Breach List Grows to 52

Most involve theft or loss
Breach List Grows to 52
A list of major breaches of healthcare information has grown to 52 cases, up from 36 incidents when it was launched on Feb. 22.

Of the breaches reported so far, 75 percent have involved the theft or loss of a device, such as a laptop, or paper records.

The Office for Civil Rights within the U.S. Department of Health and Human Services is regularly updating on its Web site a list of organizations that have notified HHS about a breach of unsecured health information involving more than 500 individuals. The list is for incidents since September 2009, when new reporting requirements kicked in.

Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.

To view the list, click here.

Only one hacker

Only one hacking incident is on the list. That Dec. 8, 2009, incident at a private practice in Wilmington, N.C., affected 2,000 individuals. Also, only one phishing scam is listed; that case affected 610 at the University of California, San Francisco, on Sept. 22, 2009.

Two of the most recently added breaches are:

  • The theft of a laptop Feb. 20 at Montefiore Medical Center in New York, affecting 625;
  • The theft of a portable electronic device Feb. 20 at a private practice in San Antonio, Texas.

Seven of the incidents on the list are identified only as "private practices" without specifying the name of the organization. "Under current Privacy Act provisions, the Office for Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent," the OCR said in a recent statement.

Difficult to find?

Some observers have questioned why the list is displayed deep within the OCR Web site. For a story on those concerns, click here.

OCR adds new breaches to the site once they are verified by regional offices. They are listed in order by the date of the incident, so it's not easy to pinpoint which cases are newly added. For example, one case dating back to October was added within the last two weeks.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.