rownames,Name.of.Covered.Entity,State,Covered.Entity.Type,Individuals.Affected,Breach.Submission.Date,Type.of.Breach,Location.of.Breached.Information,Business.Associate.Present,Web.Description 1,Brooke Army Medical Center,TX,Healthcare Provider,1000,2009-10-21,Theft,Paper/Films,FALSE,"A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff members vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCRs investigation, the CE notified the local media about the breach." 2,"Mid America Kidney Stone Association, LLC",MO,Healthcare Provider,1000,2009-10-28,Theft,Network Server,FALSE,"Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCRs investigation the CE updated its computer password policy. " 3,Alaska Department of Health and Social Services,AK,Healthcare Provider,501,2009-10-30,Theft,"Other, Other Portable Electronic Device",FALSE,\N 4,"Health Services for Children with Special Needs, Inc.",DC,Health Plan,3800,2009-11-17,Loss,Laptop,FALSE,"A laptop was lost by an employee while in transit on public transportation. 
The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training. \" 5,"L. Douglas Carlson, M.D.",CA,Healthcare Provider,5257,2009-11-20,Theft,Desktop Computer,FALSE,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. \" 6,"David I. 
Cohen, MD",CA,Healthcare Provider,857,2009-11-20,Theft,Desktop Computer,FALSE,"A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \" 7,"Michele Del Vicario, MD",CA,Healthcare Provider,6145,2009-11-20,Theft,Desktop Computer,FALSE,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. 
Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \" 8,"Joseph F. Lopez, MD",CA,Healthcare Provider,952,2009-11-20,Theft,Desktop Computer,FALSE,"A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. \" 9,"Mark D. Lurie, MD",CA,Healthcare Provider,5166,2009-11-20,Theft,Desktop Computer,FALSE,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. 
The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indivs and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. \" 10,City of Hope National Medical Center,CA,Healthcare Provider,5900,2009-11-23,Theft,Laptop,FALSE,"A laptop computer was stolen from a workforce members car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCRs investigation resulted in the covered entity improving their physical safeguards and retraining employees. \" 11,The Children's Hospital of Philadelphia,PA,Healthcare Provider,943,2009-11-24,Theft,Laptop,FALSE,\N 12,"Cogent Healthcare, Inc.",TN,Business Associate,6400,2009-11-25,Theft,Laptop,TRUE,"A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. 
The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices." 13,"Democracy Data & Communications, LLC (",VA,Business Associate,83000,2009-12-08,Other,Paper/Films,TRUE,"In its breach report and during the course of OCRs investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. 
The covered entity also created and implemented a new policy titled Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form that centralized all data requests through a Team Track which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. \" 14,Kern Medical Center,CA,Healthcare Provider,596,2009-12-10,Theft,Other,FALSE,\N 15,"Rick Lawson, Professional Computer Services",NC,Business Associate,2000,2009-12-11,Theft,"Desktop Computer, Electronic Medical Record, Network Server",TRUE,"The covered entity (CE) changed the business associate (BA) it used as its information technology vendor. During the transition, a workforce member of the outgoing BA entered the CEs computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. The BA also removed the CEs backup program and deactivated all of its antivirus software. The breach affected approximately 2,000 individuals. The protected health information (PHI) involved in the breach included patients names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CEs master system and enabled direct controls for the CE. A new server was installed with no ties to the previous BA. The new BA corrected the CEs passwords and settings, mitigating the issues caused by the previous vendor. 
The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule. As a result of OCRs investigation, the CE improved its physical safeguards and retrained employees. \ \ \" 16,Detroit Department of Health and Wellness Promotion,MI,Healthcare Provider,10000,2009-12-15,Theft,Other Portable Electronic Device,FALSE,\N 17,Detroit Department of Health and Wellness Promotion,MI,Healthcare Provider,646,2009-12-15,Theft,"Desktop Computer, Laptop",FALSE,"A desktop and four laptop computers were stolen from the covered entitys locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCRs investigation resulted in the covered entity providing training to workforce members regarding the incident \" 18,"University of California, San Francisco",CA,Healthcare Provider,610,2009-12-15,Other,Email,FALSE,\N 19,Daniel J. Sigman MD PC,MA,Business Associate,1860,2010-01-07,Theft,"Electronic Medical Record, Other, Other Portable Electronic Device",TRUE,"Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. 
The protected health information on the tapes contained patients names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. \" 20,Massachusetts Eye and Ear Infirmary,MA,Healthcare Provider,1076,2010-01-08,Theft,Other,FALSE,"Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals. The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card. OCR reviewed the CEs breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification. 
\ \ \" 21,Service Benefits Plan Administrative Services Corp,DC,Business Associate,3400,2010-01-08,Theft,Paper/Films,TRUE,"The covered entitys (CE) business associate (BA) incorrectly updated contract holders addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCRs investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI. \ \" 22,Merkle Direct Marketing,MD,Business Associate,15000,2010-01-11,Theft,Paper/Films,TRUE,"The covered entitys (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCRs investigation, the CE was able to recover all or nearly all of the misdirected envelopes. 
" 23,Kaiser Permanente Medical Care Program,CA,Healthcare Provider,15500,2010-01-12,Theft,"Other, Other Portable Electronic Device",FALSE,"An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entitys (CE) employee. The ePHI involved in the breach included names, medical record numbers, and treatment information. A subset of records may also have included dates of birth, age, gender, and phone numbers. Following the breach, the responsible employee was terminated for violating the CEs policies. OCR obtained assurances of the CEs policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS. In addition, the CE deployed encryption software for removable media. " 24,United Micro Data,ID,Business Associate,2562,2010-01-14,Theft,Other,TRUE,"The covered entitys (CEs) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCRs investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. \" 25,"Goodwill Industries of Greater Grand Rapids, Inc.",MI,Healthcare Provider,10000,2010-01-15,Theft,Other,FALSE,"On December 15, 2009, a safe was stolen from Goodwills off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. 
The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCRs formal investigation brought the covered entity into compliance. \" 26,Children's Medical Center of Dallas,TX,Healthcare Provider,3800,2010-01-18,Loss,"Other, Other Portable Electronic Device",FALSE,\N 27,Concentra,TX,Healthcare Provider,900,2010-01-19,Theft,Laptop,FALSE,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entitys (CE) facilities. The ePHI included demographic and clinical data. Following the breach, the CE filed a police report and notified affected patients, HHS and the media. Following OCRs investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases. The CE also implemented physical and technical safeguards for all testing devices that contain ePHI and replaced outdated machines that could not be encrypted. Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted. OCR obtained assurances that the CE implemented the corrective action listed above. \ \" 28,Ashley and Gray DDS,MO,Healthcare Provider,9309,2010-01-19,Theft,Desktop Computer,FALSE,\N 29,Advocate Health Care,IL,Healthcare Provider,812,2010-01-22,Theft,Laptop,FALSE,"On November 24, 2009, an Advocate nurses laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. 
The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCRs investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards. \" 30,The Methodist Hospital,TX,Healthcare Provider,689,2010-01-25,Theft,Other,FALSE,"An unencrypted laptop computer was stolen from the covered entitys unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCRs investigation resulted in the covered entity improving their physical safeguards and in retraining employees. \" 31,"University of California, San Francisco",CA,Healthcare Provider,7300,2010-01-27,Theft,Laptop,FALSE,\N 32,Carle Clinic Association,IL,Healthcare Provider,1300,2010-01-28,Theft,"Other, Paper/Films",FALSE,\N 33,Health Behavior Innovations (HBI),UT,Business Associate,5700,2010-02-05,Theft,Other,TRUE,"A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entitys (CE) locked medical office. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers. 
Following OCRs investigation, the CE improved its physical safeguards and retrained employees." 34,Center for Neurosciences,AZ,Healthcare Provider,1100,2010-02-10,Theft,Laptop,FALSE,\N 35,Blue Cross Blue Shield of RI,RI,Business Associate,528,2010-02-16,Other,Paper/Films,TRUE,"On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown Universitys health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members claim history to ensure no fraud. \" 36,"MSO of Puerto Rico, Inc. ",PR,Business Associate,1907,2010-02-17,Theft,Paper/Films,TRUE,"The covered entitys (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CEs BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCRs investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. \ \ \" 37,MSO of Puerto Rico,PR,Business Associate,605,2010-02-17,Theft,Paper/Films,TRUE,"The covered entitys (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. 
The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CEs BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCRs investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. \ \" 38,Cardiology Consultants/Baptist Health Care Corporation,FL,Healthcare Provider,8000,2010-02-18,Theft,Desktop Computer,FALSE,"A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entitys (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCRs investigation the CE updated its risk analysis and carried out additional risk management activities. \ \" 39,"State of TN, Bureau of TennCare",TN,Health Plan,3900,2010-02-19,Theft,Paper/Films,FALSE,"The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. 
The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. \ \" 40,Lucille Packard Children's Hospital,CA,Healthcare Provider,532,2010-02-21,Other,Desktop Computer,FALSE,\N 41,University of New Mexico Health Sciences Center,NM,Healthcare Provider,1900,2010-02-23,Other,Desktop Computer,FALSE,\N 42,Advanced NeuroSpinal Care,CA,Healthcare Provider,3500,2010-02-23,Theft,Network Server,FALSE,"A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCRs investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft." 
43,"Central Brooklyn Medical Group, PC",NY,Healthcare Provider,500,2010-02-25,Theft,Paper/Films,FALSE,"OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCRs investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. " 44,Shands at UF,FL,Healthcare Provider,12580,2010-03-01,Theft,Laptop,FALSE,"A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UFs most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. 
OCRs investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. \" 45,Wyoming Department of Health,WY,Health Plan,9023,2010-03-02,Unauthorized Access/Disclosure,Network Server,FALSE,\N 46,Thrivent Financial for Lutherans,WI,Health Plan,9500,2010-03-03,Theft,Laptop,FALSE,"On January 29, 2010, there was a break-in at one of the Thrivents offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCRs formal investigation brought the CE into compliance. \" 47,North Carolina Baptist Hospital,NC,Healthcare Provider,554,2010-03-03,Theft,Paper/Films,FALSE,\N 48,Montefiore Medical Center,NY,Healthcare Provider,625,2010-03-09,Theft,Laptop,FALSE,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entitys (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCRs investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. 
The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above." 49,"Ernest T. Bice, Jr. DDS, P.A.",TX,Healthcare Provider,21000,2010-03-10,Theft,"Other, Other Portable Electronic Device",FALSE,"Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. \" 50,Lee Memorial Health System,FL,Healthcare Provider,3800,2010-03-17,Other,Paper/Films,FALSE,"The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, Your Physician Has Moved, with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures. \" 51,"Laboratory Corporation of America/Dynacare Northwest, Inc.",WA,Healthcare Provider,5080,2010-03-18,Theft,Laptop,FALSE,"A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. 
\" 52,Mount Sinai Medical Center,FL,Healthcare Provider,2600,2010-03-23,Theft,Laptop,FALSE,\N 53,Griffin Hospital,CT,Healthcare Provider,957,2010-03-26,Hacking/IT Incident,Network Server,FALSE,\N 54,"Hypertension, Nephrology, Dialysis and Transplantation, PC",AL,Healthcare Provider,2465,2010-03-27,Theft,Laptop,FALSE,\N 55,"Computer Program and Systems, Inc. (CPSI)",AL,Business Associate,768,2010-03-30,Unauthorized Access/Disclosure ,Email,TRUE,\N 56,"Laboratory Corporation of America / US LABS / Dianon Systems, Inc",AZ,Healthcare Provider,2773,2010-04-01,Theft,Other Portable Electronic Device,FALSE,"An external hard drive containing ePHI of 2,773 individuals was stolen. The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers. CE advises OCR that notice to the individuals went out April 13 and 14, 2010. The media (St. Petersburg Times) was notified. CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media. \ \" 57,University of Pittsburgh Student Health Center,PA,Healthcare Provider,8000,2010-04-02,"Loss, Theft",Paper/Films,FALSE,\N 58,Providence Hospital,MI,Healthcare Provider,83945,2010-04-05,Other,Other,FALSE,\N 59,VHS Genesis Lab Inc. ,IL,Healthcare Provider,6800,2010-04-05,Loss,Paper/Films,FALSE,\N 60,"McKesson Information Solutions, LLC",GA,Business Associate,660,2010-04-09,Other,Paper/Films,TRUE,\N 61,Pediatric Sports and Spine Associates,TX,Healthcare Provider,955,2010-04-09,Theft,Laptop,FALSE,"An unencrypted laptop was stolen from an employees vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. 
Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptops access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. \" 62,"Affinity Health Plan, Inc.",NY,Health Plan,344579,2010-04-14,Theft,Other,FALSE,"Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area. \Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive. \Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCRs investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. 
In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. \This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before its recycled, thrown away or sent back to a leasing agent, said OCR Director Leon Rodriguez. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals data, and have appropriate safeguards in place to protect this information. \In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI. \" 63,Tomah Memorial Hospital,WI,Healthcare Provider,600,2010-04-16,Other,Other,FALSE,\N 64,"Praxair Healthcare Services, Inc. (Home Care Supply in NY)",CT,Healthcare Provider,54165,2010-04-19,Theft,Laptop,FALSE,"A laptop computer was stolen from the covered entitys office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. 
Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. \" 65,Massachusetts Eye and Ear Infirmary,MA,Healthcare Provider,3594,2010-04-20,Theft,Laptop,FALSE,\N 66,Blue Cross & Blue Shield of Rhode Island,RI,Health Plan,12000,2010-04-21,Theft,Paper/Films,FALSE,"A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. \ \" 67,South Carolina Department of Health and Environmental Control,SC,Health Plan,2850,2010-04-22,Improper Disposal,Paper/Films,FALSE,\N 68,St. Joseph Heritage Healthcare,CA,Healthcare Provider,22012,2010-04-23,Theft,Desktop Computer,FALSE,"22 computers were stolen from Clinical Management Service office. Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. 
Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCRs investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. \" 69,John Muir Physician Network,CA,Healthcare Provider,5450,2010-04-24,Theft,Laptop,FALSE,"Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCRs investigation, the CE installed encryption software and increased physical security." 70,Medical Center At Bowling Green,KY,Healthcare Provider,5148,2010-04-26,Theft,"Other, Other Portable Electronic Device",FALSE,\N 71,TOWERS WATSON,VA,Business Associate,1874,2010-04-27,Theft,Other,TRUE,"A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI) while transporting the disks between two BA offices. The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals. The BA notified all affected individuals and provided two years of enhanced credit services. The CE notified HHS and the media and posted substitute notice on its website. The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files. After OCRs investigation, the CE updated its privacy and breach notification policies and procedures. 
\ \" 72,UnitedHealth Group health plan single affiliated covered entity,MN,Health Plan,735,2010-04-27,Theft,"Other, Paper/Films",FALSE,\N 73,South Texas Veterans Health Care System,TX,Healthcare Provider,1430,2010-04-28,"Improper Disposal, Loss",Paper/Films,FALSE,\N 74,Rockbridge Area Community Services,VA,Healthcare Provider,500,2010-04-29,Theft,"Desktop Computer, Laptop",FALSE,\N 75,"Millennium Medical Management Resources, Inc.",IL,Business Associate,180111,2010-04-29,Theft,"Other, Other Portable Electronic Device",TRUE,\N 76,VA Eastern Colorado Health Care System,CO,Healthcare Provider,649,2010-05-05,Theft,Paper/Films,FALSE,"A covered entitys (CEs) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCRs investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. " 77,Miami VA Healthcare System,FL,Healthcare Provider,568,2010-05-05,Theft,Paper/Films,FALSE,"A covered entitys (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered. The PHI affected by the breach included names and partial social security numbers. Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books. 
Following OCRs investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI. Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards. Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals accounting log. " 78,"Heriberto Rodriguez-Ayala, M.D.",TX,Healthcare Provider,4200,2010-05-11,Theft,Laptop,FALSE,"An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle. The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers. The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media. As a result of OCRs investigation the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations." 79,Georgetown University Hospital,DC,Healthcare Provider,2416,2010-05-13,"Other, Theft","Email, Other Portable Electronic Device",FALSE,"An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. 
Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. \" 80,Silicon Valley Eyecare Optometry and Contact Lenses,CA,Healthcare Provider,40000,2010-05-13,Theft,Network Server,FALSE,\N 81,Heritage Health Solutions,TX,Business Associate,656,2010-05-14,Theft,Laptop,TRUE,\N 82,Oconee Physician Practices,SC,Healthcare Provider,653,2010-05-20,Theft,Laptop,FALSE,\N 83,University of Rochester Medical Center and Affiliates,NY,Healthcare Provider,2628,2010-05-20,Other,Paper/Films,FALSE,\N 84,DeBoer & Associates,NE,Business Associate,800,2010-05-21,Theft,Laptop,TRUE,\N 85,"City of Charlotte, NC (Health Plan)",NC,Business Associate,5220,2010-05-24,Loss,Other,TRUE,\N 86,VA North Texas Health Care System,TX,Healthcare Provider,4083,2010-05-25,Improper Disposal,Paper/Films,FALSE,\N 87,Rainbow Hospice and Palliative Care,IL,Healthcare Provider,1000,2010-05-26,Theft,Laptop,FALSE,"An employees laptop was stolen out of her bag while she was making an admission visit in a patients home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. 
\" 88,Cincinnati Childrens Hospital Medical Center ,OH,Healthcare Provider,60998,2010-06-01,Theft,Laptop,FALSE,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce members car. The ePHI stored on the laptop included names, medical record numbers, and services received. The covered entity (CE) provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees. OCR obtained assurances that the CE implemented the corrective action listed above. \ \ \" 89,"University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program",KY,Healthcare Provider,708,2010-06-01,Hacking/IT Incident,Network Server,FALSE,\N 90,Occupational Health Partners,KS,Healthcare Provider,1105,2010-06-01,Theft,Laptop,FALSE,\N 91,"AvMed, Inc.",FL,Health Plan,1220000,2010-06-03,Theft,Laptop,FALSE,"Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entitys (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCRs investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals." 
92,UnitedHealth Group health plan single affiliated covered entity,MN,Health Plan,16291,2010-06-04,Other,Paper/Films,FALSE,"Paper correspondence to certain members in UnitedHealth's prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth members name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. \" 93,"Siemens Medical Solutions, USA, Inc",PA,Business Associate,130495,2010-06-04,Theft,Other,TRUE,"The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CDs, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI." 94,"Nihal Saran, MD ",MI,Healthcare Provider,2300,2010-06-04,Theft,Laptop,FALSE,"A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. \" 95,St. Jude Children's Research Hospital,TN,Healthcare Provider,1745,2010-06-08,Loss,Laptop,FALSE,\N 96,DentaQuest,MA,Business Associate,10515,2010-06-09,Theft,Laptop,TRUE,"A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entitys (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CEs members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. 
Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI. \ \" 97,The Children's Medical Center of Dayton,OH,Healthcare Provider,1001,2010-06-14,Other,Email,FALSE,\N 98,Comprehensive Care Management Corporation,NY,Health Plan,1020,2010-06-14,Theft,"Desktop Computer, Email, Laptop, Network Server",FALSE,"OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCRs investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI." 99,University of Kentucky,KY,Healthcare Provider,2027,2010-06-18,Theft,Laptop,FALSE,\N 100,alma aguado md pa,TX,Healthcare Provider,600,2010-06-21,Theft,Network Server,FALSE,"OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CEs office. 
The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCRs investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI." 101,"Augusta Data Storage, Inc",GA,Business Associate,14000,2010-06-21,Loss,Other,TRUE,\N 102,University Health System,NV,Healthcare Provider,7526,2010-06-22,Theft,Network Server,FALSE,\N 103,"Aramark Healthcare Support Services, LLC",PA,Business Associate,937,2010-06-24,Other,Email,TRUE,"A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. \" 104,"Mary M. Desch,MD/PathHealer, LTD",AZ,Healthcare Provider,5893,2010-06-28,Theft,Laptop,FALSE,\N 105,Children's Hospital & Research Center at Oakland,CA,Healthcare Provider,1000,2010-06-29,Other,Paper/Films,FALSE,\N 106,Centerstone,TN,Healthcare Provider,1537,2010-07-02,Theft,"Desktop Computer, Paper/Films",FALSE,"A major flooding event damaged a building where the CE operated its school-based program offices. The flooding was so significant that the area was deemed a federal disaster area. An estimated 1,537 individuals were affected by the loss of data due to flood damage. The types of PHI involved were names, addresses, dates of birth, and social security numbers. 
After the flood, the CE attempted to collect as much PHI as it could from the site but access was limited by authorities because the building was deemed toxic and salvage cleanup commenced prior to the CEs ability to access the building. PHI in paper format was either washed away or disposed of during salvage procedures. Computers and equipment in the building were destroyed by water damage. Because the CE relied primarily on their electronic health records stored on an offsite server, medical data was still intact for continuity of care purposes. The CE provided breach notification to individuals, HHS, and the media, and posted substitute notice on its website. The CE has since moved its school-based operations to a CE owned facility. OCR obtained assurances that the CE implemented the corrective action listed above." 107,Care 1st Health Plan,CA,Business Associate,29000,2010-07-06,"Loss, Other","Other, Other Portable Electronic Device",TRUE,\N 108,Long Island Consultation Center,NY,Healthcare Provider,800,2010-07-07,Theft,"Other, Other Portable Electronic Device",FALSE,"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCRs investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. " 109,NYU Hospitals Center,NY,Healthcare Provider,2563,2010-07-07,Theft,Other Portable Electronic Device,FALSE,"The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. 
The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians names, anesthesiologists names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCRs investigation, the CE stopped using USB drives and local desktop computers for data storage. In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies." 110,University of Florida,FL,Healthcare Provider,2047,2010-07-08,Other,Paper/Films,FALSE,\N 111,SunBridge Healthcare Corporation,NM,Healthcare Provider,3830,2010-07-08,Theft,Laptop,FALSE,\N 112,Governor's Office of Information Technology,CO,Business Associate,105470,2010-07-09,Theft,Desktop Computer,TRUE,\N 113,Prince William County Community Services (CS),VA,Healthcare Provider,669,2010-07-15,Theft,Other Portable Electronic Device,FALSE,\N 114,UnitedHealthcare Insurance Company ,MN,Business Associate,1097,2010-07-17,Other,Paper/Films,TRUE,\N 115,"Iron Mountain Data Products, Inc. (now known as ",PA,Business Associate,800000,2010-07-19,Loss,"Electronic Medical Record, Other, Other Portable Electronic Device",TRUE,\N 116,Montefiore Medical Center,NY,Healthcare Provider,16820,2010-07-23,Theft,Desktop Computer,FALSE,"Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). 
The ePHI included medical record numbers, dates of birth, admission/discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provided substitute notification by posting on its website. As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." 117,The University of Texas at Arlington,TX,Healthcare Provider,27000,2010-07-23,Hacking/IT Incident,Network Server,FALSE,"A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. 
\" 118,"Medina OB/GYN Associates, Inc",OH,Business Associate,1200,2010-07-23,Improper Disposal,Paper/Films,TRUE,\N 119,Montefiore Medical Center,NY,Healthcare Provider,23753,2010-07-23,Theft,Desktop Computer,FALSE,"OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals. The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCRs investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras. Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." 120,"DC Chartered Health Plan, Inc",DC,Health Plan,540,2010-07-23,Theft,Laptop,FALSE,\N 121,Aetna,CT,Health Plan,6372,2010-07-27,Improper Disposal,Paper/Films,FALSE,\N 122,Charles Mitchell MD,TX,Healthcare Provider,6873,2010-07-28,Theft,Desktop Computer,FALSE,"A burglary occurred at the covered entitys (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence." 
123,Matrix Imaging,NY,Business Associate,2631,2010-07-30,Theft,Paper/Films,TRUE,"The covered entitys (CE) business associate (BA) sent coverage determination letters to incorrect addresses, affecting 2,631 individuals. The protected health information (PHI) included names, addresses, unique CE identification numbers, and prescription drug information. Following the breach, the CE reprinted all erroneous coverage determination letters with an apology notice and provided breach notification to all affected individuals and HHS. The CE implemented additional policies and procedures to ensure mailing list accuracy. Specifically, the CE implemented a multiple-step quality assurance process and established verification with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI. As a result of OCRs investigation, the CE placed a record into its accounting of disclosure records for each individual impacted." 124,Baylor College of Medicine,TX,Healthcare Provider,1646,2010-07-30,Theft,Laptop,FALSE,"An unencrypted laptop containing electronic protected health information (ePHI) of approximately 1,618 individuals was stolen from the covered entitys (CE) affiliate. The ePHI involved in the breach included names, medical reconciliation numbers, dates of service, diagnoses, and dates of birth. Upon discovery of the breach, the CE and its affiliate jointly notified the affected individuals, OCR, and the local media. Notifications were delayed at the request of law enforcement. Following OCRs investigation, the CE revised policies and procedures to require encryption of all mobile devices containing PHI and began encrypting all necessary devices in order to ensure reasonable safeguards." 
125,Texas Children's Hospital,TX,Healthcare Provider,694,2010-07-30,Theft,Laptop,FALSE,\N 126,Mercer,MI,Business Associate,1073,2010-07-30,Loss,Other,TRUE,\N 127,Carolina Center for Development and Rehabilitation,NC,Healthcare Provider,1590,2010-07-30,Theft,Paper/Films,FALSE,"The covered entitys (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients full names, addresses, dates of birth, social security numbers, insurance identification numbers, drivers license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney generals investigation and suspended the responsible staff members. Following OCRs investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. " 128,"WellPoint, Inc.",IN,Health Plan,31700,2010-07-30,Hacking/IT Incident,Network Server,FALSE,\N 129,Wright State Physicians,OH,Healthcare Provider,1309,2010-08-03,Other,Laptop,FALSE,"On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. 
Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. \" 130,Penn Treaty Network America Insurance Company ,PA,Health Plan,560,2010-08-03,Other,Other,FALSE,"Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures. \" 131,Aultman Hospital,OH,Healthcare Provider,13867,2010-08-05,Theft,Laptop,FALSE,\N 132,Jewish Hospital,KY,Healthcare Provider,2089,2010-08-05,Theft,Laptop,FALSE,\N 133,McKesson Pharmacy Systems LLC,GA,Business Associate,11440,2010-08-05,Other,"Other, Other Portable Electronic Device",TRUE,\N 134,"Beauty Dental, Inc.",IL,Healthcare Provider,657,2010-08-05,"Loss, Theft",Paper/Films,FALSE,"Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an Excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. \" 135,Fort Worth Allergy and Asthma Associates,TX,Healthcare Provider,25000,2010-08-05,Theft,Network Server,FALSE,"Several computers, including a server, were stolen during a burglary at the covered entity's (CE) premises. 
The breach affected approximately 25,000 individuals and included names, addresses, dates of birth, social security numbers, driver license numbers, diagnoses, and conditions. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS. It also improved physical security and began using a new model for its management practices with an off-site encrypted database. After the initiation of OCR's investigation, the CE amended its business associate agreement. \ \ \" 136,St. John's Mercy Medical Group,MO,Healthcare Provider,1907,2010-08-09,Improper Disposal,Paper/Films,FALSE,"Covered entity improperly disposed of patients' Protected Health Information (PHI) by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. \" 137,UNCG Speech and Hearing Center,NC,Healthcare Provider,2300,2010-08-09,Hacking/IT Incident,Desktop Computer,FALSE,\N 138,"Thomas Jefferson University Hospitals, Inc.",PA,Healthcare Provider,21000,2010-08-09,Theft,Laptop,FALSE,\N 139,Mercer Health & Benefits,ID,Business Associate,5500,2010-08-10,Loss,Other,TRUE,"Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FedEx from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. 
The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. \" 140,"Ward A. Morris, DDS",WA,Healthcare Provider,2698,2010-08-11,Theft,Desktop Computer,FALSE,\N 141,"Chattanooga Family Practice Associates, P.C.",TN,Healthcare Provider,1711,2010-08-16,Loss,"Other, Other Portable Electronic Device",FALSE,\N 142,Yale University,CT,Healthcare Provider,1000,2010-08-18,Theft,Laptop,FALSE,\N 143,Cook County Health & Hospitals System,IL,Healthcare Provider,7081,2010-08-20,Theft,Laptop,FALSE,"An employees laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. 
\" 144,"Eastmoreland Surgical Clinic, William Graham, DO",OR,Healthcare Provider,4328,2010-08-20,Theft,"Desktop Computer, Laptop, Other, Other Portable Electronic Device",FALSE,"Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. \" 145,SunBridge Healthcare Corporation,NM,Healthcare Provider,1000,2010-08-25,Theft,"Other, Other Portable Electronic Device",FALSE,\N 146,Pioneer Valley Pathology,MA,Business Associate,24750,2010-08-25,Theft,Paper/Films,TRUE,"A Boston Globe employee discovered the unsecured paper medical records of Pioneer Valley Pathology, a group practice with offices inside Holyoke Medical Center (HMC), at a trash transfer station. The breach affected approximately 24,750 individuals. The PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, and medical information. HMC is not the covered entity (CE) responsible for this breach and it filed the breach report in error. OCR provided HMC with technical assistance related to breach notification. OCR opened a compliance review against the CE responsible for this breach. 
" 147,KPMG LLP,NY,Business Associate,956,2010-08-26,Theft,"Other, Other Portable Electronic Device",TRUE,"OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CEs business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CEs BA conducted a search of the area. The CE provided breach notification to HHS, the Media and affected individuals. As a result of OCRs investigation, the BA installed and implemented encryption software to its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CEs data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI." 148,KPMG LLP,NY,Business Associate,3630,2010-08-26,Theft,Other Portable Electronic Device,TRUE,"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCRs investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. 
" 149,NYU School of Medicine--Aging and Dementia Clinical Research Center ,NY,Healthcare Provider,1200,2010-08-27,Loss,"Other, Other Portable Electronic Device",FALSE,\N 150,University of Rochester Medical Center and Affiliates,NY,Healthcare Provider,857,2010-09-07,Loss,Other Portable Electronic Device,FALSE,\N 151,Aon Consulting,PA,Business Associate,22642,2010-09-07,Other,Network Server,TRUE,"The business associate prepared a document as part of a request for proposal for the covered entitys vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. \" 152,"Curtis R. Bryan, M.D.",VA,Healthcare Provider,2739,2010-09-08,Theft,Laptop,FALSE,\N 153,Mayo Clinic,MN,Healthcare Provider,1740,2010-09-08,Theft,Electronic Medical Record,FALSE,"An employee of the covered entity (CE) impermissibly accessed medical records containing the protected health information (PHI) of 1,740 patients for a period of 4  years. 
The PHI affected by the breach included the demographic information of 691 individuals, and both demographic and clinical information of 1,049 individuals. Following the breach, the CE conducted an investigation, terminated the involved employee, re-trained its employees regarding patient privacy and access to PHI, and enhanced its supervision and monitoring of employees PHI access activities. It also provided breach notification to the affected individuals, HHS, and the media, as well as substitute notice on its website. OCR obtained assurances that the CE completed the voluntary compliance action described above. \ \" 154,LabCorp Patient Service Center,NV,Healthcare Provider,507,2010-09-10,Theft,Paper/Films,FALSE,\N 155,The Kent Center ,RI,Healthcare Provider,1361,2010-09-10,Theft,Paper/Films,FALSE,\N 156,"Pediatric and Adult Allergy, PC",IA,Healthcare Provider,19222,2010-09-11,Loss,Other Portable Electronic Device,FALSE,\N 157,Ault Chiropractic Center,IN,Healthcare Provider,2000,2010-09-15,Theft,"Desktop Computer, Laptop",FALSE,\N 158,County of Los Angeles,CA,Healthcare Provider,33000,2010-09-17,Theft,Paper/Films,FALSE,\N 159,"Matthew H. Conrad, M.D., P.A.",KS,Healthcare Provider,1200,2010-09-19,Theft,"Laptop, Paper/Films",FALSE,\N 160,CareCore National,SC,Business Associate,1270,2010-09-20,Other,Paper/Films,TRUE,\N 161,Counseling and Psychotherapy of Throggs Neck,NY,Healthcare Provider,9000,2010-09-21,Theft,Desktop Computer,FALSE,\N 162,Alaskan AIDS Assistance Association,AK,Business Associate,2000,2010-09-22,Theft,"Other, Other Portable Electronic Device",TRUE,\N 163,"St. Vincent Hospital and Health Care Center, Inc.",IN,Healthcare Provider,1199,2010-09-23,Theft,Laptop,FALSE,\N 164,Eden Medical Center,CA,Business Associate,1474,2010-09-23,Theft,"Other, Other Portable Electronic Device",TRUE,"The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. 
The ePHI included patients names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCRs investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients ePHI, and encrypted portable electronic computer devices." 165,Oroville Hospital,CA,Business Associate,1474,2010-09-23,Theft,"Other, Other Portable Electronic Device",TRUE,"The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCRs investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. \ \" 166,NewYork-Presbyterian Hospital and Columbia University Medical Center,NY,Healthcare Provider,6800,2010-09-24,Theft,Network Server,FALSE,"Data breach results in $4.8 million HIPAA settlements \Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. \The U.S. 
Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. \NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as New York Presbyterian Hospital/Columbia University Medical Center. NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. \The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individuals deceased partner, a former patient of NYP, on the internet. \In addition to the impermissible disclosure of ePHI on the internet, OCRs investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. 
Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. \When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information, said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems. \NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. \" 167,St. James Hospital and Health Centers,IL,Healthcare Provider,967,2010-09-24,Improper Disposal,Paper/Films,FALSE,\N 168,"University of Oklahoma - Tulsa, Neurology Clinic",OK,Healthcare Provider,19200,2010-09-27,Hacking/IT Incident,Desktop Computer,FALSE,\N 169,"LORENZO BROWN, MD INC.",CA,Healthcare Provider,928,2010-09-29,Theft,Desktop Computer,FALSE,\N 170,Joseph A. Gagnon d/b/a Goldthwait Associates,MA,Business Associate,11000,2010-10-01,Improper Disposal,Paper/Films,TRUE,\N 171,WESTMED Medical Group,NY,Healthcare Provider,578,2010-10-05,Theft,Laptop,FALSE,"An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCRs investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. 
In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. \ \" 172,"Cumberland Gastroenterology, P.S.C.",KY,Healthcare Provider,2200,2010-10-05,Theft,Paper/Films,FALSE,"The covered entitys (CE) medical records storage facility was burglarized, resulting in the theft of protected health information (PHI) of 2,207 individuals. The PHI included names, birth dates, social security numbers, addresses, phone numbers, primary care providers, diagnosis codes, presenting complaints, exam findings, insurance information, dates of visits, services performed, and referring providers. The CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE also conducted an inventory of stolen items and created an accounting of affected individuals. Following the breach, the CE increased physical security, limited the amount of stored PHI, and expedited the adoption of electronic medical records. As a result of OCRs investigation the CE executed BA agreements with the storage facility and with a document shredding company. Additionally, it re-trained workforce members on its revised HIPAA policies and procedures with respect to safeguards for PHI, and placed an accounting of disclosures of PHI in each of the affected individuals medical records. OCR obtained assurances that the CE implemented the corrective action listed above. \ \ \" 173,"Debra C. 
Duffy, DDS",TX,Healthcare Provider,4700,2010-10-05,Theft,"Laptop, Network Server",FALSE,"An unencrypted laptop and network server were stolen during a burglary of the office. The breach affected approximately 4700 individuals. The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. \" 174,Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan,MD,Health Plan,692,2010-10-06,Other,Other,FALSE,"Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before they are sent out from the benefits department. Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that include an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. 
Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. \" 175,LoneStar Audiology Group,TX,Healthcare Provider,585,2010-10-08,Theft,Laptop,FALSE,"A laptop was stolen from a workforce members home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCRs investigation, the encryption of the laptops was completed. \" 176,Utah Department of Workforce Services,UT,Business Associate,1298,2010-10-13,Other,"Desktop Computer, Paper/Films",TRUE,\N 177,SW Seattle Orthopaedic and Sports Medicine,WA,Healthcare Provider,9493,2010-10-15,Hacking/IT Incident,Network Server,FALSE,"A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCRs investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. 
\" 178,University of Arkansas for Medical Sciences,AR,Healthcare Provider,1000,2010-10-18,Theft,"Other, Other Portable Electronic Device",FALSE,\N 179,Aspen Dental Care P.C.,CO,Healthcare Provider,2500,2010-10-26,Theft,Other,FALSE,"A computer hard drive containing encrypted patient records was stolen from the covered entitys (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. \ \" 180,"BlueCross BlueShield of Tennessee, Inc.",TN,Health Plan,1023209,2010-11-01,Theft,Other,FALSE,\N 181,Northridge Hospital Medical Center,CA,Business Associate,716,2010-11-02,Loss,Paper/Films,TRUE,\N 182,"Triple-S Management, Corp.; Triple-S Salud, Inc.; ",PR,Business Associate,475000,2010-11-04,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,TRUE,\N 183,"Aetna, Inc.",CT,Health Plan,2345,2010-11-07,Unauthorized Access/Disclosure,Network Server,FALSE,"Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetnas emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. 
\" 184,Sta-home Health & Hospice,MS,Healthcare Provider,1104,2010-11-08,Theft,Desktop Computer,FALSE,\N 185,Medical Card System/MCS-HMO/MCS Advantage/MCS Life,PR,Business Associate,115000,2010-11-09,Unauthorized Access/Disclosure,"Other, Other Portable Electronic Device",TRUE,\N 186,VNA of Southeastern Ct.,CT,Healthcare Provider,12000,2010-11-11,Theft,Laptop,FALSE,\N 187,"Prime Home Care, LLC",NE,Healthcare Provider,1550,2010-11-12,Theft,Desktop Computer,FALSE,\N 188,Visiting Nurse Service Association of Schenectady County,NY,Healthcare Provider,535,2010-11-12,Theft,Laptop,FALSE,"An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCRs investigation, the CE disabled the involved staff members account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff." 189,"Manor Care Indy (South), LLC.",IN,Healthcare Provider,845,2010-11-12,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 190,"Robert Wheatley, DDS, PC",MO,Healthcare Provider,1400,2010-11-15,Theft,Laptop,FALSE,\N 191,Henry Ford Hospital,MI,Healthcare Provider,3700,2010-11-15,Theft,Laptop,FALSE,\N 192,Holy Cross Hospital,FL,Healthcare Provider,1500,2010-11-16,Theft,Paper/Films,FALSE,"A covered entitys (CE) employee impermissibly obtained copies of patient data sheets containing protected health information (PHI) and sold the PHI to a third party. The PHI included names, addresses, dates of birth, social security numbers, insurance information, and diagnoses affecting 38 individuals; however, the initial investigation addressed a report of approximately 1,500 affected individuals. 
The CE provided breach notification to 44,000 individuals (including those who were potentially affected), HHS and the media. In addition, free credit monitoring was offered. Following the breach, the CE cooperated with federal authorities, law enforcement, and the state health administration agency, and provided a report to a national accreditation organization. As a result of this incident, the CE convened a high level work group to oversee privacy and security issues and hired an expert forensic investigator to perform a risk assessment. The CE updated its privacy and security policies and procedures, developed a plan to adopt electronic health records and initiated a continuous review process including random HIPAA compliance audits. The CE also expanded its HIPAA training program for employees. OCR obtained written assurances that the CE implemented the corrective action listed above." 193,"Professional Transcription Company, Inc.",NY,Business Associate,1744,2010-11-24,Theft,Network Server,TRUE,"The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. Upon discovery of the breach, the BA shut down the applicable server. The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 194,Memorial Hospital of Gardena,CA,Healthcare Provider,771,2010-11-25,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 195,Oklahoma City VA Medical Center,OK,Healthcare Provider,1950,2010-11-29,"Improper Disposal, Loss, Theft",Paper/Films,FALSE,\N 196,Albert Einstein Healthcare Network,PA,Healthcare Provider,613,2010-11-30,Theft,Desktop Computer,FALSE,\N 197,Kings County Hospital Center,NY,Healthcare Provider,542,2010-11-30,Theft,Desktop Computer,FALSE,"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop." 198,University of Tennessee Medical Center,TN,Healthcare Provider,8200,2010-11-30,Improper Disposal,Paper/Films,FALSE,\N 199,H.E.L.P. Financial Corporation,MI,Business Associate,9475,2010-12-03,Unauthorized Access/Disclosure,Paper/Films,TRUE,"A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. 
Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media." 200,zarzamora family dental care,TX,Healthcare Provider,800,2010-12-07,Theft,Desktop Computer,FALSE,\N 201,Hospital Auxilio Mutuo,PR,Healthcare Provider,1000,2010-12-13,"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure","Desktop Computer, Laptop",FALSE,\N 202,"Gary C. Spinks, DMD, PC",MD,Healthcare Provider,1000,2010-12-13,Hacking/IT Incident,"Desktop Computer, Network Server",FALSE,\N 203,"Gair Medical Transcription Services, Inc.",PA,Business Associate,1085,2010-12-15,Unauthorized Access/Disclosure,Network Server,TRUE,"Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future." 204,Cook County Health & Hospitals System,IL,Healthcare Provider,556,2010-12-17,Theft,Desktop Computer,FALSE,\N 205,"Dean Health Systems, Inc.; St. Mary's Hospital; St. 
Marys Dean Ventures, Incorporated",WI,Healthcare Provider,3288,2010-12-20,Theft,Laptop,FALSE,\N 206,Riverside Mercy Hospital and Ohio/Mercy Diagnostics,OH,Healthcare Provider,1000,2010-12-21,Improper Disposal,Paper/Films,FALSE,\N 207,California Therapy Solutions,CA,Healthcare Provider,1250,2010-12-22,Theft,"Other, Other Portable Electronic Device",FALSE,\N 208,Hils Transcription,IN,Business Associate,585,2010-12-27,Unauthorized Access/Disclosure,Other,TRUE,\N 209,The Southwestern Indiana Regional Council on Aging,IN,Business Associate,757,2010-12-27,Theft,Laptop,TRUE,\N 210,Mankato Clinic,MN,Healthcare Provider,3159,2010-12-28,Theft,Laptop,FALSE,\N 211,Geisinger Wyoming Valley Medical Center,PA,Healthcare Provider,2928,2010-12-28,Theft,Email,FALSE,"The covered entity's (CE) staff physician emailed the protected health information (PHI) of approximately 2,900 individuals to his home email account while working on an analysis. The PHI included names, addresses, dates of birth, social security numbers, and medication information. Following the breach, the CE sanctioned the physician and implemented a plan to auto-encrypt all PHI sent through email. As a result of OCR's investigation, the CE improved its physical safeguards and retrained employees." 212,Our Lady of Peace Hospital,KY,Healthcare Provider,24600,2010-12-29,"Loss, Theft","Other, Other Portable Electronic Device",FALSE,\N 213,"Zenith Administrators, Inc.",MD,Business Associate,800,2010-12-29,Theft,Paper/Films,TRUE,\N 214,"Southern Perioperative Services, P.C.",AL,Healthcare Provider,2000,2010-12-30,Theft,"Other, Other Portable Electronic Device",FALSE,"A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. 
Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective action steps were taken." 215,Keystone/AmeriHealth Mercy Health Plans,PA,Health Plan,808,2010-12-30,Loss,"Other, Other Portable Electronic Device",FALSE,\N 216,"Ankle + Foot Center of Tampa Bay, Inc.",FL,Healthcare Provider,156000,2011-01-03,Theft,Network Server,FALSE,"The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records." 
217,OhioHealth Corporation dba Grant Medical Center,OH,Healthcare Provider,501,2011-01-04,Theft,"Desktop Computer, Laptop",FALSE,\N 218,"Seacoast Radiology, PA",NH,Healthcare Provider,231400,2011-01-10,Hacking/IT Incident,Network Server,FALSE,\N 219,Friendship Center Dental Office,FL,Healthcare Provider,2200,2011-01-11,Theft,Laptop,FALSE,\N 220,Centra,VA,Healthcare Provider,11982,2011-01-12,Theft,Laptop,FALSE,\N 221,St.Vincent Hospital - Indianapolis,IN,Healthcare Provider,1848,2011-01-12,Hacking/IT Incident,"Email, Network Server",FALSE,\N 222,Franciscan Medical Group,WA,Healthcare Clearing House,1250,2011-01-13,Theft,Desktop Computer,FALSE,\N 223,State of South Carolina Budget and Control Board Employee Insurance Program (EIP),SC,Health Plan,5596,2011-01-14,Theft,Desktop Computer,FALSE,"A workstation in the covered entity's (CE) finance department was infected with malware that recorded keystrokes and captured screenshots. The CE reported 5,596 individuals as being potentially affected by the malware. The types of PHI involved in the breach included names, addresses, dates of birth, benefits identification numbers, social security numbers, and in some cases, banking information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE disconnected the workstation from the network and provided the affected employee with new login credentials, a new hard drive, and additional training. The CE updated its Privacy and Security Rule policies and procedures and initiated mandatory annual supplemental training for all of its employees. The CE improved safeguards by implementing additional network security monitoring programs to actively protect workstation environments and limit the proliferation of malware infections on its network. OCR obtained assurances that the appropriate notifications were made and that the corrective actions listed above were completed."
224,Lake Woods Nursing & Rehabilitation Center,MI,Healthcare Provider,656,2011-01-18,Theft,"Desktop Computer, Laptop",FALSE,\N 225,J. A. Still Corporation,MO,Business Associate,4800,2011-01-18,Theft,Other,TRUE,"Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database." 226,Travis Software Corp.,TX,Business Associate,16200,2011-01-18,Loss,"Other, Other Portable Electronic Device",TRUE,\N 227,"Grays Harbor Pediatrics, PLLC",WA,Healthcare Provider,12009,2011-01-21,Theft,"Other, Other Portable Electronic Device",FALSE,\N 228,"Hanger Prosthetics & Orthotics, Inc.",TX,Healthcare Provider,4486,2011-01-24,Theft,Laptop,FALSE,"An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. 
Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use." 229,Baylor Heart and Vascular Center,TX,Healthcare Provider,8241,2011-01-25,Theft,"Other, Other Portable Electronic Device",FALSE,"A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards." 230,"CHC MEMPHIS CMHC, LLC",TN,Healthcare Provider,500,2011-01-28,Theft,Desktop Computer,FALSE,\N 231,Jefferson Center for Mental Health,CO,Healthcare Provider,546,2011-02-07,Theft,Paper/Films,FALSE,"A list containing the protected health information (PHI) of 546 patients was stolen from the vehicle of the covered entity's (CE) employee. The breached PHI included names, dates of birth, social security numbers, and Medicaid information. Following the breach, the CE changed its practices and procedures to safeguard PHI and trained staff on its new policies. As a result of OCR's investigation, the CE improved its process for reporting breaches and mitigating harm." 
232,Integranetics,KY,Business Associate,18871,2011-02-07,Hacking/IT Incident,Network Server,TRUE,\N 233,"Ortho Montana, PSC",MT,Healthcare Provider,37000,2011-02-08,Theft,Laptop,FALSE,"A laptop containing the electronic protected health information (ePHI) of approximately 37,000 patients was lost or stolen when the laptop was taken to an event by a workforce member. 
Following the breach, the covered entity (CE) sanctioned the workforce member who was responsible for handling the laptop. As a result of OCR's investigation, the CE conducted a risk analysis and developed a risk management plan. The CE also removed ePHI from laptops and encrypted laptops, tablets, and cellular smart phones. Additionally, the CE developed new procedures and revised existing procedures in order to safeguard ePHI." 234,Cancer Care Northwest P.S.,WA,Healthcare Provider,3100,2011-02-09,Theft,Paper/Films,FALSE,"The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website." 235,Saint Louis University,MO,Healthcare Provider,800,2011-02-10,Hacking/IT Incident,Desktop Computer,FALSE,\N 236,GRM Information Management Services,NJ,Business Associate,1700000,2011-02-11,Theft,"Electronic Medical Record, Other",TRUE,"Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA). 
The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 237,Long Beach Memorial Medical Center,CA,Healthcare Provider,2250,2011-02-11,Unauthorized Access/Disclosure,Other,FALSE,\N 238,Texas Health Harris Methodist Hospital Azle,TX,Healthcare Provider,9922,2011-02-13,"Loss, Theft","Other, Other Portable Electronic Device",FALSE,\N 239,Business Express,FL,Business Associate,2700,2011-02-15,Theft,"Other, Other Portable Electronic Device",TRUE,\N 240,Xforia Web Services,WV,Business Associate,3655,2011-02-16,Unauthorized Access/Disclosure,Network Server,TRUE,\N 241,Mountain Vista Medical Center,AZ,Healthcare Provider,2291,2011-02-21,Loss,"Other, Other Portable Electronic Device",FALSE,\N 242,Departamento de Salud de Puerto Rico,PR,Healthcare Provider,2621,2011-02-22,Unknown,Desktop Computer,FALSE,\N 243,Henry Ford Hospital,MI,Healthcare Provider,2777,2011-02-23,Loss,"Other, Other Portable Electronic Device",FALSE,\N 244,TriWest Healthcare Alliance Corp.,AZ,Business Associate,4500,2011-03-01,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 245,Blue Cross and Blue Shield of Florida ,FL,Health Plan,7366,2011-03-03,Unknown,Other,FALSE,\N 
246,"University Health Services, University of Massachusetts, Amherst",MA,Healthcare Provider,942,2011-03-07,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 247,"Omnicare, Inc",KY,Healthcare Provider,8845,2011-03-10,Theft,Laptop,FALSE,\N 248,"JEFFREY J. SMITH, MD",OK,Healthcare Provider,600,2011-03-16,Theft,"Desktop Computer, Other, Other Portable Electronic Device",FALSE,"The covered entity (CE) shipped a skin analysis machine containing the electronic protected health information (ePHI) of approximately 600 individuals to the manufacturer for repairs via UPS. The machine was damaged and discarded by UPS. The ePHI included names, dates of birth and facial photographs. The CE posted breach notification on its website. As a result of OCR's investigation, the CE revised its policy regarding the security of hardware containing PHI so that all work on hardware will be performed on-site. The policy also requires that all ePHI is to be backed up and erased from the hardware prior to any unavoidable off-site maintenance." 249,"Coventry Health Care, Inc.",MD,Business Associate,765,2011-03-18,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 250,Texas Health Arlington Memorial Hospital,TX,Healthcare Provider,654,2011-03-23,Unknown,Electronic Medical Record,FALSE,"The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees."
251,NYU School of Medicine Faculty Group Practice,NY,Healthcare Provider,670,2011-03-28,Theft,Desktop Computer,FALSE,"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance." 252,"Rape & Brooks Orthodontics, P.C.",AL,Healthcare Provider,20744,2011-03-28,Theft,"Desktop Computer, Network Server, Other, Other Portable Electronic Device",FALSE,\N 253,Clarksburg - Louis A. Johnson VA Medical Center,WV,Healthcare Provider,1470,2011-03-30,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 254,County of Los Angeles,CA,Healthcare Provider,667,2011-03-30,Theft,Laptop,FALSE,\N 255,EISENHOWER MEDICAL CENTER,CA,Healthcare Provider,514330,2011-03-30,Theft,Desktop Computer,FALSE,\N 256,Trisha Elaine Cordova,AK,Business Associate,1700,2011-03-31,Theft,Laptop,TRUE,"A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers. At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. 
Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media." 257,"Park Avenue Obstetrics & Gynecology, PC",AZ,Healthcare Provider,635,2011-03-31,Theft,"Other, Other Portable Electronic Device",FALSE,\N 258,"Brian J Daniels D.D.S.,Paul R Daniels D.D.S.",AZ,Business Associate,10000,2011-04-04,Theft,"Other, Other Portable Electronic Device",TRUE,\N 259,Hartford Hospital,CT,Business Associate,93500,2011-04-05,Theft,Other,TRUE,"A workforce member of the covered entity's (CE) business associate (BA) saved the electronic protected health information (ePHI) of approximately 93,500 patients on an unsecured computer drive in order to do work from home, and subsequently lost the hard drive. The PHI included names, addresses, dates of birth, marital status, social security numbers and medical record numbers. Following the breach, the workforce member involved was sanctioned for violating the CE's policies. The CE provided breach notification to the media, HHS, and all affected individuals. It also offered all affected individuals 2 years of free identity protection services. In addition, the CE disabled the ability for all of its computing devices to download ePHI via USB connection ports. Further, it began implementing malicious software prevention utilities as well as data encryption controls to supplement its portable computing devices. OCR obtained assurances that the CE implemented the corrective action listed above. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI."
260,"Patient Care Services at Saint Francis, Inc.",OK,Healthcare Provider,84000,2011-04-06,Theft,Network Server,FALSE,\N 261,Union Security Insurance Company,MO,Health Plan,935,2011-04-08,Unauthorized Access/Disclosure,Other,FALSE,\N 262,Oklaholma State Dept. of Health,OK,Healthcare Provider,132940,2011-04-11,Theft,"Laptop, Paper/Films",FALSE,\N 263,Aiken Community Based Outpatient Clinic,SC,Healthcare Provider,2717,2011-04-12,Improper Disposal,Paper/Films,FALSE,\N 264,IBM,NY,Business Associate,1900000,2011-04-14,Unknown,Other,TRUE,\N 265,SW General Inc,AZ,Healthcare Provider,566,2011-04-14,Theft,Paper/Films,FALSE,\N 266,Fairview Health Services,MN,Healthcare Provider,1215,2011-04-14,Loss,Paper/Films,FALSE,\N 267,"Healthcare Solutions Team, LLC",IL,Business Associate,675,2011-04-19,Unauthorized Access/Disclosure,Other,TRUE,\N 268,Community Action partnership of Natrona County,WY,Healthcare Provider,15000,2011-04-20,Theft,Desktop Computer,FALSE,"The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCR's compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures." 
269,"Keith & Fisher, DDS, PA",NC,Healthcare Provider,6000,2011-04-21,Hacking/IT Incident,Network Server,FALSE,\N 270,MacNeal Hospital,IL,Healthcare Provider,845,2011-04-25,Hacking/IT Incident,"Desktop Computer, Email, Laptop, Network Server",FALSE,\N 271,West Lake Hospital ,IL,Healthcare Provider,686,2011-04-25,Hacking/IT Incident,"Desktop Computer, Email, Laptop, Network Server",FALSE,\N 272,Phoenix Health Plan,AZ,Health Plan,9393,2011-04-25,Hacking/IT Incident,"Desktop Computer, Email, Laptop, Network Server",FALSE,\N 273,MacNeal Physician Group,IL,Healthcare Provider,532,2011-04-25,Hacking/IT Incident,"Desktop Computer, Email, Laptop, Network Server",FALSE,\N 274,Genesis Clinical Laboratory,IL,Healthcare Provider,1070,2011-04-25,Hacking/IT Incident,"Desktop Computer, Email, Laptop, Network Server",FALSE,\N 275,Knox Community Hospital,OH,Healthcare Provider,500,2011-04-28,Improper Disposal,Other,FALSE,\N 276,Speare Memorial Hospital,NH,Healthcare Provider,5960,2011-05-02,Theft,Laptop,FALSE,\N 277,Methodist Charlton Medical Center,TX,Healthcare Provider,1500,2011-05-05,Theft,Laptop,FALSE,"An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards." 278,Drs Edalji and Komer,MA,Healthcare Provider,563,2011-05-06,Theft,Laptop,FALSE,"An unsecured laptop containing the electronic protected health information (ePHI) of approximately 563 individuals was stolen from the car of a business associate's (BA) subcontractor. The PHI included names, addresses, dates of birth, and social security numbers. 
Following the breach, the covered entity (CE) notified affected individuals, HHS, and the media, and offered all affected individuals one year of free credit monitoring services. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 279,Reid Hospital & Health Care Services,IN,Healthcare Provider,22001,2011-05-06,Theft,Laptop,FALSE,\N 280,Union Security Insurance Company,MO,Health Plan,850,2011-05-09,Unauthorized Access/Disclosure,Other,FALSE,\N 281,Indiana Regional Medical Center,PA,Healthcare Provider,1388,2011-05-09,Theft,Paper/Films,FALSE,\N 282,"MMM Healthcare, Inc.",PR,Health Plan,32390,2011-05-09,Theft,Desktop Computer,FALSE,\N 283,PMC Medicare Choice,PR,Health Plan,24361,2011-05-09,Theft,Desktop Computer,FALSE,\N 284,CVS CAREMARK,AZ,Healthcare Provider,654,2011-05-11,"Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 285,CENTER FOR ARTHRITIS & RHEUMATIC DISEASES,FL,Healthcare Provider,8000,2011-05-11,Theft,"Other, Paper/Films",FALSE,\N 286,"Robert B. Miller, MD",CA,Healthcare Provider,620,2011-05-17,Theft,Laptop,FALSE,\N 287,Imaging Center of Garland,TX,Healthcare Provider,1031,2011-05-19,Improper Disposal,Other,FALSE,\N 288,St. Mary's Hospital for Children,NY,Business Associate,550,2011-05-19,Theft,Paper/Films,TRUE,"A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. 
Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. 
Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 289,"Cahaba Government Benefit Administrators, LLC",AL,Business Associate,13412,2011-05-25,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 290,VA Caribbean Healthcare System,PR,Healthcare Provider,6006,2011-05-26,Theft,Paper/Films,FALSE,"An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures." 
291,Agent Benefits Corporation,MI,Business Associate,11387,2011-05-26,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,TRUE,\N 292,Spartanburg Regional Healthcare System,SC,Business Associate,400000,2011-05-27,Theft,Desktop Computer,TRUE,\N 293,Saint Joseph - Berea,KY,Healthcare Provider,1986,2011-06-02,"Loss, Theft","Other, Other Portable Electronic Device",FALSE,\N 294,Navos,WA,Health Plan,2700,2011-06-08,Unknown,Paper/Films,FALSE,\N 295,Lower Umpqua Hospital,OR,Business Associate,17000,2011-06-08,Theft,"Other, Other Portable Electronic Device",TRUE,\N 296,"Metropolitan Community Health Services, Inc.",NC,Healthcare Provider,1263,2011-06-09,Unknown,Email,FALSE,\N 297,TUBA CITY REGIONAL HEALTH CARE CORPORATION,AZ,Healthcare Provider,2000,2011-06-09,"Improper Disposal, Loss",Paper/Films,FALSE,\N 298,"FOOTHILLS NEPHROLOGY, PC",SC,Healthcare Provider,1280,2011-06-09,Theft,"Other, Other Portable Electronic Device",FALSE,"A company-issued laptop computer containing the protected health information (PHI) of approximately 1,280 individuals was stolen from the vehicle of a covered entity's (CE) employee. The PHI included demographic and clinical information. The CE provided breach notification to the affected individuals, HHS, and the media and created a toll-free number for information regarding the incident. As a result of this incident, the CE contacted law enforcement, retrained staff on the use of portable media, and initiated a risk analysis. Following the OCR investigation, the CE reviewed and updated its policies and procedures to ensure adequate safeguards, instituted a new electronic medical records system which encrypts medical information, updated password requirements for computers, and retrained employees." 
299,Fidelity National Technology Imaging (FNTI),CA,Business Associate,1192,2011-06-10,Loss,Paper/Films,TRUE,\N
300,New River Health Association,WV,Healthcare Provider,950,2011-06-16,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
301,HealthCare Partners,CA,Healthcare Provider,15677,2011-06-16,Theft,Desktop Computer,FALSE,\N
302,"Gene S. J. Liaw, MD. PS",WA,Healthcare Provider,1105,2011-06-17,Theft,"Other, Other Portable Electronic Device",FALSE,"An unencrypted portable computer drive (a USB) containing the electronic protected health information (ePHI) of 1,105 patients was misplaced and could not be found in the entity's office. The ePHI included names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and social security numbers. The entity provided breach notification to affected individuals and HHS. Following the breach, the entity replaced the missing drive with encryption-capable USB drives, provided secure, locked storage facilities for its mobile devices, and implemented policies preventing removal of such devices from the office. OCR's investigation found that the entity in fact is not a covered entity under the Privacy and Security Rules."
303,Blue Cross and Blue Shield of Florida ,FL,Health Plan,3463,2011-06-17,Unauthorized Access/Disclosure,Other,FALSE,\N
304,"NOL, LLC d/b/a Premier Radiology",TN,Healthcare Provider,810,2011-06-22,Theft,Laptop,FALSE,\N
305,"Advanced Diagnostic Imaging, P.C.",TN,Healthcare Provider,705,2011-06-22,Theft,Laptop,FALSE,\N
306,University of Missouri Health Care,MO,Healthcare Provider,1288,2011-06-23,Unknown,Paper/Films,FALSE,\N
307,"Area Agency on Aging, Ohio District 5",OH,Business Associate,78042,2011-06-27,Theft,Laptop,TRUE,\N
308,"Gail Gillespie and Associates, LLC",LA,Healthcare Provider,2000,2011-06-28,Theft,"Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device",FALSE,\N
309,Health Plan of San Mateo,CA,Health Plan,694,2011-06-29,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
310,Department of Personnel and Administration,CO,Business Associate,3589,2011-06-29,Theft,Other,TRUE,"The covered entity's (CE) business associate (BA) mailed a compact disk (CD) containing electronic protected health information (ePHI) through the inter-office mail system for delivery in another city. The CD, containing ePHI of 3,589 individuals, was lost en route. The PHI included state Medicaid and children's health plan data. Immediately following the breach, the CE completed a risk analysis to identify additional concerns and developed a risk management plan. The CE provided breach notification to the affected individuals, HHS, and the media and provided substitute notification on its website. To prevent a similar breach from happening in the future, the CE required all future ePHI to be encrypted prior to shipment. OCR obtained assurances that the CE implemented the corrective action listed above."
311,Yanez Dental Corporation,CA,Business Associate,10190,2011-07-04,Theft,"Desktop Computer, Network Server",TRUE,\N
312,Jackson Health System,FL,Healthcare Provider,1562,2011-07-08,Unauthorized Access/Disclosure,"Electronic Medical Record, Other",FALSE,\N
313,The Mount Sinai Hospital,NY,Healthcare Provider,712,2011-07-08,Theft,Laptop,FALSE,"Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls."
314,Troy Regional Medical Center,AL,Healthcare Provider,880,2011-07-08,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
315,AssureCare Risk Management,IL,Business Associate,5000,2011-07-11,Hacking/IT Incident,Network Server,TRUE,\N
316,Dr Axel Velez,PR,Healthcare Provider,2800,2011-07-13,Theft,Desktop Computer,FALSE,\N
317,"DeKalb Medical Center, Inc. 
d/b/a DeKalb Medical Hillandale",GA,Healthcare Provider,7500,2011-07-15,Theft,Paper/Films,FALSE,\N
318,Beth Israel Deaconess Medical Center,MA,Healthcare Provider,2021,2011-07-19,Hacking/IT Incident,Network Server,FALSE,\N
319,"Assurecare Risk Management, Inc.",IL,Business Associate,25330,2011-07-21,Unauthorized Access/Disclosure,Network Server,TRUE,\N
320,"Andersen Air Force Base, Guam",VA,Healthcare Provider,700,2011-07-22,Improper Disposal,Paper/Films,FALSE,\N
321,"RxAmerica, a subsidiary of CVS Caremark",TX,Business Associate,4573,2011-07-22,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
322,RxAmerica LLC,UT,Business Associate,1378,2011-07-22,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
323,Health Care Service Corporation,IL,Health Plan,501,2011-07-28,Theft,Paper/Films,FALSE,\N
324,University of Kentucky - UK HealthCare,KY,Healthcare Provider,3604,2011-07-28,Theft,Laptop,FALSE,\N
325,"Austin Center for Therapy and Assessment, LLC",TX,Healthcare Provider,1870,2011-07-28,Theft,Laptop,FALSE,"An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software."
326,Treatment Services Northwest,OR,Healthcare Provider,1200,2011-07-29,Theft,Desktop Computer,FALSE,\N
327,Mills-Peninsula Health Services,CA,Healthcare Provider,1500,2011-07-29,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
328,Brigham and Women's Hospital and Faulkner Hospital ,MA,Healthcare Provider,638,2011-08-03,Theft,Other Portable Electronic Device,FALSE,"A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above."
329,Med Assets,NJ,Business Associate,8795,2011-08-08,Theft,"Other, Other Portable Electronic Device",TRUE,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. 
Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI."
330,Washington State Department of Social and Health Services,WA,Health Plan,3950,2011-08-09,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
331,The Neurological Institute of Savannah & Center for Spine,GA,Healthcare Provider,63425,2011-08-15,Theft,"Other, Other Portable Electronic Device",FALSE,\N
332,Accuprint ,PR,Business Associate,5848,2011-08-15,Theft,Other,TRUE,"The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. 
In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI."
333,Texas Health Partners,TX,Business Associate,10345,2011-08-17,Theft,Laptop,TRUE,\N
334,Capron Rescue Squad District,IL,Healthcare Provider,815,2011-08-18,Unauthorized Access/Disclosure,Laptop,FALSE,\N
335,MedAssets,NJ,Business Associate,32008,2011-08-18,Theft,"Other, Other Portable Electronic Device",TRUE,\N
336,Lexington VAMC,KY,Healthcare Provider,1432,2011-08-25,Theft,"Laptop, Other Portable Electronic Device, Paper/Films",FALSE,"The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member's residence. The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review."
337,"SpaMed Solutions, LLC, Edward McMenamin President,",NJ,Business Associate,3000,2011-08-28,"Theft, Unauthorized Access/Disclosure","Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device, Paper/Films",TRUE,\N
338,"HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER",IL,Healthcare Provider,2000,2011-08-29,Theft,"Desktop Computer, Network Server",FALSE,\N
339,"Multi-Speciality Collection Services, LLC",CA,Business Associate,19651,2011-08-29,Unauthorized Access/Disclosure,Other,TRUE,\N
340,"Muir Orthopaedic Specialists, A Medical Group Inc.",CA,Healthcare Provider,1800,2011-09-07,Theft,Paper/Films,FALSE,\N
341,NEA Baptist Clinic,AR,Healthcare Provider,3116,2011-09-07,Hacking/IT Incident,Network Server,FALSE,\N
342,Jonathan Noel MD,IN,Healthcare Provider,2059,2011-09-08,Theft,"Other, Other Portable Electronic Device",FALSE,\N
343,Texas Health and Human Services Commission,TX,Health Plan,1696,2011-09-09,Theft,Laptop,FALSE,"An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees."
344,Living Healthy Community Clinic,WI,Business Associate,3000,2011-09-13,Hacking/IT Incident,Desktop Computer,TRUE,\N
345,Centro de Ortodoncia Inc.,PR,Healthcare Provider,2000,2011-09-13,Theft,Paper/Films,FALSE,"OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. 
OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach."
346,"John T. Melvin, M.D.& Associates",TX,Healthcare Provider,2541,2011-09-14,Theft,Paper/Films,FALSE,\N
347,"Diversified Resources, Inc.",GA,Healthcare Provider,863,2011-09-15,Theft,Laptop,FALSE,"A password protected, but unencrypted laptop computer was stolen from a nurse's car. The laptop contained the electronic protected health information (ePHI) for 863 individuals receiving services from the covered entity (CE), Diversified Resources, Inc. The ePHI involved in the breach included names, addresses, phone numbers, primary care physicians' names, caregiver contacts, and social security numbers. The CE provided breach notification to HHS and affected individuals. Following the breach, CE reviewed its policies and procedures, applied employee sanctions, retrained its workforce, and improved safeguards by requiring file-level encryption. Pursuant to technical assistance provided by OCR, CE implemented additional administrative safeguards, including a new policy prohibiting employees from leaving laptops unattended in a vehicle."
348,VA Gulf Coast Veterans Health Care System,MS,Healthcare Provider,1797,2011-09-20,Theft,Paper/Films,FALSE,"The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. 
The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above."
349,Freda J Bowman MD PA,TX,Healthcare Provider,1300,2011-09-20,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,FALSE,\N
350,"Bonney Lake Medical Center and Mythili R. Ramachandran, MD",WA,Healthcare Provider,2367,2011-09-21,Theft,"Desktop Computer, Laptop",FALSE,\N
351,"Benefits Administration Services, Inc.",VA,Business Associate,4000,2011-09-22,Loss,"Other, Other Portable Electronic Device",TRUE,\N
352,VA Illiana Health Care System,IL,Healthcare Provider,518,2011-09-23,Loss,Paper/Films,FALSE,\N
353,Health Texas Provider Network,TX,Healthcare Provider,1259,2011-09-23,Theft,Laptop,FALSE,\N
354,"AllOne Health Management Solutions, Inc.",PA,Business Associate,507,2011-09-23,"Theft, Unauthorized Access/Disclosure","Laptop, Paper/Films",TRUE,\N
355,NYU Hospital for Joint Diseases Inventory Management Department,NY,Healthcare Provider,2600,2011-09-26,Theft,Paper/Films,FALSE,"A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not properly secured. The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. 
Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks."
356,FIRST PRIORITY LIFE INSURANCE COMPANY,PA,Business Associate,579,2011-09-28,"Theft, Unauthorized Access/Disclosure",Paper/Films,TRUE,\N
357,"Summit Medical Group, PLLC",TN,Healthcare Provider,731,2011-09-28,Theft,Paper/Films,FALSE,\N
358,MAPFRE Life,PR,Health Plan,2209,2011-09-29,Theft,Other,FALSE,\N
359,Futurity First Insurance Group,CT,Business Associate,1631,2011-10-03,Loss,"Other, Other Portable Electronic Device",TRUE,\N
360,Henry Ford Health System,MI,Healthcare Provider,520,2011-10-03,Theft,Desktop Computer,FALSE,\N
361,Indiana University,IN,Healthcare Provider,3266,2011-10-04,Theft,Laptop,FALSE,\N
362,"Adult & Pediatric Dermatology, PC",MA,Healthcare Provider,2200,2011-10-07,Theft,"Other, Other Portable Electronic Device",FALSE,"Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. 
APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. As we say in health care, an ounce of prevention is worth a pound of cure, said OCR Director Leon Rodriguez. That is what a good risk management process is all about - identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information. In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR."
363,The Nemours Foundation,FL,Healthcare Provider,1055489,2011-10-07,Loss,Other,FALSE,\N
364,"Thomas J O'Laughlin, MD",CA,Business Associate,700,2011-10-07,"Theft, Unauthorized Access/Disclosure",Paper/Films,TRUE,\N
365,"InStep Foot Clinic, P.A.",MN,Healthcare Provider,2600,2011-10-11,Theft,"Electronic Medical Record, Laptop",FALSE,\N
366,"Lahey Clinic Hospital, Inc.",MA,Healthcare Provider,599,2011-10-11,Theft,Laptop,FALSE,\N
367,Futurity First Insurance Group,CT,Business Associate,3994,2011-10-11,Theft,Other,TRUE,\N
368,Florida Hospital,FL,Healthcare Provider,12784,2011-10-13,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
369,"Thomas Jefferson University Hospitals, Inc.",PA,Healthcare Provider,3150,2011-10-14,Theft,Other,FALSE,\N
370,Lankenau Medical Center,PA,Healthcare Provider,500,2011-10-17,Theft,Other,FALSE,\N
371,"Spectrum Health Ssytems, Inc. ",MA,Healthcare Provider,14750,2011-10-20,Theft,Desktop Computer,FALSE,\N
372,Conway Regional Medical Center,AR,Healthcare Provider,1472,2011-10-21,Loss,Other,FALSE,\N
373,"HITS Scanning Solutions, Inc.",MO,Business Associate,7059,2011-10-22,Theft,Other,TRUE,"The covered entity's (CE) business associate (BA) shipped microfilm records containing protected health information (PHI) of 7,059 workforce members. The microfilm was lost in transit and not recovered. The PHI included clinical information, diagnoses, names, addresses, zip codes, dates of birth, social security numbers, driver's license numbers, and other identifiers. Following the breach, the CE changed its procedures, requiring PHI to be shipped via a new mail carrier that requires a confirmation signature upon receipt and allows for the tracking of packages. As a result of OCR's investigation the CE retrained its employees on its HIPAA policies and procedures."
374,Stone Oak Urgent Care & Family Practice,TX,Business Associate,6672,2011-10-24,"Loss, Theft",Desktop Computer,TRUE,\N
375,Indiana University School of Optometry,IN,Healthcare Provider,757,2011-10-25,Theft,Network Server,FALSE,"A doctor's letters and reports were exposed on the Internet for one month after the security configuration of the covered entity's (CE) computer server was changed. The electronic protected health information (ePHI) of 757 individuals appearing on the Internet included patient names, birth dates, medical histories, diagnoses, and treatment plans. Following the breach, the CE identified and blocked the internet protocol (IP) address that was allowing access to ePHI over the Internet, removed the web portal that was facilitating access, and restored the affected server to its previous security configuration. As a result of OCR's investigation, the CE implemented monitoring and reporting of electronic information systems that transmit ePHI. OCR obtained assurances that breach notification was provided to affected individuals, the media, and HHS."
376,"Brevard Emergency Services, P.A.",FL,Healthcare Provider,2200,2011-10-25,Theft,Paper/Films,FALSE,\N
377,Morris Heights Health Center,NY,Healthcare Provider,927,2011-10-27,Theft,Laptop,FALSE,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located. 
In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI."
378,Thresholds Inc.,MI,Business Associate,1100,2011-10-28,Theft,Paper/Films,TRUE,\N
379,"Pitney Bowes Management Services, Inc.",CT,Business Associate,1089,2011-10-28,Theft,Desktop Computer,TRUE,\N
380,Premier Imaging,NC,Healthcare Provider,551,2011-10-28,Unknown,Paper/Films,FALSE,"A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals."
381,"Julie A. Kennedy, D.M.D., P.A.",FL,Healthcare Provider,2900,2011-10-31,Theft,Network Server,FALSE,"Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE. The ePHI included patient names, dates of birth, and social security numbers. The CE provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed encryption software and increased physical security."
382,"KCI USA, Inc.",TX,Healthcare Provider,567,2011-10-31,Theft,"Other, Other Portable Electronic Device",FALSE,\N
383,Lebanon Internal Medicine Associates,PA,Healthcare Provider,55000,2011-11-02,Improper Disposal,Network Server,FALSE,\N
384,St. 
Joseph Medical Center,MD,Healthcare Provider,5000,2011-11-03,Theft,"Other, Paper/Films",FALSE,\N
385,Science Applications International Corporation (SA,VA,Business Associate,4900000,2011-11-04,Loss,Other,TRUE,\N
386,UCLA Health System,CA,Healthcare Provider,2761,2011-11-04,Theft,"Other, Other Portable Electronic Device",FALSE,\N
387,Logan County Emergeny Ambulance Service Authority,WV,Healthcare Provider,12563,2011-11-08,"Loss, Theft",Laptop,FALSE,\N
388,"Amerigroup Community Care of New Mexico, Inc",NM,Health Plan,1537,2011-11-13,Theft,Paper/Films,FALSE,\N
389,"Mid Continent Credit Services, Inc.",KS,Business Associate,8275,2011-11-14,Theft,Other,TRUE,"The covered entity's (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CE's website that potentially allowed the impermissible disclosure of 8,275 individuals' electronic protected health information (ePHI). The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers. Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy. CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. It offered credit monitoring service to affected individuals. As a result of OCR's investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification policies."
390,Sutter Medical Foundation,AL,Healthcare Provider,943434,2011-11-17,Theft,Desktop Computer,FALSE,\N
391,Medcenter One,ND,Healthcare Provider,650,2011-11-17,Theft,Laptop,FALSE,\N
392,Dallas County Hospital District dba Parkland Health & Hospital System,TX,Healthcare Provider,2464,2011-11-17,Unauthorized Access/Disclosure,"Electronic Medical Record, Paper/Films",FALSE,\N
393,University of Kentucky UK HealthCare,KY,Healthcare Provider,878,2011-11-23,Loss,Other Portable Electronic Device,FALSE,\N
394,State of Tennessee Sponsored Group Health Plan,TN,Health Plan,1770,2011-11-28,Unauthorized Access/Disclosure,Paper/Films,FALSE,"An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE reviewed its policies and procedures to ensure adequate safeguards are in place."
395,Cleveland Clinic Florida,FL,Healthcare Provider,772,2011-12-01,Loss,Other,FALSE,\N
396,"Jay C. 
Platt, DDS",IN,Healthcare Provider,10705,2011-12-05,Theft,Other,FALSE,\N
397,Rite Aid Corporation ,PA,Healthcare Provider,2900,2011-12-07,Other,Paper/Films,FALSE,\N
398,Blue Vantage Group,NY,Business Associate,7226,2011-12-09,Unauthorized Access/Disclosure,Network Server,TRUE,\N
399,Nation Wise Machine Buyers,IL,Business Associate,2000,2011-12-09,Improper Disposal,Paper/Films,TRUE,\N
400,University of Nebraska Medical Center,NE,Healthcare Provider,611,2011-12-09,Theft,Paper/Films,FALSE,\N
401,Roberts S. Smith M.D. Inc.,GA,Healthcare Provider,17000,2011-12-13,Theft,Laptop,FALSE,\N
402,"Paul C. Brown, MD, PS",WA,Healthcare Provider,4693,2011-12-15,Theft,Other,FALSE,\N
403,Molina Healthcare of California,CA,Health Plan,11081,2011-12-17,Other,Paper/Films,FALSE,\N
404,Aegis Sciences Corporation,TN,Healthcare Provider,2185,2011-12-21,Theft,"Laptop, Other Portable Electronic Device",FALSE,"OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. 
Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies."
405,"Soundpath Health, Inc",WA,Health Plan,7581,2011-12-23,Theft,Laptop,FALSE,"A laptop containing the protected health information (PHI) of approximately 7,581 clients was stolen out of a workforce member's vehicle and subsequently used to access the covered entity's (CE) company server. The laptop contained clients' demographic information. After the incident, the CE performed a risk analysis of the specific breach occurrence. The CE provided OCR with a copy of its risk analysis, as well as its privacy, breach notification, and security policies and procedures. Following OCR's investigation, the CE performed a broader security risk assessment and encrypted all mobile media. The CE also developed and provided computer security training to its staff members."
406,Concentra Health,TX,Healthcare Provider,870,2011-12-28,Theft,Laptop,FALSE,\N
407,Sleep HealthCenters LLC,MA,Healthcare Provider,2988,2011-12-28,Theft,Laptop,FALSE,\N
408,Smile Designs,FL,Healthcare Provider,1670,2012-01-06,Theft,"Desktop Computer, Network Server",FALSE,\N
409,Alamance Caswell Local Management Entity,NC,Business Associate,50000,2012-01-10,"Other, Unauthorized Access/Disclosure","Email, Network Server",TRUE,\N
410,"CardioNet, Inc",PA,Healthcare Provider,1300,2012-01-10,Theft,Laptop,FALSE,\N
411,RightNow Technologies,MT,Business Associate,2700,2012-01-11,Unauthorized Access/Disclosure,Other,TRUE,\N
412,"WageWorks, Inc.",CA,Business Associate,1700,2012-01-13,Other,Paper/Films,TRUE,\N
413,Foundation Medical Partners,NH,Healthcare Provider,771,2012-01-16,Theft,Paper/Films,FALSE,"Without permission from the covered entity (CE), an employee provided a list of patients' names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was 
treating. The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes. Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management. The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter." 414,Kansas Department on Aging,KS,Healthcare Provider,7757,2012-01-19,Theft,Laptop,FALSE,\N 415,Delta Dental of California,CA,Health Plan,11646,2012-01-19,Other,Paper/Films,FALSE,\N 416,Muskogee Regional Medical Center,OK,Health Plan,844,2012-01-20,Loss,Other,FALSE,\N 417,"ACS, Affiliated Computer Services, Inc., A Xerox Company",VA,Business Associate,1444,2012-01-23,"Other, Unauthorized Access/Disclosure",Paper/Films,TRUE,\N 418,"Oldendorf Medical Services, PLLC",NY,Healthcare Provider,549,2012-01-24,Theft,Laptop,FALSE,"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. 
" 419,St.Vincent Physician Network,IN,Healthcare Provider,1423,2012-01-26,"Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 420,Flex Physical Therapy,WA,Healthcare Provider,3100,2012-01-27,Theft,Desktop Computer,FALSE,"Three password protected desktop computers and/or media devices containing the electronic protected health information (ePHI) of 3,100 individuals were stolen during a break-in at the covered entity's (CE) office. The ePHI included names, social security numbers, addresses, dates of birth, claims information, diagnoses and treatment information. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice. Following the breach, the CE also purchased upgraded software and addressed facility access controls. As a result of OCR's investigation, OCR provided technical assistance regarding encryption standards and breach notice requirements." 421,Metro Community Provider Network,CO,Healthcare Provider,3200,2012-01-27,"Hacking/IT Incident, Other",Email,FALSE,\N 422,University of Miami ,FL,Healthcare Provider,1219,2012-01-30,Theft,Other Portable Electronic Device,FALSE,\N 423,UnitedHealth Group health plan single affiliated covered entity,MN,Health Plan,6678,2012-02-01,Other,Paper/Films,FALSE,\N 424,"Triumph, LLC",NC,Healthcare Provider,2000,2012-02-01,Theft,Laptop,FALSE,\N 425,Accretive Health,IL,Business Associate,14000,2012-02-06,Theft,Laptop,TRUE,\N 426,Loma Linda University Medical Center (LLUMC),CA,Healthcare Provider,1366,2012-02-08,Other,Paper/Films,FALSE,\N 427,"Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company",NJ,Business Associate,1700,2012-02-08,Other,Other,TRUE,\N 428,"Medco Health Solutions, Inc.",NJ,Healthcare Provider,1287,2012-02-13,Theft,Paper/Films,FALSE,"The covered entity (CE), Medco Health Solutions, mailed letters with incorrect addresses after a programming code in its mailing software caused corruption of its data. 
The mailing contained the protected health information (PHI) of 4,341 individuals and included names, medication name and prescription number. The CE provided breach notification to HHS, the media, and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. As a result of OCR's investigation, the CE corrected the update to its mailing software system and established manual and automated quality control processes. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 429,Lakeview Medical Center,WI,Healthcare Provider,698,2012-02-14,Theft,Laptop,FALSE,\N 430,"Goshen Health System, Inc.",IN,Healthcare Provider,660,2012-02-14,Hacking/IT Incident,Other,FALSE,\N 431,Georgetown University Hospital,DC,Healthcare Provider,1549,2012-02-15,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 432,Motion Picture Industry Health Plans (MPI),CA,Health Plan,703,2012-02-15,Theft,Other,FALSE,"The covered entity (CE), Motion Picture Industry Health Plans (MPIHP), mistakenly sent mailings containing protected health information (PHI) to the prior address of approximately 700 individuals due to a computer error. The PHI involved in the breach included names, claim numbers, dates of service, and provider names. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. Following the breach, the CE instituted additional safeguards including automatic suppression of documents when conflicting addresses are contained in multiple computer systems. As a result of OCR's investigation, the CE updated its policies, conducted a new risk analysis, and developed a new risk management plan." 
433,Ochsner Health System,LA,Healthcare Provider,2088,2012-02-20,Loss,Other Portable Electronic Device,FALSE,\N 434,Dr. Trandinh,OR,Business Associate,2300,2012-02-20,"Theft, Unauthorized Access/Disclosure",Laptop,TRUE,\N 435,"CardioNet, Inc.",PA,Healthcare Provider,728,2012-02-27,Theft,Laptop,FALSE,\N 436,"Beth Barrett Consulting, LLC",NM,Business Associate,7000,2012-02-28,Theft,Laptop,TRUE,\N 437,"Catalyst Health Solutions, Inc.",MD,Business Associate,632,2012-02-28,Unauthorized Access/Disclosure,Other,TRUE,\N 438,"T&P CONSULTING, INC. D/B/A QUANTUM",PR,Business Associate,7706,2012-02-28,Theft,Laptop,TRUE,"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures." 439,Lee Miller Rehabilitation Associates,MD,Healthcare Provider,10480,2012-02-29,Theft,Network Server,FALSE,\N 440,"Jeremaih J. 
Twomey, F.A.C.P., P.A.",TX,Business Associate,2559,2012-03-02,Theft,Other,TRUE,\N 441,Anchorage Community Mental Health Services Inc.,AK,Healthcare Provider,2743,2012-03-03,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 442,Robley Rex VA Medical Center ,KY,Healthcare Provider,1182,2012-03-06,Other,Paper/Films,FALSE,\N 443,Indiana Internal Medicine Consultants,IN,Healthcare Provider,20000,2012-03-09,Theft,Laptop,FALSE,"A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without proprietary software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. " 444,"T & P Consulting, Inc. d/b/a Quantum Health Consulting",PR,Business Associate,10000,2012-03-12,Theft,"Laptop, Other Portable Electronic Device",TRUE,"The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. 
Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures. " 445,Quantum Health Consulting,PR,Business Associate,4645,2012-03-12,Theft,Laptop,TRUE,"OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices." 446,Kern Medical Center ,CA,Healthcare Provider,1431,2012-03-12,Theft,Paper/Films,FALSE,\N 447,"William F. DeLuca Jr., M.D.",NY,Healthcare Provider,577,2012-03-13,Theft,Laptop,FALSE,"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. 
Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies." 448,Quantum Health Consulting,PR,Business Associate,7923,2012-03-13,Theft,Laptop,TRUE,"An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. " 449,Advanced Clinical Research Institute,CA,Health Plan,875,2012-03-14,Theft,Paper/Films,FALSE,\N 450,"T&P Consulting, INC DBA Quantum HC",PR,Business Associate,7606,2012-03-15,Theft,"Laptop, Other Portable Electronic Device",TRUE,"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. 
Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls." 451,Georgia Health Sciences University,GA,Healthcare Provider,513,2012-03-15,Theft,Laptop,FALSE,\N 452,"Baylor Heart and Vascular Center, LLP",TX,Healthcare Provider,1972,2012-03-16,Theft,Other Portable Electronic Device,FALSE,\N 453,Chicago Musculoskeletal Institute/Metro Orthopedics,IL,Healthcare Provider,750,2012-03-23,Other,Network Server,FALSE,\N 454,"Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.)",IL,Business Associate,3482,2012-03-23,Other,Paper/Films,TRUE,\N 455,Duke University Health System,NC,Healthcare Provider,1370,2012-03-23,Unauthorized Access/Disclosure,Other,FALSE,\N 456,St. Joseph's Medical Center,CA,Healthcare Provider,712,2012-03-29,Theft,Paper/Films,FALSE,\N 457,CenterLight Healthcare,NY,Health Plan,642,2012-04-03,Unauthorized Access/Disclosure,Email,FALSE,\N 458,Lake Granbury Medicl Ceter,TX,Healthcare Provider,502,2012-04-04,Theft,Paper/Films,FALSE,\N 459,County of Wayne Department of Personnel/Human Resources Benefits Administration Division,MI,Health Plan,1229,2012-04-06,Unauthorized Access/Disclosure,Email,FALSE,\N 460,St. 
Elizabeth's Medical Center,MA,Healthcare Provider,6831,2012-04-06,Loss,Paper/Films,FALSE,\N 461,The Neighborhood Christian Clinic,AZ,Healthcare Provider,9565,2012-04-09,Loss,Other Portable Electronic Device,FALSE,\N 462,"AccentCare Home Health of California, Inc. Medicare # 057564 CA state License # 080000226",CA,Healthcare Provider,1000,2012-04-10,Unauthorized Access/Disclosure,Email,FALSE,\N 463,HealthLOGIX,MI,Business Associate,555,2012-04-10,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 464,David Charles Rish,CA,Business Associate,2000,2012-04-10,Theft,Other,TRUE,\N 465,Utah Department of Technology Services,UT,Business Associate,780000,2012-04-11,Hacking/IT Incident,Network Server,TRUE,\N 466,IU Medical Group,IN,Healthcare Provider,1000,2012-04-12,Improper Disposal,Paper/Films,FALSE,\N 467,Rhinebeck Health Center/Center for Progressive Medicine,NY,Healthcare Provider,6745,2012-04-12,Theft,"Desktop Computer, Network Server",FALSE,"The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. 
In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system." 468,Memorial Healthcare System,FL,Health Plan,9497,2012-04-13,Other,Other,FALSE,\N 469,"Roy E. Gondo, M.D.",WA,Healthcare Provider,2100,2012-04-13,Theft,"Desktop Computer, Electronic Medical Record",FALSE,\N 470,"DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central",TX,Healthcare Provider,1000,2012-04-16,Improper Disposal,Paper/Films,FALSE,\N 471,Emory Healthcare,GA,Healthcare Provider,315000,2012-04-18,"Other, Unknown",Other,FALSE,\N 472,Desert AIDS Project,CA,Healthcare Provider,4400,2012-04-20,Theft,Desktop Computer,FALSE,\N 473,University of Arkansas for Medical Sciences,AR,Healthcare Provider,7121,2012-04-20,Unauthorized Access/Disclosure,Other,FALSE,\N 474,"TLC DENTAL DANIA, LLC",FL,Healthcare Provider,750,2012-04-23,Theft,Paper/Films,FALSE,\N 475,South Carolina Department of Health and Human Services,SC,Health Plan,228435,2012-04-24,Unauthorized Access/Disclosure,Email,FALSE,\N 476,Oregon Health Authority,OR,Healthcare Provider,550,2012-04-26,Theft,Paper/Films,FALSE,\N 477,SHIELDS For Families ,CA,Healthcare Provider,961,2012-04-26,Theft,Network Server,FALSE,\N 478,"Safe Ride Services, Inc",AZ,Healthcare Provider,42000,2012-05-01,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,FALSE,\N 479,IntraCare North Hospital,TX,Healthcare Provider,750,2012-05-03,Theft,Paper/Films,FALSE,\N 480,"Oakland Vision Services, PC",MI,Healthcare Provider,3000,2012-05-03,Hacking/IT Incident,Network Server,FALSE,\N 481,Baptist Health System,AL,Healthcare Provider,1655,2012-05-04,Improper Disposal,Paper/Films,FALSE,\N 482,University of Houston for UH College of Optometry,TX,Healthcare Provider,7000,2012-05-08,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,FALSE,\N 483,Rite Aid Store 
1343,WV,Healthcare Provider,2905,2012-05-10,Theft,Paper/Films,FALSE,\N 484,Iowa Department of Human Services,IA,Health Plan,3000,2012-05-11,Improper Disposal,Paper/Films,FALSE,\N 485,Hogan Services Inc. Health Care Premium Plan,MO,Health Plan,1134,2012-05-11,Unauthorized Access/Disclosure,Email,FALSE,\N 486,"Family HealthServices Minnesota, P.A.",MN,Healthcare Provider,4000,2012-05-14,Theft,Laptop,FALSE,\N 487,St. Mary Medical Center,CA,Healthcare Provider,3900,2012-05-14,Loss,Other Portable Electronic Device,FALSE,\N 488,Our Lady of the Lake Regional Medical Center,LA,Healthcare Provider,17000,2012-05-18,"Loss, Theft",Laptop,FALSE,\N 489,UnitedHealth Group health plan single affiliated covered entity,MN,Health Plan,19100,2012-05-18,Unauthorized Access/Disclosure,Other,FALSE,\N 490,West Dermatology,CA,Healthcare Provider,1900,2012-05-18,Theft,Other,FALSE,\N 491,Duke University Health System,NC,Healthcare Provider,591,2012-05-18,Unauthorized Access/Disclosure,Other,FALSE,\N 492,Ameritas Life Insurance Corp. ,NE,Health Plan,3000,2012-05-21,Theft,Laptop,FALSE,\N 493,Children's Hospital Boston,MA,Healthcare Provider,2159,2012-05-22,Theft,Laptop,FALSE,\N 494,"Data Image, Inc.",OH,Business Associate,15000,2012-05-22,Unauthorized Access/Disclosure,Other,TRUE,\N 495,Physician's Automated Laboratory,CA,Healthcare Provider,745,2012-05-23,Theft,Paper/Films,FALSE,\N 496,"Phoebe Putney Memorial Hospital, Inc. 
",GA,Healthcare Provider,12937,2012-05-24,Theft,"Electronic Medical Record, Paper/Films",FALSE,\N 497,Independence Physical Therapy,CT,Healthcare Provider,925,2012-05-25,Theft,Desktop Computer,FALSE,\N 498,Titus Regional Medical Center,TX,Healthcare Provider,5700,2012-05-26,"Loss, Unknown",Laptop,FALSE,\N 499,Titus Regional Medical Center,TX,Healthcare Provider,500,2012-05-26,Theft,Other,FALSE,\N 500,Lutheran Community Services Northwest,WA,Healthcare Provider,756,2012-05-29,Theft,"Desktop Computer, Other Portable Electronic Device",FALSE,\N 501,"Volunteer State Health Plan, Inc. ",TN,Health Plan,1102,2012-05-31,Loss,Paper/Films,FALSE,\N 502,Charlie Norwood VA Medical Center,GA,Healthcare Provider,824,2012-06-04,Loss,Other Portable Electronic Device,FALSE,\N 503,PrevMED,MD,Business Associate,1444,2012-06-04,Theft,Laptop,TRUE,\N 504,"Metcare of Florida, Inc.",FL,Healthcare Provider,2557,2012-06-04,Theft,Other Portable Electronic Device,FALSE,\N 505,"Robert Witham, MD, FACP",OR,Healthcare Provider,11136,2012-06-06,Theft,Desktop Computer,FALSE,\N 506,Memorial Sloan-Kettering Cancer Center,NY,Healthcare Provider,568,2012-06-08,Theft,"Email, Other",FALSE,"The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. 
As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above." 507,"Gessler Clinic, P.A.",FL,Healthcare Provider,1409,2012-06-14,Theft,Paper/Films,FALSE,\N 508,University of Kentucky HealthCare,KY,Healthcare Provider,4490,2012-06-19,Theft,Laptop,FALSE,\N 509,Wolf & Yun,KY,Healthcare Provider,824,2012-06-22,Theft,Laptop,FALSE,\N 510,Karen Kietzman,MT,Healthcare Provider,708,2012-06-22,Theft,"Laptop, Other Portable Electronic Device",FALSE,\N 511,"Bruce G. Peller, DMD, PA",NC,Healthcare Provider,9953,2012-06-25,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 512,"Sharon L. Rogers, Ph.D., ABPP",TX,Healthcare Provider,585,2012-07-03,Theft,Laptop,FALSE,\N 513,Health Texas Provider Network - Cardiovascular Consultants of North Texas,TX,Healthcare Provider,2462,2012-07-05,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N 514,SwedishAmerican Health System,IL,Healthcare Provider,1500,2012-07-12,Theft,Paper/Films,FALSE,\N 515,"Patterson Dental, Inc.",MN,Business Associate,2533,2012-07-13,"Loss, Unauthorized Access/Disclosure, Unknown",Other Portable Electronic Device,TRUE,\N 516,Visiting Nurse Services of Iowa,IA,Healthcare Provider,1298,2012-07-16,Theft,Paper/Films,FALSE,\N 517,Molalla Family Dental,OR,Healthcare Provider,4354,2012-07-16,"Hacking/IT Incident, Other, Unauthorized Access/Disclosure",Network Server,FALSE,\N 518,Pamlico Medical Equipment LLC,NC,Healthcare Provider,2917,2012-07-17,Loss,Other Portable Electronic Device,FALSE,\N 519,Beth Israel Deaconess Medical Center,MA,Healthcare Provider,3900,2012-07-20,Theft,Laptop,FALSE,\N 520,NYU School of Medicine Faculty Group Practice,NY,Healthcare Provider,8488,2012-07-23,Theft,Desktop Computer,FALSE,\N 521,"The Surgeons of Lake County, LLC",IL,Healthcare Provider,7067,2012-07-25,Other,Network Server,FALSE,\N 522,Kindred Healthcare Inc d/b/a Kindred 
Transitional Care and Rehabilitation-Sellersburg,IN,Healthcare Provider,1504,2012-07-25,Theft,Other,FALSE,\N 523,Jeffrey Paul Edelstein M.D.,AZ,Healthcare Provider,4800,2012-07-27,Theft,Network Server,FALSE,\N 524,Northwestern Memorial Hospital,IL,Healthcare Provider,4211,2012-07-27,Theft,"Laptop, Other Portable Electronic Device",FALSE,\N 525,Walgreen Co.,IL,Healthcare Provider,1240,2012-07-30,Theft,Paper/Films,FALSE,\N 526,EMC,CT,Business Associate,7461,2012-07-30,Theft,Laptop,TRUE,\N 527,Oregon Health & Science University,OR,Healthcare Provider,702,2012-07-31,Theft,Other,FALSE,\N 528,Stanford Hospital & Clinics and School of Medicine,CA,Healthcare Provider,2300,2012-08-03,Theft,Desktop Computer,FALSE,\N 529,Harris County Hospital District,TX,Healthcare Provider,2875,2012-08-03,Theft,"Electronic Medical Record, Paper/Films",FALSE,\N 530,"Siemens Medical Solutions, USA",PA,Business Associate,66601,2012-08-10,Theft,Laptop,TRUE,\N 531,TEMPLE COMMUNITY HOSPITAL,CA,Healthcare Provider,603,2012-08-15,Theft,Desktop Computer,FALSE,\N 532,Memorial Healthcare System,FL,Healthcare Provider,105646,2012-08-16,Theft,Electronic Medical Record,FALSE,\N 533,"Liberty Resources, Inc.",PA,Healthcare Provider,3183,2012-08-17,Theft,Laptop,FALSE,"An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. 
Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above." 534,The University of Texas MD Anderson Cancer Center,TX,Healthcare Provider,2264,2012-08-17,Loss,Other Portable Electronic Device,FALSE,\N 535,Central States Southeast and Siouthwest Areas Health & Welfare Fund,IL,Health Plan,754,2012-08-21,"Other, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 536,LANA MEDICAL CARE,FL,Healthcare Provider,500,2012-08-28,Theft,Laptop,FALSE,\N 537,"Cancer Care Group, P.C.",IN,Healthcare Provider,55000,2012-08-28,Theft,Other Portable Electronic Device,FALSE,\N 538,Tricounty Behavioral Health Clinic,GA,Healthcare Provider,4000,2012-08-31,Theft,Laptop,FALSE,\N 539,Sierra Plastic Surgery,NV,Healthcare Provider,800,2012-09-05,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,FALSE,\N 540,"Charlotte Clark-Neitzel, MD",WA,Healthcare Provider,942,2012-09-07,Theft,Laptop,FALSE,\N 541,University of Miami,FL,Healthcare Provider,64846,2012-09-07,"Other, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 542,University of New Mexico Health Sciences Center,NM,Healthcare Provider,2365,2012-09-12,Hacking/IT Incident,Network Server,FALSE,\N 543,"Valley Plastic Surgery, P.C.",VA,Healthcare Provider,4873,2012-09-13,Theft,Other Portable Electronic Device,FALSE,\N 544,"Ecco Health, LLC",NV,Business Associate,5713,2012-09-14,Loss,Other Portable Electronic Device,TRUE,\N 545,"BHcare, Inc",CT,Healthcare Provider,5827,2012-09-14,Theft,"Laptop, Other Portable Electronic Device",FALSE,"OCR opened an investigation of the covered entity (CE), BHcare, Inc. 
after it reported that a laptop computer and unencrypted back-up tape containing the electronic protected health information (ePHI) of 5,827 individuals were stolen from a workforce member's vehicle. The ePHI included names, date of birth, social security numbers, health insurance numbers, and some patients' assessments and diagnosis information. Upon discovering the breach, the CE filed a police report with the Connecticut State Police. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notice on its website. The CE offered one year of free credit monitoring services to affected individuals. As a result of OCR's investigation, the CE completed a risk analysis and risk management plan, retrained employees, and implemented new security policies and procedures to ensure adequate safeguards of ePHI." 546,The Feinstein Institute for Medical Research,NY,Healthcare Provider,13000,2012-09-14,Theft,Laptop,FALSE,\N 547,"St. Therese Medical Group, Inc",CA,Healthcare Provider,3031,2012-09-17,Theft,Desktop Computer,FALSE,\N 548,"Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency)",KY,Health Plan,2500,2012-09-19,Unauthorized Access/Disclosure,Email,FALSE,\N 549,"PST Services, Inc",GA,Business Associate,13074,2012-10-08,Improper Disposal,Paper/Films,TRUE,\N 550,"Apria Healthcare, Inc.",CA,Healthcare Provider,65700,2012-10-10,Theft,Laptop,FALSE,\N 551,"Alexander J. Tikhtman, M.D.",KY,Healthcare Provider,2376,2012-10-12,Theft,Other Portable Electronic Device,FALSE,"The covered entity (CE), offices of Alexander J. Tikhtman, M.D., lost an unencrypted flash drive containing the electronic protected health information (ePHI) of 2,376 individuals. The flash drive was not recovered. The ePHI included patients' names, treatment and diagnostic information, and in some instances, dates of birth and social security numbers. 
The CE provided breach notification to the affected individuals, HHS, and the media. It also established a dedicated call center for questions related to the breach and offered free credit monitoring and identity theft services to individuals whose social security numbers were breached. The CE updated its privacy and security policies and procedures relating to the use, storage, and transmission of PHI. OCR obtained assurances that the CE completed the corrective action listed above." 552,Gulf Coast Health Care Services Inc,FL,Healthcare Provider,13000,2012-10-15,"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure",Network Server,FALSE,\N 553,"Blount Memorial Hospital, Inc",TN,Healthcare Provider,27799,2012-10-17,Theft,Laptop,FALSE,"The covered entity (CE), Blount Memorial Hospital, reported that a laptop computer containing the electronic protected health information (ePHI) of 27,799 individuals was stolen from a workforce member's home. The ePHI involved in the breach included demographic and other financial information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE reviewed its privacy and security policies and procedures, encrypted all of its laptops, and improved its HIPAA training. As a result of OCR's investigation, OCR provided technical assistance regarding the CE's security incident procedures and risk management plan. OCR also reviewed the CE's HIPAA policies and procedures that were created or revised in response to the breach." 554,"Alere Home Monitoring, Inc",CA,Healthcare Provider,116506,2012-10-18,Theft,Laptop,FALSE,\N 555,"Coastal home Respiratory, LLP",GA,Healthcare Provider,3440,2012-10-18,Theft,Other,FALSE,"Computers containing the electronic protected health information (ePHI) of 3,440 patients were stolen from the covered entity (CE), Coastal Home Respiratory, during a burglary. 
The ePHI included names, addresses, phone numbers, insurance identification numbers, social security numbers, and diagnoses. The computers were password protected and the data was encoded. The CE promptly notified law enforcement and provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE cancelled access passwords for patient data, and changed patient data software to a server based system that is password protected and encrypted. The CEs billing software vendor changed the CEs account numbers to prevent unauthorized access to the ePHI. The CE improved physical safeguards by installing a new alarm system. Following OCRs investigation, the CE also improved safeguards for PHI by implementing new procedures for activity reports, audit logs, and security reports." 556,"Philip P Corneliuson, DDS, INC.",CA,Healthcare Provider,980,2012-10-22,Theft,Desktop Computer,FALSE,\N 557,"First Step Counseling, Inc.",NJ,Healthcare Provider,638,2012-10-23,Theft,Paper/Films,FALSE,"Two of the covered entitys (CE) employees photocopied documents containing 638 patients protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCRs investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff. 
" 558,"Logan Community Resources, Inc.",IN,Healthcare Provider,2900,2012-10-23,Hacking/IT Incident,Network Server,FALSE,\N 559,CVS Caremark,RI,Healthcare Provider,955,2012-10-26,Theft,Paper/Films,FALSE,\N 560,Memorial Hospital,OH,Healthcare Provider,500,2012-10-29,Improper Disposal,Paper/Films,FALSE,\N 561,QUANTERION SOLUTIONS INC,NY,Business Associate,1017,2012-11-01,Theft,Network Server,TRUE,"An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entitys (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, drivers license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCRs investigation, the CE executed a BA agreement. \ \" 562,"University of Illinois, College of Nursing",IL,Business Associate,508,2012-11-02,Theft,Paper/Films,TRUE,\N 563,Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center,FL,Healthcare Provider,2560,2012-11-05,Theft,Electronic Medical Record,FALSE,\N 564,"WYATT DENTAL GROUP, LLC",LA,Healthcare Provider,10271,2012-11-05,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,FALSE,\N 565,Women & Infants Hospital of Rhode Island,RI,Healthcare Provider,14004,2012-11-05,Loss,Other,FALSE,\N 566,Memorial Health System,CO,Healthcare Provider,6262,2012-11-07,Loss,Paper/Films,FALSE,\N 567,CHRISTUS St. John Hospital,TX,Healthcare Provider,5748,2012-11-16,Loss,Other Portable Electronic Device,FALSE,\N 568,L.A. 
Care Health Plan,CA,Health Plan,18000,2012-11-17,Other,Other,FALSE,\N 569,"Hawaii State Department of Health, Adult Mental Health Division",HI,Healthcare Provider,674,2012-11-20,Hacking/IT Incident,Desktop Computer,FALSE,\N 570,"Soundental Associates, PC",CT,Healthcare Provider,14511,2012-11-21,Theft,Other Portable Electronic Device,FALSE,\N 571,"Original Medicine Acupuncture & Wellness, LLC",NM,Healthcare Provider,540,2012-11-21,Theft,Laptop,FALSE,\N 572,Brigham and Women's Hospital,MA,Healthcare Provider,615,2012-11-26,Theft,Desktop Computer,FALSE,\N 573,"Advantage Health Solutions, Inc.",IN,Business Associate,2575,2012-11-26,Other,Other,TRUE,\N 574,"James M. McGee, D.M.D., P.C.",GA,Healthcare Provider,1306,2012-11-27,Theft,Paper/Films,FALSE,\N 575,Robbins Eye Center PC,CT,Healthcare Provider,1749,2012-11-28,Theft,Desktop Computer,FALSE,\N 576,"Advanced Data Processing, Inc.",FL,Healthcare Clearing House,10000,2012-11-29,Theft,Desktop Computer,FALSE,\N 577,Cuyahoga County Board of Developmental Disabilities,OH,Healthcare Provider,613,2012-11-29,Theft,Laptop,FALSE,\N 578,Blue Cross Blue Shield,IL,Business Associate,500,2012-11-29,Unauthorized Access/Disclosure,Network Server,TRUE,\N 579,Vidant Pungo Hospital,NC,Healthcare Provider,1100,2012-11-29,Improper Disposal,Paper/Films,FALSE,\N 580,County of San Bernardino Department of Public Heatlh,CA,Healthcare Provider,1370,2012-11-29,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 581,ADPI-West,CA,Business Associate,1500,2012-11-29,"Theft, Unauthorized Access/Disclosure",Desktop Computer,TRUE,\N 582,Landmark Medical Center,RI,Healthcare Provider,683,2012-11-30,Theft,Laptop,FALSE,\N 583,University of Virginia Medical Center,VA,Healthcare Provider,1846,2012-11-30,Loss,Other Portable Electronic Device,FALSE,\N 584,Carolinas Medical Center - Randolph,NC,Healthcare Provider,5600,2012-12-07,Hacking/IT Incident,Email,FALSE,\N 585,"Coastal Behavioral Healthcare, Inc.",FL,Healthcare 
Provider,4907,2012-12-07,Theft,Paper/Films,FALSE,"OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop. The CE indicated the four pages were likely part of a larger report and may have contained the PHI of 4,907 individuals. The PHI involved in the breach included names, social security numbers, dates of birth, and other identifiers. The CE provided breach notification to the affected individuals, HHS, and the media. Following the breach, the CE hired a cybersecurity firm to perform a network audit and to conduct a security risk assessment. The CE also improved safeguards by restricting physical access to its information technology department, implementing a new electronic health record system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the breach. OCR obtained assurances that the CE implemented the corrective action listed above." 586,"CCS Medical, Inc.",TX,Healthcare Provider,6601,2012-12-10,Unauthorized Access/Disclosure,"Network Server, Other",FALSE,\N 587,Columbia University Medical Center and NewYork-Presbyterian Hospital,NY,Healthcare Provider,4929,2012-12-14,Theft,Desktop Computer,FALSE,\N 588,Health Advantage,AR,Health Plan,2863,2012-12-20,Other,Paper/Films,FALSE,\N 589,Westerville Dental Center,OH,Healthcare Provider,850,2012-12-20,Theft,"Laptop, Network Server",FALSE,\N 590,"HealthPlus, Amerigroup",NY,Business Associate,28187,2012-12-21,Unauthorized Access/Disclosure,Other,TRUE,\N 591,"Center for Orthopedic Research and Education, Inc.",AZ,Healthcare Provider,35488,2012-12-21,Theft,Paper/Films,FALSE,\N 592,Calif. Dept.
of Health Care Services (DHCS),CA,Health Plan,2643,2012-12-23,Unauthorized Access/Disclosure,Other,FALSE,\N 593,Richard Switzer MD PC,MI,Healthcare Provider,4100,2012-12-23,Other,Laptop,FALSE,\N 594,Gibson General Hospital,IN,Healthcare Provider,28893,2012-12-26,Theft,Laptop,FALSE,\N 595,"Sovereign Medical Group, LLC",NJ,Healthcare Provider,27800,2012-12-27,"Hacking/IT Incident, Theft",Network Server,FALSE,\N 596,HP Enterprise Services,KY,Business Associate,1090,2012-12-28,Theft,Laptop,TRUE,"An employee of a subcontractor for the covered entity's (CE) Business Associate (BA) responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor. In violation of the subcontractor BA's policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions. The CE, through its BA, provided breach notification to HHS, affected individuals, and the media, and provided substitute notice. The BA also offered a year of credit monitoring to those affected. In response to the incident, the subcontractor improved safeguards by initiating laptop audits to ensure PHI is not stored on them, re-trained employees, and applied employee sanctions by terminating the employee who failed to follow its policy. OCR obtained assurances that the corrective action listed above was completed." 597,"Clearpoint Design, Inc.",MA,Business Associate,4343,2012-12-28,Hacking/IT Incident,Network Server,TRUE,\N 598,"Omnicell, Inc.",CA,Business Associate,56820,2012-12-31,Theft,Laptop,TRUE,"An electronic medication dispensing device was stolen from the locked car of an Omnicell employee. Omnicell is a business associate (BA) of the covered entity (CE), Sentara.
The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CE's patients. Breach notification was provided to HHS, the media and affected individuals. The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards. The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members. As a result of OCR's investigation, OCR obtained an executive summary of the BA's risk analysis and a copy of the CE's most recent risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 599,St. Mark's Medical Center,TX,Healthcare Provider,2988,2012-12-31,Hacking/IT Incident,Desktop Computer,FALSE,\N 600,Group Health Incorporated,NY,Health Plan,1771,2013-01-02,Theft,Paper/Films,FALSE,"OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers.
As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one-year subscription for credit monitoring." 601,"Calvin Schuster,MD",CA,Healthcare Provider,532,2013-01-04,Theft,Desktop Computer,FALSE,\N 602,"Clearpoint Design, Inc.",MA,Business Associate,4125,2013-01-07,Hacking/IT Incident,Network Server,TRUE,\N 603,University of Nevada School of Medicine,NV,Healthcare Provider,1483,2013-01-08,Improper Disposal,Paper/Films,FALSE,\N 604,WorkflowOne,OH,Business Associate,635,2013-01-08,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 605,SilverScript Insurance Company,AZ,Health Plan,852,2013-01-08,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 606,"Clearpoint Design, Inc.",MA,Business Associate,7250,2013-01-10,Hacking/IT Incident,Network Server,TRUE,\N 607,Pousson Family Dentistry,LA,Healthcare Provider,1400,2013-01-10,Theft,Laptop,FALSE,\N 608,"Clearpoint Design, Inc.",MA,Business Associate,4100,2013-01-10,Hacking/IT Incident,Network Server,TRUE,\N 609,"Lee D. Pollan, DMD, PC",NY,Healthcare Provider,19178,2013-01-11,Theft,Laptop,FALSE,"OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices."
610,Washington University School of Medicine,MO,Healthcare Provider,1105,2013-01-11,Theft,Laptop,FALSE,\N 611,Riderwood Village,MD,Healthcare Provider,3230,2013-01-17,Theft,Laptop,FALSE,"OCR opened an investigation of the covered entity (CE), Riderwood Senior Living Community, after it reported that five laptop computers (four of which were unencrypted) containing the electronic protected health information (ePHI) of 8,507 individuals were stolen from the facility's physical therapy department. The ePHI included names, dates of birth, addresses, Health plan ID numbers, and discussions of therapy treatments. Upon discovering the breach, the CE filed a police report, mailed individual notice of the breach to all current and former Riderwood residents and affected health plan members, issued a press release to seven media outlets, posted substitute notice on its website for 90 days, and reported the breach to HHS. Following this breach, the CE encrypted laptops, revised security procedures, and retrained employees. OCR obtained written assurance that the CE implemented the corrective action listed above as well as new security policies and procedures to ensure adequate safeguards of ePHI." 612,WAYNE MEMORIAL HOSPITAL,PA,Healthcare Provider,1184,2013-01-18,Loss,Other,FALSE,\N 613,Baptist Health System,TX,Healthcare Provider,678,2013-01-22,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N 614,BlueCross BlueShield of Western New York,NY,Business Associate,725,2013-01-22,Theft,Paper/Films,TRUE,"OCR opened an investigation of the covered entity (CE), Baillie Lumber Co. Group Health Plan, after it reported its business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers.
The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the BA contacted the U.S. Post Office to inquire about the package that contained the invoices that the CE never received. As a result of OCR's investigation, the BA revised its invoice process and removed social security numbers and member identification numbers from its invoices. The BA also improved safeguards by changing its mailing procedures to send invoices to the CE via secure email. The breach involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 615,The University of Texas MD Anderson Cancer Center,TX,Healthcare Provider,29021,2013-01-24,Theft,Laptop,FALSE,\N 616,"Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics",WI,Healthcare Provider,2400,2013-01-25,Theft,Paper/Films,FALSE,\N 617,RR Donnelley (a sub-BA for UnitedHealth Group),IL,Business Associate,8911,2013-01-30,Theft,Desktop Computer,TRUE,\N 618,Kmart Pharmacy #7623,LA,Business Associate,16988,2013-01-31,Improper Disposal,Paper/Films,TRUE,\N 619,Community Services NW,AL,Healthcare Provider,2400,2013-02-02,Theft,Desktop Computer,FALSE,\N 620,LifeGas,GA,Business Associate,1103,2013-02-04,Theft,Laptop,TRUE,\N 621,Yadkinville Chiropractic DCPA,NC,Business Associate,1000,2013-02-06,Theft,Desktop Computer,TRUE,\N 622,West Georgia Ambulance,GA,Healthcare Provider,500,2013-02-11,Loss,Laptop,FALSE,\N 623,"Center for Pain Management, LLC",MD,Healthcare Provider,5822,2013-02-12,Theft,Laptop,FALSE,"Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management. The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals.
The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches. Identity Force mailed notification letters to all affected individuals and provided identity theft insurance and credit monitoring services for one year. The CE also posted the breach notification on its website and notified the media. The CE engaged the services of an information technology firm to update its devices and computer network. OCR obtained assurances that the corrective action listed above was completed." 624,"Coast Healthcare Management, LLC",CA,Business Associate,1368,2013-02-12,"Other, Theft",Paper/Films,TRUE,\N 625,Froedtert Health,WI,Healthcare Provider,43549,2013-02-12,Unauthorized Access/Disclosure,Other,FALSE,\N 626,Jackson Health System,FL,Healthcare Provider,566,2013-02-13,Other,Paper/Films,FALSE,\N 627,"Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl",MA,Healthcare Provider,716,2013-02-14,Theft,Other Portable Electronic Device,FALSE,\N 628,"HomeCare of Mid-Missouri, Inc.",MO,Healthcare Provider,4027,2013-02-14,Theft,Laptop,FALSE,\N 629,Heyman HospiceCare at Floyd,GA,Healthcare Provider,1819,2013-02-15,Theft,Laptop,FALSE,\N 630,ABQ HealthPartners,NM,Healthcare Provider,778,2013-02-17,Theft,Laptop,FALSE,\N 631,Terrell County Health Department,GA,Healthcare Provider,18000,2013-02-18,Unauthorized Access/Disclosure,Network Server,FALSE,\N 632,"DentaQuest of Florida, LLC",MA,Business Associate,3667,2013-02-19,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 633,Stronghold Counseling Services Inc,SD,Healthcare Provider,8500,2013-02-21,Theft,Desktop Computer,FALSE,\N 634,Arizona Oncology,AZ,Healthcare Provider,501,2013-02-21,Theft,Laptop,FALSE,\N 635,Crescent Health Inc. 
- a Walgreens Company,CA,Healthcare Provider,109000,2013-02-22,Theft,Desktop Computer,FALSE,\N 636,"County of San Bernardino, Department of Behavioral Health",CA,Health Plan,686,2013-02-25,Theft,Paper/Films,FALSE,\N 637,"WOMENS HEALTH ENTERPRISE, INC.",GA,Healthcare Provider,3000,2013-02-27,Theft,Laptop,FALSE,\N 638,Standard Register,OH,Business Associate,2261,2013-03-01,Theft,Paper/Films,TRUE,"OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI." 639,Health Plus Amerigroup,NY,Business Associate,28187,2013-03-01,Theft,Other Portable Electronic Device,TRUE,"The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues." 640,Plexus Group,IL,Business Associate,500,2013-03-01,Unauthorized Access/Disclosure,Other,TRUE,\N 641,South Miami Hospital,FL,Healthcare Provider,834,2013-03-02,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N 642,Lancaster General Medical Group,PA,Healthcare Provider,527,2013-03-04,Theft,Paper/Films,FALSE,"A spreadsheet containing the protected health information (PHI) of 527 individuals was stolen from one of the covered entity's (CE) locations. The PHI involved in the breach included names and dates of birth.
Following the breach, the CE notified the local police, provided breach notification to HHS, the media, and the affected individuals, and offered identity protection services to the individuals. The CE attempted to retrieve the PHI. As a result of OCR's investigation, the CE reviewed its policies to prevent a similar incident from occurring in the future." 643,Maine Medical Center,ME,Healthcare Provider,1920,2013-03-04,Other,Email,FALSE,\N 644,North Los Angeles County Regional Center ,CA,Business Associate,18162,2013-03-04,Theft,Laptop,TRUE,\N 645,Goold Health System (Goold),MA,Business Associate,6332,2013-03-06,Loss,Other Portable Electronic Device,TRUE,\N 646,Sports Rehabilitation Consultants,OH,Healthcare Provider,1200,2013-03-06,Theft,Desktop Computer,FALSE,\N 647,University of Connecticut Health Center,CT,Healthcare Provider,1382,2013-03-08,Unauthorized Access/Disclosure,Network Server,FALSE,\N 648,"United HomeCare Services, Inc.",FL,Healthcare Provider,12299,2013-03-09,Theft,Laptop,FALSE,\N 649,Patterson Dental Supply/Patterson Companies,MN,Business Associate,6400,2013-03-12,Hacking/IT Incident,Network Server,TRUE,\N 650,Connextions c/o Anthem BCBS,IN,Business Associate,1678,2013-03-14,"Theft, Unauthorized Access/Disclosure",Network Server,TRUE,\N 651,Mount Sinai Medical Center,FL,Healthcare Provider,628,2013-03-15,Theft,"Desktop Computer, Paper/Films",FALSE,\N 652,"Thomas L. Davis, Jr.
DDS",OR,Healthcare Provider,3269,2013-03-15,Theft,"Desktop Computer, Electronic Medical Record",FALSE,\N 653,"HealthCare for Women, Inc.",MA,Healthcare Provider,8727,2013-03-20,Hacking/IT Incident,Network Server,FALSE,\N 654,University of Mississippi Medical Center,MS,Healthcare Provider,500,2013-03-21,Loss,Laptop,FALSE,\N 655,Granger Medical Clinic,UT,Healthcare Provider,2600,2013-03-22,"Loss, Other, Theft",Paper/Films,FALSE,\N 656,Texas Tech Unversity Health Sciences Center,TX,Healthcare Provider,697,2013-03-22,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 657,Rite Aid #10217,RI,Healthcare Provider,2082,2013-03-29,"Other, Unknown",Paper/Films,FALSE,\N 658,"Sunil Kakar, Psy.D.",WA,Business Associate,629,2013-03-29,Theft,Laptop,TRUE,\N 659,"QuickRunner, Inc. (dba, RoadRunner Mailing Services)",CA,Business Associate,2400,2013-03-29,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 660,"Shands Jacksonville Medical Center, Inc.",FL,Healthcare Provider,1025,2013-04-02,Theft,Electronic Medical Record,FALSE,"A clinical intern at the covered entity (CE), University of Florida Health Jacksonville (UFHJ) (formerly Shands Jacksonville Medical Center), took photographs of protected health information (PHI) and emailed the PHI to an unauthorized third person for the purpose of filing fraudulent tax returns. The PHI included the names, addresses, social security numbers, dates of birth, and treatment information of 1,025 individuals. Law enforcement agencies that learned of the breach informed the CE and requested delays of breach notification. The CE later provided breach notification to affected individuals, HHS, and the media, and offered affected individuals one year of free identity theft protection. Following the breach, the CE sanctioned two workforce members who had allowed the intern, who was no longer at the CE, to use their credentials to access the electronic medical records in violation of its policies. 
The CE also retrained workforce members on its privacy policies; increased access restrictions to social security numbers; and ended its clinic-based internships. OCR provided technical assistance and obtained assurances of the CEs plan to update its breach notification policies and procedures. " 661,University of Florida,FL,Healthcare Provider,14519,2013-04-03,"Other, Theft, Unauthorized Access/Disclosure",Network Server,FALSE,\N 662,Kmart Corporation,IL,Healthcare Provider,12542,2013-04-03,Theft,Electronic Medical Record,FALSE,\N 663,PORTAL HEALTHCARE SOLUTIONS LLC,VA,Business Associate,2360,2013-04-04,Theft,Network Server,TRUE,"The covered entitys (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. As a result of OCRs investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CEs ePHI." 664,Hospice and Palliative Care Center of Alamance Caswell,NC,Healthcare Provider,5370,2013-04-04,"Theft, Unauthorized Access/Disclosure","Laptop, Paper/Films",FALSE,\N 665,"Texas Health Care, P.L.L.C.",TX,Healthcare Provider,554,2013-04-05,Theft,Paper/Films,FALSE,\N 666,TMG Health ,PA,Business Associate,3794,2013-04-05,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 667,Wm. 
Jennings Bryan Dorn VAMC,SC,Healthcare Provider,7405,2013-04-10,Theft,Laptop,FALSE,"A laptop computer contained the protected health information (PHI) of approximately 7,405 individuals was stolen from the Pulmonary Testing Unit of the William Jennings Bryan Dorn Veterans Affairs Medical Center, the covered entity (CE). The PHI involved in the breach included names, dates of birth, and clinical information. The CE provided breach notice to HHS, the media and affected individuals and provided substitute notification on its website. It also offered affected individuals credit monitoring services including identity theft protection for one year. The CE also filed a report with the VA police and VA Office of Inspector General (OIG). In response to the breach, the CE improved safeguards by physically protecting all laptops attached to medical testing devices and established policies and procedures requiring clinic staff to securely store and purge all personally identifiable information from such medical devices. As a result of OCRs investigation, OCR obtained assurances that the corrective actions listed above were completed." 668,John J. Pershing VA Medical Center,MO,Healthcare Provider,589,2013-04-11,Theft,Paper/Films,FALSE,"OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. 
Substitute notification was provided through a posting on the CEs main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. \ \" 669,Oregon Health & Science University,OR,Healthcare Provider,1076,2013-04-11,Theft,Laptop,FALSE,\N 670,Schneck Medical Center,IN,Healthcare Provider,3131,2013-04-12,Unauthorized Access/Disclosure,Other,FALSE,\N 671,The Guidance Center of Westchester,NY,Healthcare Provider,1416,2013-04-17,Theft,Desktop Computer,FALSE,\N 672,Hope Hospice,TX,Healthcare Provider,818,2013-04-25,Other,Email,FALSE,\N 673,"IHC Health Services, Inc. 
dba Intermountain Life Flight",UT,Healthcare Provider,857,2013-04-26,Unauthorized Access/Disclosure,Other,FALSE,\N 674,Valley Mental Health,UT,Healthcare Provider,700,2013-04-26,Theft,Desktop Computer,FALSE,\N 675,ZDI,CA,Business Associate,14829,2013-04-29,Loss,Paper/Films,TRUE,\N 676,Raleigh Orthopaedic Clinic,NC,Healthcare Provider,17300,2013-04-30,"Improper Disposal, Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 677,Laboratory Corporation of America,NC,Healthcare Provider,1580,2013-05-01,Theft,Desktop Computer,FALSE,\N 678,"Arizona Counseling & Treatment Services, LLC",AZ,Healthcare Provider,3800,2013-05-01,Theft,Other Portable Electronic Device,FALSE,\N 679,Wood County Hospital,OH,Healthcare Provider,2500,2013-05-03,Theft,Other,FALSE,\N 680,University of Rochester Medical Center & Affiliates,NY,Healthcare Provider,537,2013-05-06,Loss,Other Portable Electronic Device,FALSE,\N 681,AssuranceMD f/k/a Harbor Group,PA,Business Associate,22000,2013-05-07,Theft,Other Portable Electronic Device,TRUE,"An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brookers business associate, AssuranceMD, and a subcontracted electronic medical records storage company. The ePHI involved in the breach included patients names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers. Dr. Brooker provided breach notification to HHS and affected individuals. Following the breach he updated his HIPAA policies and procedures. OCR obtained assurances that the corrective action steps listed above were completed. Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice. 
\ \" 682,Digital Archive Management,TX,Business Associate,189489,2013-05-07,Improper Disposal,Paper/Films,TRUE,\N 683,Seattle - King County Department of Public Health,WA,Healthcare Provider,750,2013-05-07,Improper Disposal,Paper/Films,FALSE,\N 684,Regional Medical Center,TN,Healthcare Provider,1180,2013-05-07,Unauthorized Access/Disclosure,Email,FALSE,\N 685,"E-dreamz, Inc.",NC,Business Associate,9988,2013-05-08,Hacking/IT Incident,Network Server,TRUE,\N 686,"North Atlantic Telecom, Inc.",TN,Business Associate,539,2013-05-08,Other,Desktop Computer,TRUE,\N 687,"E-dreamz, Inc.",NC,Business Associate,1924,2013-05-10,Hacking/IT Incident,Network Server,TRUE,\N 688,Indiana University Health Arnett,IN,Healthcare Provider,10350,2013-05-13,Theft,Laptop,FALSE,\N 689,"Dent Neurologic Group, LLP",NY,Healthcare Provider,10000,2013-05-14,Other,Email,FALSE,\N 690,City of Norwood,OH,Healthcare Provider,9577,2013-05-20,Loss,Laptop,FALSE,\N 691,Lutheran Social Services of South Central Pennsylvania,PA,Healthcare Provider,7803,2013-05-20,Hacking/IT Incident,Network Server,FALSE,\N 692,Just the Connection Inc,IN,Business Associate,5388,2013-05-20,Improper Disposal,Other,TRUE,\N 693,Erskine Family Dentistry,IN,Healthcare Provider,2723,2013-05-21,Hacking/IT Incident,Desktop Computer,FALSE,\N 694,Health Resources of Arkansas,AR,Healthcare Provider,1900,2013-05-23,"Theft, Unauthorized Access/Disclosure",Other,FALSE,\N 695,SynerMed / Inland Valleys IPA,CA,Business Associate,3164,2013-05-24,Theft,Laptop,TRUE,\N 696,Independence Care System,NY,Health Plan,2434,2013-05-24,Theft,Laptop,FALSE,\N 697,Sonoma Valley Hospital,CA,Healthcare Provider,1386,2013-05-24,Other,Other,FALSE,\N 698,Bon Secours Mary Immaculate Hospital,VA,Healthcare Provider,5764,2013-05-29,Theft,Electronic Medical Record,FALSE,"The covered entity (CE), Bon Secours Health System, discovered that two Certified Nursing Assistants (CNAs) impermissibly electronically accessed the medical records of approximately 5,764 patients 
during the prior 12 months. The protected health information (PHI) contained in the breach included patients' names, social security numbers, dates of birth, addresses, clinical information, and other identifiers. The CE provided breach notification to HHS, affected individuals and the media. Following the breach, the CE conducted a full investigation, sanctioned the two CNAs, revoked their access to the electronic medical record system and subsequently terminated both employees for their actions. Following the CE's reports to law enforcement and the state department of health professions, the two former employees plead guilty to Federal misdemeanor charges and had their professional certifications revoked. OCR reviewed the CE's most recent risk assessment and confirmed that all identified risks are to be addressed by December 2014 according to the CE's Risk Management Plan. As a result of OCR's investigation, the CE pursued prosecution of the CNAs and provided credit monitoring services to the affected individuals."
699,University of Florida,FL,Healthcare Provider,5875,2013-05-30,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,FALSE,\N
700,"Community Support Services, Inc.",OH,Healthcare Provider,1167,2013-06-03,Theft,Email,FALSE,\N
701,UMASSAmherst,MA,Healthcare Provider,1670,2013-06-05,Hacking/IT Incident,Desktop Computer,FALSE,\N
702,Palm Beach County Health Department,FL,Healthcare Provider,877,2013-06-11,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N
703,Lucile Packard Children's Hospital,CA,Healthcare Provider,12900,2013-06-13,Theft,Laptop,FALSE,\N
704,Fayetteville VAMC,NC,Healthcare Provider,1093,2013-06-14,Theft,Paper/Films,FALSE,"The covered entity (CE), Fayetteville VA Medical Clinic Optical Shop, impermissibly disclosed the protected health information (PHI) of approximately 1,094 individuals by placing consultation reports in the recycling bin rather than the shredding bin.
The PHI involved in the breach included patients' names, social security numbers, birthdates, addresses, and phone numbers. The CE provided breach notification to all patients seen in the facility since the origination of the breach, HHS, and the media. The CE conducted an investigation and removed documents containing PHI from the recycle bin and shredded them according to the CE's procedure. The CE provided evidence that it provided additional training regarding security of PHI and disposal methods for documents that contained PHI for Optical Shop workforce members. In addition, the CE improved safeguards by placing a document shredder on-site. The responsible staff member was sanctioned according to the CE policy. OCR obtained assurances that the corrective actions listed above were completed."
705,Lincoln County Health and Human Services/Lincoln Community Health Center,OR,Healthcare Provider,959,2013-06-14,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
706,Union Security Insurance Company,MO,Health Plan,1127,2013-06-17,Improper Disposal,Email,FALSE,\N
707,"Gulf Breeze Family Eyecare, Inc",FL,Healthcare Provider,9626,2013-06-17,"Theft, Unauthorized Access/Disclosure","Desktop Computer, Electronic Medical Record, Email, Network Server, Paper/Films",FALSE,\N
708,Jacksonville Spine Center,FL,Healthcare Provider,5200,2013-06-24,Theft,Paper/Films,FALSE,"The covered entity (CE), Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error. The mailing resulted in some individuals receiving correspondence with another patient's name on the envelope. The only PHI involved in the breach was patients' names. The CE provided breach notification to HHS, the media and affected individuals. The notice to individuals requested that patients either return the envelope to the CE or destroy the envelope.
As a result of this incident, the CE issued a written warning to the responsible workforce member pursuant to the CE's sanction policy. Moreover, the CE implemented additional safeguards including the checking of data file integrity prior to sending mailings. OCR obtained assurances that the CE implemented the corrective action listed above."
709,Iowa Department of Human Services,IA,Healthcare Provider,7335,2013-06-26,"Loss, Unknown",Other,FALSE,\N
710,James A. Fosnaugh,NE,Healthcare Provider,2125,2013-06-26,Loss,Other Portable Electronic Device,FALSE,\N
711,Lone Star Circle of Care,TX,Healthcare Provider,1955,2013-06-28,Theft,Laptop,FALSE,\N
712,Alberto Gerardo Vazquez Rivera,PR,Business Associate,679,2013-06-28,Theft,Laptop,TRUE,"An encrypted laptop computer was stolen from an AFLAC associate's vehicle in Puerto Rico. The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses. The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media. The responsible workforce member was sanctioned. OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted."
713,RCR Technology Corporation,IN,Business Associate,187533,2013-07-01,Other,Paper/Films,TRUE,\N
714,CVS Caremark,AZ,Business Associate,4305,2013-07-02,Theft,Paper/Films,TRUE,"Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media.
Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above."
715,"Health Net, Inc.",CA,Health Plan,8331,2013-07-02,Other,Paper/Films,FALSE,\N
716,"South Florida Neurology Associates, P.A.",FL,Healthcare Provider,900,2013-07-03,Theft,Laptop,FALSE,\N
717,Samaritan Regional Health System,OH,Healthcare Provider,2203,2013-07-03,Theft,Paper/Films,FALSE,"The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above."
718,MED-EL Coproration,NC,Healthcare Provider,609,2013-07-05,Other,Email,FALSE,\N
719,Nelson Family of Companies,CA,Business Associate,4479,2013-07-05,Unauthorized Access/Disclosure,Email,TRUE,\N
720,Family Health Network,IL,Business Associate,3133,2013-07-08,Other,Paper/Films,TRUE,\N
721,ZDI,CA,Business Associate,4718,2013-07-10,Loss,Paper/Films,TRUE,\N
722,"Medtronic, Inc.",MN,Healthcare Provider,2764,2013-07-10,Theft,Paper/Films,FALSE,"The covered entity (CE), Medtronic, misplaced a box of paper records containing the protected health information (PHI) of approximately 2,764 individuals. The box contained patient pump training records, including a checklist of training received, patients' names, device serial numbers, phone numbers, and, in some cases, email addresses.
Some of the records may also have included social security numbers, medical necessity forms, physician orders, and copies of documents from one patient's medical record. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved safeguards by redesigning its records tracking procedures and installing software with additional box tracking capabilities. OCR obtained assurances that the CE implemented the corrective action listed above."
723,Shred-it International Inc.,TX,Business Associate,277014,2013-07-11,Improper Disposal,Other,TRUE,\N
724,Long Beach Memorial Medical Center,CA,Healthcare Provider,2864,2013-07-11,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
725,People Resource Corporation,MO,Business Associate,4560,2013-07-15,Unauthorized Access/Disclosure,Other,TRUE,\N
726,Harris County,TX,Health Plan,21000,2013-07-16,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N
727,Jesle Kuizon,CA,Business Associate,800,2013-07-18,"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure","Desktop Computer, Network Server",TRUE,\N
728,"GEO Care, LLC",FL,Healthcare Provider,710,2013-07-19,Theft,Desktop Computer,FALSE,"The FBI notified the covered entity (CE), GEO Care, that a GEO Care employee, inappropriately accessed the patient admission reports of approximately 710 patients at South Florida State Hospital and provided them to a third party, the employee's cousin, without authorization. The employee's cousin then attempted to sell the reports for an illegal purpose. The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, admission dates, discharge dates, and patients' unit names. The CE provided breach notification to HHS, the media, and posted substitute notice on its website. It also offered identity theft protection to the affected individuals.
The responsible staff member was terminated according to the CE's policy and has also been criminally indicted. Following the breach, the CE improved safeguards by limiting the use of full social security numbers, restricting access to documents, and performing weekly audits of those workforce members who access documents with full social security numbers. Additionally, the CE updated its privacy and security policies and procedures and developed new policies and procedures. It also revised its policies for employee access to electronic PHI based on job title and function, and provided retraining to employees regarding access and disclosure of PHI. OCR obtained assurances that the corrective actions listed above were completed."
729,The Brookdale Hospital and Medical Center,NY,Healthcare Provider,2700,2013-07-20,Loss,Other Portable Electronic Device,FALSE,\N
730,Louisiana State University Health Care Services Division,LA,Healthcare Provider,6994,2013-07-22,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N
731,Oregon Health & Science University,OR,Healthcare Provider,1361,2013-07-28,Unauthorized Access/Disclosure,Other,FALSE,\N
732,"Rocky Mountain Spine Clinic, P.C.",CO,Healthcare Provider,532,2013-07-31,"Theft, Unauthorized Access/Disclosure",Network Server,FALSE,\N
733,"Vitreo-Retinal Medical Group, Inc. ",CA,Healthcare Provider,1837,2013-08-02,Theft,Laptop,FALSE,\N
734,Health Resources of Arkansas,AR,Business Associate,1911,2013-08-05,Theft,Laptop,TRUE,\N
735,Baylor All Saints Medical Center at Fort Worth,TX,Healthcare Provider,940,2013-08-05,Unauthorized Access/Disclosure,Other Portable Electronic Device,FALSE,\N
736,M2ComSys Inc.,NV,Business Associate,32151,2013-08-08,Unauthorized Access/Disclosure,Network Server,TRUE,\N
737,Young Family Medicine Inc.,OH,Healthcare Provider,2045,2013-08-12,Theft,Laptop,FALSE,\N
738,Hancock OB/GYN,IN,Healthcare Provider,1396,2013-08-12,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
739,Anthem BCBS of GA,IN,Business Associate,5497,2013-08-13,Theft,Other,TRUE,"The covered entity's (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CE's business associate (BA). This breach affected approximately 5,497 individuals and included demographic information. Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals. The CE also sent a memorandum and its corrective action/sanction policy to the account managers staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative. OCR obtained assurances that the CE implemented the corrective action listed above."
740,"InfoCrossing, Inc.",MO,Business Associate,1357,2013-08-13,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
741,Foundations Recovery Network,TN,Healthcare Provider,5690,2013-08-15,Theft,Laptop,FALSE,\N
742,California Correctional Health Care Services,CA,Healthcare Provider,1033,2013-08-16,Other,Paper/Films,FALSE,\N
743,North Texas Comprehensive Spine & Pain Center,TX,Healthcare Provider,3200,2013-08-19,"Loss, Theft",Other Portable Electronic Device,FALSE,\N
744,Minne-Tohe Health Center/Elbowoods Memorial Health Center,ND,Health Plan,10000,2013-08-21,"Improper Disposal, Unauthorized Access/Disclosure","Desktop Computer, Other",FALSE,\N
745,Jackson Health System,FL,Healthcare Provider,1471,2013-08-22,Other,Paper/Films,FALSE,\N
746,"Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group",IL,Healthcare Provider,4029530,2013-08-23,Theft,Desktop Computer,FALSE,\N
747,"Summit Community Care Clinic, Inc.",CO,Healthcare Provider,921,2013-08-27,Hacking/IT Incident,Desktop Computer,FALSE,\N
748,UT Physicians,TX,Healthcare Provider,596,2013-08-28,"Loss, Theft",Laptop,FALSE,\N
749,"Cogent Healthcare, Inc.",TN,Business Associate,32000,2013-08-30,Theft,Network Server,TRUE,"Cogent Healthcare, Inc., a business associate (BA) providing management services for 24 providers of hospitalist services, submitted a breach report to HHS on behalf of these covered entities. The BA's privacy officer found that protected health information (PHI) for which the BA was responsible was accessible on a File Transfer Protocol (FTP) Internet site. The PHI involved in the breach affected approximately 32,151 individuals and included patients' names, physicians' names, dates of birth, diagnoses, treatment summaries, medical histories, medical record numbers and related information. OCR determined that the reporting entity is a BA and the incident occurred prior to the September 23, 2013, enforcement date.
OCR provided the BA with technical assistance regarding current HIPAA Privacy and Security Rule BA requirements."
750,Atlanta Center for Reproductive Medicine,GA,Healthcare Provider,654,2013-08-30,Other,Email,FALSE,\N
751,St. Anthony's Physician Organization,MO,Healthcare Provider,2600,2013-08-30,Theft,"Laptop, Other Portable Electronic Device",FALSE,\N
752,Janna Benkelman LPC LLC,CO,Healthcare Provider,1500,2013-09-03,Theft,Laptop,FALSE,\N
753,Olson & White Orthodontics,MO,Healthcare Provider,10000,2013-09-03,Theft,"Desktop Computer, Network Server",FALSE,\N
754,Kaiser Foundation Health Plan of the Northwest,OR,Health Plan,647,2013-09-03,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
755,"Hankyu Chung, M.D.",CA,Healthcare Provider,2182,2013-09-06,Theft,Laptop,FALSE,\N
756,"ICS Collection Service, Inc.",IL,Business Associate,1290,2013-09-06,Hacking/IT Incident,Other,TRUE,\N
757,PHMHS,PR,Business Associate,5000,2013-09-11,Theft,Network Server,TRUE,"Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.
OCR provided technical assistance to assist the CE in understanding its obligations under the Privacy and Security Rules regarding BA agreements."
758,"NHC HealthCare, Oak Ridge",TN,Healthcare Provider,4268,2013-09-13,Loss,Other,FALSE,\N
759,"NHC HealthCare, Mauldin",SC,Healthcare Clearing House,4204,2013-09-13,Improper Disposal,Other,FALSE,\N
760,Blackhawk Consulting Group,GA,Business Associate,2029,2013-09-13,Hacking/IT Incident,Network Server,TRUE,\N
761,Blackhawk Consulting Group,GA,Business Associate,998,2013-09-13,Hacking/IT Incident,Network Server,TRUE,\N
762,"South Shore Physicians, PC",NY,Healthcare Provider,8000,2013-09-16,Theft,Network Server,FALSE,\N
763,Dermatology Associates of Tallahassee,FL,Healthcare Provider,915,2013-09-16,Unknown,Other,FALSE,\N
764,Sierra View District Hospital,CA,Healthcare Provider,1009,2013-09-20,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
765,"InfoCrossing, Inc.",MO,Business Associate,25461,2013-09-20,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
766,Region Ten Community Services Board,VA,Healthcare Provider,10228,2013-09-26,Theft,Email,FALSE,"The covered entity (CE), Region Ten Community Services Board, reported that multiple employees had responded to an email, appearing to come from an internal sender, informing them that their mailboxes had exceeded limits and instructing them to follow a link to enter username and password. A forensic investigation was conducted which did not show that any sensitive client information was compromised. However, in an effort to mitigate any potential harm the CE sent notification to over 10,000 individuals, sent a press release to a local news station and also posted information about the occurrence on its website.
The CE engaged the services of a technology consulting firm and has provided OCR written assurance that it has implemented updates to its computer network including an additional firewall"
767,Comprehensive Podiatry LLC,OH,Healthcare Provider,1360,2013-09-27,Theft,Laptop,FALSE,\N
768,Santa Clara Valley Medical Center,CA,Healthcare Provider,579,2013-09-27,Theft,Laptop,FALSE,
769,Not Applicable ,CO,Business Associate,3512,2013-09-28,Theft,Laptop,TRUE,\N
770,"Carol L. Patrick, Ph.D.",OH,Healthcare Provider,517,2013-09-30,Theft,Network Server,FALSE,\N
771,HOPE Family Health,TN,Healthcare Provider,6932,2013-09-30,Theft,Laptop,FALSE,\N
772,UnityPoint Health Affiliated Covered Entity (UnityPoint),IA,Healthcare Provider,1825,2013-10-02,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
773,"Paragon Benefits, Inc.",GA,Business Associate,5232,2013-10-02,Theft,Email,TRUE,\N
774,"University of California, San Francisco",CA,Healthcare Provider,3553,2013-10-03,Theft,"Laptop, Paper/Films",FALSE,\N
775,"Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute",PA,Healthcare Provider,2350,2013-10-03,Theft,Paper/Films,FALSE,"An employee removed paper copies of daily patient schedules and two medical reports from the covered entity's (CE) transcription processing department without authorization upon her termination from employment. Approximately 2,300 individuals were affected by the breach. The protected health information (PHI) involved in the breach included patient names, telephone numbers, appointment dates and times, dates of birth, reasons for visits, visit sites, assigned staff/physician, chart numbers, insurance company codes and copays, encounter numbers, and treatment information. The CE provided breach notification to HHS, the media and affected individuals and provided one year of free credit monitoring to those who requested it.
Following the breach, the CE cooperated with local authorities in their arrest and prosecution of the involved employee. The CE updated its privacy policies and procedures, organized the policies into a HIPAA manual, and retrained 687 employees on its privacy policies and procedures. In response to OCR's investigation, the CE decided to replace its electronic medical records and practice management systems to improve safeguards for electronic PHI."
776,Group Health Cooperative,WA,Healthcare Provider,1015,2013-10-03,Other,Paper/Films,FALSE,\N
777,Schuylkill Health System,PA,Healthcare Provider,2810,2013-10-04,Theft,Laptop,FALSE,\N
778,CaroMont Medical Group,NC,Healthcare Provider,1310,2013-10-04,Other,Email,FALSE,\N
779,Mount SInai Medical Center,NY,Healthcare Provider,1586,2013-10-04,Improper Disposal,Paper/Films,FALSE,\N
780,Healthcare Management System ,TN,Business Associate,4330,2013-10-04,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
781,Saint Louis University,MO,Healthcare Provider,3100,2013-10-07,Unauthorized Access/Disclosure,Email,FALSE,\N
782,BlackHawk,IL,Business Associate,7120,2013-10-09,Hacking/IT Incident,Network Server,TRUE,\N
783,Ferris State University - MI College of Optometry,MI,Healthcare Provider,3947,2013-10-11,Hacking/IT Incident,Network Server,FALSE,\N
784,"Access Counseling, LLC",IN,Healthcare Provider,566,2013-10-14,Theft,Laptop,FALSE,\N
785,Rose Medical Center,CO,Healthcare Provider,606,2013-10-14,Improper Disposal,Paper/Films,FALSE,\N
786,BriovaRx,IL,Healthcare Provider,1067,2013-10-14,Unauthorized Access/Disclosure,Email,FALSE,\N
787,"North Country Hospital and Health Center, Inc",VT,Healthcare Provider,550,2013-10-15,Theft,Laptop,FALSE,\N
788,"Hope Community Resources, Inc.",AK,Healthcare Provider,1556,2013-10-16,Unauthorized Access/Disclosure,Email,FALSE,\N
789,Broward Health Medical Center,FL,Healthcare Provider,960,2013-10-17,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N
790,Mount Sinai Medical Center,NY,Healthcare Provider,610,2013-10-21,Loss,Other Portable Electronic Device,FALSE,\N
791,Texas Health Presbyterian Dallas Hospital,TX,Healthcare Provider,949,2013-10-22,Theft,Desktop Computer,FALSE,\N
792,Seton Healthcare Family,TX,Healthcare Provider,5500,2013-10-23,Theft,Laptop,FALSE,\N
793,PROFESSIONAL TRANSCRIPTION SERVICES,NY,Business Associate,37000,2013-10-25,Unauthorized Access/Disclosure,Network Server,TRUE,\N
794,Good Samaritan Hospital,CA,Healthcare Provider,3833,2013-10-25,Theft,Laptop,FALSE,"The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician. The protected health information (PHI) included the names and addresses of approximately 2,203 individuals. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings. OCR obtained assurances that the CE implemented the corrective action listed above."
795,SSM Health Care of Wisconsin DBA: St. Marys Janesville Hospital,WI,Healthcare Provider,631,2013-10-25,Theft,Laptop,FALSE,"A laptop computer containing protected health information (PHI) was stolen from the vehicle of a covered entity's (CE) workforce member. Approximately 633 individuals were affected by the breach. The PHI included patients' names, dates of birth, medical records, and account numbers. The CE immediately reported the laptop theft to the police. In response to the breach, the CE provided notice to HHS, the affected individuals, and the media. In addition, the CE encrypted all company laptops, re-trained each provider and employee in possession of a company laptop, and applied disciplinary policies to the employees involved in the incident. OCR obtained assurances that the covered entity implemented the corrective action listed above."
796,AHMC Healthcare Inc. and affiliated Hospitals,CA,Healthcare Provider,729000,2013-10-25,Theft,Laptop,FALSE,\N
797,"Greater Dallas Orthopaedics, PLLC",TX,Healthcare Provider,5840,2013-10-28,Theft,Desktop Computer,FALSE,\N
798,"Spirit Home Health Care, Corp",FL,Business Associate,603,2013-10-29,Improper Disposal,Paper/Films,TRUE,\N
799,Rotech Healthcare Inc.,FL,Healthcare Provider,10680,2013-10-29,Unauthorized Access/Disclosure,Laptop,FALSE,\N
800,"Reimbursement Technologies, Inc.",PA,Healthcare Clearing House,2300,2013-10-31,Unauthorized Access/Disclosure,Network Server,FALSE,\N
801,"Superior HealthPlan, Inc.",TX,Health Plan,6284,2013-11-01,Other,Paper/Films,FALSE,\N
802,Genesis Rehabilitation Services,PA,Healthcare Provider,1167,2013-11-01,Loss,Other Portable Electronic Device,FALSE,\N
803,"Colorado Health & Wellness, Inc.",CO,Healthcare Provider,651,2013-11-02,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,FALSE,\N
804,Barnabas Health Medical Group,NJ,Healthcare Provider,1100,2013-11-05,Theft,Laptop,FALSE,\N
805,"DaVita, a division of DaVita HealthCare Partners Inc",CO,Healthcare Provider,11500,2013-11-05,"Other, Theft",Laptop,FALSE,\N
806,Blue Cross and Blue Shield of North Carolina,NC,Health Plan,687,2013-11-07,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
807,North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities ,NC,Healthcare Provider,1315,2013-11-08,Unauthorized Access/Disclosure,Other,FALSE,\N
808,Triple S Salud Inc.,PR,Business Associate,13336,2013-11-08,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
809,Associated Urologists of North Carolina,NC,Healthcare Provider,7300,2013-11-08,Other,Other,FALSE,\N
810,Kemmet Dental Design ,ND,Healthcare Provider,2000,2013-11-12,"Other, Theft",Paper/Films,FALSE,\N
811,Hospice of the Chesapeake,MD,Healthcare Provider,7606,2013-11-12,Theft,Email,FALSE,"Contrary to the covered entity's (CE) established policy, an employee emailed
spreadsheets containing the electronic protected health information (ePHI) of 7,035 patients to a personal email account, and a third party may have viewed the spreadsheets. The PHI included names, addresses, conditions, and diagnoses. Following the breach, the CE hired an independent computer forensics firm which conducted an independent investigation. The investigation uncovered another spreadsheet containing the PHI of 571 additional patients in the employee's personal email account. The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website. The CE applied sanctions for violating its policy and terminated the responsible employee. As a result of OCR's investigation, OCR obtained assurances that the CE has periodically conducted risk assessments to assess vulnerabilities to ePHI in its computer systems."
812,All Source Medical Management,AZ,Business Associate,1456,2013-11-13,Theft,Other,TRUE,\N
813,Memorial Sloan-Kettering Cancer Center,NY,Healthcare Provider,2279,2013-11-13,Loss,Other Portable Electronic Device,FALSE,\N
814,Health Fitness Corporation,IL,Business Associate,4837,2013-11-14,Theft,Laptop,TRUE,\N
815,UHS-Pruitt Corporation,GA,Healthcare Provider,1300,2013-11-15,Theft,Laptop,FALSE,"A manager's unencrypted laptop computer was stolen from a hotel parking lot which also included the employee's login and system password and the covered entity's (CE) long term care software application. The laptop contained 1,300 individuals' protected health information (PHI) and included names, social security numbers, addresses, dates of birth, bank account numbers, Medicare numbers, possible diagnoses, and patient locations. Following the breach, the CE changed the employee's password and performed an analysis to ensure no attempts had been made to access the system and long term care application using the prior account and password.
The CE improved safeguards by encrypting electronic devices and employing devices that do not allow local storage. The CE has also re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop."
816,"United Dynacare, LLC dba Dynacare Laboratories",WI,Healthcare Provider,9328,2013-11-18,Theft,Other Portable Electronic Device,FALSE,\N
817,Redwood Memorial Hospital,CA,Healthcare Provider,1039,2013-11-19,Loss,Other Portable Electronic Device,FALSE,\N
818,"University of California, San Francisco",CA,Healthcare Provider,8294,2013-11-22,Theft,"Laptop, Paper/Films",FALSE,\N
819,Kaiser Foundation Hospital- Orange County,CA,Healthcare Provider,49000,2013-11-22,Loss,Other Portable Electronic Device,FALSE,\N
820,Jones Chiropractic and Maximum Health,IN,Healthcare Provider,1500,2013-11-26,Theft,Desktop Computer,FALSE,\N
821,Ronald Schubert MD PLLC,WA,Healthcare Provider,950,2013-11-26,Theft,Laptop,FALSE,\N
822,UPMC,PA,Healthcare Provider,1279,2013-11-27,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
823,UW Medicine,WA,Healthcare Provider,76183,2013-11-27,Hacking/IT Incident,Desktop Computer,FALSE,\N
824,City of Chicago,IL,Healthcare Provider,2080,2013-11-29,Unauthorized Access/Disclosure,Network Server,FALSE,\N
825,"Quality Health Claims Consultants, LLC",IL,Business Associate,1573,2013-12-06,Theft,Email,TRUE,"The Covered Entity's (CE) Business Associate (BA) mailed letters to their clients to request certain documents containing identifying information. An erroneous fax number listing caused some clients to fax their information to the wrong number. Approximately 1,573 individuals were affected by the breach. The protected health information (PHI) involved included names, addresses, dates of birth, and social security numbers. Following the breach, the BA confirmed that any faxes sent to the incorrect fax number were destroyed.
The BA also standardized all company literature to require manual data entry of client-specific contact information to assure quality control. OCR provided information to assist the CE to revise its BA agreement. \ \" 826,SIU HealthCare,IL,Healthcare Provider,1891,2013-12-06,"Loss, Theft",Laptop,FALSE,\N 827,The Good Samaritan Health Center,GA,Healthcare Provider,5000,2013-12-06,Other,Desktop Computer,FALSE,\N 828,UniHealth Source,GA,Healthcare Provider,4500,2013-12-06,Theft,Laptop,FALSE,\N 829,Walgreen Co.,IL,Healthcare Provider,17350,2013-12-06,Other,Paper/Films,FALSE,\N 830,Methodist Dallas Medical Center,TX,Healthcare Provider,44000,2013-12-06,Unauthorized Access/Disclosure,Other,FALSE,\N 831,Florida Digestive Health Specialists,FL,Healthcare Provider,4400,2013-12-09,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 832,"Northside Hospital, Inc.",GA,Healthcare Provider,4879,2013-12-10,Loss,Laptop,FALSE,\N 833,"Health Help, Inc.",KY,Healthcare Provider,535,2013-12-10,Theft,Other Portable Electronic Device,FALSE,"An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce members unlocked personal vehicle parked at home. The ePHI involved in the breach included names and birthdates. Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media. Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices. The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy. OCR obtained assurances that the CE implemented the corrective action listed above." 834,L.A. 
Gay & Lesbian Center,CA,Healthcare Provider,59000,2013-12-10,Hacking/IT Incident,Network Server,FALSE,\N 835,Mosaic,NE,Healthcare Provider,3857,2013-12-11,Other,Email,FALSE,\N 836,Island Peer Review Organization,NY,Business Associate,9642,2013-12-12,Loss,Other Portable Electronic Device,TRUE,\N 837,Molina Healthcare In,CA,Business Associate,1499,2013-12-16,Unauthorized Access/Disclosure,Network Server,TRUE,\N 838,Wyoming Department of Health,WY,Health Plan,11935,2013-12-16,Unauthorized Access/Disclosure,Network Server,FALSE,\N 839,Shiloh Medical Clinic,MT,Healthcare Provider,1900,2013-12-17,Unauthorized Access/Disclosure,"Desktop Computer, Email",FALSE,\N 840,DeLoach & Williamson,SC,Business Associate,3432,2013-12-18,Theft,Laptop,TRUE,"DeLoach & Williamsons (a business associate (BA) for South Carolina Health Insurance Pool) employees car was broken into and her password-protected company laptop computer was stolen which contained the electronic protected health information (ePHI) of 3,432 individuals. The ePHI involved in the breach included social security numbers, names, dates of service, and provider identification numbers. The BA provided breach notification to the covered entity, affected individuals, and HHS. The covered entity provided breach notification to the media. Following the breach, the BA immediately launched an internal investigation and retrained the subject employee on the companys policies on privacy and security of electronic information. Prior to the incident, the BA had decided to dissolve the company and it ceased operations by December 2013. The BA intends to legally file for dissolution in December 2014. 
" 841,Colby DeHart,TN,Business Associate,2777,2013-12-19,Theft,Laptop,TRUE,\N 842,ZDI,CA,Business Associate,1674,2013-12-20,Loss,Paper/Films,TRUE,\N 843,"Molina Healthcare of Texas, Inc.",TX,Health Plan,2826,2013-12-21,Other,Paper/Films,FALSE,\N 844,"Rob Meaglia, DDS",CA,Healthcare Provider,1400,2013-12-23,Theft,Desktop Computer,FALSE,\N 845,Jeff Spiegel,MA,Healthcare Provider,832,2013-12-23,Unauthorized Access/Disclosure,Email,FALSE,\N 846,Tranquility Counseling Services,NC,Healthcare Provider,1683,2013-12-23,Other,Paper/Films,FALSE,\N 847,Florida Department of Health,FL,Healthcare Provider,2354,2013-12-23,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 848,"New Mexico Oncology Hematology Consultants, LTD",NM,Healthcare Provider,12354,2013-12-31,Theft,Laptop,FALSE,\N 849,Colorado Community Health Alliance (CCHA)/Physicians Health Partners,CO,Business Associate,1918,2014-01-02,Unauthorized Access/Disclosure,Email,TRUE,\N 850,"Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates",NJ,Business Associate,839711,2014-01-03,Theft,Laptop,TRUE,\N 851,Phoebe Putney Memorial Hospital,GA,Healthcare Provider,6989,2014-01-03,Loss,Desktop Computer,FALSE,\N 852,Coulee Medical Center,WA,Healthcare Provider,2500,2014-01-03,Theft,"Email, Laptop, Network Server",FALSE,"The covered entity (CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization. The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals. The CE provided breach notification to HHS and affected individuals. Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training. 
As a result of OCR's investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI. OCR provided the CE with technical assistance regarding what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule." 853,"RevSpring, Inc.",MI,Business Associate,3000,2014-01-06,Other,Paper/Films,TRUE,\N 854,North Carolina Department of Health and Human Services ,NC,Health Plan,48752,2014-01-06,Unauthorized Access/Disclosure,Other,FALSE,\N 855,"Phreesia, Inc",NY,Business Associate,2500,2014-01-08,Theft,Laptop,TRUE,\N 856,Tri Lakes Medical Center,MS,Healthcare Provider,1489,2014-01-10,Hacking/IT Incident,Network Server,FALSE,\N 857,Virginia Premier Health Plan (VPHP),VA,Business Associate,25513,2014-01-10,Theft,Paper/Films,TRUE,"Virginia Premier Health Plan, a business associate (BA) of the covered entity (CE), Virginia Department of Medical Assistance Services (VA-DMAS), mailed incorrect postcards to Virginia Medicaid members. The breach included 13,357 postcards that were mailed to the wrong address and 12,156 postcards that contained incorrect services information. The information did not include social security numbers or financial information. The BA provided breach notification to HHS, the media, and to affected individuals in English and Spanish. Following this breach, the BA improved safeguards by retraining employees on safeguards for protected health information, updating procedures for mailings, and implementing additional quality control checks. OCR obtained assurances that the BA implemented the corrective action listed above." 
858,Cook County Health & Hospitals System,IL,Healthcare Provider,22511,2014-01-11,Other,Email,FALSE,\N 859,Southwest General Health Center,OH,Healthcare Provider,953,2014-01-13,Unknown,Other,FALSE,\N 860,"RGH Enterprises, Inc.",OH,Health Plan,4230,2014-01-13,Theft,Network Server,FALSE,"Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website. The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised " 861,Network Pharmacy Knoxville,TN,Healthcare Provider,9602,2014-01-15,Theft,Laptop,FALSE,\N 862,Saint Francis Hospital and Medical Center,CT,Healthcare Provider,858,2014-01-16,Theft,Paper/Films,FALSE,\N 863,Sentara Healthcare,VA,Healthcare Provider,3861,2014-01-16,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,FALSE,\N 864,Health Dimensions,MI,Healthcare Provider,5370,2014-01-16,Theft,Network Server,FALSE,\N 865,COMPLETE MEDICAL HOMECARE,KS,Healthcare Provider,1700,2014-01-21,Unauthorized Access/Disclosure,Other Portable Electronic Device,FALSE,\N 866,Hospital for Special Surgery,NY,Healthcare Provider,937,2014-01-21,Theft,"Desktop Computer, Paper/Films",FALSE,\N 867,The Brooklyn Hospital Center,NY,Healthcare Provider,2172,2014-01-22,Loss,Other Portable Electronic Device,FALSE,\N 868,"Robert B. 
Neves, M.D.",CA,Business Associate,611,2014-01-24,Theft,Laptop,TRUE, 869,"Triple-C, Inc.",PR,Business Associate,398000,2014-01-24,Theft,Network Server,TRUE,\N 870,"Triple-C, Inc.",PR,Business Associate,8000,2014-01-24,"Theft, Unauthorized Access/Disclosure",Network Server,TRUE,\N 871,"Birmingham Printing and Publishing, Inc dba Paper Airplane",AL,Business Associate,1085,2014-01-24,Other,Other,TRUE,\N 872,Medical Mutual of Ohio,OH,Business Associate,1420,2014-01-27,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 873,University of Wisconsin-Madison School of Pharmacy,WI,Business Associate,41437,2014-01-30,Loss,Other Portable Electronic Device,TRUE,\N 874,The University of Texas MD Anderson Cancer Center,TX,Healthcare Provider,3598,2014-01-31,Loss,Other Portable Electronic Device,FALSE,\N 875,Beebe Medical Center,DE,Healthcare Provider,1883,2014-01-31,Other,Laptop,FALSE,\N 876,St. Joseph Health System ,TX,Health Plan,405000,2014-02-05,Hacking/IT Incident,Network Server,FALSE,\N 877,"Min Yi, M.D.",CA,Healthcare Provider,4676,2014-02-05,Theft,Other Portable Electronic Device,FALSE,\N 878,Easter Seal Society of Superior California,CA,Healthcare Provider,3026,2014-02-07,Theft,Laptop,FALSE,\N 879,PruittHealth Pharmacy Services,GA,Healthcare Provider,841,2014-02-07,Theft,Laptop,FALSE,"A manager's unencrypted laptop computer was stolen from the back seat of an employee's car. The laptop contained the protected health information (PHI) of 841 individuals and included names, possible diagnoses, prescription names, dates of service, and service locations. The covered entity (CE) has improved safeguards by encrypting devices and employing devices that do not allow local storage. The CE has also revised its privacy and security policies and re-trained employees. OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. 
" 880,Kmart Corporation,IL,Healthcare Provider,16446,2014-02-10,Theft,"Electronic Medical Record, Other",FALSE,\N 881,WA State Department of Social & Health Services,WA,Health Plan,3104,2014-02-11,"Other, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 882,Not Applicable ,NY,Business Associate,6475,2014-02-12,"Other, Theft",Laptop,TRUE,\N 883,University of Miami,FL,Healthcare Provider,13074,2014-02-12,Loss,Paper/Films,FALSE,\N 884,"Supportive Concepts for Families, Inc.",PA,Healthcare Provider,593,2014-02-13,Unauthorized Access/Disclosure,Network Server,FALSE,\N 885,Health Care Solutions at Home Inc.,OH,Health Plan,1139,2014-02-14,Theft,Other,FALSE,"The covered entity (CE) mistakenly mailed protected health information (PHI) to the wrong addresses of approximately 1,139 individuals following a computer error at the business associate (BA). The PHI involved in the breach included names, addresses, dates of birth, dates of service, claims information, and diagnoses. The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. To prevent a similar breach from happening in the future, the CE and BA improved safeguards by updating policies to require multiple reviews of PHI in mailings. Following OCRs investigation, the CE updated its policies and procedures relating to the minimum necessary standard." 886,University of California Davis Medical Center,CA,Healthcare Provider,2269,2014-02-14,Hacking/IT Incident,Email,FALSE,\N 887,"St. 
Vincent Hospital and Healthcare, Inc",IN,Healthcare Provider,1142,2014-02-18,Theft,Laptop,FALSE,\N 888,"StayWell Health Management, LLC",MN,Business Associate,10024,2014-02-21,Unauthorized Access/Disclosure,Network Server,TRUE,\N 889,"StayWell Health Management, LLC",MN,Business Associate,520,2014-02-21,Unauthorized Access/Disclosure,Network Server,TRUE,\N 890,"StayWell Health Management, LLC",MN,Business Associate,4786,2014-02-21,Unauthorized Access/Disclosure,Network Server,TRUE,\N 891,Inspira Health Network Inc.,NJ,Healthcare Provider,1411,2014-02-21,Theft,Desktop Computer,FALSE,\N 892,"StayWell Health Management, LLC",MN,Business Associate,1511,2014-02-25,Unauthorized Access/Disclosure,Network Server,TRUE,\N 893,"Care Advantage, Inc.",VA,Healthcare Provider,3458,2014-02-26,Theft,Laptop,FALSE,\N 894,Pair Networks Inc.,PA,Business Associate,8845,2014-02-26,"Other, Unauthorized Access/Disclosure",Other,TRUE,\N 895,"The Kroger Co., for itself and its affiliates and subsidiaries",OH,Healthcare Provider,504,2014-02-26,Other,Electronic Medical Record,FALSE,\N 896,"Cornerstone Health Care, PA",NC,Healthcare Provider,548,2014-02-26,"Loss, Theft",Laptop,FALSE,\N 897,Joseph Michael Benson M.D,TX,Healthcare Provider,7500,2014-02-27,Theft,Desktop Computer,FALSE,\N 898,Data Media,GA,Business Associate,600,2014-02-28,Other,Other,TRUE,\N 899,Eureka Internal Medicine,CA,Healthcare Provider,3534,2014-03-04,Improper Disposal,Paper/Films,FALSE,\N 900,St. Joseph Health System,TX,Business Associate,3300,2014-03-05,Hacking/IT Incident,Network Server,TRUE,\N 901,Banner Health,AZ,Healthcare Provider,55207,2014-03-05,Other,Other,FALSE,\N 902,"PracMan, Inc.",AL,Business Associate,1179,2014-03-10,Hacking/IT Incident,Network Server,TRUE,\N 903,Iowa Dept. 
of Human Services,IA,Health Plan,2042,2014-03-10,Other,"Email, Laptop, Other Portable Electronic Device",FALSE,\N 904,Mission City Community Network,CA,Healthcare Provider,7800,2014-03-12,Theft,Email,FALSE, 905,"University of California, San Francisco",CA,Healthcare Provider,9861,2014-03-12,Theft,Desktop Computer,FALSE,\N 906,Detroit Medical Center - Harper University Hospital,MI,Healthcare Provider,1087,2014-03-13,"Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 907,"Todd M. Burton, M.D.",TX,Healthcare Provider,5000,2014-03-13,Theft,Other,FALSE,\N 908,Valley View Hosptial Association,CO,Healthcare Provider,5415,2014-03-14,Other,"Desktop Computer, Laptop",FALSE,\N 909,Hospitalists of Arizona,AZ,Healthcare Provider,1706,2014-03-16,Theft,Laptop,FALSE,\N 910,TMA Practice Management Group,TX,Business Associate,2260,2014-03-17,"Improper Disposal, Loss",Other Portable Electronic Device,TRUE,\N 911,"StayWell Health Management, LLC",MN,Business Associate,1746,2014-03-18,Unauthorized Access/Disclosure,Network Server,TRUE,\N 912,Berea College,KY,Healthcare Provider,1000,2014-03-20,Other,Electronic Medical Record,FALSE,\N 913,"HealthPartners, Inc.",MN,Health Plan,27839,2014-03-21,"Loss, Unauthorized Access/Disclosure","Desktop Computer, Laptop, Other Portable Electronic Device",FALSE,\N 914,"HealthPartners Administrators, Inc.",MN,Business Associate,796,2014-03-21,"Loss, Unauthorized Access/Disclosure","Desktop Computer, Laptop, Other Portable Electronic Device",TRUE,\N 915,"HealthPartners Administrators, Inc.",MN,Business Associate,1699,2014-03-21,"Loss, Unauthorized Access/Disclosure","Desktop Computer, Laptop, Other Portable Electronic Device",TRUE,\N 916,"HealthPartners Administrators, Inc.",MN,Business Associate,715,2014-03-21,"Loss, Unauthorized Access/Disclosure","Desktop Computer, Laptop, Other Portable Electronic Device",TRUE,\N 917,Talyst,WA,Business Associate,1079,2014-03-24,Theft,Laptop,TRUE,\N 918,Yellowstone Boys and Girls Ranch,MT,Healthcare 
Provider,543,2014-03-24,Theft,Paper/Films,FALSE, 919,"Orlando Health, Inc.",FL,Healthcare Provider,586,2014-03-24,Loss,Other Portable Electronic Device,FALSE,\N 920,NOVA Chiropractic & Rehab Center,VA,Healthcare Provider,5534,2014-03-27,"Loss, Other",Other Portable Electronic Device,FALSE,\N 921,Susquehanna Health,PA,Healthcare Provider,657,2014-03-27,Unauthorized Access/Disclosure,Email,FALSE,\N 922,Jewish Hospital,KY,Healthcare Provider,2992,2014-03-28,Other,Email,FALSE,\N 923,Franciscan Medical Group,WA,Healthcare Provider,8300,2014-03-28,Other,Email,FALSE,\N 924,Palomar Health,CA,Healthcare Provider,5499,2014-03-28,Theft,Other Portable Electronic Device,FALSE,\N 925,"Myriad Genetic Laboratories, Inc.",UT,Healthcare Provider,643,2014-03-29,Unauthorized Access/Disclosure,Email,FALSE,\N 926,"RelayHealth, a division of McKesson",GA,Business Associate,1000,2014-03-31,Unauthorized Access/Disclosure,Other,TRUE,\N 927,"Policy Studies, Inc. / Postal Center International, Inc.",FL,Business Associate,580,2014-03-31,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 928,"Midwest Orthopaedics at Rush, LLC",IL,Healthcare Provider,1256,2014-03-31,Hacking/IT Incident,Email,FALSE,\N 929,Indian Health Service,MD,Health Plan,214000,2014-04-01,Unauthorized Access/Disclosure,Laptop,FALSE,\N 930,Kaiser Permanente Northern CA Department of Research,CA,Healthcare Provider,5178,2014-04-02,Hacking/IT Incident,Network Server,FALSE,\N 931,Triple-S Salud ,PR,Health Plan,5795,2014-04-02,Theft,Other,FALSE, 932,American Health Inc. ,PR,Health Plan,17776,2014-04-03,Theft,Other,FALSE, 933,"State Long Term Care Ombudsmans Office, Michigan Department of Community Health ",MI,Health Plan,2595,2014-04-03,Theft,Other Portable Electronic Device,FALSE,\N 934,Presence St. 
Joseph's Medical Center,IL,Healthcare Provider,836,2014-04-04,Other,Paper/Films,FALSE,\N 935,"Clinical Reference Laboratory, Inc.",KS,Healthcare Provider,979,2014-04-09,Loss,Paper/Films,FALSE,\N 936,Cigna,CT,Business Associate,527,2014-04-09,Loss,Paper/Films,TRUE,\N 937,"Amerigroup Texas, Inc. ",VA,Business Associate,75026,2014-04-10,Theft,Paper/Films,TRUE,\N 938,BLUE CROSS AND BLUE SHIELD OF KANSAS CITY,MO,Health Plan,2546,2014-04-11,Unauthorized Access/Disclosure,Other,FALSE,\N 939,"University Urology, P.C.",TN,Healthcare Provider,1144,2014-04-14,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 940,"Healthy Connections, Inc",CA,Healthcare Provider,793,2014-04-14,Loss,Other Portable Electronic Device,FALSE,\N 941,IHS,MD,Health Plan,5000,2014-04-15,Unauthorized Access/Disclosure,Other,FALSE,\N 942,Triple S Salud Inc.,PR,Business Associate,7911,2014-04-15,Theft,Other Portable Electronic Device,TRUE, 943,Greenwood Leflore Hospital,MS,Healthcare Provider,3750,2014-04-16,Theft,Other,FALSE,\N 944,"Service Coordination, Inc.",MD,Business Associate,10766,2014-04-17,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,TRUE,\N 945,"Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc.",GA,Business Associate,2523,2014-04-17,"Theft, Unauthorized Access/Disclosure",Paper/Films,TRUE,\N 946,Shaker Clinic,OH,Healthcare Provider,617,2014-04-18,Loss,Paper/Films,FALSE,\N 947,Tri State Adjustments,WI,Business Associate,1400,2014-04-18,Other,Other,TRUE,\N 948,Larsen Dental Care LLC,ID,Healthcare Provider,6900,2014-04-18,Theft,Other Portable Electronic Device,FALSE,\N 949,CENTURA HEALTH,CO,Healthcare Provider,12286,2014-04-22,Hacking/IT Incident,Email,FALSE,\N 950,"Ladies First Choice, Inc.",FL,Healthcare Provider,2365,2014-04-23,"Theft, Unauthorized Access/Disclosure",Laptop,FALSE,\N 951,"Tufts Associated Health Maintenance Organization, Inc. 
and Tufts Insurance Company ",MA,Health Plan,8830,2014-04-24,Theft,Other,FALSE,\N 952,Inclusion Research Institute,DC,Business Associate,2200,2014-04-24,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 953,Willis North America Inc. Medical Expense Benefit Plan,NY,Health Plan,4830,2014-04-24,Unauthorized Access/Disclosure,Email,FALSE,\N 954,Sorenson Communications,UT,Business Associate,9800,2014-04-24,Hacking/IT Incident,Network Server,TRUE,\N 955,Baylor Medical Center at McKinney,TX,Healthcare Provider,1253,2014-04-25,Hacking/IT Incident,Email,FALSE,\N 956,Baylor Medical Center at Irving,TX,Healthcare Provider,2308,2014-04-25,Hacking/IT Incident,Email,FALSE,\N 957,Baylor Regional Medical Center at Plano,TX,Healthcare Provider,1981,2014-04-25,Hacking/IT Incident,Email,FALSE,\N 958,HealthTexas Provider Network,TX,Healthcare Provider,2742,2014-04-25,Hacking/IT Incident,Email,FALSE,\N 959,"Ferguson Advertising, Inc.",IN,Business Associate,1361,2014-04-25,Hacking/IT Incident,Network Server,TRUE,\N 960,Iowa Medicaid Enterprise,IA,Health Plan,862,2014-04-25,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 961,Flowers Hospital,AL,Healthcare Provider,629,2014-04-25,Theft,Paper/Films,FALSE,\N 962,Reading Health System,PA,Healthcare Provider,1845,2014-04-29,Loss,Paper/Films,FALSE,\N 963,MDF Transcription Services,MA,Business Associate,15265,2014-04-29,Other,Other,TRUE,\N 964,OptumRx,IL,Business Associate,5696,2014-04-30,Theft,Paper/Films,TRUE,"An employee of the covered entity's (CE) business associate (BA) mistakenly mailed protected health information (PHI) to other individuals due to a human error in sorting the data contained in an Excel spreadsheet. The mailing affected 5,696 individuals and included names and prescription drug names. The BA provided breach notification to the affected individuals, HHS, and the media. 
As a result of OCR's investigation, OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. OCR obtained assurances that the BA completed the corrective actions noted above. The BA also stated that it has developed a plan to improve safeguards by implementing additional quality checks and controls for mailings." 965,UMass Memorial Medical Center,MA,Healthcare Provider,2387,2014-05-05,Unauthorized Access/Disclosure,"Electronic Medical Record, Paper/Films",FALSE,\N 966,KEYSTONE INSURERS GROUP,IN,Business Associate,1008,2014-05-06,Other,Email,TRUE,\N 967,Options Counseling Center,NJ,Healthcare Provider,2828,2014-05-09,"Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N 968,Creel Printing,NV,Business Associate,4744,2014-05-10,Other,Paper/Films,TRUE,\N 969,Howard L. Weinstein D.P.M.,TX,Healthcare Provider,1000,2014-05-10,Theft,Laptop,FALSE,\N 970,American Health Inc. ,PR,Health Plan,11531,2014-05-18,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 971,Central City Concern,OR,Healthcare Provider,17914,2014-05-19,Unauthorized Access/Disclosure,Other,FALSE,\N 972,Bloom Health,MN,Business Associate,502,2014-05-19,"Hacking/IT Incident, Unauthorized Access/Disclosure",Email,TRUE,\N 973,Elliot Health System,NH,Healthcare Provider,1208,2014-05-21,Theft,Desktop Computer,FALSE,\N 974,"Sutherland Healthcare Solutions, Inc.",NJ,Business Associate,342197,2014-05-22,Theft,"Email, Laptop",TRUE,\N 975,Humana Inc [case #15381],KY,Health Plan,2962,2014-05-23,Theft,Other Portable Electronic Device,FALSE,\N 976,Jamaica Hospital Medical Center,NY,Healthcare Provider,26162,2014-05-23,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N 977,Bay Park Hospital,OH,Healthcare Provider,594,2014-05-28,Unauthorized Access/Disclosure,"Electronic Medical Record, Network Server",FALSE,\N 978,Triple-S Salud ,PR,Health Plan,56853,2014-05-29,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 
979,"NFP Maschino, Hudelson & Associates",OK,Business Associate,3814,2014-05-30,Theft,Laptop,TRUE,\N 980,Salina Health Education Foundation dba Salina Family Healthcare Center,KS,Healthcare Provider,9640,2014-06-05,Unauthorized Access/Disclosure,Email,FALSE,\N 981,Open Cities Health Center ,MN,Healthcare Provider,1304,2014-06-05,Other,Email,FALSE,\N 982,Mark A. Gillispie,CA,Healthcare Provider,5845,2014-06-06,Theft,Desktop Computer,FALSE,\N 983,Penn State Milton S Hershey Medical Center,PA,Healthcare Provider,1801,2014-06-06,Other,"Email, Other Portable Electronic Device",FALSE,\N 984,Walgreen Co.,IL,Healthcare Provider,540,2014-06-06,Theft,"Desktop Computer, Paper/Films",FALSE,\N 985,St. Francis Hospital,GA,Healthcare Provider,1175,2014-06-09,Other,Email,FALSE,\N 986,"Doctors First Choice Billings, Inc",FL,Business Associate,9255,2014-06-11,Theft,Other,TRUE, 987,"Doctors First Choice Billings, Inc.",FL,Business Associate,1831,2014-06-12,Hacking/IT Incident,Other,TRUE,\N 988,Santa Rosa Memorial Hospital ,CA,Healthcare Provider,33702,2014-06-13,"Loss, Theft",Other Portable Electronic Device,FALSE,\N 989,Baylor Medical Center at Carrollton,TX,Healthcare Provider,2874,2014-06-13,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N 990,Group Health Plan of Hurley Medical Center,MI,Health Plan,2289,2014-06-16,Unauthorized Access/Disclosure,Email,FALSE,\N 991,IHS,MD,Health Plan,620,2014-06-19,Unauthorized Access/Disclosure,Other,FALSE,\N 992,"David DiGiallorenzo, D.M.D.",PA,Healthcare Provider,11000,2014-06-19,"Hacking/IT Incident, Unauthorized Access/Disclosure",Other,FALSE,\N 993,"NRAD Medical Associates, P.C.",NY,Healthcare Provider,97000,2014-06-20,"Hacking/IT Incident, Unauthorized Access/Disclosure","Desktop Computer, Other Portable Electronic Device",FALSE,\N 994,NYU Hospitals Center,NY,Healthcare Provider,872,2014-06-20,Theft,Laptop,FALSE,\N 995,"Abrham Tekola, M.D.,INC",CA,Healthcare Provider,5471,2014-06-20,Theft,Desktop Computer,FALSE, 
996,Colorado Neurodiagnostics,CO,Healthcare Provider,750,2014-06-23,Theft,Laptop,FALSE,\N 997,"Sloane Stecker Physical Therapy, PC",NY,Healthcare Provider,2000,2014-06-24,Theft,Electronic Medical Record,FALSE,\N 998,Riverside County Regional Medical Center,CA,Healthcare Provider,563,2014-06-24,Theft,Laptop,FALSE,\N 999,Rady Children's Hospital - San Diego,CA,Healthcare Provider,14121,2014-06-24,Unauthorized Access/Disclosure,Email,FALSE,\N 1000,Rady Children's Hospital - San Diego,CA,Healthcare Provider,6307,2014-06-25,Unauthorized Access/Disclosure,"Email, Other",FALSE,\N 1001,Alabama Department of Public Health,AL,Healthcare Provider,1200,2014-06-26,Theft,Electronic Medical Record,FALSE,\N 1002,The Union Labor Life Insurance Company,MD,Healthcare Provider,42713,2014-06-27,Theft,Laptop,FALSE, 1003,VA Long Beach Healthcare System,CA,Healthcare Provider,592,2014-07-04,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 1004,D&J Optical Inc. ,AL,Health Plan,1100,2014-07-07,Hacking/IT Incident,Desktop Computer,FALSE,\N 1005,Montana Department of Public Health and Human Services,MT,Health Plan,1062509,2014-07-07,Hacking/IT Incident,Network Server,FALSE,\N 1006,Highmark Inc.,PA,Business Associate,2589,2014-07-08,Theft,Paper/Films,TRUE,"Health profile and care summaries and corresponding cover letters were incorrectly mailed to senior members of the covered entity (CE), Highmark Health, and their physicians. The protected health information involved in the breach included the names, addresses, telephone numbers, dates of birth, unique medical identifiers (UMI), gender, medications, and health information of 2,589 individuals. The CE provided breach notification to HHS, the media, and affected individuals. Following the breach, the CE issued a new UMI to each member impacted by the incident. The CE determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee. 
As a result of OCR's investigation, the CE instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures. OCR obtained details of the CE's revised policies on its health profiles to assure they include only the minimum necessary information. " 1007,Haley Chiropractic Clinic,WA,Healthcare Provider,6000,2014-07-08,Theft,"Desktop Computer, Laptop",FALSE,\N 1008,"St. Vincent Hospital and Health Care Center, Inc.",IN,Business Associate,63325,2014-07-09,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N 1009,"InSync Computer Solutions, Inc.",AL,Business Associate,50918,2014-07-11,Other,Network Server,TRUE,\N 1010,Western Regional Center for Brain and Spine Surgery,NV,Healthcare Provider,12000,2014-07-12,Theft,Network Server,FALSE,\N 1011,Indian Health Service,SD,Health Plan,620,2014-07-15,"Loss, Unauthorized Access/Disclosure",Other,FALSE,\N 1012,University of Pennsylvania Health System,PA,Healthcare Provider,661,2014-07-16,Theft,Paper/Films,FALSE,"A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR's investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective action steps were taken. 
" 1013,Bay Area Pain Medical Associates ,CA,Healthcare Provider,2780,2014-07-16,Theft,Desktop Computer,FALSE,\N 1014,Minneapolis VA Health Care System,MN,Health Plan,500,2014-07-17,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N 1015,McKesson Business Performance Services,NJ,Business Associate,680,2014-07-23,Unauthorized Access/Disclosure,Network Server,TRUE,\N 1016,Xand Corporation,NY,Business Associate,3334,2014-07-23,Other,Network Server,TRUE,\N 1017,Self Regional Healthcare ,SC,Healthcare Provider,38906,2014-07-25,Theft,Laptop,FALSE,\N 1018,"Urological Associates of Southern Arizona, P.C.",AZ,Healthcare Provider,3529,2014-07-25,Improper Disposal,Other,FALSE,\N 1019,Dr. Veronica Joann Barber,CA,Business Associate,4000,2014-07-28,Unauthorized Access/Disclosure,Network Server,TRUE,\N 1020,"PRN Medical Services, LLC dba Symbius Medical, LLC",AZ,Healthcare Provider,13877,2014-07-29,"Other, Theft, Unauthorized Access/Disclosure","Email, Network Server",FALSE,\N 1021,Midwest Urological Group,IL,Healthcare Provider,982,2014-07-30,Theft,Laptop,FALSE,\N 1022,Rite Aid Store 5256,WA,Healthcare Provider,522,2014-07-30,Theft,Paper/Films,FALSE,\N 1023,"StayWell Health Management, LLC",MN,Business Associate,4487,2014-07-31,Hacking/IT Incident,Network Server,TRUE,\N 1024,Cancer Specialists of Tidewater,VA,Healthcare Provider,2318,2014-07-31,"Theft, Unauthorized Access/Disclosure, Unknown","Electronic Medical Record, Other",FALSE,\N 1025,MobilexUSA,OH,Healthcare Provider,605,2014-08-06,Loss,Paper/Films,FALSE,\N 1026,Jersey City Medical Center - Barnabas Health,NJ,Healthcare Provider,36400,2014-08-07,Loss,Other,FALSE,\N 1027,Diamond Computing Company,GA,Business Associate,7016,2014-08-07,Unauthorized Access/Disclosure,Network Server,TRUE,\N 1028,"Central Utah Clinic, P.C.",UT,Healthcare Provider,31677,2014-08-07,Hacking/IT Incident,Network Server,FALSE,\N 1029,"PST Services Inc, a McKesson Co.",GA,Business Associate,10104,2014-08-08,Hacking/IT Incident,Network 
Server,TRUE,\N 1030,Onsite Health Diagnostics (OHD),TX,Business Associate,60582,2014-08-08,Hacking/IT Incident,Network Server,TRUE,\N 1031,Apple Valley Care Center,CA,Healthcare Provider,1251,2014-08-12,Hacking/IT Incident,Network Server,FALSE,\N 1032,Kaiser Foundation Health Plan of Colorado,CO,Health Plan,11551,2014-08-12,"Other, Unauthorized Access/Disclosure",Other,FALSE,\N 1033,"CareAll Management, LLC",TN,Healthcare Provider,28300,2014-08-12,Improper Disposal,Other,FALSE,\N 1034,Iron Mountain Records Management,CA,Business Associate,1674,2014-08-13,"Improper Disposal, Loss, Theft",Other,TRUE,\N 1035,"24 ON Physicians, PC/In Compass Health,Inc.",GA,Business Associate,520,2014-08-14,"Hacking/IT Incident, Other",Network Server,TRUE,\N 1036,Iron Mountain Incorporated,MA,Business Associate,10000,2014-08-15,"Loss, Theft",Paper/Films,TRUE,\N 1037,Iron Mountain,CA,Business Associate,49714,2014-08-15,"Improper Disposal, Loss, Theft",Paper/Films,TRUE,\N 1038,University Health,LA,Healthcare Provider,6073,2014-08-15,Hacking/IT Incident,Network Server,FALSE,\N 1039,Tri-City Medical Center,CA,Healthcare Provider,500,2014-08-18,Theft,Paper/Films,FALSE,\N 1040,Dennis Flynn MD,IL,Healthcare Provider,13646,2014-08-19,Theft,Laptop,FALSE,\N 1041,Community Health Systems Professional Services Corporation,TN,Business Associate,4500000,2014-08-20,Theft,Network Server,TRUE, 1042,Oklahoma City Indian Clinic,OK,Healthcare Provider,6000,2014-08-22,Unauthorized Access/Disclosure,Email,FALSE,\N 1043,"Steven A. Goldman, MD Inc.",OH,Healthcare Provider,6141,2014-08-22,Theft,Network Server,FALSE,\N 1044,Specialty Clinics Of Georgia - Orthopaedics,GA,Healthcare Provider,2350,2014-08-25,Theft,Paper/Films,FALSE, 1045,St. 
Elizabeth's Medical Center,MA,Healthcare Provider,595,2014-08-26,Theft,"Laptop, Other Portable Electronic Device",FALSE,\N
1046,Aventura Hospital and Medical Center,FL,Healthcare Provider,948,2014-08-26,Theft,Desktop Computer,FALSE,
1047,Midwest Womens Healthcare Specialist,MO,Healthcare Provider,1376,2014-08-26,Improper Disposal,Paper/Films,FALSE,\N
1048,Group Health Incorporated,NY,Health Plan,802,2014-08-27,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1049,"The Longstreet Clinic, P. C.",GA,Healthcare Provider,720,2014-08-28,Improper Disposal,Other,FALSE,\N
1050,Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department,TN,Health Plan,1717,2014-08-29,Other,Other,FALSE,\N
1051,Duke University Health System,NC,Healthcare Provider,10993,2014-08-29,Theft,Other Portable Electronic Device,FALSE,\N
1052,Memorial Hermann Health System,TX,Healthcare Provider,10604,2014-08-29,Unauthorized Access/Disclosure,Desktop Computer,FALSE,\N
1053,AltaMed Health Services Corporation,CA,Healthcare Provider,3206,2014-08-29,Theft,"Desktop Computer, Network Server, Paper/Films",FALSE,\N
1054,"Bulloch Pediatric Group, LLC",GA,Healthcare Provider,10000,2014-09-04,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1055,Emdeon,TN,Business Associate,566,2014-09-04,Theft,Paper/Films,TRUE,
1056,Temple University Physicians,PA,Healthcare Provider,3780,2014-09-05,Theft,Desktop Computer,FALSE,\N
1057,The WellPoint Affiliated Covered Entities ,IN,Health Plan,1464,2014-09-08,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1058,"Thomas Cristello, Chiropractor PC",NY,Healthcare Provider,914,2014-09-09,Loss,Other Portable Electronic Device,FALSE,\N
1059,"ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) ",TX,Healthcare Provider,789,2014-09-09,"Loss, Theft","Laptop, Other Portable Electronic Device",FALSE,\N
1060,Bon Secours Kentucky,KY,Healthcare Provider,697,2014-09-09,Unauthorized Access/Disclosure,Other,FALSE,\N
1061,Valesco Ventures,FL,Business Associate,82601,2014-09-09,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,TRUE,\N
1062,Wm. Jennings Bryan Dorn VA Medical Center,SC,Healthcare Provider,3637,2014-09-10,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1063,Kmart Corporation,IL,Healthcare Provider,1866,2014-09-10,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1064,"Xerox State Healthcare, LLC",TX,Business Associate,2000000,2014-09-10,Unauthorized Access/Disclosure,"Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device",TRUE,\N
1065,Cedars-Sinai Health System,CA,Healthcare Provider,33136,2014-09-10,Theft,Laptop,FALSE,\N
1066,Tampa General Hospital,FL,Healthcare Provider,675,2014-09-12,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
1067,Santa Fe Medical Group,NM,Healthcare Provider,843,2014-09-12,Theft,Other Portable Electronic Device,FALSE,
1068,Emdeon,TN,Business Associate,800,2014-09-12,Theft,Paper/Films,TRUE,
1069,South Suburban HIV/AIDS Regional Clinics,IL,Business Associate,767,2014-09-17,Other,Email,TRUE,\N
1070,New Mexico VA Health Care System,NM,Healthcare Provider,2657,2014-09-18,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1071,"Research Integrity, LLC",KY,Business Associate,4077,2014-09-22,Unauthorized Access/Disclosure,Other Portable Electronic Device,TRUE,\N
1072,Madison Street Provider Network,CO,Healthcare Provider,523,2014-09-26,Theft,Laptop,FALSE,\N
1073,"Compassionate Care Hospice of Central Louisiana, LLC",LA,Healthcare Provider,707,2014-09-26,Theft,"Laptop, Other",FALSE,\N
1074,"American Family Care, Inc.",AL,Healthcare Provider,2588,2014-09-30,Theft,Laptop,FALSE,\N
1075,"U.S. Health Holdings, Ltd. o/b/o Macomb County, Michigan",MI,Health Plan,6302,2014-10-01,Unauthorized Access/Disclosure,Other,FALSE,\N
1076,Mount Sinai Beth Israel,NY,Healthcare Provider,10793,2014-10-03,Theft,Laptop,FALSE,\N
1077,"Touchstone Medical Imaging, LLC",TN,Healthcare Provider,307528,2014-10-03,Unauthorized Access/Disclosure,Network Server,FALSE,\N
1078,Albertina Kerr Centers,OR,Healthcare Provider,1320,2014-10-06,Theft,Laptop,FALSE,\N
1079,Vcarve LLC d/b/a MD Manage,NJ,Business Associate,585,2014-10-06,Unauthorized Access/Disclosure,Network Server,TRUE,\N
1080,VARO Healthcare,PA,Business Associate,1667,2014-10-07,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
1081,vonica chau DDS PA,TX,Healthcare Provider,810,2014-10-08,Theft,Desktop Computer,FALSE,\N
1082,University of California Davis Medical Center,CA,Healthcare Provider,1326,2014-10-08,Hacking/IT Incident,Email,FALSE,\N
1083,South Texas Veterans Health Care System,TX,Healthcare Provider,4000,2014-10-09,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1084,Cone Health Medical Group,NC,Healthcare Provider,1872,2014-10-09,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1085,Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities,GA,Healthcare Provider,3397,2014-10-09,Theft,Laptop,FALSE,\N
1086,NYU Urology Associates,NY,Healthcare Provider,835,2014-10-10,Unauthorized Access/Disclosure,Other Portable Electronic Device,FALSE,\N
1087,"Health Services Advisory Group, Inc.",AZ,Business Associate,15380,2014-10-10,Unauthorized Access/Disclosure,Other,TRUE,\N
1088,M&M Computer Services,TX,Business Associate,4500,2014-10-10,Hacking/IT Incident,Network Server,TRUE,\N
1089,New York City Health & Hospitals Corporation,NY,Healthcare Provider,10058,2014-10-10,Unauthorized Access/Disclosure,Paper/Films,FALSE,\N
1090,Southwest Virginia Physicians for Women,VA,Healthcare Provider,568,2014-10-10,"Theft, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N
1091,City of Dallas Fire-Rescue Department,TX,Healthcare Provider,1000,2014-10-15,Theft,Laptop,FALSE,
1092,Graybill Medical Group,CA,Healthcare Provider,1863,2014-10-15,Theft,Other,FALSE,
1093,MD Manage (Vcarve LLC),NJ,Business Associate,35357,2014-10-22,Unauthorized Access/Disclosure,Network Server,TRUE,\N
1094,"Seven Counties Services, Inc.",KY,Healthcare Provider,727,2014-10-22,"Improper Disposal, Unauthorized Access/Disclosure",Paper/Films,FALSE,\N
1095,"Nisar A. Quraishi, M.D.",NY,Healthcare Provider,20000,2014-10-22,Theft,Paper/Films,FALSE,\N
1096,"Multilingual Psychotherapy Centers, Inc",FL,Healthcare Provider,3500,2014-10-28,Theft,Network Server,FALSE,\N
1097,Burlington Northern Santa Fe Group Benefits Plan,TX,Health Plan,507,2014-10-28,Loss,Other Portable Electronic Device,FALSE,\N
1098,Portland VA Medical Center,OR,Healthcare Provider,1740,2014-10-29,Theft,Paper/Films,FALSE,
1099,Memorial Healthcare System,FL,Healthcare Provider,1782,2014-10-30,Unauthorized Access/Disclosure,Email,FALSE,\N
1100,Coordinated Health ,PA,Healthcare Provider,13907,2014-10-31,Theft,Laptop,FALSE,\N
1101,"Jessie Trice Community Health Center, Inc.",FL,Healthcare Provider,7888,2014-11-03,Theft,"Desktop Computer, Network Server",FALSE,\N
1102,"Central Dermatology Center, P.A.",NC,Healthcare Provider,76258,2014-11-07,Theft,Network Server,FALSE,
1103,Weill Cornell Medical College,NY,Healthcare Provider,3936,2014-11-07,Theft,"Electronic Medical Record, Laptop",FALSE,
1104,Visionworks Inc.,TX,Health Plan,74944,2014-11-10,Loss,Network Server,FALSE,\N
1105,Loi Luu,CA,Healthcare Provider,13177,2014-11-14,Theft,Network Server,FALSE,\N
1106,Iron Mountain,CA,Business Associate,2691,2014-11-14,Theft,Paper/Films,TRUE,\N
1107,Colorado River Indian Tribes,AZ,Healthcare Provider,1296,2014-11-14,Other,Email,FALSE,\N
1108,REEVE-WOODS EYE CENTER,CA,Healthcare Provider,30000,2014-11-15,Theft,Network Server,FALSE,
1109,Brigham and Women's Hospital,MA,Healthcare Provider,999,2014-11-17,Theft,"Laptop, Other Portable Electronic Device",FALSE,\N
1110,Kirkbride Center,PA,Healthcare Provider,860,2014-11-19,Theft,Paper/Films,FALSE,\N
1111,"MetroPlus Health Plan, Inc.",NY,Health Plan,31980,2014-11-20,Other,Email,FALSE,\N
1112,"Baptist Primary Care, Inc.",FL,Healthcare Provider,1449,2014-11-20,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,\N
1113,Visionworks Inc.,TX,Health Plan,47683,2014-11-21,Theft,Network Server,FALSE,
1114,True Vision Eyecare,OH,Healthcare Provider,542,2014-11-21,Theft,Laptop,FALSE,\N
1115,AdminisTEP,TX,Business Associate,4469,2014-11-25,Unauthorized Access/Disclosure,Paper/Films,TRUE,\N
1116,Northfield Hospital & Clinics,MN,Healthcare Provider,1778,2014-11-25,Improper Disposal,Paper/Films,FALSE,\N
1117,"Computer Programs and Systems, Inc. ",AL,Business Associate,25764,2014-11-26,Theft,Network Server,TRUE,
1118,North Big Horn Hospital,WY,Healthcare Provider,1607,2014-12-01,Loss,Paper/Films,FALSE,\N
1119,The Hearing Zone,UT,Healthcare Provider,623,2014-12-05,Theft,Laptop,FALSE,\N
1120,Florida Department of Health,FL,Healthcare Provider,2477,2014-12-08,Other,Email,FALSE,\N
1121,ReachOut Home Care [Case #16687],KY,Healthcare Provider,4500,2014-12-09,Theft,Laptop,FALSE,
1122,Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan),CA,Health Plan,30000,2014-12-12,Hacking/IT Incident,"Desktop Computer, Laptop, Network Server",FALSE,\N
1123,District Medical Group,AZ,Healthcare Provider,616,2014-12-12,Unauthorized Access/Disclosure,Other Portable Electronic Device,FALSE,\N
1124,Clay County Hospital,IL,Healthcare Provider,12621,2014-12-12,Unauthorized Access/Disclosure,Other,FALSE,\N
1125,St. Mary Mercy Hospital,MI,Healthcare Provider,1488,2014-12-12,Unauthorized Access/Disclosure,Email,FALSE,\N
1126,Walgreen Co.,IL,Healthcare Provider,160000,2014-12-15,Other,Paper/Films,FALSE,\N
1127,mdINR LLC,FL,Healthcare Provider,1859,2015-01-05,Unauthorized Access/Disclosure,Email,FALSE,
1128,VA Corporate Data Center Operations/Austin Information Technology Center ,TX,Healthcare Provider,7029,2015-01-07,Hacking/IT Incident,Network Server,FALSE,
1129,Saint Louis County Department of Health,MO,Healthcare Provider,4000,2015-01-07,Unauthorized Access/Disclosure,"Email, Network Server",FALSE,
1130,"Aspire Indiana, Inc.",IN,Healthcare Provider,43890,2015-01-07,Theft,Laptop,FALSE,
1131,Inland Empire Health Plan (IEHP),CA,Health Plan,1030,2015-01-12,Theft,Desktop Computer,FALSE,
1132,Tennessee Rural Health Improvement Association,TN,Health Plan,79000,2015-01-13,Unauthorized Access/Disclosure,Other,FALSE,
1133,National Pain Institute,FL,Healthcare Provider,500,2015-01-15,Improper Disposal,"Desktop Computer, Laptop",FALSE,
1134,"Rainier Surgical, Incorporated",TX,Healthcare Provider,4920,2015-01-16,Theft,Paper/Films,FALSE,
1135,St. Peter's Health Partners,NY,Healthcare Provider,5117,2015-01-23,Theft,Other Portable Electronic Device,FALSE,
1136,"Ronald D. Garrett-Roe, MD",TX,Healthcare Provider,1600,2015-01-23,Hacking/IT Incident,Desktop Computer,FALSE,
1137,California Pacific Medical Center ,CA,Healthcare Provider,845,2015-01-23,Unauthorized Access/Disclosure,Electronic Medical Record,FALSE,
1138,Diana S. Guth DBA Home Respiratory Care,CA,Healthcare Provider,1285,2015-01-28,Unauthorized Access/Disclosure,Email,FALSE,
1139,David E. Hansen DDS PS ,WA,Healthcare Provider,2000,2015-01-29,Theft,"Other Portable Electronic Device, Paper/Films",FALSE,
1140,Riverside County Regional Medical Center,CA,Healthcare Provider,7925,2015-01-29,Theft,Laptop,FALSE,
1141,"North Dallas Urogynecology, PLLC.",TX,Healthcare Provider,678,2015-01-29,Theft,Laptop,FALSE,
1142,"UMass Memorial Medical Group, Inc.",MA,Healthcare Provider,14100,2015-01-30,Theft,Other,FALSE,
1143,Boston Baskin Cancer Foundation,TN,Healthcare Provider,56694,2015-02-02,Theft,Other Portable Electronic Device,FALSE,
1144,South Sunflower County Hospital,MS,Healthcare Provider,19000,2015-02-04,Improper Disposal,Paper/Films,FALSE,
1145,Planned Parenthood Southwest Ohio,OH,Healthcare Provider,5000,2015-02-05,Improper Disposal,Paper/Films,FALSE,
1146,"Senior Health Partners, a Healthfirst company",NY,Health Plan,2772,2015-02-06,Theft,"Laptop, Other Portable Electronic Device",FALSE,
1147,"Tomas, Arturo",IL,Business Associate,680,2015-02-09,Loss,Paper/Films,TRUE,
1148,Pathway to Hope,FL,Healthcare Provider,600,2015-02-12,Unauthorized Access/Disclosure,Email,FALSE,
1149,Hunt Regional Medical Partners,TX,Healthcare Provider,3000,2015-02-18,Unauthorized Access/Disclosure,Other,FALSE,
1150,Marketing Clique,TX,Health Plan,8700,2015-02-20,Unauthorized Access/Disclosure,Other,FALSE,
1151,"Raymond Mark Turner, M.D.",NV,Healthcare Provider,2153,2015-02-26,Theft,Laptop,FALSE,