Individuals affected: 501 – An unencrypted USB hard drive containing patient information was stolen from a DHSS employee's car. After conducting an investigation, OCR officials discovered that DHSS had failed to complete a risk analysis, implement adequate security measures, provide security training for its employees, or address device encryption.
Individuals affected: 612,402 – The protected health information, Social Security numbers and demographic data of patients were made accessible to unauthorized users over the Internet for a period of nearly five months. An OCR investigation determined WellPoint failed to perform an adequate technical evaluation in response to a software upgrade. The managed care company also neglected to implement user verification technology for the Web-based patient database. Photo: Plurimus, 2009
Individuals affected: 870 – A Concentra unencrypted laptop was stolen in November 2011, and according to OCR officials, the healthcare company from 2008 to 2012 failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases. In 2008, almost 28 percent of Concentra laptops were not encrypted, and a complete inventory to assess this did not occur until four years later. Photo: M.O. Stevens, via Wikimedia Commons
Individuals affected: NA – A 2007 OCR investigation, launched in response to media reports on the topic, found several CVS pharmacies were disposing of protected health information in public dumpsters. In collaboration with OCR, the Federal Trade Commission also launched an investigation into CVS. Officials determined the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it in the proper way. Photo: Ron Cogswell, 2011
Individuals affected: 41 – The Maryland-based health center from 2008 to 2009 denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into Cignet allegations, the practice subsequently refused to respond to several of OCR's demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined $3 million. Photo: Google, 2013
Individuals affected: 6,800 – An OCR investigation discovered the HIPAA breach transpired when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI being accessible on Google. The data was so widely accessible online that the entities learned of the breach after receiving a complaint from an individual who saw the ePHI of their deceased partner, a former NYP patient, online. Photo: Paul VanDerWerf, 2014