" "Quantity[13907, ""People""]" "DateObject[{2014, 10, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Jessie Trice Community Health Center, Inc." 
"Healthcare Provider" "Quantity[7888, ""People""]" "DateObject[{2014, 11, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Central Dermatology Center, P.A." "Healthcare Provider" "Quantity[76258, ""People""]" "DateObject[{2014, 11, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Weill Cornell Medical College" "Healthcare Provider" "Quantity[3936, ""People""]" "DateObject[{2014, 11, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Visionworks Inc." "Health Plan" "Quantity[74944, ""People""]" "DateObject[{2014, 11, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Network Server" "False" "The covered entity (CE), Visionworks Inc., mislaid a partially encrypted, decommissioned computer server from its in-store lab in Annapolis, Maryland which was not recovered.The server’s hard drive contained the unencrypted protected health information (PHI) of approximately 74,000 individuals.The PHI on the server contained demographic, financial, and clinical information.Following the breach, the CE fully encrypted all servers at all of their locations and replaced servers.The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring.The CE also sent letters to each State Attorney General and posted information on the CE’s website regarding the server incident.In addition, the CE re-trained workforce members, instituted new training requirements on privacy and security awareness, and provided refresher training on incident management.Following OCR’s investigation, the CE secured servers with cable locks and tested and installed a maximum security system that encrypts all hard drives on 
each server.Additionally, the CE completed a company-wide server inventory and hard drive destruction and performed a physical audit of all servers’ boxes.In addition, the CE created a comprehensive system disposal plan." "Entity[""AdministrativeDivision"", {""SouthDakota"", ""UnitedStates""}]" "Indian Health Service, Aberdeen Area Office" "" "Quantity["""", ""People""]" "DateObject[{2014, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Loi Luu" "Healthcare Provider" "Quantity[13177, ""People""]" "DateObject[{2014, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Iron Mountain" "Business Associate" "Quantity[2691, ""People""]" "DateObject[{2014, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Colorado River Indian Tribes" "Healthcare Provider" "Quantity[1296, ""People""]" "DateObject[{2014, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "REEVE-WOODS EYE CENTER" "Healthcare Provider" "Quantity[30000, ""People""]" "DateObject[{2014, 11, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Brigham and Women's Hospital" "Healthcare Provider" "Quantity[999, ""People""]" "DateObject[{2014, 11, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "An employee of the covered entity (CE), Brigham & Women’s Hospital, had an encrypted laptop and cell phone stolen during an armed robbery and was forced to disclose password and encryption keys during the robbery.The devices contained 
the protected health information (PHI) of 999 individuals. The types of PHI involved in the breach included names, medical records numbers, age, and diagnostic information. In response to OCR’s investigation, the CE initiated a new enterprise wide risk analysis." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Kirkbride Center" "Healthcare Provider" "Quantity[860, ""People""]" "DateObject[{2014, 11, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "In August 2014, an Assistant U.S. Attorney contacted the CE, Kirkbride Center, to advise that an individual was arrested in Florida and would be tried for identity theft. This individual had hard copies of the CE’s daily census reports containing patients’ names, dates of birth, and some social security numbers, affecting approximately 869 individuals. The arrestee was not known to have direct ties to the CE’s facility and was convicted of identity theft. The CE’s internal investigation determined that a rogue employee stole the reports and the CE continued the investigation in hopes of determining which employee was responsible for the theft. The CE provided breach notification to HHS, the media, and affected individuals, and posted notice on its website. The CE also offered affected individuals one year of free identity theft protection. Due to OCR’s investigation, the CE began using a new billing software system, which allows it to revise the daily census report to exclude patients’ dates of birth and social security numbers. Furthermore, the CE revised the report distribution process to limit the distribution of the report to specific unit personnel." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "MetroPlus Health Plan, Inc." 
"Health Plan" "Quantity[31980, ""People""]" "DateObject[{2014, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Baptist Primary Care, Inc." "Healthcare Provider" "Quantity[1449, ""People""]" "DateObject[{2014, 11, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Visionworks Inc." "Health Plan" "Quantity[47683, ""People""]" "DateObject[{2014, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "The covered entity (CE), Visionworks Inc., mislaid a partially encrypted, decommissioned computer server from its in-store lab in Jacksonville, Florida which was not recovered.The server’s hard drive contained the unencrypted protected health information (PHI) of approximately 47,638 individuals.The PHI on the server contained demographic, financial, and clinical information.Following the breach, the CE fully encrypted all servers at all of their locations and replaced servers.The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring.The CE also sent letters to each State Attorney General and posted information on the CE’s website regarding the server incident.In addition, the CE re-trained workforce members, instituted new training requirements on privacy and security awareness, and provided refresher training on incident management.Following OCR’s investigation, the CE secured servers with cable locks and tested and installed a maximum security system that encrypts all hard drives on each server.Additionally, the CE completed a company-wide server inventory and hard drive destruction and performed a physical audit of all servers’ boxes.In addition, the CE created a comprehensive system disposal plan." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "True Vision Eyecare" "Healthcare Provider" "Quantity[542, ""People""]" "DateObject[{2014, 11, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A burglar stole two laptop computers from the covered entity’s (CE) office.One of the stolen laptops contained the protected health information (PHI) of 542 individuals that included first and last names and eyeglass prescriptions.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE purchased new laptops that are password protected with automatic shut-off features, and also retrained staff on security.OCR obtained documentation that the CE implemented the corrective actions it took in this matter." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "AdminisTEP" "Business Associate" "Quantity[4469, ""People""]" "DateObject[{2014, 11, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "The covered entity’s (CE) print and mail sorting vendor, Administep, improperly stuffed and mailed letters which contained other enrollees’ names, addresses, subscriber identifications, claims amounts, and service descriptions.The breach affected approximately 4,469 of the CE’s enrollees.The CE provided breach notification to HHS, the media, and affected individuals, and offered individuals free one-year identity theft protection services.In response to the incident, the CE provided evidence that it placed the business associate (BA) responsible for the breach on a corrective action plan which required the BA to complete a documented quality assurance check for each new implementation or modification of a mailing project.This includes administrative sign- offs and ongoing, random audits on a sample of envelopes for each project.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Northfield Hospital & Clinics" "Healthcare Provider" "Quantity[1778, ""People""]" "DateObject[{2014, 11, 25}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Computer Programs and Systems, Inc. " "Business Associate" "Quantity[25764, ""People""]" "DateObject[{2014, 11, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "North Big Horn Hospital" "Healthcare Provider" "Quantity[1607, ""People""]" "DateObject[{2014, 12, 1}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), North Big Horn Hospital, reported that on October 2, 2014, it discovered that an Emergency Department (ED) logbook containing protected health information (PHI) was lost, affecting 1,607 individuals. The logbook contained the demographic and clinical information of patients seen in the ED from May 2012 through October 2013.The CE provided breach notification to HHS, affected individuals, and the media.OCR obtained and reviewed the CE's relevant HIPAA policies and procedures and provided technical assistance. On August 25, 2015, the CE reported that during a recent re-organization it found the reported logbook in a locked office on a shelf behind several binders. Accordingly, OCR has closed the investigation." 
"Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "The Hearing Zone" "Healthcare Provider" "Quantity[623, ""People""]" "DateObject[{2014, 12, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Department of Health" "Healthcare Provider" "Quantity[2477, ""People""]" "DateObject[{2014, 12, 8}, ""Day"", ""Gregorian"", -5.]" "Other" "Email" "False" "An employee of the covered entity (CE), Florida Department of Health, sent an unencrypted email with an attachment containing the electronic protected health information (ePHI) of 2,477 patients to four physicians who were the intended recipients of the email.The ePHI in the attachment included patients’ dates of birth, social security numbers, screening test results, and diagnoses.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE contacted the recipients of the emails and verified that the emails were deleted and that the ePHI was not further used or disclosed.The responsible workforce member submitted her resignation before CE’s investigation was completed.The CE also reviewed its privacy and security policies and procedures and retrained staff.OCR obtained and reviewed copies of the CE’s policies and procedures and documentation of staff training." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "ReachOut Home Care [Case #16687]" "Healthcare Provider" "Quantity[4500, ""People""]" "DateObject[{2014, 12, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan)" "Health Plan" "Quantity[30000, ""People""]" "DateObject[{2014, 12, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Laptop, Network Server" "False" "OCR determined that no breach occurred in this case." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "District Medical Group, Privacy Manager Breach" "Healthcare Provider" "Quantity[616, ""People""]" "DateObject[{2014, 12, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "On December 12, 2014, the covered entity (CE), District Medical Group, reported that when a workforce member used a thumb drive while working from home the contents of the thumb drive became accessible on the Internet.The media device contained the electronic protected health information (ePHI) of approximately 616 individuals.The PHI involved in the breach included names, addresses, social security numbers, transaction amounts and clinical information.The CE provided breach notification to HHS, the affected individuals and the media.The CE revised its policies and procedures and retrained workforce members.OCR obtained assurances that the CE implemented the corrective actions noted above." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Clay County Hospital" "Healthcare Provider" "Quantity[12621, ""People""]" "DateObject[{2014, 12, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "St. 
Mary Mercy Hospital" "Healthcare Provider" "Quantity[1488, ""People""]" "DateObject[{2014, 12, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Missing[""NotAvailable""]" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." "Healthcare Provider" "Quantity[160000, ""People""]" "DateObject[{2014, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Other" "Paper/Films" "False" "The covered entity (CE), Walgreens, mailed patient notification letters to incorrect third parties. The letters included first and last names, addresses, dates of birth, phone numbers, provider names, and details of the vaccines administered and affected approximately 160,000 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and placed notice on its website. Following the breach, the CE resolved issues in its use of the electronic health record (EHR) that were factors in the breach, updated data in the prescriber database and trained its staff on the new requirements. As a result of OCR’s investigation, Walgreens improved safeguards by resolving two issues in its use of the EHR." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Pediatric Gastroenterology Consultants" "Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2014, 12, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "The Corvallis Clinic, P.C." 
"Healthcare Provider" "Quantity[41000, ""People""]" "DateObject[{2014, 12, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A personal laptop computer belonging to an employee of the covered entity (CE), The Corvallis Clinic, P.C., was stolen from the employee’s locked automobile.The stolen laptop contained the electronic protected health information (ePHI) of 41,000 individuals and included patients’ names, addresses, dates of birth, phone numbers, appointment dates, and the names of treating providers.The CE provided the required notifications under the Breach Notification Rule.Following the breach the CE sanctioned the involved employee and implemented network access control software that restricts employees from gaining access to internal network resources using personally owned equipment.OCR’s investigation confirmed that the appropriate notifications were made and that corrective action steps were taken." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mercy Medical Center Redding - Oncology Clinic, Privacy Manager Breach" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2014, 12, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "On December 13, 2014, the covered entity (CE), Mercy Medical Center’s Redding Oncology Clinic, reported that electronic protected health information (ePHI) was accessible on the Internet when its business associate (BA), Write-Type, Inc., left the ePHI on its website.The website contained the ePHI of approximately 616 individuals and included names, addresses, medical record numbers, physicians’ names, and clinical information such as diagnoses, medications, lab reports, and other treatment information.The CE provided breach notification to HHS, affected individuals and the media.The CE revised its policies and procedures.OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Northwestern Memorial HealthCare" "" "Quantity["""", ""People""]" "DateObject[{2014, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Independence Blue Cross and AmeriHealth New Jersey " "Health Plan" "Quantity[12450, ""People""]" "DateObject[{2014, 12, 26}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "Members of the covered entity’s (CE) maintenance team improperly disposed of four boxes of paper records containing the protected health information (PHI) of approximately 12,450 individuals in error during the course of an office move within the building.The trash was collected by the CE’s trash removal vendor the next day and transported to a recycling plant. The PHI involved in the breach included names, addresses, identification numbers (including social security numbers), home phone numbers, physician information, health care plans, and group numbers.The CE was not able to determine whether or not someone at the recycling center may have acquired or viewed the PHI.The CE, Independence Blue Cross, provided breach notification to HHS, the media, and affected individuals.The CE offered all members who had their member identification number compromised one year of free credit monitoring.As a result of OCR’s investigation, the CE revised its policies and procedures for trash disposal, as well as maintenance and disposal of provider reports. The CE also sent a reminder to all associates regarding its policies and procedures for proper handling of paper documents and proper disposal of trash and documents containing PHI.Furthermore, the CE sanctioned the employees responsible for the incident.The CE initiated plans to provide additional staff training on its HIPAA policies and procedures for trash disposal." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Murali Menon, Privacy Manager Breach" "Healthcare Provider" "Quantity["""", ""People""]" "DateObject[{2014, 12, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device, Paper/Films" "False" "The covered entity (CE), Murali Menon and Physicians Skin and Weight Centers , reported that on November 4, 2014, an employee’s password protected laptop computer and external hard drive containing the protected health information (PHI) of 2,855 individuals were stolen from a locked vehicle.The theft was discovered within an hour and police were immediately notified.The types of PHI involved in the breach included demographic, financial and clinical information, including names, addresses, dates of birth, social security numbers, credit card/bank account numbers, claims information, and other treatment information.The CE provided breach notification to HHS, the media, and affected individuals, and provided the affected individuals one year of free credit monitoring.As a result of OCR’s investigation, the CE discontinued all use of external hard drives and encrypted all its laptops within 30 days.Additionally the CE revised its policies regarding the removal of electronic devices from the work site,re-trained staff, and provided OCR with its policies and procedures regarding the administrative, physical, and technical safeguarding of electronic PHI." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "mdINR LLC" "Healthcare Provider" "Quantity[1859, ""People""]" "DateObject[{2015, 1, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "VA Corporate Data Center Operations/Austin Information Technology Center " "Healthcare Provider" "Quantity[7029, ""People""]" "DateObject[{2015, 1, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "The covered entity (CE), Veterans Health Administration, discovered that its public facing telehealth website administered by one of its business associates (BA), AuthentiDate Holding Corporation, potentially impermissibly disclosed the protected health information (PHI) of 7,054 individuals.The types of PHI potentially involved in the breach included names, addresses, birthdates, phone numbers, and VA patient identification numbers of veterans who used the telehealth system.The CE provided breach notification to individuals, HHS, and the media, and also provided credit monitoring to the affected individuals.OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI.Upon discovery of the breach, the CE took steps to enforce the requirements of its BA agreement and determined not to renew the agreement with the identified BA.The CE reported that they are no longer doing business with the identified BA.OCR opened a separate case to review the BA’s compliance with the HIPAA Security Rule. 
" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Saint Louis County Department of Health" "Healthcare Provider" "Quantity[4000, ""People""]" "DateObject[{2015, 1, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email, Network Server" "False" "On November 18, 2014, an employee of the covered entity (CE), Saint Louis County Department of Health, resigned her position and then impermissibly emailed her personal email account a spreadsheet that was used to reconcile bills for medical services provided to the CE's patients.The types of protected health information (PHI) contained in the spreadsheet included the names, social security numbers, and dates of service of approximately 4,000 patients, along with the names of the medical providers.The CE provided breach notification to HHS, affected individuals, and the media, and also filed a police report.The CE terminated the former employee’s access to its patient database and retrained employees on its HIPAA policies and procedures regarding HIPAA.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Aspire Indiana, Inc." 
"Healthcare Provider" "Quantity[43890, ""People""]" "DateObject[{2015, 1, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Henry Ford Health System" "" "Quantity["""", ""People""]" "DateObject[{2015, 1, 9}, ""Day"", ""Gregorian"", -5.]" "Missing[""NotAvailable""]" "" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Children's Eyewear Sight" "Healthcare Provider" "Quantity[1030, ""People""]" "DateObject[{2015, 1, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Tennessee Rural Health Improvement Association" "Health Plan" "Quantity[79000, ""People""]" "DateObject[{2015, 1, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "University Hospitals" "Healthcare Provider" "Quantity[833, ""People""]" "DateObject[{2015, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "National Pain Institute" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2015, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Desktop Computer, Laptop" "False" "From July 13, 2013, to August 13, 2013, the covered entity (CE), National Pain Institute, distributed outdated computers to its employees for their personal use without first deleting all electronic protected health information (ePHI) from the computers. 
The computers contained the PHI of approximately 500 individuals, including names, addresses, dates of birth, diagnoses, and other treatment information. The CE provided breach notification to HHS, affected individuals, and the media. In response to the incident, the CE tracked the computers, repossessed those computers that it was able to locate, and obtained written acknowledgement from the former employees that the PHI from the computers was not used or disclosed to others. In addition, the CE improved safeguards by encrypting all computers, upgrading the malware and software of desktop computers, improving network and email security, improving identity management, and automating and standardizing security for devices containing ePHI. The CE also updated its HIPAA policies and procedures, including a policy for responding to security incidents. OCR obtained assurances that the CE implemented the corrective actions listed. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Rainier Surgical, Incorporated" "Healthcare Provider" "Quantity[4920, ""People""]" "DateObject[{2015, 1, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Rainier Surgical, Inc., after it reported that a file drawer with explanations of benefits containing the protected health information (PHI) of 4,290 individuals was stolen from a warehouse. The PHI included names, addresses, dates of birth, health insurance information, explanations of benefits, and in some cases, credit card numbers and social security numbers. Upon discovering the breach, the CE filed a police report. The CE provided substitute notice and media notification in the localities with greater than 500 individuals affected. The CE offered one year of free credit monitoring services to individuals whose social security numbers may have been compromised. Following this breach, the CE retrained employees, reviewed its policies and procedures, and 
began storing some PHI with an on-site third party secure storage vendor. OCR confirmed that the CE took the actions described above." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "St. Peter's Health Partners" "Healthcare Provider" "Quantity[5117, ""People""]" "DateObject[{2015, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Ronald D. Garrett-Roe, MD" "Healthcare Provider" "Quantity[1600, ""People""]" "DateObject[{2015, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "Alleged hackers gained unauthorized access to one or two hard drives on the desktop computers of the covered entity (CE), Dr. Ronald D. Garrett-Roe, affecting approximately 1,600 patients’ protected health information. The CE reported that the hard drive had been removed, all of the files copied, and the hard drive formatted, which caused all of the computer programs, the operating system, and many patient records to be erased. Dr. Garrett-Roe is no longer a covered entity." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Pacific Medical Center " "Healthcare Provider" "Quantity[845, ""People""]" "DateObject[{2015, 1, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "On or about October 15, 2014, during a routine review of workforce members’ use of electronic protected health information (ePHI), the covered entity (CE), California Pacific Medical Center, discovered that a workforce member in the pharmacy department had impermissibly accessed the medical records of 13 coworkers. A subsequent audit showed that from October 2013 to October 2014, the workforce member had impermissibly used the medical records of a total of 845 individuals. 
The ePHI accessed included patient demographics, last four digits of social security numbers, clinical information about diagnoses, clinical notes, physician order information, laboratory and radiological data, and prescription information. OCR verified that the CE applied employee sanctions pursuant to its policy and procedure, provided breach notification to HHS, affected individuals, and the media, and retrained employees on relevant HIPAA policies and procedures. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Diana S. Guth DBA Home Respiratory Care" "Healthcare Provider" "Quantity[1285, ""People""]" "DateObject[{2015, 1, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "David E. Hansen DDS PS " "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2015, 1, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device, Paper/Films" "False" "On January 29, 2015, the covered entity (CE), David E. Hansen DDS PS, reported that a password protected computer back-up disk, 20 encrypted flash drives and 32 paper dental patients' records were stolen during a break-in at the CE’s facility. The media devices contained the electronic protected health information (ePHI) of approximately 2000 individuals. The PHI involved in the breach included patients’ names, diagnoses, medications, and other clinical information. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical security and retrained workforce members. OCR obtained assurances that the CE implemented the corrective actions noted above." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc." 
"Health Plan" "Quantity[630, ""People""]" "DateObject[{2015, 1, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Due to a printing error, patients received appointment reminders containing other patients’ protected health information (PHI).The PHI involved in the breach included the names, medical record numbers, the types of appointments to be scheduled, and provider information for approximately 630 individuals. Following the breach, additional safeguards were implemented to prevent future disclosures.OCR reviewed the covered entity’s policies and procedures to ensure compliance with the Privacy and Security Rules. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Riverside County Regional Medical Center" "Healthcare Provider" "Quantity[7925, ""People""]" "DateObject[{2015, 1, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "North Dallas Urogynecology, PLLC." "Healthcare Provider" "Quantity[678, ""People""]" "DateObject[{2015, 1, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), North Dallas Urogynecology, reported the theft of several items and four unencrypted laptops as a result of a break-in.The incident was immediately reported to the police and an investigation ensued.Approximately 678 patients’ protected health information (PHI) was affected by the breach, which included patient’s names, social security numbers, dates of birth, and lab results.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach the CE increased security within the office and implemented additional physical, technical, and administrative safeguards to ensure the security of electronic PHI. 
All laptops have encryption technology. In addition, all workforce members were trained or retrained concerning the requirements for compliance with the Privacy, Security, and Breach Notification Rules. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "UMass Memorial Medical Group, Inc." "Healthcare Provider" "Quantity[14100, ""People""]" "DateObject[{2015, 1, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Boston Baskin Cancer Foundation" "Healthcare Provider" "Quantity[56694, ""People""]" "DateObject[{2015, 2, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "On December 2, 2014, a Boston Baskin Cancer Foundation employee’s laptop computer and external hard drive were stolen. The external hard drive contained the electronic protected health information (ePHI) of 56,000 individuals and included patients' names, dates of birth, social security numbers, addresses, phone numbers, clinic medical record numbers, and the first and last dates seen by the clinic. The investigation concluded that the ePHI was copied and stored on an unencrypted external hard. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and offered affected individuals complimentary credit monitoring. In response to the breach, the CE deployed software to prevent the downloading of unencrypted documents from computers to portable media. The CE implemented a policy requiring employees to create a passcode for their mobile devices. The CE also revised its risk management policy and established procedures for the removal of hardware and electronic media containing ePHI. After the breach the CE retrained staff and physicians on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "South Sunflower County Hospital" "Healthcare Provider" "Quantity[19000, ""People""]" "DateObject[{2015, 2, 4}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "A local merchant sent a package with shredded documents containing protected health information (PHI) from the covered entity (CE), South Sunflower County Hospital, used as packing material.The PHI included the dates of service, providers’ names, diagnoses, patients’ names, social security numbers, and dates of birth of 19,345 individuals.The CE retrieved the remaining shredded documents and stored them in a locked room with limited access. The CE provided breach notification to HHS, affected individuals, and the media.The CE investigated and modified its policies and procedures.It contracted with a document shredding company to destroy all hospital paper waste containing PHI and initiated a process to convert health records to an electronic format.As a result of the investigation, OCR reviewed the CE’s HIPAA policies and procedures." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Planned Parenthood Southwest Ohio" "Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2015, 2, 5}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "On October 1, 2014, the Covered Entity (CE) mistakenly disposed of binders containing protected health information (PHI).The CE’s archived prescription dispensing logs and waived lab test logs were left in an unlocked closet after business hours and a custodian mistakenly put them in a trash dumpster. 
The following morning, the dumpster was emptied by the trash collector who took it to be buried with other garbage at a landfill that same day. The PHI involved in the incident included the names, dates of birth, lab results, and medications of approximately 5,000 individuals. After the CE filed the breach report, it determined that the incident was a non-reportable breach based on a four-part breach assessment and a low probability that the PHI in the binders had been compromised. The CE stated that its breach filing to OCR was not untimely, but was made in error. The CE conducted an investigation, re-trained all staff regarding its HIPAA policies and procedures, completed on-site HIPAA compliance audits, and implemented a new policy to address bulk trash removal from the health centers. OCR obtained written assurances that the voluntary actions of the CE listed above were taken." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Senior Health Partners, a Healthfirst company" "Health Plan" "Quantity[2772, ""People""]" "DateObject[{2015, 2, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Tomas, Arturo" "Business Associate" "Quantity[680, ""People""]" "DateObject[{2015, 2, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "True" "On February 2, 2014, Arturo D. Tomas, MD LTD's office, the covered entity (CE), discovered that a package containing the protected health information (PHI) of approximately 680 individuals had been lost in the process of shipment to its billing company through the U.S. 
Postal Service (USPS). The PHI included individuals’ names, addresses, phone numbers, dates of birth, referring physician names, medical record numbers, diagnoses, and clinical information. The CE provided notification of the breach to the affected individuals, HHS, and the media. The CE also filed a claim with the USPS regarding the missing package. Following the breach, the CE implemented a new procedure for sending PHI to the billing company that requires PHI to be transmitted either electronically through a secure and encrypted portal or through a third-party mail service with tracking capabilities. Additionally, the CE developed policies and procedures regarding compliance with the Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Haywood County NC" "Healthcare Provider" "Quantity[955, ""People""]" "DateObject[{2015, 2, 9}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "On or around October 31, 2014, a paper accounts receivable report went missing from the covered entity’s (CE) billing office. The report contained the protected health information (PHI) of 955 individuals and included patients’ internal identification numbers, names, clinics visited, and amounts owed. The CE provided breach notification to HHS, affected individuals, and the media, and set up a toll free number answer line and e-mail contact. In response to the incident, the CE conducted an internal investigation and also contacted law enforcement and asked them to investigate. As a result of its investigation, the CE enhanced the physical security for the billing office, provided locked file cabinets, and restricted access to that office. In addition, the CE retrained staff, updated the roles and responsibilities for its HIPAA officer, and reviewed all HIPAA policies and procedures. As part of this investigation, OCR obtained and reviewed the CE’s relevant HIPAA 
policies and procedures and documentation of staff training." "Entity[""AdministrativeDivision"", {""Hawaii"", ""UnitedStates""}]" "Courier Corporation of Hawaii" "Business Associate" "Quantity[2809, ""People""]" "DateObject[{2015, 2, 11}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "Documents containing the protected health information (PHI) of 3,959 Kaiser Permanente patients spilled onto the highway when the business associate (BA), Courier Corporation of Hawaii, transported the covered entity’s (CE) documents to storage. Many but not all of the documents were retrieved from the road. The types of PHI involved in the breach included names, addresses, dates of birth, driver’s license information, social security numbers, and other identifiers. The CE provided breach notification to HHS, affected individuals, and the media, and provided affected individuals with free credit monitoring. To prevent a similar breach from happening in the future, the CE and BA retrained staff on HIPAA requirements, revised policies and procedures, and sanctioned workforce members (including termination). The CE and BA also took steps to mitigate harm. As a result of OCR’s investigation, OCR obtained assurances that the notifications and corrective actions listed above were completed." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Pathway to Hope" "Healthcare Provider" "Quantity[600, ""People""]" "DateObject[{2015, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE), Pathway to Hope, discovered in January 2015, that a former employee emailed the protected health information (PHI) of 600 individuals to her personal email account, before her last day of employment with the CE for the purpose of building her own practice. The types of PHI in the email included the full names, referral sources, insurance information, and general diagnoses/conditions (i.e. 
mental health/substance abuse). The CE provided breach notification to HHS and to affected individuals. Media notice was not required. OCR provided technical assistance to the CE regarding the Privacy, Security and Breach Notification Rules. In response to the breach, the CE counseled workforce members, improved its training program, substantially revised its policies and procedures, hired a compliance officer, and began requiring that employees sign non-compete, non-solicitation confidentiality agreements. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Anthem (Working file)" "Health Plan" "Quantity["""", ""People""]" "DateObject[{2015, 2, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Hunt Regional Medical Partners" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2015, 2, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Vandals broke into a building storing paper protected health information (PHI) for the covered entity (CE), Hunt Regional Medical Partners. The types of PHI involved in the breach included patients' names, addresses, dates of birth, social security numbers, claims information, and patients' chart information. Approximately 3,000 individuals were affected. Upon discovering the breach, the CE filed a police report. The CE provided breach notification to HHS, affected individuals, and the media. The CE improved physical safeguards and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Marketing Clique" "Health Plan" "Quantity[8700, ""People""]" "DateObject[{2015, 2, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Children's National Medical Center" "Healthcare Provider" "Quantity[18000, ""People""]" "DateObject[{2015, 2, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Employees of the covered entity (CE), Children’s National Medical Center (CNMS), responded to phishing emails they believed were legitimate emails.Over 20,000 individuals were affected by the breach which involved demographic, clinical and health insurance information, including a limited number of social security numbers.The CE provided breach notification to HHS, affected individuals, and the media, and offered 12 months of free identity monitoring for those whose social security number was compromised.Following the breach, the CE identified source attacks, remediated accounts, removed exfiltration software, and implemented safeguards to increase firewall protections and inspection of e-mails (monitoring, scanning, and rewriting of embedded Internet addresses). In addition, the CE updated its security policy and retrained employees.OCR obtained assurances that the CE has implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Raymond Mark Turner, M.D." "Healthcare Provider" "Quantity[2153, ""People""]" "DateObject[{2015, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "One unencrypted laptop computer was stolen during business hours while the office of Dr. Robert Mark Turner was in the process of updating and encrypting its computers. 
A file on the stolen laptop contained the electronic protected health information (ePHI) of 2,153 individuals which included names, addresses, dates of birth, social security numbers, driver’s license numbers, health insurance information, and records of medical treatment. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media and provided credit monitoring and identity theft protection to affected individuals. In response to the breach, the CE improved physical safeguards and enhanced technical safeguards by implementing an encryption management program for all computer systems. OCR reviewed the CE's HIPAA risk assessment and provided technical assistance on the required elements of a risk analysis and risk management plan." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St.Vincent Hospital and Health Care Center, Inc." "Healthcare Provider" "Quantity[63325, ""People""]" "DateObject[{2015, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Cathrine Steinborn, DDS" "Healthcare Provider" "Quantity[3224, ""People""]" "DateObject[{2015, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Aventura Hospital and Medical Center" "Healthcare Provider" "Quantity[686, ""People""]" "DateObject[{2015, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Amedisys" "Healthcare Provider" "Quantity[6909, ""People""]" "DateObject[{2015, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record, Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Advance Rehabilitation & 
Consulting LTD" "Healthcare Provider" "Quantity[570, ""People""]" "DateObject[{2015, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "On December 30, 2014, the covered entity (CE), Advance Rehabilitation & Consulting LTD, discovered that a port on one of its servers was publicly accessible to the Internet and allowed an automated botnet attack to the server. Internal investigation revealed that one spreadsheet from 2009 was accessed, but there was no way of knowing if the spreadsheet was viewed. The spreadsheet contained patients' names, diagnoses, dates of visits, account types, and therapists'/physicians' names for 570 patients. In response to the breach, the CE conducted a security risk analysis and improved deficient areas with a detailed risk management plan. The CE provided breach notification to HHS and affected individuals. OCR provided technical assistance regarding media notification and such notification was made. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Georgia Department of Community Health " "Health Plan" "Quantity[557779, ""People""]" "DateObject[{2015, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Georgia Department of Community Health " "Health Plan" "Quantity[355127, ""People""]" "DateObject[{2015, 3, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Clinical Reference Laboratory, Inc." 
"Healthcare Provider" "Quantity[4668, ""People""]" "DateObject[{2015, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Clinical Reference Laboratory, Inc., sent a parcel which was damaged and opened during the mailing process by the United States Postal Services (USPS).The protected health information (PHI) involved in the breach included the names, dates of service, partial social security numbers, and lab test types of approximately 4,668 individuals.The CE provided breach notification to HHS, affected individuals, and the media.Since multiple breach reports have been received involving the same CE and fact pattern, this investigation was consolidated into one investigation." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St. Mary's Health" "Healthcare Provider" "Quantity[3952, ""People""]" "DateObject[{2015, 3, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Mosaic Medical" "Healthcare Provider" "Quantity[2207, ""People""]" "DateObject[{2015, 3, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "An intruder entered the administrative office of the covered entity (CE) through a window.Nothing was stolen; however, the protected health information (PHI) of 2,202 individuals was stored in the office.The PHI involved in the breach included names, medical information, medical insurance information, addresses, phone numbers, and email addresses.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE moved its administrative office to another location with improved physical safeguards.In addition, the CE instructed staff on its procedures for securely storing PHI.OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sharon J. Jones M.D." "Healthcare Provider" "Quantity[1342, ""People""]" "DateObject[{2015, 3, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "OCR opened an investigation of the covered entity (CE), Sharon J. Jones, after it reported a breach of 1,342 patients’ protected health information (PHI) when its office was burglarized on January 8, 2015. The CE immediately reported the incident to local law enforcement. The compromised PHI included a combination of first and last names, dates of birth, addresses, telephone numbers, social security numbers, medical insurance information, medical records, and the last four digits of credit card numbers. The CE provided breach notification to HHS, affected individuals, and the media and provided affected individuals with complimentary identity theft protection for one year. Following the breach the CE improved safeguards for paper PHI, especially after having a second burglary on March 20, 2015, which resulted in another breach that OCR investigated separately. The CE secured a new office lease and moved its operations to a more secure building and location. It drafted a facility security plan and implemented physical security enhancements, such as utilizing interior locks, installing alarms and cameras, and shredding unnecessary paper documents. The CE also updated its policies and procedures and provided additional training to its workforce members. OCR obtained assurances that the CE implemented the corrective action listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Valley COmmunity Healthcare" "Healthcare Provider" "Quantity[1233, ""People""]" "DateObject[{2015, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Indiana State Medical Association" "Health Plan" "Quantity[38351, ""People""]" "DateObject[{2015, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "San Franciso General Hospital and Trauma Center" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2015, 3, 6}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Dr. Anthony T. R. Green DDS" "Healthcare Provider" "Quantity[7448, ""People""]" "DateObject[{2015, 3, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other, Paper/Films" "False" "A self-storage facility in Hollis, New York auctioned off the contents of a unit rented by the covered entity (CE) that contained medical records of 8,636 individuals.Ultimately, many of the records were left unattended in a Home Depot parking lot in Jamaica, New York.The protected health information (PHI) involved in the breach included names, dates of birth, addresses, social security numbers, diagnoses, conditions, lab results, and other treatment information.Following the breach, the CE provided breach notification to HHS, affected individuals, and the media, and provided credit and identity theft services to individuals at no cost. The CE also ended its practice of storing patient files outside of the office and implemented policies and procedures that prohibit business associates from having access to PHI before a business associate agreement is in place.OCR obtained assurances that the CE implemented the corrective actions listed above. 
Additionally, the New York Attorney General and the CE agreed to enter into an Assurance of Discontinuance that requires the CE to take additional corrective actions." "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Virginia Department of Medical Assistance Services (VA-DMAS)" "Health Plan" "Quantity[697586, ""People""]" "DateObject[{2015, 3, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Anthem, Inc. Affiliated Covered Entity" "Health Plan" "Quantity[78800000, ""People""]" "DateObject[{2015, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "EyeCare of Bartlesville" "Healthcare Provider" "Quantity[4000, ""People""]" "DateObject[{2015, 3, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Network Server" "False" "The covered entity’s (CE) database was hacked and held by an outside malware virus.The computer server’s hard drive contained the unencrypted, password protected health information (PHI) of approximately 4,000 individuals.The electronic PHI (ePHI) contained names, addresses, telephone numbers, dates of birth, insurance identification numbers, and diagnosis codes.Since the malware virus was discovered, the CE confirmed that nothing had been copied or removed from the computer, just locked.The CE destroyed the hard drive so that no further access to the hard drive was possible. 
The CE provided breach notification to HHS, affected individuals, and posted notice on its website.In addition, the CE retrained workforce members, and instituted a requirement of quarterly employee privacy and security awareness training.The CE improved safeguards by changing all passwords.Following OCR’s investigation, the CE further improved safeguards by changing anti-virus software, encrypting all information saved to its hard drive, and moving ePHI to a cloud based system. It revised procedures to require weekly computer virus scans and monthly audit reports. It also changed vendors to those that require HIPAA training.Finally, OCR reviewed the CE’s comprehensive risk analysis plan." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Sacred Heart Health System, Inc." "Healthcare Provider" "Quantity[14177, ""People""]" "DateObject[{2015, 3, 16}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "Sacred Heart Health System, Inc.’s business associate (BA), St. Vincent Health, Inc., a third party billing vendor, was subject to an email phishing attack resulting in the exposure of protected health information for 14,177 individuals.This case has been consolidated with an investigation of the BA." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Premera Blue Cross" "Health Plan" "Quantity[11000000, ""People""]" "DateObject[{2015, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Blue Cross Blue Shield of Michigan " "Health Plan" "Quantity[3903, ""People""]" "DateObject[{2015, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Blue Cross Blue Shield of Michigan, after it reported that the protected health information (PHI) of 3,903 of its patients had been stolen for the purposes of identity fraud. 
The types of PHI disclosed included names, ages, genders, dates of birth, contract numbers, group names and numbers, and social security numbers. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, the CE improved safeguards by masking social security numbers, removing members’ dates of birth, limiting search results to 25 records, and installing new printing devices that require employees to scan their coded badges when printing. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Advantage Consolidated LLC" "Healthcare Provider" "Quantity[151626, ""People""]" "DateObject[{2015, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Career Education Corporation" "Health Plan" "Quantity[2743, ""People""]" "DateObject[{2015, 3, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Kane Hall Barry Neurology" "Healthcare Provider" "Quantity[600, ""People""]" "DateObject[{2015, 3, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), Kane Hall Barry Neurology, reported that on January 20, 2015, an unencrypted laptop computer that contained the protected health information (PHI) of 600 patients was stolen out of a workforce member’s car. The PHI included patients' names, addresses, dates of birth, diagnoses, conditions, and medications. As a result of this breach, the CE improved technical safeguards for its laptop computers and other software devices containing PHI to ensure they are encrypted and password protected. In addition, the CE implemented new policies and trained workforce members on the requirements of HIPAA. The CE provided breach notification to HHS, affected individuals, and the media. It 
also offered one year of free identity theft protection to affected individuals and established a toll free breach helpline.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Community Health Network" "Healthcare Provider" "Quantity[650, ""People""]" "DateObject[{2015, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "On February 2, 2015, the covered entity (CE) learned that one of its facilities was unable to locate a binder containing point-of-care test results. The missing binder was never found.The binder contained the protected health information of approximately 650 individuals.The types of protected health information involved in the breach included names, dates of service, test types, test results, and possibly dates of birth. The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE retrained its staff, implemented a new quality control log, and instructed medical practices to store information in its electronic medical record.OCR obtained assurances the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Hospital" "Healthcare Provider" "Quantity[8700, ""People""]" "DateObject[{2015, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Law enforcement discovered paper records belonging to the covered entity (CE), Florida Hospital, during the course of an investigation.An internal investigation revealed that two employees had been accessing and printing records in excess of their job duties.The protected health information (PHI) involved in the breach included demographic data (including social security numbers), clinical information, and health insurance information affecting 8,816 individuals. 
The CE provided breach notification to HHS, affected individuals, and the media, and posted notice on its website. In response to the breach, the CE retrained its staff and began the process of masking social security numbers and eliminating the need to print facesheets.OCR obtained assurances that the CE implemented the corrective actions listed above.The CE also terminated the employees involved in the breach." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Mount Sinai Medical Center" "Healthcare Provider" "Quantity[1406, ""People""]" "DateObject[{2015, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Mt. Sinai, discovered that an employee was printing paper face sheets in excess of her job duties for an illicit purpose.The face sheets contained the demographic and clinical information of 1,406 individuals.The CE provided breach notification to HHS, affected individuals, and the media.In response to the breach, the CE altered its policies to limit the users allowed to print face sheets. In addition, the CE retrained its workforce and disseminated educational material.OCR obtained assurances that the CE implemented the corrective actions listed.The CE also terminated the employment of the involved employee." 
"Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Life Care Center of Attleboro" "Healthcare Provider" "Quantity[2473, ""People""]" "DateObject[{2015, 3, 20}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "AT&T Group Health Plan" "Health Plan" "Quantity[50000, ""People""]" "DateObject[{2015, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Freelancers Insurance Company" "Health Plan" "Quantity[43068, ""People""]" "DateObject[{2015, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Pediatric Associates" "Healthcare Provider" "Quantity[627, ""People""]" "DateObject[{2015, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Pediatric Associates, discovered that a binder containing paper logs of patient record releases was missing on January 24, 2015.After a search and investigation, the CE determined that most likely the binder was unintentionally discarded. The types of protected health information (PHI) contained in the logs included patients' names, internal chart numbers, recipients of releases, and explanations for the record release (i.e. “parent requested”).The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE changed its procedures to require that record releases be logged electronically.The CE archived or shredded all paper record release logs.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "McDermott Will & Emery LLP is the plan sponsor for the McDermott medical plan" "Health Plan" "Quantity[880, ""People""]" "DateObject[{2015, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "7-Eleven, Inc. Comprehensive Welfare Benefits Plan No. 525" "Health Plan" "Quantity[1688, ""People""]" "DateObject[{2015, 3, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "New" "Health Plan" "Quantity[500, ""People""]" "DateObject[{2015, 3, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Electronic Medical Record, Email, Network Server" "False" "Entity is not covered by HIPAA. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Project Vida Health Center" "Healthcare Provider" "Quantity[7700, ""People""]" "DateObject[{2015, 3, 27}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "Encrypted servers containing the electronic protected health information (ePHI) of approximately 7,7A0 individuals were stolen from the covered entity's (CE), Project Vida Health Center facility.The thieves by-passed the locks and the sensors to the facility's security system by entering through a window that was secured withsteel bars.The ePHI included patients' names, dates of birth, social security numbers, addresses, and zip codes. The CE provided breach notification to HHS, affected individuals and the media.Notices to the public were provided in English and Spanish. Following the breach incident, the CE transitioned from a server based systems to a cloud hosted system. The CE demonstrated that it immediately acted to recover data for the purpose of business continuity. 
The CE provided documentation of the new security measures implemented to sufficiently reduce the risks and vulnerabilities to ePHI. In addition the CE encrypted data and implemented access controls on its information systems.OCR obtained assurances that the CE implemented the corrective actions listed above." "Missing[""NoInput""]" "Triple S Advantage, Inc" "Health Plan" "Quantity[1458, ""People""]" "DateObject[{2015, 3, 31}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries, Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. 
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries.TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;Use or Disclosure of more PHI than was necessary to carry out mailings;Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; andFailure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:A risk analysis and a risk management plan;A process to evaluate and address any environmental or operational changes that affect the 
security of the ePHI it holds; Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "VA Eastern Colorado Health Care System(ECHCS)" "Healthcare Provider" "Quantity[508, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Cigna-HealthSpring" "Health Plan" "Quantity[862, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Cigna-HealthSpring, discovered that on January 30, 2015, an employee accidentally mislabeled envelopes containing health risk assessment surveys which were mailed to 862 patients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE created new procedures for mailings and provided training to staff members. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Schaeffler Group USA" "Health Plan" "Quantity[550, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "PIH Health Hospital - Whittier" "Healthcare Provider" "Quantity[826, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "Documents containing the protected health information (PHI) of 826 PIH Health Hospital patients were stolen from a resident doctor’s private vehicle. 
The PHI involved in the breach included names, dates of birth, diagnoses, primary providers, hospital units, and assigned nurses' names. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the doctor responsible for the breach, trained all residents, developed a new policy prohibiting residents from taking PHI off-campus, and developed signage reminding residents of the new policy. OCR obtained written assurances of breach notifications provided and corrective actions taken." "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "CDC/NIOSH World Trade Center Health Program (WTCHP)" "Health Plan" "Quantity[958, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On February 5, 2015, a remittance advice report containing the health services and financial information of approximately 958 individuals was ripped open while at the U.S. postal office, improperly disclosing the individuals’ protected health information (PHI), including patients’ names, member numbers, services rendered, dates of service, and provider information. The postal office rewrapped the remaining pages from the package, and delivered them to a business associate (BA) of the covered entity (CE), World Trade Center Health Program, to which they were addressed. The CE provided breach notification to HHS and affected individuals, but no media notice was required due to the geographic locations of the affected individuals. In response to the breach, the CE revised its HIPAA training program. Additionally, National Government Services, the BA that sent the mailing on behalf of the CE, revised its mailing processes and procedures by using only non-tear envelopes or boxes for future mailings. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "City of Philadelphia Fire Department Emergency Medical Services Unit" "Healthcare Provider" "Quantity[81463, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Paper/Films" "False" "In 2012 a rogue employee of the covered entity’s (CE) business associate (BA), Intermedix (dba Advanced Data Processing, Inc.), improperly accessed and disclosed the account information of individuals served by 27 ambulance agencies in 17 states.The CE was initially notified that none of its data was involved; however, on February 3, 2015, the CE was notified by law enforcement in Opa-Locka, Florida that a sheet of paper containing account information regarding the CE’s services was found on a person arrested on that date.Following the 2015 notification, the BA’s investigation confirmed 34 known disclosures, 746 likely disclosures and 80,684 individuals’ protected health information (PHI) that was at risk of disclosure.The types of PHI involved in the breach included demographic information, social security numbers, and health insurance information.The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website.The BA offered 36 months of free credit monitoring and fraud resolution services.Following the breach, the BA created an information security team within its Compliance Department, integrated new security measures into its billing system, and developed a new user interface placing further restrictions on employees based on specific job roles.The CE revised the BA agreement.OCR also obtained assurances that the BA implemented the corrective measured listed above." 
"Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Western Montana Clinic" "Healthcare Provider" "Quantity[7038, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Tulare County Health & Human Services Agency" "Healthcare Provider" "Quantity[845, ""People""]" "DateObject[{2015, 4, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE) reported a breach of 845 individuals’ electronic protected health information (e-PHI), as a result of a workforce member e-mailing information regarding logging into CE’s health care portal, without blind copying the patients, and encrypting the e-mails. This action, or lack thereof, left every patient’s e-mail address exposed. The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE improved safeguards by changing and strengthening password requirements, disabling all patients’ health portal accounts, and implementing new technical safeguards.In addition, the CE required all affected patients to re-register with its online portal, and revised and implemented new policies and procedures.The CE sanctioned the workforce members involved and re-trained the entire workforce.OCR provided technical assistance regarding the HIPAA Security Rule and obtained documented assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Children's Heart Center" "Healthcare Provider" "Quantity[8791, ""People""]" "DateObject[{2015, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Plan sponsored by Covenant Ministries of Benevolance" "Health Plan" "Quantity[782, ""People""]" "DateObject[{2015, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "SUPERVALU Group Health Plan" "Health Plan" "Quantity[10946, ""People""]" "DateObject[{2015, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Elizabeth Kerner, M.D." "Healthcare Provider" "Quantity[873, ""People""]" "DateObject[{2015, 4, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity's (CE) staff member sent an email that contained a list of names and email addresses for 873 patients to an unintended recipient.The recipient informed the CE that he had received the information. The types of protected health information (PHI) involved in the breach included patients’ names and email addresses.The CE provided breach notification to HHS, affected individuals, and the media.Following the incident, the intended recipient, a web designer, changed his email address.The CE implemented an encryption policy and re-trained workforce members.The CE provided OCR with a copy of its encryption policy and OCR determined that it complied with the Security Rule." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Allina Health" "Healthcare Provider" "Quantity[838, ""People""]" "DateObject[{2015, 4, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Allina Health, erroneously mailed a number of letters to patients about preventative screenings which resulted in individuals receiving a letter and a screening sample collection kit at their address, but labeled with another individual’s name.Two business associate (BA) vendors were also involved in processing the mailing.The breach affected approximately 838 individuals and the protected health information (PH)I involved in the breach included individuals’ name.Following the breach, the CE immediately ceased mailing preventative screening kits until it was able to complete an investigation to determine the root cause of the breach, which included reviewing its business associate’s practices regarding the mailing of the screening kits to ensure it had quality control processes in place and were appropriately followed.The CE also initiated and implemented its incident system to timely and effectively manage the investigation, patient notification, and risk mitigation.The CE provided breach notification to HHS, affected individuals, media outlets, and a Minnesota state senator.The CE engaged an outside vendor to mail the individual notifications and establish a call center to accommodate any patient inquiries.The CE also implemented a new workflow in its mailing processes to reduce the number of manual steps and incorporated an additional quality check so as to reduce the potential for error and to ensure the accuracy of mailing lists.The CE also retrained its employees on safeguarding PHI when mailing correspondence, and verified that its employees received the training.OCR obtained documentation evidencing that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "ADT LLC Group Health & Welfare Plan" "Health Plan" "Quantity[3074, ""People""]" "DateObject[{2015, 4, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "International Union of Operating Engineers Local Unions 181, 320 & TVA Health and Welfare Trust Fund" "Health Plan" "Quantity[5440, ""People""]" "DateObject[{2015, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Denton County Health Department" "Healthcare Provider" "Quantity[874, ""People""]" "DateObject[{2015, 4, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "St.Vincent Medical Group, Inc." "Healthcare Provider" "Quantity[756, ""People""]" "DateObject[{2015, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "New York State Office of Mental Health Nathan S. 
Kline Institute for Psychiatric Research" "Healthcare Provider" "Quantity[563, ""People""]" "DateObject[{2015, 4, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Suburban Lung Associates" "Healthcare Provider" "Quantity[2984, ""People""]" "DateObject[{2015, 4, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Concordia Plan Services on behalf of the Concordia Health Plan" "Health Plan" "Quantity[12500, ""People""]" "DateObject[{2015, 4, 16}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "American Sleep Medicine" "Healthcare Provider" "Quantity[1787, ""People""]" "DateObject[{2015, 4, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Jersey City Medical Center" "Healthcare Provider" "Quantity[1447, ""People""]" "DateObject[{2015, 4, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Missing[""NoInput""]" "Puerto Rico Department of Heatlh - Medicaid Program" "Health Plan" "Quantity[500, ""People""]" "DateObject[{2015, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "CompuNet Clinical Laboratories" "Healthcare Provider" "Quantity[2584, ""People""]" "DateObject[{2015, 4, 23}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "On March 17, 2015, the covered entity (CE) learned that a box containing health insurance claim forms was damaged by a Federal Express (FedEx) hub in Memphis, Tennessee. 
The protected health information (PHI) involved in the breach included the names, addresses, dates of birth, genders, diagnosis codes, procedure codes, insurance identification numbers, and some social security numbers of 2,584 individuals. Through retained legal counsel the CE investigated the incident to determine what and how many forms were missing, and to retrieve as many missing forms as possible. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of credit protection to affected individuals. Additionally, the CE decreased the size of batch mailings to limit the potential size of a data breach associated with a lost or damaged box. OCR obtained assurances that the corrective actions were taken." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Saint Agnes Health Care, Inc." "Healthcare Provider" "Quantity[24967, ""People""]" "DateObject[{2015, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Seton Family of Hospitals" "Healthcare Provider" "Quantity[39000, ""People""]" "DateObject[{2015, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Wellmont Health System" "Healthcare Provider" "Quantity[1726, ""People""]" "DateObject[{2015, 4, 24}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other, Paper/Films" "False" "On March 1, 2015, the covered entity (CE), Wellmont Health System, discovered that one of its employees had disposed of hand-written notes containing protected health information (PHI) for 1,726 individuals at a local recycling center. The types of PHI involved in the breach included demographic and clinical information. The employee voluntarily resigned from her position. The CE provided breach notification to HHS, to affected individuals, to the media, and on its website.
In response to the breach, the CE retrained its workforce to emphasize the importance of safeguarding and properly disposing of PHI. In addition, the CE reported that employees now utilize laptops and other mobile devices to create notes in patient records, making paper notes virtually nonexistent. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Community Mercy Health Partners" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2015, 4, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "An individual was accidentally sent the invoices of numerous patients of the covered entity (CE) due to human error after guarantor information on an institutional account was inadvertently changed to an individual patient. The protected health information (PHI) involved in the breach included the demographic, financial, and clinical information of 1,999 individuals. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a future similar occurrence, the covered entity re-educated its patient access/registration staff and began revising processes for institutional payers. OCR reviewed the CE’s relevant HIPAA policies and procedures and obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "CEMEX, Inc." "Health Plan" "Quantity[880, ""People""]" "DateObject[{2015, 4, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Clinical Reference Laboratory, Inc." "Healthcare Provider" "Quantity[864, ""People""]" "DateObject[{2015, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Clinical Reference Laboratory, Inc.
sent a parcel to Massachusetts Mutual Life that was opened and damaged during the mailing process by the United States Postal Services (USPS). The damaged parcel contained the protected health information (PHI) of approximately 864 individuals, including names, partial and full social security numbers, dates of birth, and clinical test codes. OCR received two other breach reports from the CE which involved the same or similar fact patterns as the breach report for this case. OCR consolidated these investigations into one breach compliance review. The CE investigated the breaches and concluded that the likelihood of misuse or further disclosure of the PHI was remote since the USPS confirmed that all unmatched pages were segregated and shredded. The CE provided breach notification to HHS, affected individuals, and notified appropriate authorities required by each jurisdiction that included an affected individual. The CE also offered affected individuals a free two-year subscription to credit monitoring services and credit report controls. Following the breach, the CE appointed a new privacy officer, who was required to complete HIPAA training, and verified that its workforce received HIPAA-related training. The CE also implemented a new breach reporting procedure and initiated the implementation of a secure online portal for clients to obtain PHI electronically. OCR obtained documentation evidencing that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "University of Illinois at Chicago" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2015, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A physician’s assigned laptop computer containing the electronic protected health information (ePHI) of approximately 3,000 individuals was stolen. The type of ePHI involved in the breach included diagnoses and conditions of the individuals.
The covered entity (CE) provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE updated relevant HIPAA policies, including encryption, to ensure the safeguarding of ePHI and sanctioned the physician involved. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also notified the deans and directors of all the CE’s healthcare components of the corrective actions taken in response to this incident." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Consolidated Tribal Health Project, Inc. " "Healthcare Provider" "Quantity[4885, ""People""]" "DateObject[{2015, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Bellevue Hospital Center" "Healthcare Provider" "Quantity[3334, ""People""]" "DateObject[{2015, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Jacobi Medical Center" "Healthcare Provider" "Quantity[90060, ""People""]" "DateObject[{2015, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of Los Angeles " "Healthcare Provider" "Quantity[880, ""People""]" "DateObject[{2015, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), County of Los Angeles, reported that on April 3, 2015, during the execution of a search warrant at the home of an individual who was employed at the County Department of Health Services (DHS) LAC+USC Medical Center, Hawkins Mental Health Center (Hawkins), in a matter unrelated to County business, law enforcement discovered and seized items that contained
confidential patient information for approximately 880 Hawkins patients, treated between 2011 and 2015. The types of protected health information (PHI) involved in the breach included financial, demographic, and clinical information. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned the involved employee and terminated the employee’s electronic and information technology access, as well as physical access to DHS’ systems. DHS provided in-service HIPAA training to Hawkins’ staff. OCR obtained assurances that the CE implemented the corrective actions listed. The employee resigned following the breach incident." "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Partners HealthCare System, Inc." "Healthcare Provider" "Quantity[3321, ""People""]" "DateObject[{2015, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." "Healthcare Provider" "Quantity[1138, ""People""]" "DateObject[{2015, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "On March 4, 2015, the covered entity (CE), Walgreens Pharmacy, reported that it discovered its pharmacy paper log in Stafford, Texas was missing. The approximate number of individuals affected by the breach was 1,138. The protected health information (PHI) involved in the breach included patients’ prescription numbers, first and last names, dates of birth, addresses, photo identification types, and the number of individuals who picked up prescriptions. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE re-trained its pharmacy staff and communicated to them the importance of safeguarding patient information. OCR obtained documentation which showed that the CE implemented the corrective actions listed."
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Ventura County Health Care Agency" "Healthcare Provider" "Quantity[1339, ""People""]" "DateObject[{2015, 5, 6}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "The covered entity (CE), Ventura County Health Care Agency, discovered that a backpack containing documents for 1,399 patients was left at an elementary school after it was stolen from an employee’s car.All of the files were intact, and the types of protected health information (PHI) involved in the breach included names, balances owed, and internal account numbers. The CE provided breach notification to HHS, affected individuals, and the media and posted notice on its website,In response to the breach, the CE sanctioned the workforce member in question and retrained staff.The CE also provided OCR with additional documentation, specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation.Additionally, the CE provided OCR with written assurance that it provided refresher reminders to all staff members about its HIPAA Privacy policies and procedures." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Unity Recovery Group, Inc.,Starting Point Detox LLC, Lakeside Treatment Center LLC, Changing Tides Transitional Living LLC, Unity Recovery Center, Inc" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2015, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email, Network Server, Other Portable Electronic Device" "False" "Unity Recovery Group, Inc. 
(Unity) shared patient information with other covered entities for continuation of substance abuse treatment. It erroneously believed this practice to be an impermissible disclosure and filed a breach report with HHS. After OCR determined that no breach had occurred, OCR provided technical assistance to Unity regarding permissible disclosures for treatment purposes, the difference between “consent” and “authorization” under HIPAA, the definition of a breach of protected health information, when notification must be provided, and when notification is not required. Further, Unity and its affiliates permanently closed on December 31, 2015 with no intention to resume future operations in the same legal entity name." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "UPMC" "Healthcare Provider" "Quantity[2259, ""People""]" "DateObject[{2015, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "A business associate (BA) employee disclosed the protected health information (PHI) of approximately 2,259 of the covered entity’s (CE) patients to outside parties. The PHI involved in the breach included names, dates of birth, and social security numbers. Following the breach, the CE terminated its relationship with the BA. OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule.
" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Medical Management, LLC (MML)" "Business Associate" "Quantity[20512, ""People""]" "DateObject[{2015, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "True" "Medical Management LLC provides billing services as a business associate (BA) for more than 30 medical facilities in various states, with BA agreements in place for each covered entity (CE).On March 16, 2015, the IRS notified the BA that one of its employees was involved in an identity theft ring.The employee confessed to the activity and was terminated.The BA determined that, during her employment, the employee had access to 30,556 patient’s records containing protected health information (PHI), including demographic information (names, dates of birth and social security numbers).The BA notified each CE of the breach, established a call center, sent letters to the potentially affected individuals on behalf of its CEs, offered credit monitoring and ID theft protection, sent media notice to 12 newspapers, and notified HHS.In response to the breach, the BA upgraded to an improved billing system with more security controls, masked social security numbers where appropriate, and retrained its staff.In addition, the BA implemented software for tracking and monitoring access and user activity, which is monitored by IT staff, in order to identify any abnormal access.OCR obtained assurances that the BA implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Duke LifePoint Conemaugh Memorial Medical Center" "Healthcare Provider" "Quantity[1551, ""People""]" "DateObject[{2015, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "An employee of the covered entity’s (CE) business associate (BA), Medical Management, LLC (“MML”), disclosed the demographic information of 1,551 of the CE’s patients to outside parties.The protected health information (PHI) involved in the breach included names, dates of birth, and social security numbers.Following the breach, the CE assisted the BA in responding to the breach and notifying affected individuals.Additionally, OCR reviewed the CE’s risk analysis to ensure compliance with the Security Rule" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "The MetroHealth System" "Healthcare Provider" "Quantity[981, ""People""]" "DateObject[{2015, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Aflac" "Health Plan" "Quantity[6166, ""People""]" "DateObject[{2015, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Associated Dentists" "Healthcare Provider" "Quantity[4725, ""People""]" "DateObject[{2015, 5, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Alexian Brothers Medical Center" "Healthcare Provider" "Quantity[632, ""People""]" "DateObject[{2015, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sharon J. Jones, M.D." 
"" "Quantity[1342, ""People""]" "DateObject[{2015, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop, Paper/Films" "True" "A burglar broke into the office of the covered entity (CE) and stole 17 paper patient charts, an unencrypted desktop computer, two unencrypted laptop computers, and one encrypted computer server.The breach affected approximately 1,342 individuals’ protected health information (PHI) and included demographic, financial, and clinical information.The CE provided breach notification to HHS, affected individuals, and the media.It also established a dedicated call center to answer questions related to the incident and offered free credit monitoring to the affected individuals.Following the breach, the CE moved to a more secure locale and completed risk analyses in July 2015 and February 2016. The CE implemented a risk mitigation plan to reflect the current work environment, updated its policies and procedures onmobile devices, enhanced physical security, and trained workforce members on security awareness.OCR provided technical assistance regarding the HIPAA Security Rule and obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Success 4 Kids & Families, Inc." "Healthcare Provider" "Quantity[506, ""People""]" "DateObject[{2015, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On April 5, 2015, a Success 4 Kids & Family employee’s laptop computer was stolen out of his vehicle while parked during non-work hours. The laptop contained the protected health information (PHI) of 506 individuals, and included clients’ names, addresses, dates of birth, social security numbers, and limited treatment-related information. 
The laptop was password protected, but was not encrypted. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. In response to this incident, the CE contracted with an IT vendor to upgrade servers and provide cloud backup service, encrypted all computers, reviewed its policies and procedures, implemented an encryption policy, and trained staff. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "CareFirst BlueCross BlueShield" "Health Plan" "Quantity[1100000, ""People""]" "DateObject[{2015, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Thomas H. Boyd Memorial Hospital" "Healthcare Provider" "Quantity[8300, ""People""]" "DateObject[{2015, 5, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "A facility where the covered entity (CE) had stored its medical records since 1994 was sold to a third party and possession of this property was given to the new owner for five days, unbeknownst to the CE. The protected health information (PHI) involved in the breach included the clinical, demographic and financial information of 8,300 individuals. Upon discovery of the breach, the CE immediately retrieved all records at the facility. There was no evidence that the records were otherwise compromised. The CE provided breach notification to HHS, affected individuals, and the media. The CE retrained employees on its revised policies and procedures, including the proper storage of PHI and distribution of its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed.
" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Beacon Health System" "Healthcare Provider" "Quantity[306789, ""People""]" "DateObject[{2015, 5, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "University of Rochester Medical Center & Affiliates" "Healthcare Provider" "Quantity[3403, ""People""]" "DateObject[{2015, 5, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "BUFFALO HEART GROUP" "Healthcare Provider" "Quantity[567, ""People""]" "DateObject[{2015, 5, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Metropolitan Hospital Center" "Healthcare Provider" "Quantity[3957, ""People""]" "DateObject[{2015, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Oregon's Health CO-OP" "Health Plan" "Quantity[14000, ""People""]" "DateObject[{2015, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A personal laptop belonging to an Oregon Health CO-OP's employee was stolen from his unattended, locked car.The laptop was unencrypted and contained the electronic protected health information (ePHI) of approximately 14,000 individuals.The e-PHI involved in the breach was demographic information and included names, addresses, social security numbers, dates of birth, health plan identification numbers, and health plan numbers.Following the breach, the covered entity (CE) sanctioned the employee, implemented additional technical safeguards to prevent the downloading of e-PHI onto a personal electronic device, and trained its employees on these technical safeguards.OCR provided the CE with technical 
assistance regarding risk analysis and risk management implementation. " "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Rite Aid Corporation" "Healthcare Provider" "Quantity[2345, ""People""]" "DateObject[{2015, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other, Paper/Films" "False" "On April 27, 2015, rioters in Baltimore, MD broke into, vandalized, and looted eight locations of the covered entity (CE), Rite Aid, taking 2,345 filled prescriptions. The “will-call” prescriptions involved in the breach contained patients’ names, addresses, and medication names. The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. All of the vandalized locations, except the one that was burned, have been re-opened with full security restored. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Gallant Risk & Insurance Services, Inc."
"Business Associate" "Quantity[995, ""People""]" "DateObject[{2015, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Lancaster County EMS" "Healthcare Provider" "Quantity[50000, ""People""]" "DateObject[{2015, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Stanislaus Surgical Hospital" "Healthcare Provider" "Quantity[1170, ""People""]" "DateObject[{2015, 6, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Other Portable Electronic Device, Paper/Films" "False" "On April 4, 2015, two paper binders containing the protected health information (PHI) of up to 1,166 individuals were stolen from one of the covered entity’s (CE) facilities along with several other items that did not contain PHI.The type of PHI involved in the breach was financial information.The CE filed a formal police report and police identified two potential suspects. The CE provided breach notification to HHS, affected individuals, and the media and offered credit monitoring to all individuals affected.Following the breach, the CE improved physical security for the facility and the locked file cabinets that contain PHI and updated security procedures for employees’ access to the premises.It also converted its payment system to a paperless, all electronic system and implemented an encryption requirement for all information that is stored on a shared drive.The CE also trained all employees on the changes to its security policies and procedures.OCR obtained assurances that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Fred Finch Youth Center" "Healthcare Provider" "Quantity[6871, ""People""]" "DateObject[{2015, 6, 5}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server, Other" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Truman Medical Center, Incorporated" "Healthcare Provider" "Quantity[503, ""People""]" "DateObject[{2015, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "An employee of the covered entity (CE), Truman Medical Center, found a list of patients on the internet.The list contained names, addresses, and internal identification numbers for 503 of the CE's patients.The CE determined that the list was posted to a file transfer protocol (FTP) site by the public relations department and was a mailing list used to notify patients that a clinic was moving to a new location.The list was available on the internet from September 2012 until March 2015.The CE provided breach notification to HHS, affected individuals and the media, and provided substitute notice on its website.Following the breach, the CE immediately removed and deleted the patient list from FTP site and reviewed the other information posted on the site.The CE improved safeguards by enabling the public relations employees to send encrypted emails and providing instructions on how to use secure email. The CE also required additional training for workforce members in the public relations department.OCR obtained written assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Keystone Pharmacy, Inc." 
"Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2015, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other, Paper/Films" "False" "On April 27, 2015, rioting broke out in Baltimore, MD and the covered entity (CE), Keystone Pharmacy, was broken into, vandalized and looted.Multiple prescriptions and stock bottles of narcotics were taken. About 150 prescription bags containing patient names and the medications were stolen.The types of protected health information (PHI) contained on the prescriptions included names, addresses, and prescription information.The CE provided breach notification to HHS, affected individuals, and the media, and offered credit monitoring.The location was immediately secured.The CE installed a new front door and upgraded the security system.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Physicians' Service d/b/a Blue Shield of California" "Health Plan" "Quantity[843, ""People""]" "DateObject[{2015, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "United Seating and Mobility, LLC d/b/a Numotion" "Healthcare Provider" "Quantity[2722, ""People""]" "DateObject[{2015, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Nevada"", ""UnitedStates""}]" "Implants, Dentures & Dental DBA Half Dental" "Healthcare Provider" "Quantity[12000, ""People""]" "DateObject[{2015, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Laptop, Network Server, Other, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The Department of Aging and Disability Services" "Health Plan" "Quantity[6600, ""People""]" "DateObject[{2015, 6, 11}, ""Day"", ""Gregorian"", 
-5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "National Seating & Mobility, Inc." "Healthcare Provider" "Quantity[9627, ""People""]" "DateObject[{2015, 6, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email, Laptop, Paper/Films" "False" "On April 14, 2015, two unencrypted tablet computers, a smartphone, and a backpack containing paper files were stolen from two company vehicles of the covered entity (CE), National Seating & Mobility, Inc. The breach involved the protected health information (PHI) of 9,627 individuals and included demographic, clinical and financial information. The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. In response to the breach, the CE revised its policies and procedures, encrypted its desktop, laptop and tablet computers and employed remote wiping and tracking technology. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Global Care Delivery, Inc." "Business Associate" "Quantity[18213, ""People""]" "DateObject[{2015, 6, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "Five password-protected, but unencrypted laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System in September 2014. The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained social security numbers), and diagnoses and/or treatment codes related to claims. The BA notified police at the time of the incident, but did not notify the CE until May 11, 2015. The BA retained Knoll, Inc.
to assist with individual notification and provide call center services to answer questions from individuals impacted by the breach. Breach notification was provided to HHS and affected individuals, and the BA offered complimentary one-year identity theft protection services. The business relationship between the CE and BA ended effective May 11, 2015. The BA has closed its business." "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "St. Martin Parish School Based Health Centers" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2015, 6, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record, Laptop" "False" "On June 15, 2015, St. Martin Parish School Based Health Centers reported a breach at one of its clinics, Cecilia School Based Health Center (CSBHS). The covered entity (CE) experienced a breach of protected health information (PHI) affecting 3,000 individuals when four desktop computers, one laptop, a wireless router, and several printers were stolen during an office break-in on April 30, 2016. The types of PHI involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, and procedure codes. The CE provided breach notification to HHS, affected individuals, and the media. As a result of this incident, the CE conducted a post-incident risk analysis and directed staff to change and update all passwords. The CE also remotely disabled the login capability for each computer. The CE improved physical security at the CSBHS facility. In addition, the CE stated that no data is stored locally on its computers. OCR obtained assurances from the CE that it implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California Irvine Medical Center" "Healthcare Provider" "Quantity[4859, ""People""]" "DateObject[{2015, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Central Brooklyn Medical Group, PC" "Healthcare Provider" "Quantity[4223, ""People""]" "DateObject[{2015, 6, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "Between January 1, 2015 and April 18, 2015, a physician employed by the covered entity (CE), Central Brooklyn Medical Group, PC, impermissibly disclosed the protected health information (PHI) of approximately 500 patients to his former medical assistants via facsimile on multiple occasions.On one occasion, the physician accidentally transposed digits in the intended facsimile number and disclosed the PHI of 88 patients to an unrelated third party.The types of PHI involved in the breach included patients’ names, ages, sex, appointment dates, times and reasons for visits, treating physician’s names, and medical conditions.The CE sent breach notification letters to 4,135 patients who had been scheduled to see the physician in the year prior to the breach because the CE could not identify which specific patients were affected; however, they were most likely within this group.The CE also provided breach notification to HHS and the media.Upon discovery of the breach, the CE confirmed the destruction of any PHI possessed by the unrelated third party and the medical assistant and sanctioned the physician.The CE also retrained its workforce members regarding HIPAA compliance, including the CE’s policy regarding communications via facsimile.OCR obtained assurances that the CE implemented the corrective actions listed above.In addition, the CE reported the physician to the State Office for Professional Medical Conduct." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Heartland Dental, LLC" "Business Associate" "Quantity[2860, ""People""]" "DateObject[{2015, 6, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Episcopal Health Services Inc. d/b/a St. John's Episcopal Hospital" "Healthcare Provider" "Quantity[509, ""People""]" "DateObject[{2015, 6, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "CVS Health" "Healthcare Provider" "Quantity[12914, ""People""]" "DateObject[{2015, 6, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Meritus Medical Center, Inc." "Healthcare Provider" "Quantity[1029, ""People""]" "DateObject[{2015, 6, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "The covered entity (CE), Meritus Medical Center, reported that an audit revealed that a vendors’s employee (from Walgreens pharmacy) accessed the protected health information (PHI) of approximately 1,029 patients without a business need to do so.The types of PHI potentially accessed included demographic information such as names, dates of birth, medical record numbers and, in some instances health insurance information or Medicare identification numbers, as well as clinical information.The CE confirmed that it terminated the employee’s access to the electronic health record (EHR) and escorted the employee from the Meritus campus. 
The CE provided breach notification to HHS, the media, and affected individuals and offered credit monitoring. The CE implemented a new system for implementing technical measures so that the vendor’s employees’ access is limited to a separate system that interfaces with the EHR and pulls only limited patient information specifically related to those patients receiving Walgreens’ services. OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "UPMC Health Plan" "Health Plan" "Quantity[722, ""People""]" "DateObject[{2015, 7, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "An employee of the covered entity (CE), UPMC Health Plan, inadvertently sent an unsecure email with protected health information (PHI) to an incorrect, third-party email address. The breach included the electronic PHI of 722 individuals and included names, dates of birth, member identification numbers, phone numbers, types of insurance, and members' primary care providers. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE retrained staff members. OCR reviewed UPMC Health Plan’s risk analysis to ensure compliance with the Security Rule and obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Orlando Health" "Healthcare Provider" "Quantity[3421, ""People""]" "DateObject[{2015, 7, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "The covered entity (CE), Orlando Health, discovered during audit on May 27, 2015, that an employee was accessing protected health information (PHI) outside the scope of her employment.The PHI contained the names, dates of birth and clinical records of 3,421 individuals.The CE provided breach notification to HHS, affected individuals, and the media and posted substitute notice.In response to the breach, the CE retraining employees. In addition, the CE offered credit monitoring to the affected individuals.OCR obtained assurances that the CE implemented the corrective actions listed above.Additionally,the employee involved in the incident was terminated." "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "University of Oklahoma, Department of Obstetrics and Gynecology" "Healthcare Provider" "Quantity[7693, ""People""]" "DateObject[{2015, 7, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted, password-protected laptop computer was stolen from a resident physician’s car.The laptop contained the electronic protected health information (ePHI) of approximately 7,693 individuals and included patients’ names, dates of birth, medical procedure dates, medications, lab results, admission and discharge dates, treating physicians’ names, and treatment plans.The covered entity (CE), University of Oklahoma, provided breach notification to HHS, affected individuals, and the media.It also offered identity protection services to affected individuals and posted substitute notice on its website.Following the breach, the CE retrained the resident physicians on its encryption policies and procedures and counseled and sanctioned the involved resident.As a result of OCR’s investigation, 
the CE developed a policy on encryption of laptops for all first-year residents. It also instituted a requirement for all first-year residents to disclose all laptops, tablets, and smartphones to be used for the CE’s business and to ensure they are encrypted by the CE’s representatives." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "FireKeepers Casino Hotel" "Health Plan" "Quantity[7666, ""People""]" "DateObject[{2015, 7, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Georgia Department of Human Services" "Health Plan" "Quantity[2983, ""People""]" "DateObject[{2015, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "Georgia Department of Human Services, the covered entity (CE), discovered that on June 8, 2015, an employee emailed a password protected spreadsheet containing protected health information (PHI) to three recipients at a contractor of the CE for research purposes. The contractor was not considered a business associate of the CE. The CE investigated and determined that the spreadsheet contained PHI for 2,983 individuals, including full names, general geographic areas of residence, internal identification numbers, dates of most recent medical assessments, and the diagnoses associated with those assessments. The CE obtained assurances from the recipients that all versions of the spreadsheet and corresponding email chains were deleted and not accessed by anyone else. The CE provided timely breach notification to HHS, affected individuals, and the media. In response to the breach, the CE retrained its workforce, revised its policies and procedures, improved its training program, and implemented additional clearance and approval requirements for the sharing of data. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Massachusetts General Hospital" "Healthcare Provider" "Quantity[648, ""People""]" "DateObject[{2015, 7, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "An employee of the covered entity (CE), Massachusetts General Hospital, sent an unencrypted e-mail to the incorrect e-mail address.The e-mail contained the protected health information (PHI of 648 individuals.The types of PHI involved in the breach included names, dates of birth, medical record number sand social security numbers.Following the breach, the CE sanctioned the employee in question and changed its policy to use a secure storage application instead of e-mail to send PHI.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Integral Health Plan, Inc." "Health Plan" "Quantity[7549, ""People""]" "DateObject[{2015, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Integral Health Plan, Inc., discovered on May 15, 2015, that its business associate (BA), Independent Living Solutions LLC, sent Explanation of Benefits (EOBs) information to incorrect network providers.The EOBs contained patients' names, dates of birth, Medicaid identification numbers (if applicable), and diagnosis and procedure codes, affecting 7,549 individuals.The CE had a BA agreement in place with the BA since July 2013.The CE provided breach notification to HHS,affected individuals, and the media, and also posted notice on its website.In response to the breach, the CE provided additional training material to its BA.In addition, the CE and BA revised payment processes to implement a two-step verification process before material is mailed.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Howard University" "Healthcare Provider" "Quantity[1445, ""People""]" "DateObject[{2015, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On May 6, 2015, business associates (BAs) sent out 1,445 misdirected collection letters on behalf of the covered entity (CE), Howard University Faculty Practice Plan.The types of protected health information (PHI) involved in the breach included names, account numbers, and dates of service.The BAs involved in the CE's collections efforts included California Healthcare Medical Billing, Inc. (“CHMB”) and JP Recovery Services, Inc. (“JPRS”).The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notification on its website.Following the breach, CHMB developed policies and procedures to enhance its quality assurance process for reports containing PHI. The JPRS IT staff worked closely with the CE to ensure that all future placement data files are verified as correct prior to downloading them into the collection system. The CE provided OCR with copies of the BA agreements between the CE and the two BAs.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Amsterdam Nursing Home Corporation (1992)" "Healthcare Provider" "Quantity[621, ""People""]" "DateObject[{2015, 7, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "OCR opened an investigation of the covered entity (CE), Amsterdam Nursing Home Corporation (1992), after it reported that on January 31, 2015, some of its protected health information (PHI) stored at its business associate (BA), Citistorage, LLC, may have been impermissibly disclosed during efforts to extinguish a fire. The incident affected 621 individuals. 
The types of PHI involved in the breach included residents’ names, addresses, dates of birth, health insurance information, social security numbers, and information about health status and treatment. The CE provided breach notification to HHS, affected individuals, and the media and posted a substitute notification on its website. As a result of OCR’s investigation, the CE recorded the impermissible disclosure of the affected individuals’ PHI for accounting of disclosure purposes, reminded the BA of its notification obligations as set forth in the BA agreement, and obtained written assurances from the BA that the BA is in compliance with all relevant building and safety codes. The CE also re-issued HIPAA-compliant breach notification letters to the affected individuals residing in Massachusetts." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Mayo Clinic Health System- Red Wing" "Healthcare Provider" "Quantity[601, ""People""]" "DateObject[{2015, 7, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "On May 18, 2015, an access audit revealed that the covered entity's (CE) employee accessed patients’ electronic medical records beyond the scope of authorized access and assigned job responsibilities. The CE discovered that the unauthorized access dated back to 2009. The breach affected approximately 601 individuals and the types of protected health information (PHI) involved in the breach included patients' diagnoses and medical conditions. The CE provided breach notification to HHS, affected individuals, and the media. During OCR’s investigation, the CE retrained the revenue department in its Red Wing SE Minnesota Region on its privacy rules. OCR obtained written assurances that the CE implemented the corrective action steps listed above." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Maricopa SpecialHealth Care District - Maricopa Integrated Health System" "Healthcare Provider" "Quantity[633, ""People""]" "DateObject[{2015, 7, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "A medical resident lost an unencrypted thumb drive that contained the names, dates of birth, and clinical information or diagnoses of 633 patients selected for a chart review.The covered entity (CE), Maricopa Integrated Health System, provided breach notification to HHS, affected individuals, and the media.In response to the breach, the CE comprehensively reviewed its privacy and security practices and updated its HIPAA policies and procedures.It sanctioned and retrained the medical resident and retrained other workforce members on its HIPAA security procedures.OCR’s investigation resulted in the covered entity improving its HIPAA practices. " "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Arkansas Blue Cross and Blue Shield" "Health Plan" "Quantity[560, ""People""]" "DateObject[{2015, 7, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California, Los Angeles Health" "Healthcare Provider" "Quantity[4500000, ""People""]" "DateObject[{2015, 7, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Special Agents Mutual Benefit Association" "Health Plan" "Quantity[1475, ""People""]" "DateObject[{2015, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "OCR closed this investigation and consolidated this review into a compliance review that involves the same hacking incident involving CareFirst BlueCross BlueShield." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Montefiore Medical Center " "Healthcare Provider" "Quantity[12517, ""People""]" "DateObject[{2015, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Medical Informatics Engineering" "Business Associate" "Quantity[3900000, ""People""]" "DateObject[{2015, 7, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "True" "" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Urology Associates, Professional Corporation" "Healthcare Provider" "Quantity[6500, ""People""]" "DateObject[{2015, 7, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Urology Associates, reported that 6,500 individuals were affected by a breach that occurred when unknown individuals broke into a locked storage unit at a secure storage facility where it stored medical records.The boxes containing the medical records had clearly been rifled through, but there was no indication that records were removed.The CE provided breach notification to HHS, affected individuals, and the media.It also provided one year of free credit monitoring to affected individuals.Following the breach, the CE removed the medical records from the storage facility and shredded them after scanning them into a secure encrypted computer database.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Healthfirst Affiliates that include Healthfirst PHSP, Inc., Managed Health, Inc., HF Management Services, LLC, and Senior Health Partners " "Health Plan" "Quantity[5338, ""People""]" "DateObject[{2015, 7, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Advanced Radiology Consultants, LLC" "Healthcare Provider" "Quantity[855, ""People""]" "DateObject[{2015, 7, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "A patient scheduler of the covered entity (CE), Advanced Radiology Consultants, emailed 754 patients’ protected health information (PHI) from her work email account to a personal email account in order to keep a separate record for any performance issues.An additional 100 patients were affected by the breach because the scheduler had access to PHI about them in emails and a USB device (854 total individuals affected).The PHI involved in the breach included patients’ names, dates of birth, phone numbers, account balances, insurance information, treatment and examination information, appointment dates and times, appointment notes, and referring physicians’ information.Following discovery of the breach, the CE sanctioned the workforce member and requested that she delete the PHI she sent to her personal email account.The CE also provided breach notification to HHS, affected individuals, and the media, and provided individuals with credit monitoring services at no cost.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "OhioHealth" "Healthcare Provider" "Quantity[1006, ""People""]" "DateObject[{2015, 7, 24}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "On May 29, 2015, the covered entity (CE), OhioHealth, discovered that an unencrypted portable computer drive (‘thumb drive”) was missing.This breach affected approximately 1,006 individuals.The types of protected health information (PHI) involved in the breach included patients’ names, medical record numbers, names of insurance companies, addresses, dates of birth, physicians’ names, referral and treatment dates, type of procedures, and in certain limited instances, clinical information and social security numbers.The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE sanctioned and retrained the employee who lost the thumb drive, suspended use of thumb drives in the involved department, and retrained employees.The CE also revised its policies on mobile storage device security and usage and on disposition of thumb drives.Additionally, the CE encrypted mobile storage devices and revised and launched annual compliance education for its employees.OCR obtained documentation that the CE implemented the corrective actions steps noted above." 
"Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "The McLean Hospital Corporation" "Healthcare Provider" "Quantity[12673, ""People""]" "DateObject[{2015, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "East Bay Perinatal Medical Associates" "Business Associate" "Quantity[1494, ""People""]" "DateObject[{2015, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop" "True" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Prima CARE, PC" "Healthcare Provider" "Quantity[1651, ""People""]" "DateObject[{2015, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""SouthDakota"", ""UnitedStates""}]" "Sioux Falls VA Health Care System" "Healthcare Provider" "Quantity[1111, ""People""]" "DateObject[{2015, 7, 30}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""SouthDakota"", ""UnitedStates""}]" "Siouxland Anesthesiology, Ltd." "Healthcare Provider" "Quantity[13000, ""People""]" "DateObject[{2015, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "North East Medical Services (NEMS)" "Healthcare Provider" "Quantity[69246, ""People""]" "DateObject[{2015, 7, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Orlantino Dyoco, M.D." 
"Healthcare Provider" "Quantity[9000, ""People""]" "DateObject[{2015, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop" "False" "" "Entity[""AdministrativeDivision"", {""SouthDakota"", ""UnitedStates""}]" "VA Black Hills Health Care System" "Healthcare Provider" "Quantity[1168, ""People""]" "DateObject[{2015, 8, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Veterans Affairs, reported that between May 15 and 17, 2015, paper records containing protected health information (PHI) were left in an outside trash dumpster on its Hot Springs campus.The breach affected 1,168 individuals and involved names, partial and full social security numbers, addresses, and dates of birth.Following the breach, the CE destroyed the records.Although the CE complied with its breach notification requirements, as a result of OCR’s substantial technical assistance, it initiated a revision of its breach notification procedure.The CE also offered credit monitoring to the 980 veterans whose full social security numbers were potentially breached. " "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Lawrence General Hospital" "Healthcare Provider" "Quantity[2071, ""People""]" "DateObject[{2015, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "T.J. 
Samson Community Hospital" "Healthcare Provider" "Quantity[2060, ""People""]" "DateObject[{2015, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE), TJ Samson Community Hospital, discovered that on June 8, 2015, it had sent an advertisement email to 2,060 patients that inadvertently exposed the names and email addresses of the recipients. The CE provided breach notification to HHS, affected individuals, and the media. In response to the breach, the CE drafted a new policy which details the internal use of its patient portal to communicate with patients. It also counseled its marketing staff on disseminating information. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Vermont"", ""UnitedStates""}]" "Max M Bayard MD, PC" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2015, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "Two unencrypted laptops and one portable storage device (thumb drive) were stolen during a burglary on August 5, 2015. They collectively contained the electronic protected health information (ePHI) of 2,154 individuals. The ePHI involved in the breach included names, dates of birth, insurance information, social security numbers, dates of treatment, types of treatment, and diagnoses. Following the breach, the office of Dr. Bayard, the covered entity (CE), notified HHS, the individuals affected by the breach, and the media. The CE provided individuals with identity protection services and credit monitoring services at no cost. As a result of OCR’s investigation, the CE implemented facility access control policies and procedures and installed an office alarm system and four surveillance cameras. The CE also encrypted computer workstations and initiated a requirement for the use of privacy screens and a locked storage room when the equipment is not in use. 
" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Baylor College of Medicine" "Healthcare Provider" "Quantity[1004, ""People""]" "DateObject[{2015, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device, Paper/Films" "False" "A physician’s backpack containing five unencrypted portable data drives and a handwritten notebook with the protected health information (PHI) of approximately 1,004 pediatric patients was stolen from an automobile. The types of PHI involved in the breach included names, dates of birth, hospital medical record numbers, types of surgery performed, and treating physicians’ names. One of the drives contained surgical images of twenty patients. The breach affected approximately 876 patients of Texas Children's Hospital (TCH) and 128 patients of Memorial-Hermann. The physician, a surgical fellow for the covered entity (CE), Baylor College of Medicine, reported the theft to the police and notified TCH. TCH initiated an investigation and notified the CE of the breach on July 15, 2015. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE distributed an acknowledgment and attestation document to each medical resident and fellow addressing the CE’s patient privacy and security policies, including incident reporting procedures. Due to OCR’s involvement, all residents, fellows and learners are required to complete the acknowledgment and attestation at the beginning of each academic year. The CE also initiated a policy to require the acknowledgment and attestation to be included in each graduate medical education program participant’s contract at the beginning of each academic year." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." 
"Healthcare Provider" "Quantity[8345, ""People""]" "DateObject[{2015, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Endocrinology Associates, Inc." "Healthcare Provider" "Quantity[1400, ""People""]" "DateObject[{2015, 8, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "OCR opened an investigation of Endocrinology Associates, the covered entity (CE), after it reported that on June 15, 2015, and June 19, 2015, it discovered that an unauthorized individual had broken and removed the lock securing a portable on demand (POD) storage container that held the protected health information (PHI) of approximately 1,400 individuals.The PHI included individuals’ names, addresses, dates of birth, social security numbers, lab results, diagnoses, and clinical information.The CE provided notification of the breach to the individuals affected by the breach, HHS, and the media.Following the breach, the CE reported the incidents to the local police department, enhanced the physical safeguards applied to the POD storage container, and retrained workforce members on its HIPAA policies and procedures.OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Cancer Care Northwest" "Healthcare Provider" "Quantity[1426, ""People""]" "DateObject[{2015, 8, 17}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "A workforce member of the covered entity (CE), Cancer Care Northwest, lost a paper binder containing protected health information (PHI).The binder was likely thrown away with the garbage when it was not properly safeguarded in an otherwise secure office. 
Approximately 1,426 individuals were affected by this breach. The PHI included names, dates of birth, diagnoses/conditions and other treatment information. To prevent a similar breach from happening in the future, the CE instructed the workforce member to only take notes electronically and retrained the workforce member on its HIPAA policies. The CE provided breach notification to HHS, affected individuals, and the media, and offered identity theft and fraud protection services to affected individuals. OCR obtained assurances that the CE implemented these corrective actions. " "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Colorado Department of Health Care Policy and Financing" "Health Plan" "Quantity[1622, ""People""]" "DateObject[{2015, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Empi Inc and DJO, LLC" "Healthcare Provider" "Quantity[160000, ""People""]" "DateObject[{2015, 8, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Pediatric Group LLC" "Healthcare Provider" "Quantity[10000, ""People""]" "DateObject[{2015, 8, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "PT Northwest, LLC" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2015, 8, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity (CE), PT Northwest, LLC inadvertently emailed a questionnaire to patients that was copied to 1,500 patients. The e-mail should have been distributed to recipients as a blind carbon copy. 
Some of the e-mail addresses contained patients' names. Following the breach, the CE sanctioned the employee who was responsible for the impermissible disclosure. The CE provided breach notification to HHS, affected individuals, and the media. As a result of OCR’s investigation, the CE conducted companywide annual HIPAA training, and started the process of conducting in person follow-up HIPAA trainings to be completed by December 2015. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A." "Healthcare Provider" "Quantity[13000, ""People""]" "DateObject[{2015, 8, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "On June 25, 2015, the Tampa Police Department notified the covered entity (CE), Pediatric Gastroenterology, Hepatology & Nutrition of Florida, P.A., that paper printouts from their facility were found during a criminal investigation. An employee of the CE removed appointment sheets containing the names, social security numbers, dates of birth, and account numbers of 13,000 patients from the premises without authorization. The CE provided breach notification to HHS and affected individuals and set up a toll free number to answer questions. Following the breach the CE reviewed its policies and retrained staff on its HIPAA privacy and security policies. The CE also implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic PHI. The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. OCR obtained assurances that the CE implemented the corrective actions noted. The CE also terminated the involved employee's employment. The employee was criminally investigated for actions related to this breach." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Lancaster Cardiology Medical Group, and Sunder Heart Institute and Vascular Medical Clinic" "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2015, 8, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Laptop, Network Server, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Children's Hospital Medical Center of Akron" "Healthcare Provider" "Quantity[7664, ""People""]" "DateObject[{2015, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "The covered entity (CE) reported that a hard drive was missing that contained approximately 1,800 hours of voice recordings that were communications between dispatchers and medical staff prior to or during medical transport between September 18, 2014, and June 3, 2015.The hard drive was not searchable without a separate application and many of the recordings did not contain protected health informationThe hard drive was missing from the CE's locked, secure area.The breach affected 7,664 individuals and included clinical and demographic information.The CE provided breach notification to HHS, affected individuals, and the media.Upon discovery of the breach, the CE installed a security camera in the area the hard drive was located, ceased storing back-up transport voice recordings on a mobile device, encrypted all mobile devices, andretrained staff.OCR obtained documentation that the CE implemented the compliance actions listed." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "ROBERT SOPER, M.D." 
"Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2015, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "On June 27, 2015, the covered entity (CE), Robert Soper, M.D., discovered that electronic protected health information (ePHI) he was maintaining had been breached when a desktop computer was stolen from the trunk of his car.Approximately 2,000 individuals’ ePHI was affected by the breach. The breach affected the following types of ePHI:patients' names, dates of birth, phone numbers, clinical notes, and e-mails. The CE provided breach notification to HHS, affected individuals, and the media.OCR provided the CE with guidance materials and other technical assistance regarding HIPAA Security Rule compliance.In response to OCR’s technical assistance, the CE implemented a security awareness training program and encryption technology within its medical practice." "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Merit Health Northwest Mississippi" "Healthcare Provider" "Quantity[846, ""People""]" "DateObject[{2015, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Metropolitan Atlanta Rapid Transit Authority" "Health Plan" "Quantity[800, ""People""]" "DateObject[{2015, 8, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The Metropolitan Atlanta Rapid Transit Authority (MARTA), acting on behalf of its self-insured health plan, mailed 785 Voluntary Critical Illness Insurance forms to the incorrect employees.The correspondence contained protected health information (PHI) including names, addresses, social security numbers, and dates of birth.MARTA conducted a breach assessment and provided breach notification to HHS, affected individuals, and the media.In response to the incident, MARTA developed standard operating procedure for the Benefits Office for handling 
employees’ PHI and trained employees. Under the new procedures, the staff will not prepopulate employee forms, applications, worksheets, and confirmation statements with individually identifiable information nor will they send documents containing individually identifiable data to the internal print shop. OCR obtained assurances that MARTA implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Minneapolis Clinic of Neurology, Ltd." "Healthcare Provider" "Quantity[1450, ""People""]" "DateObject[{2015, 8, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On July 8, 2015, the covered entity (CE), Minneapolis Clinic of Neurology, Ltd., discovered that a laptop computer was missing from one of its clinics. The breach affected approximately 1,450 individuals and the types of protected health information (PHI) involved in the breach included patients' names and addresses. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE sanctioned the involved employee with a written warning, distributed its computer network and internet access policy to all employees, and retrained all employees ahead of its annual training. The CE also implemented policies and procedures contained in a new HIPAA Privacy and Security Handbook, increased technical and security safeguards on its mobile electronic devices, and updated the security on its virtual private network software. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "University of California at Los Angeles " "Healthcare Provider" "Quantity[1242, ""People""]" "DateObject[{2015, 9, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Lee Memorial Health System" "Healthcare Provider" "Quantity[1508, ""People""]" "DateObject[{2015, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Lee Memorial Health System, erroneously sent a letter to about 1,600 patients with the incorrect patients’ names due to an administrative error.The CE determined that the protected health information (PHI) of 1,508 individuals was involved in the breach, including names, physicians’ names and specialties.The CE provided breach notification to HHS, affected individuals, and the media.Following the breach, the CE reviewed the incident, determined where the breakdown occurred, and identified opportunities for improvement.Additionally, the CE improved administrative safeguards by implementing new procedures for data requests.The CE also retrained the responsible workforce members.OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Oakland Family Services" "Healthcare Provider" "Quantity[16107, ""People""]" "DateObject[{2015, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Excellus Health Plan, Inc." 
"Health Plan" "Quantity[10000000, ""People""]" "DateObject[{2015, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Blue Cross Blue Shield of North Carolina" "Health Plan" "Quantity[807, ""People""]" "DateObject[{2015, 9, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 24, 2015, that it had accidently sent payment letters to members that contained information for other members, affecting 806 individuals.The types of PHI in the letters included members' name, telephone numbers, health plans, effective dates, exchange identification numbers, payment amounts, and internal payment identification numbers.The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website.In response to the breach, the CE revised its mailing procedures to implement a two-step verification process before material is mailed.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Blue Cross Blue Shield of North Carolina" "Health Plan" "Quantity[1530, ""People""]" "DateObject[{2015, 9, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Blue Cross Blue Shield of North Carolina, discovered on August 14, 2015, that its business associate (BA), EDM Americas, had accidently sent invoices to members that contained information for other members, affecting 1,530 individuals.The types of protected health Information (PHI) in the invoice included member names, addresses, internal account numbers, group numbers, coverage dates, and premium amounts due.The CE provided breach notification to HHS, on its website and to the media.The BA sent individual notification on behalf of the CE.In response to the breach, the BA retrained its staff and revised its internal validation and quality control procedures.OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Sutter Medical Foundation" "Healthcare Provider" "Quantity[2302, ""People""]" "DateObject[{2015, 9, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Affinity Health Plan, Inc." "Health Plan" "Quantity[721, ""People""]" "DateObject[{2015, 9, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Louisiana State University Health Sciences Center-New Orleans" "Healthcare Provider" "Quantity[14500, ""People""]" "DateObject[{2015, 9, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Daniel A. Sheldon, M.D., P.A." 
"Healthcare Provider" "Quantity[2075, ""People""]" "DateObject[{2015, 9, 16}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "On May 18, 2013, OCR received an anonymous complaint alleging that the protected health information (PHI) of the patients of the covered entity (CE), Dr. Daniel Sheldon, M.D., P.A., was accessible on the internet via Google.OCR confirmed the allegations when it identified web search results containing private medical records from a website associated with the practice.Following an investigation by OCR, the practice submitted a breach notification to HHS on September 16, 2015, in which it reported that the PHI of approximately 2,075 patients was potentially viewable online, including addresses, dates of birth, names, and clinical information.In response to the incident, the CE contacted its electronic medical record (“EMR”) hosting company, IOS Health Systems (“IOS”), which immediately secured the information and conducted an internal investigation.IOS changed the file locations of the practice’s EMR records, renamed the file structures, obfuscated file directories, conducted standard security inspections, and began an audit trail review to determine any unauthorized access to the CE's records.Additionally, the CE ensured that users did not share any documents or links via non-secure methods, changed all passwords for all users, confirmed username and password confidentiality policies with all employees, ensured proper antivirus and spyware applications were installed, and verified that its firewall was properly configured with the latest version of security upgrades.In response to OCR’s investigation, the practice provided evidence that provided breach notification to HHS, affected individuals and the media, and offered identity theft protection services.It also terminated its relationship with its EMR system hosting company, IOS, and entered into a revised business associate agreement with a new EMR hosting 
company. Finally, the CE created new policies regarding its breach notification procedures." "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Health Care Service Corporation" "Health Plan" "Quantity[501, ""People""]" "DateObject[{2015, 9, 17}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "This case has been consolidated with another review of the same covered entity." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Molina Healthcare" "Health Plan" "Quantity[54203, ""People""]" "DateObject[{2015, 9, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "A former employee of the covered entity’s (CE) business associate (BA), CVS Health, impermissibly exfiltrated the CE’s member information from its systems and saved the protected health information (PHI) onto his personal computer. The PHI involved in the breach included full names, member identification numbers, health card numbers, plan codes and states, and start and end dates. The breach affected approximately 54,203 individuals. The CE provided breach notification to HHS, affected individuals, and the media, and also provided substitute notification. The CE also offered individuals one year of free identity theft protection membership. As a result of this incident, the CE required the BA to improve safeguards by enhancing security for the BA’s fraud management tool and databases containing PHI, and updating its security procedures. OCR reviewed the CE’s policies, procedures, and/or documentation related to impermissible disclosures, safeguards, business associates, and breach notification and obtained assurances that the BA implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Heartland Health Clinic" "Healthcare Provider" "Quantity[3650, ""People""]" "DateObject[{2015, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Electronic Medical Record, Network Server" "False" "Heartland Clinic is not a covered entity as defined by the Privacy Rule.All patients are self pay." "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Skin and Cancer Center of Arizona" "Healthcare Provider" "Quantity[3311, ""People""]" "DateObject[{2015, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Barrington Orthopedic Specialists, Ltd" "Healthcare Provider" "Quantity[1009, ""People""]" "DateObject[{2015, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other" "False" "On August 18, 2015, an employee of the covered entity (CE), Barrington Orthopedic Specialists, Ltd., discovered that a laptop and an electromyography (EMG) machine were stolen from her vehicle.The laptop and the EMG machine contained the names, dates of birth, and clinical and demographic information of approximately 1,009 individuals.The CE provided breach notification to HHS, affected individuals, and the media.It also filed a police report.To prevent similar breaches from happening in the future, the CE added additional units to its inventory, and stopped transporting EMG machines.The CE also retrained and counseled the employee involved in this matter on its HIPAA policies and procedures.OCR obtained and reviewed documentation that substantiates all the CE's actions taken in response to the breach incident. 
" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Sunquest Information Systems" "Business Associate" "Quantity[2100, ""People""]" "DateObject[{2015, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates" "Health Plan" "Quantity[1173, ""People""]" "DateObject[{2015, 9, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Silverberg Surgical and Medical Group" "Healthcare Provider" "Quantity[857, ""People""]" "DateObject[{2015, 9, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kindred Nursing Centers West, L.L.C." "Healthcare Provider" "Quantity[1125, ""People""]" "DateObject[{2015, 9, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Humana Inc [Case 18652]" "Health Plan" "Quantity[2815, ""People""]" "DateObject[{2015, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "Humana, Inc., the covered entity (CE), discovered that on August 20, 2015, a market staff employee’s briefcase containing an encrypted laptop computer and unsecured paper documents was stolen from her locked vehicle. The CE investigated and determined that the stolen documents contained the protected health information (PHI) of 2,815 individuals, including full names, dates of birth, clinic names, and health insurance information. 
The CE issued new health insurance member identification numbers to affected individuals, and provided timely breach notification to HHS, to affected individuals, on its website and to the media. In response to the breach, the CE retrained its workforce, disseminated guidance material specifically addressing the proper handling and safeguarding of PHI, and revised procedures to eliminate transportation of PHI in paper format. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Baptist Health and Arkansas Health Group" "Healthcare Provider" "Quantity[6500, ""People""]" "DateObject[{2015, 10, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Sentara Healthcare " "Healthcare Provider" "Quantity[1040, ""People""]" "DateObject[{2015, 10, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "CarePlus Health Plans [case 18772]" "Health Plan" "Quantity[2873, ""People""]" "DateObject[{2015, 10, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On September 18, 2015, the covered entity (CE), CarePlus Health Plans, discovered that “Late Enrollment Penalty Premium Statements” mailed to members on September 11, 2015, had been mailed to incorrect members. The printing apparatus was accidentally programmed to insert two statements per envelope instead of one. The types of protected health information (PHI) involved in the mailing included the names, addresses, and identification number of 2,873 members. In response to the breach, the CE mailed correct statements, sanctioned the responsible employee, and retrained employees in the printing and correspondence department. The CE provided breach notification to HHS, 
to affected individuals, on its website and to the media. OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Insurance Data Services" "Business Associate" "Quantity[2918, ""People""]" "DateObject[{2015, 10, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "On September 15, 2015, a zippered bag was stolen from a delivery service vehicle with month-end reports for Insurance Data Services, a business associate (BA) of the covered entity (CE), Claystone Clinical Associates. The BA reported that this breach affected 2,918 individuals. The types of protected health information (PHI) involved in the breach included patients’ names, dates of service, balances, insurance providers, diagnostic and procedure codes, addresses, and phone numbers. The BA investigated the breach and assured that the theft was reported to the police. The BA provided breach notification to HHS, affected individuals, and the media. The BA also updated its procedures to utilize a secure client portal to transmit PHI with clients. As a result of OCR’s investigation the BA created policies and procedures relating to safeguarding PHI, using and disclosing PHI, and Breach Rule Notification and trained its staff on its policies. OCR obtained written assurances that the CE completed the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Anne Arundel Health System" "Healthcare Provider" "Quantity[2208, ""People""]" "DateObject[{2015, 10, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Aspire Home Care and Hospice" "Healthcare Provider" "Quantity[4278, ""People""]" "DateObject[{2015, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "The Johns Hopkins Hospital" "Healthcare Provider" "Quantity[571, ""People""]" "DateObject[{2015, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On October 10, 2015, the covered entity (CE), Johns Hopkins Hospital, reported that a physician’s unencrypted laptop computer storing the electronic protected health information (ePHI) of 571 individuals was stolen at an international airport with all of her belongings. The types of ePHI contained in the laptop included physicians' names, patients' names, medical record numbers, and clinical information.The CE provided breach notification to HHS, the media, affected individuals, and offered credit monitoring.The CE sanctioned the physician involved in accordance with the CE's HIPAA sanctions policy. The CE also circulated a broadcast reminder to its workforce members of their existing policy requiring all devices that contain or may contain PHI to be encrypted and password protected.OCR obtained assurances that any of the CE's portable devices that stores ePHI is required to use the CE's encryption program. Additionally, the CE submitted a copy of its most recent risk analysis and risk management program to OCR. They also provided OCR with information related to their new encryption program that would inform a user when he or she isout of compliance and send them to a website that would refer them to local IT administration. 
OCR obtained assurances that the CE implemented the corrective actions listed." "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "SSM Health Cancer Care" "Healthcare Provider" "Quantity[643, ""People""]" "DateObject[{2015, 10, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), SSM Health Cancer Care, erroneously mailed letters to the addresses of other patients due to using an inaccurate electronic file. The breach affected 670 individuals and included individuals’ names and their inferred treatment relationship. The CE provided breach notification to HHS, affected individuals, and the media. The CE performed a root cause analysis to identify risk areas and opportunities to strengthen controls and also retrained the individual who had erroneously sent out the mailings. The CE also created a new policy and procedures for patient mailings. OCR obtained documentation evidencing that the CE implemented the corrective actions listed." 
"Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "University of Oklahoma Department of Urology" "Healthcare Provider" "Quantity[9300, ""People""]" "DateObject[{2015, 10, 10}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On October 10, 2015, the covered entity (CE), University of Oklahoma Health Sciences Center, reported a breach affecting approximately 9,300 individuals.An unencrypted laptop computer used by a former physician in the Pediatric Urology program was stolen from his vehicle.The laptop contained protected health information (PHI) including patients’ first and last names, medical record numbers, and dates of birth, and in some cases, patients’ age, physicians’ names, and diagnosis, treatment, and/or billing codes.The CE provided the required breach notifications to HHS, affected individuals, and the media.Following discovery of the incident, the CE implemented additional technical safeguards for devices containing electronic PHI and retrained workforce members regarding safeguarding PHI.The CE also revised its physician exit interview to require physicians to attest that all PHI had been removed from personally owned devices at the time of departure.OCR obtained assurances the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Bridgeway Health Solutions" "Health Plan" "Quantity[8208, ""People""]" "DateObject[{2015, 10, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Nephropathology Associates, PLC" "Healthcare Provider" "Quantity[1260, ""People""]" "DateObject[{2015, 10, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "On July 30, 2015, a physician e-mailed a spreadsheet containing 1,260 patients’ names and clinical information to a vendor that the covered entity (CE), Nephropathology Associates, PLC, was considering for a potential project.The CE notified the hospitals that had referred its patients to the CE and provided breach notification to HHS and affected individuals.The CE did not contact the media because the impermissible disclosures affected less than 500 patients in any one state.Following the breach, the CE obtained assurances from the vendor that it destroyed all files and e-mails that it received from the CE or created using the protected health information (PHI) and that the electronic PHI (ePHI) was not copied or transferred to any other entity.As a result of this incident, the CE issued a written warning to the responsible workforce member and also retrained the employee regarding safeguarding PHI.The CE reminded workforce members to safeguard PHI, including ePHI.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Emergence Health Network" "Healthcare Provider" "Quantity[11100, ""People""]" "DateObject[{2015, 10, 16}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" " Woodhull Medical and Mental Health Center " "Healthcare Provider" "Quantity[1581, ""People""]" "DateObject[{2015, 10, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "BeHealthy Florida, Inc." "Health Plan" "Quantity[835, ""People""]" "DateObject[{2015, 10, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On September 23, 2015, the covered entity’s (CE) business associate (BA), RR Donnelly, inadvertently placed individuals' health insurance claim number (HICN) on the outside of envelopes containing benefit information packets that were mailed to the CE's members.The HICN is a Medicare beneficiary's identification number and it typically contains the beneficiary's social security number.The breach affected 835 individuals.The CE, BeHealthy, Florida, provided breach notification to HHS, affected individuals, and the media.The CE discussed with the BA the development of a standard procedure for any ad hoc manual member mailings, to be used in the event automated processes are unavailable.It also made processing and procedural changes to prevent similar breaches in the future.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "North Carolina Department of Health and Human Services" "Health Plan" "Quantity[1615, ""People""]" "DateObject[{2015, 10, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "OsteoMed LP" "Health Plan" "Quantity[1134, ""People""]" "DateObject[{2015, 10, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "Upon review of information provided from the reporting entity, OCR determined that the material identified in the breach report did not meet the definition of protected health information as it was employment records (i.e., human resource data)." "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Huntington Medical Research Institutes" "Healthcare Provider" "Quantity[4300, ""People""]" "DateObject[{2015, 10, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Indian Territory Home Health and Hospice" "Healthcare Provider" "Quantity[4500, ""People""]" "DateObject[{2015, 10, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "This review has been consolidated with a review of Aspire Home Care and Hospice." 
"Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "EnvisionRx" "Business Associate" "Quantity[540, ""People""]" "DateObject[{2015, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "Due to a processing error, the business associate (BA), EnvisionRx, mailed letters to the covered entity’s (CE) members that contained other members' protected health information (PHI).The names, medications, and dates of service of 540 individuals were involved in the breach.The BA provided breach notification to HHS, affected individuals, and the media.The BA responded to the breach by implementing additional quality control procedures, updating its Breach Rule Notification policy, and training the appropriate staff.As a result of OCR’s investigation the BA updated it BA agreement with the CE, Orange-Ulster School District Health Plan.The BA also provided OCR with documentation of its corrective actions." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Department of Health, Children's Medical Services" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2015, 10, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Bon Secours Saint Francis " "Healthcare Provider" "Quantity[1997, ""People""]" "DateObject[{2015, 10, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "On July 27, 2015, the covered entity, Bon Secours St. Francis Health Systems, Inc., received a complaint that an employee was committing insurance fraud involving billing co-workers’ insurance for an experimental topical cream. 
The CE audited the electronic system containing protected health information (PHI) and concluded on October 15, 2015, that the employee accessed the PHI of 1,997 patients without a discernible professional need. The types of PHI involved in the breach included patients' names, dates of birth, addresses, diagnoses, treatment plans, and scanned insurance cards and driver’s licenses. The CE provided breach notification to HHS, affected individuals, and the media. In response to this incident, the CE reviewed its policies, re-trained staff, and assessed whether behavior-based auditing software programs would be an appropriate addition to current security measures. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the involved employee's employment. " "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Children's Medical Clinics of East Texas" "Healthcare Provider" "Quantity[16000, ""People""]" "DateObject[{2015, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "LTC Dental, P.C." "Healthcare Provider" "Quantity[1680, ""People""]" "DateObject[{2015, 10, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Rush University Medical Center" "Healthcare Provider" "Quantity[1529, ""People""]" "DateObject[{2015, 11, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On September 9, 2015, a business associate (BA), Standard Register, erroneously mailed announcements concerning a retirement for the covered entity (CE), Rush University Medical Center, which resulted in misdirected letters being sent to the wrong patients associated with the clinic. The breach affected 1,529 individuals and included patients’ names. 
The CE provided breach notification to HHS, the media, and affected individuals, and provided substitute notice on its website. The CE also entered into a BA agreement with Standard Register and created policies and procedures to establish quality measures for mass mailings. OCR obtained documentation confirming that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Dean Health Plan" "Health Plan" "Quantity[960, ""People""]" "DateObject[{2015, 11, 11}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "A mailing that contained estimate of payment (EOP) documents was damaged in transit from the covered entity’s (CE) business associate (BA), Emdeon, to a bank via United Parcel Services (UPS). On September 25, 2015, the United States Postal Service returned 31 pages of the 148 page mailing to the CE. The breach incident involved the protected health information (PHI) of approximately 960 individuals and included dates of service, member names, health plan member identification numbers, and procedure codes. The CE investigated the breach but was unable to determine who was at fault. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE worked with the BA to develop and implement procedures to reduce the number of paper documents transmitted. As a result of OCR’s investigation, OCR reviewed copies of the correspondence with the BA and UPS regarding this matter, the BA agreement, and the CE’s HIPAA policies and procedures." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Good Care Pediatric, LLP" "Healthcare Provider" "Quantity[2300, ""People""]" "DateObject[{2015, 11, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "OCR opened an investigation of the covered entity (CE), Good Care Pediatric, LLP, after it reported that a Trojan Horse virus affected one computer device and caused patient billing files to be accessible by unauthorized individuals online from January 1 through April 3 of 2014. The incident affected 2,300 individuals. The types of electronic protected health information (ePHI) involved included patients’ names, addresses, telephone numbers, dates of birth, and diagnosis codes. As a result of the breach, the CE shut down the external access to the unsecured computer device, conducted a full virus and malware scan of all of its computer devices, and changed passwords for its router, firewall administration, and workforce members. The CE also encrypted all patients’ billing files, retrained its workforce members with respect to its HIPAA policies and procedures, and updated its risk analysis and risk management plan. OCR provided the CE with technical assistance regarding the execution of risk analyses and the implementation of procedures for guarding against, detecting, and reporting malicious software." 
"Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "North Carolina Department of Health and Human Services" "Health Plan" "Quantity[524, ""People""]" "DateObject[{2015, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "OH Muhlenberg, LLC " "Healthcare Provider" "Quantity[84681, ""People""]" "DateObject[{2015, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Laptop, Network Server, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "HealthPoint" "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2015, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Midlands Orthopaedics, P.A. " "Healthcare Provider" "Quantity[3902, ""People""]" "DateObject[{2015, 11, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "UC Health, LLC" "Healthcare Provider" "Quantity[1064, ""People""]" "DateObject[{2015, 11, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Alaska"", ""UnitedStates""}]" "Alaska Orthopedic Specialists, Inc." 
"Healthcare Provider" "Quantity[553, ""People""]" "DateObject[{2015, 11, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Cigna Home Delivery Pharmacy" "Healthcare Provider" "Quantity[592, ""People""]" "DateObject[{2015, 11, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Pathways Professional Counseling" "Healthcare Provider" "Quantity[986, ""People""]" "DateObject[{2015, 11, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "On September 25, 2015, an employee's unencrypted, password-protected laptop computer was stolen from his vehicle. The computer contained the protected health information (PHI) of 985 patients, including addresses, names, dates of birth, clinical diagnoses, financial information, social security numbers, email addresses, physician information, health insurance information, treatment information, and medication information. The CE, Pathways Professional Counseling, provided breach notification to HHS, affected individuals, and the media. In response to this breach, the CE engaged a third party to encrypt its computers and retrain employees who may use, disclose, or access PHI. It also revised its HIPAA Compliance Plan, implemented a policy requiring encryption for mobile devices before access is granted, and implemented a policy requiring reasonable security measures when employees use their own electronic devices. The CE also sanctioned the employee involved in the breach. OCR obtained assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "New Dimension Group, LLC" "Healthcare Provider" "Quantity[1275, ""People""]" "DateObject[{2015, 11, 25}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "The covered entity (“CE”), New Dimensions Group, LLC, discovered that on September 29, 2015, three unencrypted flash drives were reported missing. The breach affected 1,200 individuals, and the protected health information (PHI) that was potentially exposed included names, dates of birth, social security numbers, driver’s license numbers, and clinical information. The CE provided timely breach notification to HHS, to affected individuals, and on its website. Media notification was issued to the Duplin Times and the Star News. The CE provided free credit monitoring for the affected individuals for 12 months. In response to the breach, the CE banned the use of flash drives, developed policies and procedures for media and device controls, and updated its policies and procedures to protect patient PHI. The CE purchased new software to encrypt emails containing PHI and trained employees on its policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Carolyn B Lyde, MD, PA" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2015, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "An unencrypted, password protected laptop computer containing the protected health information (PHI) of approximately 1,500 individuals, was stolen from the covered entity (CE), Dermatology Center of Lewisville. The laptop was used as a storage device and individuals' names and images of individuals' skin conditions. As a result of OCR’s investigation, the CE adopted encryption technologies, updated its Risk Analysis, implemented its corresponding Risk Management Plan, improved physical security, and retrained its workforce members on its revised policies and procedures." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "PeaceHealth" "Healthcare Provider" "Quantity[1407, ""People""]" "DateObject[{2015, 11, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Centegra Health System " "Healthcare Provider" "Quantity[2929, ""People""]" "DateObject[{2015, 12, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Cottage Health" "Healthcare Provider" "Quantity[11000, ""People""]" "DateObject[{2015, 12, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "University of Colorado Health" "Healthcare Provider" "Quantity[827, ""People""]" "DateObject[{2015, 12, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Blue Cross and Blue Shield of Nebraska" "Health Plan" "Quantity[1872, 
""People""]" "DateObject[{2015, 12, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "Due to a printing error, explanation of benefit forms were erroneously mailed to members that contained their protected health information (PHI) printed on the front side and another member’s PHI printed on the back side. The breach affected approximately 1,872 individuals and included financial, demographic, and clinical information. The covered entity (CE), Blue Cross and Blue Shield of Nebraska, was also acting as a BA for a number of self-insured health plans. The CE/BA provided breach notification to HHS, affected individuals, and the media. It also developed a new policy to address mechanical printing errors and trained its printing facility employees on the new policy. The CE/BA mitigated any potential effects by flagging and reviewing claims for six months for any misuse of dental data for the affected individuals. OCR obtained written documentation that the CE/BA implemented the voluntary corrective actions listed above. " "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Camelback Women's Health" "Healthcare Provider" "Quantity[810, ""People""]" "DateObject[{2015, 12, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Middlesex Hospital" "Healthcare Provider" "Quantity[946, ""People""]" "DateObject[{2015, 12, 4}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Maine"", ""UnitedStates""}]" "Maine General Health" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2015, 12, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Mary Ruth Buchness, MD, Dermatologist, P.C." 
"Healthcare Provider" "Quantity[14910, ""People""]" "DateObject[{2015, 12, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "True" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Northwest Primary Care Group" "Healthcare Provider" "Quantity[5327, ""People""]" "DateObject[{2015, 12, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "New Mexico Department of Health" "Healthcare Provider" "Quantity[561, ""People""]" "DateObject[{2015, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "The covered entity (CE), New Mexico Department of Health, experienced a breach of protected health information (PHI) affecting 561 individuals when a workforce member’s laptop computer was stolen out of her locked vehicle on October 4, 2015. The laptop contained patients’ names, dates of birth, diagnoses, and medications. The CE provided breach notification to HHS and affected individuals. As a result of this incident, the CE investigated the incident, modified procedures to ensure all information technology (IT) equipment is delivered directly to the IT department and all laptops are automatically encrypted. The CE also initiated a process to identify all laptops across the enterprise that did not have full disk encryption installed and revised its security awareness training to include protection/loss prevention of mobile devices. Additionally, the CE procured a mobile device management system and a security event and incident management solution and developed an implementation schedule for these tools. OCR obtained assurances from the CE that it implemented the actions listed above." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Fidelis Care " "Health Plan" "Quantity[687, ""People""]" "DateObject[{2015, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Fidelis Care " "Health Plan" "Quantity[738, ""People""]" "DateObject[{2015, 12, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Physicians Health Plan of Northern Indiana, Inc." "Health Plan" "Quantity[1708, ""People""]" "DateObject[{2015, 12, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE) mistakenly mailed protected health information (PHI) to unauthorized individuals following a folder/inserter machine error. Approximately 1,708 individuals that include all dependents of the CE's subscribers were affected by this breach. The erroneous billing statement mailing included names, addresses, PHP member identification numbers, and premium amounts. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a similar breach from happening in the future, the CE implemented a formal audit checklist that requires independent verification by mailroom personnel. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Maine"", ""UnitedStates""}]" "Belgrade Regional Health Center" "Healthcare Provider" "Quantity[854, ""People""]" "DateObject[{2015, 12, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Oceans Acquisition, Inc." 
"Healthcare Provider" "Quantity[659, ""People""]" "DateObject[{2015, 12, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "A laptop computer from the covered entity (CE), Oceans Acquisition, Inc., was stolen from a workforce member’s vehicle. The electronic protected health information (ePHI) on the laptop included patients' first and last names, diagnoses, dates of treatment, dates of birth, insurance providers, and medical record numbers for approximately 659 individuals. Upon discovering the theft, the CE filed a report with the county sheriff's office. Additionally, the CE provided breach notification to HHS, affected individuals, and the media. The CE also improved safeguards, sanctioned the involved workforce member, and retrained staff. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "WhiteGlove Health" "Healthcare Provider" "Quantity[975, ""People""]" "DateObject[{2015, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Allina Health" "Healthcare Provider" "Quantity[6195, ""People""]" "DateObject[{2015, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "On October 27, 2015, the covered entity (CE), Allina Health, discovered that its janitorial vendor erroneously placed its patients’ protected health information (PHI) in the trash dumpster. The breach affected 6,195 individuals and the types of PHI involved included financial, demographic, and clinical information. The CE provided notification of the breach to HHS, affected individuals, and the media and also posted substitute notice on its website. Following the breach, the CE investigated the breach, updated its physical safeguards policy, and educated its workforce on its updated policy. OCR obtained a copy of the CE’s business associate agreement with Iron 
Mountain for PHI disposal services. OCR obtained documented assurances that the CE implemented the corrective actions taken in response to this breach incident." "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "ST Psychotherapy, LLC" "Healthcare Provider" "Quantity[509, ""People""]" "DateObject[{2015, 12, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "HealthSouth Rehabilitation Hospital of Round Rock" "Healthcare Provider" "Quantity[1359, ""People""]" "DateObject[{2015, 12, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Michael Benjamin, M.D., Inc." "Healthcare Provider" "Quantity[1300, ""People""]" "DateObject[{2015, 12, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Michael Benjamin, M.D., Inc., reported that the office and file cabinets were broken into and patient charts containing protected health information (PHI) were taken. The types of PHI involved in the breach included demographic information, recorded vital signs, insurance eligibility information, and some copies of insurance cards and driver’s licenses or identification. Although 1,300 patient charts were in the cabinet, only 100 were actually taken, and 30 of the 100 were recovered from law enforcement. The CE provided breach notification to affected individuals, HHS, and the media. Following the break-in, the CE implemented more robust HIPAA policies and procedures. The CE improved safeguards by reinforcing the physical security of its office. OCR obtained assurances that the CE implemented the corrective actions noted above." 
"Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Hillsides" "Healthcare Provider" "Quantity[502, ""People""]" "DateObject[{2015, 12, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "St. Luke's Cornwall Hospital" "Healthcare Provider" "Quantity[29156, ""People""]" "DateObject[{2015, 12, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Pittman Family Dental" "Healthcare Provider" "Quantity[8830, ""People""]" "DateObject[{2015, 12, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "An unauthorized third-party accessed protected health information (PHI), according to the forensic firm that the covered entity (CE), Pittman Family Dental, retained to investigate abnormal activity on its computer server. Approximately 8,830 individuals were affected by the breach. The server included full names, social security numbers (of 5,007 individuals), driver’s license numbers, dates of birth, home addresses, treatment notes, and insurance information. The CE provided breach notification to HHS, affected individuals, and the media. To prevent a similar breach from happening in the future, the CE scrubbed and reinstalled its server, installed an anti-virus/malware solution, and contracted with a company to provide an updated risk analysis and additional training. OCR obtained written assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Elite Imaging" "Healthcare Provider" "Quantity[1457, ""People""]" "DateObject[{2016, 1, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "A log book (sign-in book) containing information about the covered entity’s (CE) patients was stolen from its offices and returned anonymously with a letter. The log-book contained the patients’ full names and the name of the procedure conducted for each patient. The breach affected 1,457 patients. The CE provided breach notification to HHS, affected individuals, and the media. The CE conducted a full review of the incident and filed a police report. It also reviewed and modified its safeguards policies and internal procedures, implemented a new log in procedure, updated its software, and re-trained all staff on its new policies. The CE’s shredding vendor securely disposed of the log books. OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "AHRC Nassau " "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2016, 1, 6}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Brigham and Women's Hospital" "Healthcare Provider" "Quantity[1009, ""People""]" "DateObject[{2016, 1, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "G&S Medical Associates, LLC" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2016, 1, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Felicia Lewis, MD Lakewood Hills Internal Medicine" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2016, 1, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Blue Shield of California" "Health Plan" "Quantity[20764, ""People""]" "DateObject[{2016, 1, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "CDC/NIOSH/ World Trade Center Health Program (WTCHP)" "Health Plan" "Quantity[597, ""People""]" "DateObject[{2016, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Hawaii"", ""UnitedStates""}]" "Hawai‘i Medical Service Association" "Health Plan" "Quantity[10179, ""People""]" "DateObject[{2016, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "New West Health Services d/b/a New West Medicare " "Health 
Plan" "Quantity[28209, ""People""]" "DateObject[{2016, 1, 15}, ""Day"", ""Gregorian"", -5.]" "Loss" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "The University of Texas System Administration" "Health Plan" "Quantity[794, ""People""]" "DateObject[{2016, 1, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Livongo Health, Inc." "Healthcare Provider" "Quantity[1950, ""People""]" "DateObject[{2016, 1, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE) learned that its business associate (BA) mislabeled certain packages containing lancet devices so that the devices were sent and delivered to the correct address, but the shipping label stated the wrong name for the CE's members. The label included the wrong member’s name and information from which it could be incorrectly inferred that the individual was to receive a lancet device from the CE and had diabetes. This breach affected 1,950 individuals. The CE provided breach notice to HHS and affected individuals. Following the breach, the CE terminated its relationship with this BA, added a quality assurance process, and communicated the new process to its staff. OCR obtained documented assurances that the CE implemented the corrective actions listed above. 
" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Community Mercy Health Partners" "Healthcare Provider" "Quantity[113528, ""People""]" "DateObject[{2016, 1, 25}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Crown Point Health Center" "Healthcare Provider" "Quantity[1854, ""People""]" "DateObject[{2016, 1, 29}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Louisiana Healthcare Connections" "Health Plan" "Quantity[13086, ""People""]" "DateObject[{2016, 2, 2}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Grx Holdings, LLC dba Medicap Pharmacy" "Healthcare Provider" "Quantity[2300, ""People""]" "DateObject[{2016, 2, 2}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Rite Aid Store 01617" "Healthcare Provider" "Quantity[976, ""People""]" "DateObject[{2016, 2, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Other" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Borgess Medical Center d/b/a Borgess Rheumatology" "Healthcare Provider" "Quantity[700, ""People""]" "DateObject[{2016, 2, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "SEIM JOHNSON, LLP" "Business Associate" "Quantity[30972, ""People""]" "DateObject[{2016, 2, 8}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "A business associate (BA), Seim Johnson, LLP, reported on behalf of 10 health care provider clients that its health care auditor took his firm-issued laptop computer on a non-business weekend trip. When the employee arrived home from this 
trip, he discovered the backpack containing the laptop was missing. The laptop contained the protected health information (PHI) of 30,972 individuals and included demographic, clinical, and financial information. The BA provided breach notification to HHS, affected individuals, and the media. After investigating this incident, the BA determined that the laptop may not have been effectively encrypted. Following the breach, the BA sanctioned the involved employee and its security officer, retrained employees on security risks involving portable devices, and implemented new policies and procedures. OCR obtained assurances that the BA implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Washington State Health Care Authority (HCA)" "Health Plan" "Quantity[91187, ""People""]" "DateObject[{2016, 2, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "BlueCross BlueShield of South Carolina " "Business Associate" "Quantity[998, ""People""]" "DateObject[{2016, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "A business associate (BA), BlueCross\BlueShield, of the covered entity (CE), South Carolina Public Employee Benefit Authority, incorrectly mailed pre-authorization dental letters to the CE’s members due to a computer error. During the mailing sorting process, the names of the envelopes were not matched to the correct addresses. The breach affected 998 individuals and included financial, demographic, and clinical information. The BA provided breach notification to HHS, affected individuals, and the media. Following the breach, the BA revised its procedures for ensuring data integrity and accuracy and enhanced procedures to include a quality control validation step. The BA trained systems support staff and confirmed that it requires all of its employees, 
contractors and consultants employed or retained for longer than 45 days to receive HIPAA training. OCR obtained assurances that the BA implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "DataStat, Inc." "Business Associate" "Quantity[552, ""People""]" "DateObject[{2016, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "An employee of a business associate (BA), DataStat, erroneously misdirected surveys to 487 individuals after failing to follow the BA’s re-print protocol after a printer paper jam. The types of protected health information (PHI) involved in the breach included demographic information, including names and addresses. The CE provided breach notification to HHS and affected individuals. The BA also improved technical safeguards to assist with quality assessment checks and sanctioned the involved employee with a written warning. OCR obtained documentation that the BA implemented the corrective action steps listed above." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Radiology Regional Center, PA" "Healthcare Provider" "Quantity[483063, ""People""]" "DateObject[{2016, 2, 12}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Utah"", ""UnitedStates""}]" "Alliance Health Networks, LLC" "Healthcare Provider" "Quantity[42372, ""People""]" "DateObject[{2016, 2, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Public Health Trust of Miami-Dade County, Florida" "Healthcare Provider" "Quantity[24188, ""People""]" "DateObject[{2016, 2, 19}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Roark's Pharmacy" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2016, 2, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Network Server" "False" "The covered entity (CE), Roark’s Pharmacy, discovered on January 13, 2016, that its facility had been broken into and computer hard drives containing the protected health information (PHI) of 3,000 individuals were stolen. The types of PHI on the hard drives included patients' names, dates of birth, addresses, diagnoses, conditions, medications, health insurance information, and social security numbers (when used as ID numbers for certain insurance carriers). The CE provided breach notification to HHS and to affected individuals. OCR provided technical assistance to the CE regarding the Breach Notification Rule and impermissible disclosures. In addition, OCR provided resource materials regarding small businesses and the Privacy and Security Rules. In response to the breach, the CE increased its physical security by installing a metal gate over its front door, improving its security alarm system, and physically hiding and securing sensitive 
equipment. OCR obtained assurances that the CE implemented the corrective actions listed above. " "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "ELLIOT J MARTIN CHIROPRACTIC PC" "Healthcare Provider" "Quantity[1200, ""People""]" "DateObject[{2016, 2, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "BJC HealthCare ACO, LLC" "Healthcare Provider" "Quantity[2393, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Locust Fork Pharmacy" "Healthcare Provider" "Quantity[5000, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Vancouver Radiologists, PC" "Healthcare Provider" "Quantity[603, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), Vancouver Radiologists, PC, on January 4, 2016, received telephone calls from a few patients that they received a postcard mammogram reminder, but with another patient’s name. The CE mailed 603 postcards which contained names, addresses, and generic reminders to schedule a mammogram. The CE submitted a breach notification report to HHS, affected individuals, and the media. In response to the breach, the CE stopped mailing the postcard reminder and revised its mailing procedures. The CE provided OCR with additional documentation, specifically its HIPAA Notice of Privacy Practices Policy, as relevant to this breach investigation. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also provided refresher reminders to all staff members about its HIPAA privacy policies and procedures." 
"Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Valley Hope Association " "Healthcare Provider" "Quantity[52076, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Nintendo of America Inc." "Health Plan" "Quantity[6248, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "The covered entity (CE), Nintendo of America, Inc., reported that on May 5, 2014, attackers impermissibly accessed and acquired data in possession of its business associate (BA), Premera. This data included the protected health information (PHI) of former and current participants in health plans of certain members of the Blue Cross Blue Shield Association dating back to 2002.The BA is a member of the Blue Cross Blue Shield Association and is the third-party administrator for the health plan.As a result, some former and current plan participants have been impacted.The CE reported that 6,248 individuals were affected and the PHI involved in the breach included demographic, clinical, and financial information.The BA provided breach notification to HHS, affected individuals, and the media.The CE had a BA agreement in place with Premera.OCR determined that Nintendo is in compliance with the Privacy, Security, and Breach Notification Rules." 
"Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Ecolab Health and Welfare Benefits Plan" "Health Plan" "Quantity[1550, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Ecolab Health and Welfare Benefits Plan" "Health Plan" "Quantity[1550, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Freeport Memorial Hospital" "Healthcare Provider" "Quantity[1349, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Eye Institute of Corpus Christi" "Healthcare Provider" "Quantity[43961, ""People""]" "DateObject[{2016, 2, 26}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record" "False" "After review of the response from the entity, OCR determined that a breach of protected health information did not occur." "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Mind Springs Health" "Healthcare Provider" "Quantity[2147, ""People""]" "DateObject[{2016, 2, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Group Life Hospital and Medical Program" "Health Plan" "Quantity[3000, ""People""]" "DateObject[{2016, 2, 29}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Walmart Stores, Inc." 
"Healthcare Provider" "Quantity[4800, ""People""]" "DateObject[{2016, 3, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Centers Plan for Healthy Living " "Health Plan" "Quantity[6893, ""People""]" "DateObject[{2016, 3, 3}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "City of Hope" "Healthcare Provider" "Quantity[1024, ""People""]" "DateObject[{2016, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "21st Century Oncology" "Healthcare Provider" "Quantity[2213597, ""People""]" "DateObject[{2016, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Cardiology Associates of Jonesboro, Inc." "Healthcare Provider" "Quantity[1669, ""People""]" "DateObject[{2016, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Premier Healthcare, LLC" "Healthcare Provider" "Quantity[205748, ""People""]" "DateObject[{2016, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Walgreen Co." 
"Healthcare Provider" "Quantity[880, ""People""]" "DateObject[{2016, 3, 4}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Nebraska"", ""UnitedStates""}]" "Complete Family Foot Care" "Healthcare Provider" "Quantity[5883, ""People""]" "DateObject[{2016, 3, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "Bizmatics, Inc., a business associate (BA) that the covered entity (CE), Complete Family Foot Care, employs for the online storage and management of its patient health records, discovered an unauthorized access to the computer servers on which the CE's’s patient files were stored.The breach affected 5,883 individuals and included clinical information.Upon request of the CE, the BA provided breach notification to affected individuals and complimentary identity recovery services for individuals victimized by identity theft.The CE also provided breach notification to HHS and the media and posted substitute notice on its website.Following the breach the BA comprehensively scanned for malware and any external vulnerabilities, upgraded all anti-virus and anti-malware programs as well as system hardware and operating systems, updated server and account passwords, and revised its firewall configurations.The BA also implemented stricter password policies and initiated the installation of an active traffic-monitoring solution for its network.OCR obtained written assurances that the CE and BA implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Illinois Valley Podiatry Group" "Healthcare Provider" "Quantity[26588, ""People""]" "DateObject[{2016, 3, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Cromwell Fire District" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2016, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Vidant Health" "Healthcare Provider" "Quantity[897, ""People""]" "DateObject[{2016, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "UHHS Geauga Medical Center" "Healthcare Provider" "Quantity[677, ""People""]" "DateObject[{2016, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Karmanos Cancer Center" "Healthcare Provider" "Quantity[2808, ""People""]" "DateObject[{2016, 3, 10}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "Virtua Medical Group" "Healthcare Provider" "Quantity[1654, ""People""]" "DateObject[{2016, 3, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server, Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Vibrant Body Wellness" "Healthcare Provider" "Quantity[726, ""People""]" "DateObject[{2016, 3, 11}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "JASACare" "Healthcare Provider" "Quantity[1154, 
""People""]" "DateObject[{2016, 3, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Laborers Funds Administrative Office of Northern California, Inc." "Health Plan" "Quantity[2373, ""People""]" "DateObject[{2016, 3, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "W. Christopher Bryant DDS PC" "Healthcare Provider" "Quantity[2200, ""People""]" "DateObject[{2016, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Hospital for Special Surgery" "Healthcare Provider" "Quantity[647, ""People""]" "DateObject[{2016, 3, 17}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Lindsay House Surgery Center, LLC" "Healthcare Provider" "Quantity[773, ""People""]" "DateObject[{2016, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Val Verde Regional Medical Center" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2016, 3, 18}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Montana"", ""UnitedStates""}]" "Bozeman Health Deaconess Hospital" "Healthcare Provider" "Quantity[1124, ""People""]" "DateObject[{2016, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "National Counseling Group" "Healthcare Provider" "Quantity[23000, ""People""]" "DateObject[{2016, 3, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT 
Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Metropolitan Jewish Health System, Inc. d/b/a MJHS" "Business Associate" "Quantity[2483, ""People""]" "DateObject[{2016, 3, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "True" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Excel Plus Home Health, Incorporated" "Healthcare Provider" "Quantity[524, ""People""]" "DateObject[{2016, 3, 23}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Morton Medical Center, PLLC" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2016, 3, 24}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Mercy Iowa City" "Healthcare Provider" "Quantity[15625, ""People""]" "DateObject[{2016, 3, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Email, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Aurora Health Care, Inc." "Healthcare Provider" "Quantity[869, ""People""]" "DateObject[{2016, 4, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Pointe Medical Services, Inc." 
"Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2016, 4, 1}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Einstein Healthcare Network " "Healthcare Provider" "Quantity[2939, ""People""]" "DateObject[{2016, 4, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Sisters of Charity of Leavenworth Health System Health Benefits Plan" "Business Associate" "Quantity[540, ""People""]" "DateObject[{2016, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Target Corporation Health Plan" "Business Associate" "Quantity[719, ""People""]" "DateObject[{2016, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Pacific Gas and Electric Company" "Business Associate" "Quantity[2426, ""People""]" "DateObject[{2016, 4, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "RMA Medical Centers of Florida" "Healthcare Provider" "Quantity[3906, ""People""]" "DateObject[{2016, 4, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "Indian Health Service Northern Navajo Medical Center" "Health Plan" "Quantity[7421, ""People""]" "DateObject[{2016, 4, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "BioReference Laboratories, Inc" "Healthcare Provider" "Quantity[3563, ""People""]" "DateObject[{2016, 4, 8}, ""Day"", ""Gregorian"", -5.]" 
"Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Pain Treatment Centers of America " "Healthcare Provider" "Quantity[19397, ""People""]" "DateObject[{2016, 4, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "PIMS TN: 16-235969Covered Entity:Pain Treatment Centers of AmericaOCR opened an investigation of the covered entity (CE), Pain Treatment Centers of America, after it reported a hacking attacking on its business associate’s (BA), Bizmatics, data servers.This breach resulted in unauthorized access to the BA/s customer records including those of the CE.The breach encompassed 17,339 individuals’ information, which included individuals’ names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, diagnoses/conditions, lab results, medications and other treatment information.The CE provided breach notification to HHS, affected individuals, and the media and also provided and identity theft and credit monitoring service to affected individuals.As a result of OCR’s investigation, the CE updated its BA agreement with the BA to reflect all requirements of 45 C.F.R. §§ 164.314 (a) and 164.504(a)." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Mark Anthony Quintero, M.D., L.L.C." "Healthcare Provider" "Quantity[650, ""People""]" "DateObject[{2016, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Sacred Heart Health System, Inc" "Healthcare Provider" "Quantity[532, ""People""]" "DateObject[{2016, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "OptumRx, Inc." 
"Healthcare Provider" "Quantity[6229, ""People""]" "DateObject[{2016, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "United Community & Family Services" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2016, 4, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "American Fidelity Assurance Company" "Health Plan" "Quantity[2664, ""People""]" "DateObject[{2016, 4, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "The covered entity (CE), American Fidelity Assurance Company, erroneously mailed letters to customers containing pages that belonged to another customer due to a mailroom equipment malfunction and manual sorting by an employee.The types of protected health information (PHI) involved in the breach included providers’ names, treatment dates, customers’ names, customers’ employers’ names, and customers’ employer identification numbers. Approximately 2,664 individuals were affected by this incident.The CE provided breach notification to HHS, all potentially affected individuals, and the media. The CE also offered credit monitoring services.The CE retrained staff on safeguarding PHI and verbally reprimanded the employee involved in the incident.As a result of this incident, the CE decided to outsource its mailing and sorting process with a business associate using a fully automated sorting process which provides positive assurance and audit capability.In addition, the CE added quality control measures to their mailing process.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Department of Health" "Healthcare Provider" "Quantity[1076, ""People""]" "DateObject[{2016, 4, 13}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Oneida Tribe of Indians of Wisconsin" "Healthcare Provider" "Quantity[2734, ""People""]" "DateObject[{2016, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Desktop Computer, Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Atique Orthodontics" "Healthcare Provider" "Quantity[1506, ""People""]" "DateObject[{2016, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Vail Clinic, Inc. dba Vail Valley Medical Center, and dba Howard Head Sports Medicine" "Healthcare Provider" "Quantity[3118, ""People""]" "DateObject[{2016, 4, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Laptop, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Hospital Medical Group" "Healthcare Provider" "Quantity[1906, ""People""]" "DateObject[{2016, 4, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Quarles & Brady, LLP" "Business Associate" "Quantity[1032, ""People""]" "DateObject[{2016, 4, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Lake Pulmonary Critical Care PA" "Healthcare Provider" "Quantity[648, ""People""]" "DateObject[{2016, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "The covered entity (CE), Lake Pulmonary Critical Care, PA, discovered that a former employee removed patient medical 
records from the office and took them home. The theft of this protected health information (PHI) affected 648 individuals. The medical information included patients’ names, addresses, phone numbers, dates of birth, social security numbers, health insurance information, medical diagnoses, lab results, medications, and other treatment information. The CE provided timely breach notification to HHS, to affected individuals, and to the media. In response to the breach, the CE improved safeguards by installing employee lockers for all personal items and installing privacy walls at the nurses’ stations. In addition, the CE arranged for HIPAA training for its employees and doctors. OCR obtained assurances that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Lake Pulmonary Critical PA" "Healthcare Provider" "Quantity[648, ""People""]" "DateObject[{2016, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "This case was consolidated into another review of this covered entity. " "Entity[""AdministrativeDivision"", {""Wyoming"", ""UnitedStates""}]" "Wyoming Medical Center" "Healthcare Provider" "Quantity[3184, ""People""]" "DateObject[{2016, 4, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kaiser Foundation Health Plan, Inc." 
"Business Associate" "Quantity[2451, ""People""]" "DateObject[{2016, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Edwin Shaw Rehabilitation" "Healthcare Provider" "Quantity[975, ""People""]" "DateObject[{2016, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Ohio Department of Mental Health and Addiction Services" "Healthcare Provider" "Quantity[59000, ""People""]" "DateObject[{2016, 4, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Mayfield Clinic Inc" "Healthcare Provider" "Quantity[23341, ""People""]" "DateObject[{2016, 4, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "An unauthorized person sent a fraudulent email with an attachment that triggered a download of a ransomware virus to 23,341 email addresses held by the covered entity’s (CE’s) business associate (BA) on its behalf.The protected health information (PHI) involved in the breach included email addresses.The CE sent an email notification to affected individuals on the day of the incident and sent another email notification two days later.The CE provided breach notification to HHS, affected individuals, and the media and also posted substitute notice on its web site.Following the breach, the CE assessed system controls, provided anti-scanning updates to its employees’ email, deleted the email addresses it maintained on its BA’s systems, and put a hold on the future electronic distribution of newsletters.OCR obtained written assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Children's National Medical Center" "Healthcare Provider" "Quantity[4107, ""People""]" "DateObject[{2016, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Oklahoma"", ""UnitedStates""}]" "Comanche County Hospital Authority" "Healthcare Provider" "Quantity[2199, ""People""]" "DateObject[{2016, 4, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Family & Children's Services of Mid Michigan, Inc." "Healthcare Provider" "Quantity[981, ""People""]" "DateObject[{2016, 4, 27}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Northstar Healthcare Acquisitions LLC" "Healthcare Provider" "Quantity[19898, ""People""]" "DateObject[{2016, 4, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "PruittHealth Home Health -- Low Country" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2016, 4, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Managed Health Services" "Health Plan" "Quantity[610, ""People""]" "DateObject[{2016, 5, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Florida Medical Clinic, PA" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2016, 5, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "UnitedHealth Group Single Affiliated 
Covered Entity (SACE)" "Health Plan" "Quantity[5330, ""People""]" "DateObject[{2016, 5, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Southeast Eye Institute, P.A. dba eye Associates of Pinellas" "Healthcare Provider" "Quantity[87314, ""People""]" "DateObject[{2016, 5, 5}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Lafayette Pain Care PC" "Healthcare Provider" "Quantity[7500, ""People""]" "DateObject[{2016, 5, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "UnityPoint Health Affiliated Covered Entity" "Healthcare Provider" "Quantity[1620, ""People""]" "DateObject[{2016, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Family Medicine of Weston" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2016, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Northwest Oncology & Hematology, S.C. 
" "Healthcare Provider" "Quantity[1625, ""People""]" "DateObject[{2016, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Medical Colleagues of Texas, LLP " "Healthcare Provider" "Quantity[68631, ""People""]" "DateObject[{2016, 5, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Pulaski County Special School District-Employee Benefits Division" "Health Plan" "Quantity[2602, ""People""]" "DateObject[{2016, 5, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Imperial Valley Family Care Medical Group, APC" "Healthcare Provider" "Quantity[649, ""People""]" "DateObject[{2016, 5, 13}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Correctional Health Care Services" "Healthcare Provider" "Quantity[400000, ""People""]" "DateObject[{2016, 5, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Associates In EyeCare, P.S.C." 
"Healthcare Provider" "Quantity[971, ""People""]" "DateObject[{2016, 5, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Other Portable Electronic Device" "False" "An office of the covered entity (CE), Associates in EyeCare, P.S.C., was broken into and two laptop computers and an external hard drive were stolen.The breach affected 971 individuals and the types of protected health information (PHI) involved in the breach included patients’ names, internal account numbers, optical images, technical information about the images, and dates of birth.The CE provided timely breach notification to HHS, affected individuals, and the media.The CE also posted notification about the breach to its website.In response to the breach, the CE changed the exterior locks on the clinic doors, revised its policies for movinglaptops between offices, began saving all patient information to the cloud, and equipped its new laptop with encryption and physical security.Further, CE revised its security policies.OCR obtained assurances that the CE will train its employees on its updated policies. 
" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Surgical Care Affiliates" "Business Associate" "Quantity[9009, ""People""]" "DateObject[{2016, 5, 16}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "True" "" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "San Juan County New Mexico" "Healthcare Provider" "Quantity[12500, ""People""]" "DateObject[{2016, 5, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Complete Chiropractic & Bodywork Therapies" "Healthcare Provider" "Quantity[4082, ""People""]" "DateObject[{2016, 5, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Emergency Room Associates doing business as Emergency Medicine Associates" "Healthcare Provider" "Quantity[1067, ""People""]" "DateObject[{2016, 5, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Tallahassee Memorial HealthCare, Inc." "Healthcare Provider" "Quantity[505, ""People""]" "DateObject[{2016, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Coordinated Health Mutual, Inc." 
"Health Plan" "Quantity[591, ""People""]" "DateObject[{2016, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Aflac" "Health Plan" "Quantity[930, ""People""]" "DateObject[{2016, 5, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Berkeley Endocrine Clinic" "" "Quantity[1370, ""People""]" "DateObject[{2016, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "True" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Keystone Rural Health Consortia, Inc." "Healthcare Provider" "Quantity[800, ""People""]" "DateObject[{2016, 5, 24}, ""Day"", ""Gregorian"", -5.]" "Theft" "Electronic Medical Record, Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Integrated Health Solutions PC" "Healthcare Provider" "Quantity[19776, ""People""]" "DateObject[{2016, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "California Health & Longevity Institute" "Healthcare Provider" "Quantity[4386, ""People""]" "DateObject[{2016, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "This case has been consolidated into an existing review." 
"Entity[""AdministrativeDivision"", {""Connecticut"", ""UnitedStates""}]" "Stamford Podiatry Group .P.C" "Healthcare Provider" "Quantity[40491, ""People""]" "DateObject[{2016, 5, 25}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "Orchid MPS Holdings, LLC Welfare Benefit Plan" "Health Plan" "Quantity[771, ""People""]" "DateObject[{2016, 5, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""DistrictOfColumbia"", ""UnitedStates""}]" "Washington DC VA Medical Center" "Healthcare Provider" "Quantity[1062, ""People""]" "DateObject[{2016, 5, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "ENT and Allergy Center" "Healthcare Provider" "Quantity[16200, ""People""]" "DateObject[{2016, 5, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "My Pediatrician, PA" "Business Associate" "Quantity[2500, ""People""]" "DateObject[{2016, 6, 1}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "The University of New Mexico" "Healthcare Provider" "Quantity[2827, ""People""]" "DateObject[{2016, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "The Vein Doctor" "Healthcare Provider" "Quantity[3000, ""People""]" "DateObject[{2016, 6, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Vincent Vein Center" "Healthcare Provider" "Quantity[2250, ""People""]" 
"DateObject[{2016, 6, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "The covered entity (CE), Vincent Vein Center, reported that its business associate (BA), Bizmatics, had owned data servers containing the CE's patient information that were accessed by unauthorized persons.Approximately 2,250 of the CE's patients were affected by the breach. The electronic protected health information (ePHI) involved in the breach included patients' names, addresses, social security numbers, and health visit information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE began evaluating the use of alternate electronic medical record and practice management software. As a result of OCR’s investigation and technical assistance, the CE provided written assurances that it will revise and/or implement its relevant breach notification and BA contract policies and procedures in compliance with HIPAA. OCR opened a separate investigation of the BA." "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Grace Primary Care, PC" "Healthcare Provider" "Quantity[6853, ""People""]" "DateObject[{2016, 6, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Midland County Hospital District d/b/a Midland Memorial Hospital" "Healthcare Provider" "Quantity[1468, ""People""]" "DateObject[{2016, 6, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Wal-Mart Stores, Inc." 
"Healthcare Provider" "Quantity[27393, ""People""]" "DateObject[{2016, 6, 8}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "North Ottawa Medical Group" "Healthcare Provider" "Quantity[22000, ""People""]" "DateObject[{2016, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "PruittHealth Hospice Beaufort" "Healthcare Provider" "Quantity[1437, ""People""]" "DateObject[{2016, 6, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "On April 11, 2016, the covered entity (CE), PruittHealth Hospice, experienced a break-in at its Beaufort offices.The perpetrators entered the offices by breaking a side window and then broke into the file cabinets, although it did not appear that any medical records were disturbed or taken.The perpetrators had the opportunity to access the paper medical records for 1,437 individuals. The types of protected health information (PHI) contained in the paper medical records included patients' names, addresses, social security numbers, dates of birth, dates of service, service locations, and other clinical information.Following the breach, the CE reviewed its policies and trained staff on data privacy and information security. Additionally, the CE initiated a criminal investigation with local law enforcement.It improved physical safeguards by replacing the broken window, purchasing file cabinets with more secure locks, and purchasing a monitored security system.The CE provided breach notification to HHS, all patients it ever served, and the media.It also provided substitute notice on its website and set up a toll free information line for affected individuals.OCR obtained assurances that the CE implemented the corrective actions listed above." 
"Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Saints Mary and Elizabeth Hospital" "Healthcare Provider" "Quantity[1682, ""People""]" "DateObject[{2016, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "EDWARD G. MYERS D.O. INC" "Healthcare Provider" "Quantity[6441, ""People""]" "DateObject[{2016, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Riverside Health System" "Healthcare Provider" "Quantity[578, ""People""]" "DateObject[{2016, 6, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Laser & Dermatologic Surgery Center " "Healthcare Provider" "Quantity[31000, ""People""]" "DateObject[{2016, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kern County Mental Health" "Health Plan" "Quantity[1212, ""People""]" "DateObject[{2016, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Texas Health and Human Services Commission" "Health Plan" "Quantity[600, ""People""]" "DateObject[{2016, 6, 14}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Allergy, Asthma & Immunology of the Rockies, PC " "Healthcare Provider" "Quantity[6851, ""People""]" "DateObject[{2016, 6, 17}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Midland Women's Clinic" "Healthcare Provider" "Quantity[717, ""People""]" "DateObject[{2016, 6, 17}, ""Day"", 
""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "Uncommon Care, P.A." "Healthcare Provider" "Quantity[13674, ""People""]" "DateObject[{2016, 6, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Ceaton C Falgiano" "Healthcare Provider" "Quantity[650, ""People""]" "DateObject[{2016, 6, 27}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Linda J White, DDS, PC" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2016, 6, 27}, ""Day"", ""Gregorian"", -5.]" "Improper Disposal" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Massachusetts General Hospital " "Healthcare Provider" "Quantity[4293, ""People""]" "DateObject[{2016, 6, 29}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Mercy Medical Center Redding" "Healthcare Provider" "Quantity[520, ""People""]" "DateObject[{2016, 6, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Iowa"", ""UnitedStates""}]" "Planned Parenthood of the Heartland" "Healthcare Provider" "Quantity[2506, ""People""]" "DateObject[{2016, 7, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "The Ambulatory Surgery Center at St. 
Mary" "Healthcare Provider" "Quantity[13000, ""People""]" "DateObject[{2016, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Heart Center of Southern Maryland, L.L.P." "Healthcare Provider" "Quantity[1350, ""People""]" "DateObject[{2016, 7, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Arkansas"", ""UnitedStates""}]" "Dr. Q Pain and Spine d/b/a Arkansas Spine and Pain" "Healthcare Provider" "Quantity[17100, ""People""]" "DateObject[{2016, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Health Incent, LLC" "Healthcare Provider" "Quantity[1100, ""People""]" "DateObject[{2016, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Colorado"", ""UnitedStates""}]" "Lasair Aesthetic Health, P.C." "Healthcare Provider" "Quantity[1835, ""People""]" "DateObject[{2016, 7, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Kaiser Permanente Northern California" "Health Plan" "Quantity[1136, ""People""]" "DateObject[{2016, 7, 12}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Cefalu Eye-Tech of Green, Inc." "Healthcare Provider" "Quantity[850, ""People""]" "DateObject[{2016, 7, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "An employee of Cefalu Eye-Tech of Green, Inc. 
(Cefalu) photographed computer screens containing the protected health information (PHI) of approximately 850 individuals, including names, addresses, email addresses, and codes for diagnosis and conditions. Following the breach, Cefalu investigated the breach and provided breach notification to HHS and the affected individuals. OCR determined that the reporting entity is no longer a covered entity. OCR obtained documentation supporting its finding that Cefalu is no longer a covered entity. " "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "SUNSHINE STATE HEALTH PLAN, INC." "Health Plan" "Quantity[1479, ""People""]" "DateObject[{2016, 7, 14}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Minnesota"", ""UnitedStates""}]" "Blaine Chiropractic Center" "Healthcare Provider" "Quantity[1945, ""People""]" "DateObject[{2016, 7, 14}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Lee Rice D.O., Medical Corp DBA Lifewellness Institute" "Healthcare Provider" "Quantity[2473, ""People""]" "DateObject[{2016, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Providence Medical Group- Gateway Clinics" "Healthcare Provider" "Quantity[5978, ""People""]" "DateObject[{2016, 7, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Access Health Care Physicians, LLC" "Healthcare Provider" "Quantity[2500, ""People""]" "DateObject[{2016, 7, 19}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Neurology Physicians LLC" "Healthcare Provider" "Quantity[4831, ""People""]" 
"DateObject[{2016, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Premier Family Care I, Inc." "Healthcare Provider" "Quantity[1326, ""People""]" "DateObject[{2016, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Brian Halevie-Goldman" "Healthcare Provider" "Quantity[2000, ""People""]" "DateObject[{2016, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Memorial Hermann Health System, reporting on behalf of Memorial Hermann Health System Employee Group Health Plan" "Health Plan" "Quantity[12061, ""People""]" "DateObject[{2016, 7, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Sunbury Plaza Dental" "Business Associate" "Quantity[7784, ""People""]" "DateObject[{2016, 7, 21}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "True" "" "Entity[""AdministrativeDivision"", {""Delaware"", ""UnitedStates""}]" "Ambucor Health Solutions, an unincorporated division of The ScottCare Corporation" "Business Associate" "Quantity[1679, ""People""]" "DateObject[{2016, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email, Other Portable Electronic Device" "True" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Caring for Women, PA" "Healthcare Provider" "Quantity[697, ""People""]" "DateObject[{2016, 7, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "American Family Care, Inc." 
"Healthcare Provider" "Quantity[7200, ""People""]" "DateObject[{2016, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record, Other" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "StarCare Speciality Health System" "Healthcare Provider" "Quantity[2844, ""People""]" "DateObject[{2016, 7, 25}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop, Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Midwest Orthopedic Pain and Spine" "Healthcare Provider" "Quantity[29153, ""People""]" "DateObject[{2016, 7, 26}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Athletes' Performance, Inc." "Healthcare Provider" "Quantity[854, ""People""]" "DateObject[{2016, 7, 28}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Athens Orthopedic Clinic, P.A." "Healthcare Provider" "Quantity[201000, ""People""]" "DateObject[{2016, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Jefferson Medical Associates, P.A." 
"Healthcare Provider" "Quantity[10401, ""People""]" "DateObject[{2016, 7, 29}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Banner Health" "Healthcare Provider" "Quantity[3620000, ""People""]" "DateObject[{2016, 8, 3}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server, Other" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "The Carle Foundation" "Healthcare Provider" "Quantity[1185, ""People""]" "DateObject[{2016, 8, 4}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Center for Minimmally Invasive Bariatric and General Surgery" "Healthcare Provider" "Quantity[992, ""People""]" "DateObject[{2016, 8, 5}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Prosthetic & Orthotic Care, Inc." "Healthcare Provider" "Quantity[23015, ""People""]" "DateObject[{2016, 8, 7}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Virginia"", ""UnitedStates""}]" "Professional Dermatology Care, P.C." "Healthcare Provider" "Quantity[13237, ""People""]" "DateObject[{2016, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "Newkirk Products, Inc." 
"Business Associate" "Quantity[3466120, ""People""]" "DateObject[{2016, 8, 9}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "True" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Autism Home Support Services" "Healthcare Provider" "Quantity[533, ""People""]" "DateObject[{2016, 8, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "The covered entity’s (CE) employee disclosed protected health information (PHI) to a university practicum student who contacted individuals by email to ask if they would like to participate in a survey related to autism. The PHI involved in the breach included the demographic information of approximately 533 individuals.The CE provided breach notification to HHS and affected individuals.Following the breach, the CE sanctioned and re-trained the involved employee and confirmed that the practicum student destroyed the PHI received.OCR obtained documentation that the CE implemented the corrective actions listed above." "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Cardiology Associates" "Healthcare Provider" "Quantity[907, ""People""]" "DateObject[{2016, 8, 10}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Florida"", ""UnitedStates""}]" "Rotech Healthcare Inc." "Healthcare Provider" "Quantity[957, ""People""]" "DateObject[{2016, 8, 11}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Arizona"", ""UnitedStates""}]" "Valley Anesthesiology Consultants, Inc. 
d/b/a Valley Anesthesiology and Pain Consultants" "Healthcare Provider" "Quantity[882590, ""People""]" "DateObject[{2016, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Bon Secours Health System Incorporated" "Healthcare Provider" "Quantity[651971, ""People""]" "DateObject[{2016, 8, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "John E. Gonzalez DDS" "Healthcare Provider" "Quantity[1025, ""People""]" "DateObject[{2016, 8, 14}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Phoenix Dental Care" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2016, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""NewYork"", ""UnitedStates""}]" "New York State Office of Mental Health" "Healthcare Provider" "Quantity[21880, ""People""]" "DateObject[{2016, 8, 15}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Illinois"", ""UnitedStates""}]" "Village of Oak Park, Illinois" "Health Plan" "Quantity[688, ""People""]" "DateObject[{2016, 8, 18}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Indiana"", ""UnitedStates""}]" "Orleans Medical Clinic" "Healthcare Provider" "Quantity[6890, ""People""]" "DateObject[{2016, 8, 19}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NorthCarolina"", ""UnitedStates""}]" "The Outer Banks Hospital" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2016, 8, 19}, ""Day"", ""Gregorian"", -5.]" "Loss" "Other Portable 
Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "SCAN Health Plan" "Health Plan" "Quantity[87069, ""People""]" "DateObject[{2016, 8, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "CalOptima" "Health Plan" "Quantity[1000, ""People""]" "DateObject[{2016, 8, 22}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Summit Medical Group, Inc. dba St. Elizabeth Physicians " "Healthcare Provider" "Quantity[674, ""People""]" "DateObject[{2016, 8, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Planned Parenthood of Greater Washington and North Idaho" "Healthcare Provider" "Quantity[10700, ""People""]" "DateObject[{2016, 8, 26}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "County of Los Angeles" "Healthcare Provider" "Quantity[743, ""People""]" "DateObject[{2016, 8, 30}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Howard R. Jarvis, D.M.D., L.L.C. 
dba Southwest Portland Dental" "Healthcare Provider" "Quantity[1980, ""People""]" "DateObject[{2016, 8, 30}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Louisiana"", ""UnitedStates""}]" "Center for Neurosurgical & Spine Disorders, LLC" "Healthcare Provider" "Quantity[824, ""People""]" "DateObject[{2016, 8, 31}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Texas"", ""UnitedStates""}]" "Willow Bend Dental" "Healthcare Provider" "Quantity[625, ""People""]" "DateObject[{2016, 8, 31}, ""Day"", ""Gregorian"", -5.]" "Theft" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "CHI Franciscan Healthcare Highline Medical Center" "Healthcare Provider" "Quantity[18399, ""People""]" "DateObject[{2016, 9, 1}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Santa Cruz County Health Services Agency" "Healthcare Provider" "Quantity[25000, ""People""]" "DateObject[{2016, 9, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Missouri"", ""UnitedStates""}]" "Burrell Behavioral Health" "Healthcare Provider" "Quantity[7748, ""People""]" "DateObject[{2016, 9, 2}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "Medical College of Wisconsin" "Healthcare Provider" "Quantity[3179, ""People""]" "DateObject[{2016, 9, 2}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Email" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "Geisinger Health Plan" "Health Plan" "Quantity[2814, ""People""]" "DateObject[{2016, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Unauthorized 
Access/Disclosure" "Other" "False" "" "Entity[""AdministrativeDivision"", {""Kansas"", ""UnitedStates""}]" "Decatur Health Systems " "Healthcare Provider" "Quantity[707, ""People""]" "DateObject[{2016, 9, 7}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""RhodeIsland"", ""UnitedStates""}]" "University Gastroenterology, Inc." "Healthcare Provider" "Quantity[15478, ""People""]" "DateObject[{2016, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Maryland"", ""UnitedStates""}]" "Man Alive, Inc. and Lane Treatment Center, LLC" "Healthcare Provider" "Quantity[860, ""People""]" "DateObject[{2016, 9, 8}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer, Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Alabama"", ""UnitedStates""}]" "Public Education Employees' Health Insurance Plan" "Health Plan" "Quantity[1349, ""People""]" "DateObject[{2016, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Martin Army Community Hospital" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2016, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Oregon"", ""UnitedStates""}]" "Asante" "Healthcare Provider" "Quantity[2400, ""People""]" "DateObject[{2016, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "U.S. 
HealthWorks" "Healthcare Provider" "Quantity[1400, ""People""]" "DateObject[{2016, 9, 9}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Massachusetts"", ""UnitedStates""}]" "Codman Square Health Center " "Healthcare Provider" "Quantity[3840, ""People""]" "DateObject[{2016, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Pratap S. Kurra, M.D." "Healthcare Provider" "Quantity[2029, ""People""]" "DateObject[{2016, 9, 12}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "King of Prussia Dental Associates" "Healthcare Provider" "Quantity[16228, ""People""]" "DateObject[{2016, 9, 13}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""SouthCarolina"", ""UnitedStates""}]" "Heritage Medical Partners, LLC" "Healthcare Provider" "Quantity[812, ""People""]" "DateObject[{2016, 9, 15}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "CHI Franciscan Health St. Clare Hospital and St. 
Joseph Medical Center" "Healthcare Provider" "Quantity[2818, ""People""]" "DateObject[{2016, 9, 16}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Electronic Medical Record" "False" "" "Entity[""AdministrativeDivision"", {""Pennsylvania"", ""UnitedStates""}]" "KidsPeace" "Healthcare Provider" "Quantity[1456, ""People""]" "DateObject[{2016, 9, 19}, ""Day"", ""Gregorian"", -5.]" "Loss" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Ventura County Health Care Agency" "Healthcare Provider" "Quantity[777, ""People""]" "DateObject[{2016, 9, 20}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Michigan"", ""UnitedStates""}]" "McLaren Greater Lansing Cardiovascular Group" "Healthcare Provider" "Quantity[1000, ""People""]" "DateObject[{2016, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer, Electronic Medical Record, Other" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "USC Keck and Norris Hospitals" "Healthcare Provider" "Quantity[16000, ""People""]" "DateObject[{2016, 9, 21}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""NewJersey"", ""UnitedStates""}]" "New Jersey Spine Center" "Healthcare Provider" "Quantity[28000, ""People""]" "DateObject[{2016, 9, 22}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Electronic Medical Record, Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Kentucky"", ""UnitedStates""}]" "Jennie Stuart Medical Center" "Healthcare Provider" "Quantity[1500, ""People""]" "DateObject[{2016, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""California"", ""UnitedStates""}]" "Hal Meadows, M.D." 
"Healthcare Provider" "Quantity[6000, ""People""]" "DateObject[{2016, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""Ohio"", ""UnitedStates""}]" "Central Ohio Urology Group, Inc." "Healthcare Provider" "Quantity[300000, ""People""]" "DateObject[{2016, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Washington"", ""UnitedStates""}]" "Group Health" "Health Plan" "Quantity[668, ""People""]" "DateObject[{2016, 9, 23}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" "False" "" "Entity[""AdministrativeDivision"", {""Georgia"", ""UnitedStates""}]" "Thomasville Eye Center" "Healthcare Provider" "Quantity[10891, ""People""]" "DateObject[{2016, 9, 28}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Desktop Computer" "False" "" "Entity[""AdministrativeDivision"", {""NewMexico"", ""UnitedStates""}]" "San Juan Oncology Associates" "Healthcare Provider" "Quantity[500, ""People""]" "DateObject[{2016, 9, 29}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Tennessee"", ""UnitedStates""}]" "Fred's Stores of Tennessee, Incorporated" "Healthcare Provider" "Quantity[9624, ""People""]" "DateObject[{2016, 9, 29}, ""Day"", ""Gregorian"", -5.]" "Theft" "Laptop" "False" "" "Entity[""AdministrativeDivision"", {""Mississippi"", ""UnitedStates""}]" "Urgent Care Clinic of Oxford" "Healthcare Provider" "Quantity[64000, ""People""]" "DateObject[{2016, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Hacking/IT Incident" "Network Server" "False" "" "Entity[""AdministrativeDivision"", {""Wisconsin"", ""UnitedStates""}]" "University of Wisconsin Hospitals and Clinics Authority" "Healthcare Provider" "Quantity[6923, ""People""]" "DateObject[{2016, 9, 30}, ""Day"", ""Gregorian"", -5.]" "Unauthorized Access/Disclosure" "Paper/Films" 
"False" ""