Thanks to the August 2009 Breach Notification Rule included in the Health Information Technology for Economic and Clinical Health Act, HIPAA-covered entities and their business associates are required to provide notification following a data breach of protected health information. Breaches that compromised the PHI of 500 or more individuals must be posted publicly by the Department of Health and Human Services. Since the 2009 rule, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more. Here is a collection of the nation’s biggest HIPAA breaches. Data from the Department of Health and Human Services.
Individuals Affected: 514,330
When: March 11, 2011
The Rancho Mirage, Calif.-based hospital reported the theft of an unencrypted computer containing patient names, ages, dates of birth, partial Social Security numbers and the hospital’s medical record number. Hospital officials did not discover the computer had been stolen until March 14, 2011.
Individuals Affected: 780,000
When: March 10, 2012
Unlike the other top breaches, the Utah Department of Health confirmed that a server containing personal health information had been actively hacked into. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered on April 2, 2012. The breach had occurred more than one month earlier. One year of free credit monitoring and identity theft insurance was extended to those affected.
Individuals Affected: 800,000
When: Feb. 26, 2010
Settlement: $750,000 to the state of Massachusetts
The 318-bed, Weymouth, Mass.-based hospital shipped three boxes containing nearly 500 unencrypted back-up computer tapes with protected health information to be erased by Archive Data Solutions. The boxes then went missing, and only one has since been recovered. The tapes contained patient names, Social Security numbers, and financial, clinical and medical diagnoses data. The hospital paid the state $750,000, which was reduced by $275,000 for technology investments already made by the hospital since the breach.
Individuals Affected: 943,434
When: Oct. 15, 2011
Settlement: 11 total lawsuits could amount to between $944 million and $4.25 billion
The Sacramento, Calif.-based Sutter Health affiliate reported the theft of a company desktop computer containing clinical data and medical diagnosis information of patients. Moreover, the computer also contained limited demographic data of more than 3.3 million additional individuals.
Individuals Affected: 1,023,209
When: Oct. 2, 2009
Settlement: $1.5 million to U.S. Department of Health and Human Services
The Chattanooga, Tenn.-based health insurer reported the theft of 57 unencrypted computer hard drives from one of the company’s leased facilities. The hard drives contained member demographic information in addition to Social Security numbers, diagnosis codes and health plan identification numbers. BCBST paid over $6 million for additional data encryption, and spent nearly $17 million on protection, investigation and member notification. The settlement paid to HHS was the first enforcement action resulting from the HITECH Breach Notification Rule.
Individuals Affected: 1,055,489
When: Aug. 10, 2011
The foundation reported that three unencrypted backup tapes in a locked storage cabinet went missing from its Wilmington, Del. facility. The tapes contained patient names, addresses, dates of birth, Social Security numbers and personal health information. Employee, vendor and patient guarantor financial and demographic information were also included on the tapes. The foundation offered affected individuals one year of free credit monitoring and credit protection.
Individuals Affected: 1,220,000
When: Dec. 10, 2009
The Miami, Fla.-based health insurer reported the theft of two unencrypted laptops containing member names, dates of birth, addresses, Social Security numbers and personal health information. According to officials, both laptops were reported missing from a locked conference room. Despite the breach occurring in December 2009, the company waited until February 2010 to notify affected members. The number of patients affected by the breach was initially pegged at 208,000; however, that number shot up to 1.22 million by June 2010.
Individuals Affected: 1,700,000
When: Dec. 23, 2010
The Bronx, N.Y.-based health network reported that two back-up tapes for two computer systems were stolen from a vendor truck parked on a Manhattan street. The tapes contained 20 years of personal health information of employees, vendors and patients. The Bronx Healthcare Network includes Jacobi Medical Center, North Central Bronx Hospital, the Health Center at Gun Hill and the Health Center at Tremont. One year of free credit monitoring was provided to affected individuals.
Individuals Affected: 1,900,000
When: Jan. 21, 2011; reported Mar. 14, 2011
The Woodland Hills, Calif.-based health insurance company reportedly lost nine server drives in Jan. 2011 and waited two months before it reported the breach. The servers contained the Social Security numbers, names, addresses and health information of Health Net employees, members and providers. The company offered two years of free identity and fraud protection and identity theft insurance.
Individuals Affected: 4,901,432
When: Sep. 14, 2011
Settlement: $4.9 billion sought in filed class-action lawsuit
In one of history’s biggest HIPAA data breaches, the Falls Church, Va.-based military health care provider reportedly lost back-up tapes containing personally identifiable and protected health information from military beneficiaries’ electronic health records. According to officials, the back-up tapes may have contained patient addresses, phone numbers, Social Security numbers and clinical data.