Individuals Affected: 307,528
When: May 2014
The Brentwood, Tenn.-based imaging company notified its patients in May after discovering that a network server folder containing protected health information had been accessible on the Internet. An investigation found that the data, which included medical diagnoses, health insurance data, radiology procedures, patients names, DOBs, addresses and Social Security numbers, were indeed readable over the Internet.
Individuals Affected: 342,197
When: February 2014
The county's third-party billing vendor Sutherland Healthcare Solutions reported a burglary Feb. 5 involving the theft of eight unencrypted company computers, containing protected health information. Officials confirmed the computers contained patient Social Security numbers, demographic data, billing information, dates of birth and protected health information, including medical diagnoses. Officials originally said the breach affected 168,500, but later it was discovered to reach more than 340,000.
Individuals Affected: 1.3 million
When: July 2014-May 2014
The state agency notified some 1.3 million people after hackers gained unfettered access to an agency server for nearly a year before being discovered. Hackers likely first gained access to the server as far back as July 2013, according to DPHHS officials, but the breach was only discovered on May 15, 2014. An independently-conducted investigation confirmed May 22 the server had been accessed by outsiders. Data compromised included client, employee and contractors' names, addresses, dates of birth, Social Security numbers, clinical and medical data and dates of service. DPHHS employee bank account and payroll information was also held on the server, officials say.Photo: Ricky 2008, Flickr
Individuals Affected: 2 million
When: May 2014
f birth, photos, medical diagnoses and billing information.Photo: sm.caruso 2007, Flickr
After terminating its Medicaid contract with third-party vendor Xerox, the Texas Health and Human Services Commission, discovered the company had neglected to return paper and electronic health records of the state's Medicaid patients, "putting the state out of compliance with federal regulations and at risk of massive federal fines." Late summer, the state filed suit against Xerox, alleging it had approved requests for braces that weren't medically necessary, also for failing to return 244 boxes of data.
Individuals Affected: 4.5 million
When: April-June 2014
One of the nation's largest hospital operators notified some 4.5 million of its patientsthat their personal information was stolen by cybercriminals. The Franklin, Tenn.-based company, which operates 206 hospitals across 29 states, reported in an Aug. 18 federal security filing that hackers were able to gain access to CHS' systems throughout April and June 2014. The hacking group, which officials say originated from China, "used highly sophisticated malware and technology," the report revealed. According to information security firm TrustedSec, the Chinese hacker group, carried out by Chinese Advanced Persistent Threat, exploited CVE-2014-0160, also known as the Heartbleed vulnerability. Only on Aug. 19 did the Federal Bureau of Investigation issue an alert to healthcare organizations that may be susceptible to an attack. The alert was not specific to Chinese hacking group. This is the largest hacking-related HIPAA breach ever reported, according to data from HHS' Office for Civil Rights.