
Large Patient Information Breach List Climbs to 265

By dnicastro@hcpro.com | May 03, 2011

The number of entities reporting breaches of unsecured PHI affecting at least 500 individuals to the Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, reached 265 as of Friday.

By the middle of March, 249 entities had reported breaches, meaning a spike of 16 in the last 45 days, behind the pace established since OCR began posting the breaches more than a year ago.

OCR, per a provision in the Health Information Technology for Economic and Clinical Health (HITECH) Act, began posting the entities and information about their large breaches in February 2010. In 15 months, an average of about 18 reports per month, or a little more than one every other day, has surfaced on the OCR website.

Health insurance giant Health Net, Inc. earned the spot as the largest on the list after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in March. On the Health Net report, the "type of breach" is "unknown," and the "location of breached info" is listed as "other."

At No. 2 is a breach in Manhattan that affected 1.7 million patients. On February 9, the New York City Health and Hospitals Corporation (HHC) reported that it began to notify the affected patients, staff, contractors, vendors, and others who were treated by and/or provided services during the past 20 years.

Prior to that, the breach affecting the most individuals for a large chunk of time was AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.

Blue Cross Blue Shield of Tennessee, whose Oct. 2, 2009 breach affected 998,442 individuals, owns the fourth spot on the list. That incident involved the theft of hard drives.

OCR's breach list is required by HITECH, the privacy subpart of the American Recovery and Reinvestment Act of 2009 that includes greater breach notification requirements, more public scrutiny, and increased fines for HIPAA violations.

The reporting requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
