Skip to main content

Large Patient Information Breaches Pass Century Mark

 |  By dnicastro@hcpro.com  
   July 06, 2010

The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit the 100 mark and then some.

As of Friday, July 2, the number of entities reporting the egregious breaches to the government’s HIPAA privacy and security enforcer hit 107. The number of entities—listed on the Office for Civil Rights (OCR) breach notification website—has more than tripled since the enforcer first began posting them in February. The list has grown about 15 per month, or an entity every other day.

The list is required by HITECH, the American Recovery and Reinvestment Act of 2009 privacy subpart that includes greater breach notification requirements and more public scrutiny and increased fines for HIPAA violations.

The reporting requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.

Those regulations require:

  • Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
  • Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
  • Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
  • Notice to next of kin about breaches involving patients who are deceased
  • Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
  • Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecure PHI breaches involving fewer than 500 patient records

 

Of the 107 breaches of unsecured PHI, 20 involve business associates (BAs), or nearly one out of every five. HITECH requires BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule.

For each entity, OCR lists the location of the breached information, and laptops took the top spot with an appearance in 34 of the 107 breaches (32%). “Paper records” is listed in 22 breaches, and “portable device” in 11 breaches.

Eleven of the entities on the website are listed as “private practice.” OCR has told HealthLeaders Media it will begin posting the names of entities they consider “individuals” regardless of whether or not those entities give consent; the Privacy Act of 1974 offers that “consent” protection. But OCR requested that not be applied here.

The breach affecting the most individuals is AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.

Filling out the top five breaches with the largest number of affected individuals are:

AvMed, Inc.
State: Florida

 

Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of beached information: Laptop

 

Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 998,442
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives

WellPoint, Inc.
State: Indiana
Approximate number of individuals affected: 480,000
Date of breach: (OCR says Nov. 3, 2010)
Type of Breach: Hacking/IT Incident
Location of Breached Information: Network Server

Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other

Emergency Healthcare Physicians, Ltd.
State: Illinois
Business associate involved: Millennium Medical Management Resources, Inc.
Approximate number of individuals affected: 180,111
Date of breach: Feb. 27, 2010
Type of breach: Theft
Location of breached information: Portable electronic device, other

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.

Tagged Under:


Get the latest on healthcare leadership in your inbox.