rownames,Number,Name_of_Covered_Entity,State,Business_Associate_Involved,Individuals_Affected,Date_of_Breach,Type_of_Breach,Location_of_Breached_Information,Date_Posted_or_Updated,Summary,breach_start,breach_end,year 1,0,Brooke Army Medical Center,TX,,1000,10/16/2009,Theft,Paper,2014-06-30,"A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR's investigation, the CE notified the local media about the breach.",2009-10-16,,2009 2,1,"Mid America Kidney Stone Association, LLC",MO,,1000,9/22/2009,Theft,Network Server,2014-05-30,"Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR's investigation the CE updated its computer password policy. ",2009-09-22,,2009 3,2,Alaska Department of Health and Social Services,AK,,501,10/12/2009,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2009-10-12,,2009 4,3,"Health Services for Children with Special Needs, Inc.",DC,,3800,10/9/2009,Loss,Laptop,2014-01-23,"A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training. ",2009-10-09,,2009 5,4,"L. Douglas Carlson, M.D.",CA,,5257,9/27/2009,Theft,Desktop Computer,2014-01-23,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. ",2009-09-27,,2009 6,5,"David I. Cohen, MD",CA,,857,9/27/2009,Theft,Desktop Computer,2014-01-23,"A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. ",2009-09-27,,2009 7,6,"Michele Del Vicario, MD",CA,,6145,9/27/2009,Theft,Desktop Computer,2014-01-23,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. ",2009-09-27,,2009 8,7,"Joseph F. Lopez, MD",CA,,952,9/27/2009,Theft,Desktop Computer,2014-01-23,"A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. ",2009-09-27,,2009 9,8,"Mark D. Lurie, MD",CA,,5166,9/27/2009,Theft,Desktop Computer,2014-01-23,"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indiv's and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. ",2009-09-27,,2009 10,9,City of Hope National Medical Center,CA,,5900,9/27/2009,Theft,Laptop,2014-01-23,"A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees. ",2009-09-27,,2009 11,10,The Children's Hospital of Philadelphia,PA,,943,10/20/2009,Theft,Laptop,2014-01-23,,2009-10-20,,2009 12,11,"Cogent Healthcare of Wisconsin, S.C.",TN,,6400,10/11/2009,Theft,Laptop,2014-04-23,"A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices.",2009-10-11,,2009 13,12,Universal American,NY,"Democracy Data & Communications, LLC (",83000,11/12/2009,Other,Paper,2014-01-23,"In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. ",2009-11-12,,2009 14,13,Kern Medical Center,CA,,596,10/31/2009,Theft,Other,2014-01-23,,2009-10-31,,2009 15,14,"Keith W. Mann, DDS, PLLC",NC,"Rick Lawson, Professional Computer Services",2000,12/8/2009,Hacking/IT Incident,"Desktop Computer, Network Server, Electronic Medical Record",2014-01-23,,2009-12-08,,2009 16,15,Detroit Department of Health and Wellness Promotion,MI,,10000,10/22/2009,Theft,Other Portable Electronic Device,2014-01-23,,2009-10-22,,2009 17,16,Detroit Department of Health and Wellness Promotion,MI,,646,11/26/2009,Theft,"Laptop, Desktop Computer",2014-01-23,"A desktop and four laptop computers were stolen from the covered entity's locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident ",2009-11-26,,2009 18,17,"University of California, San Francisco",CA,,610,9/22/2009,Other,E-mail,2014-01-23,,2009-09-22,,2009 19,18,Daniel J. Sigman MD PC,MA,,1860,12/11/2009,Theft,"Other Portable Electronic Device, Other, Electronic Medical Record",2014-01-23,"Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. ",2009-12-11,,2009 20,19,Massachusetts Eye and Ear Infirmary,MA,,1076,11/10/2009,Theft,Other,2014-01-23,,2009-11-10,,2009 21,20,BlueCross BlueShield Association,DC,Service Benefits Plan Administrative Services Corp,3400,10/26/2009,Theft,Paper,2014-06-30,"The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2009-10-26,,2009 22,21,BlueCross BlueShield Association,DC,Merkle Direct Marketing,15000,10/7/2009,Theft,Paper,2014-04-24,"The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. ",2009-10-07,,2009 23,22,Kaiser Permanente Medical Care Program,CA,,15500,12/1/2009,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2009-12-01,,2009 24,23,Blue Island Radiology Consultants,IL,United Micro Data,2562,12/9/2009,Theft,Other,2014-06-30,"The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. ",2009-12-09,,2009 25,24,"Goodwill Industries of Greater Grand Rapids, Inc.",MI,,10000,12/15/2009,Theft,Other,2014-01-23,"On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance. ",2009-12-15,,2009 26,25,Children's Medical Center of Dallas,TX,,3800,11/19/2009,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2009-11-19,,2009 27,26,Concentra,TX,,900,11/19/2009,Theft,Laptop,2014-01-23,,2009-11-19,,2009 28,27,Ashley and Gray DDS,MO,,9309,1/10/2010,Theft,Desktop Computer,2014-01-23,,2010-01-10,,2010 29,28,Advocate Health Care,IL,,812,11/24/2009,Theft,Laptop,2014-01-23,"On November 24, 2009, an Advocate nurse's laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCR's investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards. ",2009-11-24,,2009 30,29,The Methodist Hospital,TX,,689,1/18/2010,Theft,Other,2014-01-23,"An unencrypted laptop computer was stolen from the covered entity's unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. ",2010-01-18,,2010 31,30,"University of California, San Francisco",CA,,7300,11/30/2009,Theft,Laptop,2014-01-23,,2009-11-30,,2009 32,31,Carle Clinic Association,IL,,1300,1/13/2010,Theft,"Other, Paper",2014-01-23,,2010-01-13,,2010 33,32,Educators Mutual Insurance Association of Utah ,UT,Health Behavior Innovations (HBI),5700,12/27/2009,Theft,Other,2014-01-23,,2009-12-27,,2009 34,33,University Medical Center of Southern Nevada,NV,,5103,10/31/2009,Theft,Paper,2014-01-23,"Between the dates of July 31, 2009 and November 19, 2009, a former UMC volunteer faxed patient face sheets to an attorney who used the sheets to contact prospective clients. Although UMC only had proof of two disclosures, it chose to notify all 5,301 individuals that could have been affected by the breach. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, and diagnoses. Following the breach, UMC conducted an internal investigation, notified all 5,301 individuals, notified the media, and notified the Secretary. Additionally, UMC reformulated face sheets so that they no longer include full social security numbers and provided all possible affected individuals with a year of free credit monitoring. As a result of this breach, at least one person has been indicted on one count of conspiracy to illegally disclose personal health information in violation of the HIPAA ",2009-10-31,,2009 35,34,Center for Neurosciences,AZ,,1100,12/15/2009,Theft,Laptop,2014-01-23,,2009-12-15,,2009 36,35,Brown University,RI,Blue Cross Blue Shield of RI,528,12/11/2009,Other,Paper,2014-01-23,"On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud. ",2009-12-11,,2009 37,36,MMM Heath Care Inc. ,PR,"MSO of Puerto Rico, Inc. ",1907,2/4/2010,Theft,Paper,2014-06-03,"The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. ",2010-02-04,,2010 38,37,PMC Medicare Choice,PR,MSO of Puerto Rico,605,2/4/2010,Theft,Paper,2014-06-03,"The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. ",2010-02-04,,2010 39,38,Cardiology Consultants/Baptist Health Care Corporation,FL,,8000,12/19/2009,Theft,Desktop Computer,2014-06-30,"A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities. ",2009-12-19,,2009 40,39,"State of TN, Bureau of TennCare",TN,,3900,12/23/2009,Theft,Paper,2014-06-24,"The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. ",2009-12-23,,2009 41,40,Lucille Packard Children's Hospital,CA,,532,1/11/2010,Other,Desktop Computer,2014-01-23,,2010-01-11,,2010 42,41,University of New Mexico Health Sciences Center,NM,,1900,2/8/2010,Other,Desktop Computer,2014-01-23,,2010-02-08,,2010 43,42,Advanced NeuroSpinal Care,CA,,3500,12/30/2009,Theft,Network Server,2014-04-22,"A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft.",2009-12-30,,2009 44,43,Aspen Dental Care P.C.,CO,,2500,10/4/2009,Theft,Other,2014-06-30,"A computer hard drive containing encrypted patient records was stolen from the covered entity's (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. ",2009-10-04,,2009 45,44,Shands at UF,FL,,12580,1/27/2010,Theft,Laptop,2014-01-23,"A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. ",2010-01-27,,2010 46,45,Wyoming Department of Health,WY,,9023,12/2/2009,Unauthorized Access/Disclosure ,Network Server,2014-01-23,,2009-12-02,,2009 47,46,Thrivent Financial for Lutherans,WI,,9500,1/29/2010,Theft,Laptop,2014-01-23,"On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance. ",2010-01-29,,2010 48,47,North Carolina Baptist Hospital,NC,,554,2/15/2010,Theft,Paper,2014-01-23,,2010-02-15,,2010 49,48,Montefiore Medical Center,NY,,625,2/20/2010,Theft,Laptop,2014-06-03,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above.",2010-02-20,,2010 50,49,"Ernest T. Bice, Jr. DDS, P.A.",TX,,21000,2/20/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,"Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. ",2010-02-20,,2010 51,50,Lee Memorial Health System,FL,,3800,1/29/2010,Other,Paper,2014-01-23,"The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures. ",2010-01-29,,2010 52,51,"Laboratory Corporation of America/Dynacare Northwest, Inc.",WA,,5080,2/12/2010,Theft,Laptop,2014-01-23,"A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. ",2010-02-12,,2010 53,52,Mount Sinai Medical Center,FL,,2600,3/9/2010,Theft,Laptop,2014-01-23,,2010-03-09,,2010 54,53,Griffin Hospital,CT,,957,2/4/2010,Hacking/IT Incident,Network Server,2014-01-23,,2010-02-04,,2010 55,54,"Hypertension, Nephrology, Dialysis and Transplantation, PC",AL,,2465,3/6/2010,Theft,Laptop,2014-01-23,,2010-03-06,,2010 56,55,Reliant Rehabilitation Hospital North Houston,TX,"Computer Program and Systems, Inc. (CPSI)",768,2/9/2010,Unauthorized Access/Disclosure ,E-mail,2014-01-23,,2010-02-09,,2010 57,56,"Laboratory Corporation of America / US LABS / Dianon Systems, Inc",AZ,,2773,2/18/2010,Theft,Other Portable Electronic Device,2014-01-23,,2010-02-18,,2010 58,57,University of Pittsburgh Student Health Center,PA,,8000,3/11/2010,"Theft, Loss",Paper,2014-01-23,,2010-03-11,,2010 59,58,Providence Hospital,MI,,83945,2/4/2010,Other,Other,2014-01-23,,2010-02-04,,2010 60,59,VHS Genesis Lab Inc. ,IL,,6800,1/10/2010,Loss,Paper,2014-01-23,,2010-01-10,,2010 61,60,John Muir Physician Network,CA,,5450,2/4/2010,Theft,Laptop,2014-01-23,,2010-02-04,,2010 62,61,Beatrice Community Hospital and Health Center,NE,"McKesson Information Solutions, LLC",660,3/19/2010,Other,Paper,2014-01-23,,2010-03-19,,2010 63,62,Pediatric Sports and Spine Associates,TX,,955,2/10/2010,Theft,Laptop,2014-01-23,"An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. ",2010-02-10,,2010 64,63,"Affinity Health Plan, Inc.",NY,,344579,11/24/2009,Theft,Other,2014-05-28,,2009-11-24,,2009 65,64,Tomah Memorial Hospital,WI,,600,3/19/2010,Other,Other,2014-01-23,,2010-03-19,,2010 66,65,"Praxair Healthcare Services, Inc. (Home Care Supply in NY)",CT,,54165,2/18/2010,Theft,Laptop,2014-01-23,"A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. ",2010-02-18,,2010 67,66,Massachusetts Eye and Ear Infirmary,MA,,3594,2/19/2010,Theft,Laptop,2014-01-23,,2010-02-19,,2010 68,67,Blue Cross & Blue Shield of Rhode Island,RI,,12000,12/20/2009,Theft,Paper,2014-06-30,"A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. ",2009-12-20,,2009 69,68,South Carolina Department of Health and Environmental Control,SC,,2850,2/17/2010,Improper Disposal,Paper,2014-01-23,,2010-02-17,,2010 70,69,St. Joseph Heritage Healthcare,CA,,22012,3/6/2010,Theft,Desktop Computer,2014-01-23,"22 computers were stolen from Clinical Management Service office.Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. ",2010-03-06,,2010 71,70,Medical Center At Bowling Green,KY,,5148,3/24/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-03-24,,2010 72,71,GENERAL AGENCIES WELFARE BENEFITS PROGRAM,TN,TOWERS WATSON,1874,2/5/2010,Loss,Other,2014-01-23,,2010-02-05,,2010 73,72,UnitedHealth Group health plan single affiliated covered entity,MN,,735,3/2/2010,Theft,"Other, Paper",2014-01-23,,2010-03-02,,2010 74,73,South Texas Veterans Health Care System,TX,,1430,9/30/2009,"Loss, Improper Disposal",Paper,2014-01-23,,2009-09-30,,2009 75,74,Rockbridge Area Community Services,VA,,500,3/12/2010,Theft,"Laptop, Desktop Computer",2014-01-23,,2010-03-12,,2010 76,75,"Emergency Healthcare Physicians, Ltd.",IL,"Millennium Medical Management Resources, Inc.",180111,2/27/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-02-27,,2010 77,76,VA Eastern Colorado Health Care System,CO,,649,1/19/2010,Theft,Paper,2014-06-19,"A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. ",2010-01-19,,2010 78,77,Miami VA Healthcare System,FL,,568,1/19/2010,Loss,Paper,2014-01-23,,2010-01-19,,2010 79,78,"Heriberto Rodriguez-Ayala, M.D.",TX,,4200,4/3/2010,Theft,Laptop,2014-01-23,,2010-04-03,,2010 80,79,Georgetown University Hospital,DC,,2416,3/26/2010,"Theft, Other","E-mail, Other Portable Electronic Device",2014-01-23,"An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. ",2010-03-26,,2010 81,80,Silicon Valley Eyecare Optometry and Contact Lenses,CA,,40000,4/2/2010,Theft,Network Server,2014-01-23,,2010-04-02,,2010 82,81,Loma Linda University Health Care,CA,,584,4/4/2010,Theft,Desktop Computer,2014-01-23,,2010-04-04,,2010 83,82,Veterans Health Administration,DC,Heritage Health Solutions,656,4/22/2010,Theft,Laptop,2014-01-23,,2010-04-22,,2010 84,83,"State of New Mexico Human Services Department, Medical Assistance Division",NM,DentaQuest,9600,3/20/2010,Theft,Laptop,2014-01-23,,2010-03-20,,2010 85,84,Oconee Physician Practices,SC,,653,5/9/2010,Theft,Laptop,2014-01-23,,2010-05-09,,2010 86,85,University of Rochester Medical Center and Affiliates,NY,,2628,4/19/2010,Other,Paper,2014-01-23,,2010-04-19,,2010 87,86,Omaha Construction Industry Health and Welfare Plan,NE,DeBoer & Associates,800,1/11/2009,Theft,Laptop,2014-01-23,,2009-01-11,,2009 88,87,"City of Charlotte, NC (Health Plan)",NC,,5220,2/3/2010,Loss,Other,2014-01-23,,2010-02-03,,2010 89,88,VA North Texas Health Care System,TX,,4083,5/4/2010,Improper Disposal,Paper,2014-01-23,,2010-05-04,,2010 90,89,Rainbow Hospice and Palliative Care,IL,,1000,4/12/2010,Theft,Laptop,2014-01-23,"An employee's laptop was stolen out of her bag while she was making an admission visit in a patient's home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. ",2010-04-12,,2010 91,90,Cincinnati Childrens Hospital Medical Center ,OH,,60998,3/27/2010,Theft,Laptop,2014-01-23,,2010-03-27,,2010 92,91,Occupational Health Partners,KS,,1105,5/12/2010,Theft,Laptop,2014-01-23,,2010-05-12,,2010 93,92,"AvMed, Inc.",FL,,1220000,12/10/2009,Theft,Laptop,2014-06-30,"Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals.",2009-12-10,,2009 94,93,UnitedHealth Group health plan single affiliated covered entity,MN,,16291,1/26/2010,Other,Paper,2014-01-23,"Paper correspondence to certain members in UnitedHealth's prescription drug plans were in advertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verifications calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. ",2010-01-26,,2010 95,94,Lincoln Medical and Mental Health Center,NY,"Siemens Medical Solutions, USA, Inc",130495,3/24/2010,Theft,Other,2014-06-19,"The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CD's, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2010-03-24,,2010 96,95,"Nihal Saran, MD ",MI,,2300,5/2/2010,Theft,Laptop,2014-01-23,"A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. ",2010-05-02,,2010 97,96,"University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program",KY,,708,10/1/2008,Hacking/IT Incident,Network Server,2014-01-23,,2008-10-01,,2008 98,97,St. Jude Children's Research Hospital,TN,,1745,4/19/2010,Loss,Laptop,2014-01-23,,2010-04-19,,2010 99,98,TennCare,TN,DentaQuest,10515,3/20/2010,Theft,Laptop,2014-06-20,"A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2010-03-20,,2010 100,99,The Children's Medical Center of Dayton,OH,,1001,4/22/2010,Other,E-mail,2014-01-23,,2010-04-22,,2010 101,100,Comprehensive Care Management Corporation,NY,,1020,4/30/2010,Theft,"Laptop, Desktop Computer, Network Server, E-mail",2014-06-19,"OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI.",2010-04-30,,2010 102,101,alma aguado md pa,TX,,600,5/29/2010,Theft,Network Server,2014-04-23,"OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office. The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI.",2010-05-29,,2010 103,102,University Hospital,GA,"Augusta Data Storage, Inc",14000,5/7/2010,Loss,Other,2014-01-23,,2010-05-07,,2010 104,103,University Health System,NV,,7526,6/11/2010,Theft,Network Server,2014-01-23,,2010-06-11,,2010 105,104,"Sinai Hospital of Baltimore, Inc.",MD,"Aramark Healthcare Support Services, LLC",937,5/3/2010,Other,E-mail,2014-01-23,"A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. ",2010-05-03,,2010 106,105,"Mary M. Desch,MD/PathHealer, LTD",AZ,,5893,5/15/2010,Theft,Laptop,2014-01-23,,2010-05-15,,2010 107,106,Children's Hospital & Research Center at Oakland,CA,,1000,5/25/2010,Other,Paper,2014-01-23,,2010-05-25,,2010 108,107,Centerstone,TN,,1537,5/1/2010,Other,"Desktop Computer, Paper",2014-01-23,,2010-05-01,,2010 109,108,California Department of Healthcare Services,CA,Care 1st Health Plan,29000,4/29/2010,"Loss, Other","Other Portable Electronic Device, Other",2014-01-23,,2010-04-29,,2010 110,109,Long Island Consultation Center,NY,,800,5/21/2010,Theft,"Other Portable Electronic Device, Other",2014-06-19,"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. ",2010-05-21,,2010 111,110,NYU Hospitals Center,NY,,2563,5/8/2010,Theft,Other Portable Electronic Device,2014-05-28,"The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians' names, anesthesiologists' names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE stopped using USB drives and local desktop computers for data storage. In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies.",2010-05-08,,2010 112,111,University of Florida,FL,,2047,5/24/2010,Other,Paper,2014-01-23,,2010-05-24,,2010 113,112,SunBridge Healthcare Corporation,NM,,3830,5/11/2010,Theft,Laptop,2014-01-23,,2010-05-11,,2010 114,113,Department of Health Care Policy & Financing,CO,Governor's Office of Information Technology,105470,5/17/2010,Theft,Desktop Computer,2014-01-23,,2010-05-17,,2010 115,114,Prince William County Community Services (CS),VA,,669,6/18/2010,Theft,Other Portable Electronic Device,2014-01-23,,2010-06-18,,2010 116,115,"E. Brooks Wilkins Family Medicine, PA",NC,,13000,2/1/2010,Theft,"Desktop Computer, Other",2014-01-23,"The breach report indicated that former employees took protected health information (PHI) pertaining to 13,000 patients and disclosed it to a competing medical practice. The PHI included the names and contact information for the patients. Following the breach, the entity terminated the employees who impermissibly used and disclosed the PHI. OCR also confirmed that the entity complied with the provisions of the Breach Notification Rule and notified the affected individuals. Additionally, the entity retrained its staff regarding the policies and procedures for safeguarding of PHI. ",2010-02-01,,2010 117,116,John Deere Health Benefit Plan for Wage Employees,IL,UnitedHealthcare Insurance Company ,1097,6/24/2010,Other,Paper,2014-01-23,,2010-06-24,,2010 118,117,South Shore Hospital,MA,"Iron Mountain Data Products, Inc. (now known as ",800000,2/26/2010,Loss,"Other Portable Electronic Device, Other, Electronic Medical Record",2014-01-23,,2010-02-26,,2010 119,118,Montefiore Medical Center,NY,,16820,5/22/2010,Theft,Desktop Computer,2014-06-19,"Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). The ePHI included medical record numbers, dates of birth, admission /discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provide substitute notification by posting on its website. As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy.",2010-05-22,,2010 120,119,"DC Chartered Health Plan, Inc",DC,,540,5/26/2010,Theft,Laptop,2014-01-23,,2010-05-26,,2010 121,120,Montefiore Medical Center,NY,,23753,6/9/2010,Theft,Desktop Computer,2014-06-19,"OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals. The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras. Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy.",2010-06-09,,2010 122,121,Medina County OB/GYN,OH,,1200,6/13/2010,Improper Disposal,Paper,2014-01-23,,2010-06-13,,2010 123,122,The University of Texas at Arlington,TX,,27000,2/19/2009,Hacking/IT Incident,Network Server,2014-01-23,"A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. ",2009-02-19,,2009 124,123,Aetna,CT,,6372,3/29/2010,Improper Disposal,Paper,2014-01-23,,2010-03-29,,2010 125,124,Charles Mitchell MD,TX,,6873,6/27/2010,Theft,Desktop Computer,2014-06-30,"A burglary occurred at the covered entity's (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence.",2010-06-27,,2010 126,125,Humana Inc [case 4486],KY,Matrix Imaging,2631,6/25/2010,Other,Paper,2014-01-23,,2010-06-25,,2010 127,126,"WellPoint, Inc.",IN,,31700,11/3/2009,Hacking/IT Incident,Network Server,2014-01-23,,2009-11-03,,2009 128,127,Carolina Center for Development and Rehabilitation,NC,,1590,6/24/2010,Theft,Paper,2014-06-30,"The covered entity's (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients' full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver's license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney general's investigation and suspended the responsible staff members. Following OCR's investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. ",2010-06-24,,2010 129,128,Trinity Health Corporation Welfare Benefit Plan,MI,Mercer,1073,3/29/2010,Loss,Other,2014-01-23,,2010-03-29,,2010 130,129,Texas Children's Hospital,TX,,694,5/13/2010,Theft,Laptop,2014-01-23,,2010-05-13,,2010 131,130,Baylor College of Medicine,TX,,1646,5/13/2010,Theft,Laptop,2014-04-24,"An unencrypted laptop containing electronic protected health information (ePHI) of approximately 1,618 individuals was stolen from the covered entity's (CE) affiliate. The ePHI involved in the breach included names, medical reconciliation numbers, dates of service, diagnoses, and dates of birth. Upon discovery of the breach, the CE and its affiliate jointly notified the affected individuals, OCR, and the local media. Notifications were delayed at the request of law enforcement. Following OCR's investigation, the CE revised policies and procedures to require encryption of all mobile devices containing PHI and began encrypting all necessary devices in order to ensure reasonable safeguards.",2010-05-13,,2010 132,131,Wright State Physicians,OH,,1309,6/11/2010,Other,Laptop,2014-01-23,"On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. ",2010-06-11,,2010 133,132,Penn Treaty Network America Insurance Company ,PA,,560,6/4/2010,Other,Other,2014-01-23,"Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that the all mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures. ",2010-06-04,,2010 134,133,Aultman Hospital,OH,,13867,6/7/2010,Theft,Laptop,2014-01-23,,2010-06-07,,2010 135,134,Fort Worth Allergy and Asthma Associates,TX,,25000,6/29/2010,Theft,Network Server,2014-01-23,,2010-06-29,,2010 136,135,"Beauty Dental, Inc.",IL,,657,6/5/2010,"Theft, Loss",Paper,2014-01-23,"Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. ",2010-06-05,,2010 137,136,Walsh Pharmacy,MA,McKesson Pharmacy Systems LLC,11440,6/3/2010,Other,"Other Portable Electronic Device, Other",2014-01-23,,2010-06-03,,2010 138,137,Jewish Hospital,KY,,2089,7/16/2010,Theft,Laptop,2014-01-23,,2010-07-16,,2010 139,138,St. John's Mercy Medical Group,MO,,1907,6/7/2010,Improper Disposal,Paper,2014-01-23,"Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. ",2010-06-07,,2010 140,139,"Thomas Jefferson University Hospitals, Inc.",PA,,21000,6/14/2010,Theft,Laptop,2014-01-23,,2010-06-14,,2010 141,140,UNCG Speech and Hearing Center,NC,,2300,1/1/1997,Hacking/IT Incident,Desktop Computer,2014-01-23,,1997-01-01,,1997 142,141,Idaho Power Group Health Plan,ID,Mercer Health & Benefits,5500,3/29/2010,Loss,Other,2014-01-23,"Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. ",2010-03-29,,2010 143,142,Loma Linda University School of Dentistry,CA,,10100,6/13/2010,Theft,Desktop Computer,2014-01-23,,2010-06-13,,2010 144,143,"Ward A. Morris, DDS",WA,,2698,7/16/2010,Theft,Desktop Computer,2014-01-23,,2010-07-16,,2010 145,144,"Chattanooga Family Practice Associates, P.C.",TN,,1711,7/15/2010,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2010-07-15,,2010 146,145,Yale University,CT,,1000,7/28/2010,Theft,Laptop,2014-01-23,,2010-07-28,,2010 147,146,University of Kentucky,KY,,2027,6/18/2010,Theft,Laptop,2014-01-23,,2010-06-18,,2010 148,147,Cook County Health & Hospitals System,IL,,7081,5/30/2010,Theft,Laptop,2014-01-23,"An employee's laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. ",2010-05-30,,2010 149,148,"Eastmoreland Surgical Clinic, William Graham, DO",OR,,4328,7/5/2010,Theft,"Laptop, Desktop Computer, Other Portable Electronic Device, Other",2014-01-23,"Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. ",2010-07-05,,2010 150,149,SunBridge Healthcare Corporation,NM,,1000,6/26/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-06-26,,2010 151,150,Holyoke Medical Center,MA,Pioneer Valley Pathology,24750,7/26/2010,Improper Disposal,Paper,2014-01-23,,2010-07-26,,2010 152,151,Newark Beth Israel Medical Center,NJ,KPMG LLP,956,5/10/2010,Theft,"Other Portable Electronic Device, Other",2014-06-19,"OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CE's BA conducted a search of the area. The CE provided breach notification to HHS, the Media and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software to its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2010-05-10,,2010 153,152,Saint Barnabas Medical Center,NJ,KPMG LLP,3630,5/10/2010,Theft,Other Portable Electronic Device,2014-06-19,"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. ",2010-05-10,,2010 154,153,NYU School of Medicine--Aging and Dementia Clinical Research Center ,NY,,1200,4/3/2010,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2010-04-03,,2010 155,154,University of Rochester Medical Center and Affiliates,NY,,857,8/2/2010,Loss,Other Portable Electronic Device,2014-01-23,,2010-08-02,,2010 156,155,State of Delaware Health Plan,DE,Aon Consulting,22642,8/16/2010,Other,Network Server,2014-01-23,"The business associate prepared a document as part of a request for proposal for the covered entity's vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. ",2010-08-16,,2010 157,156,"Curtis R. Bryan, M.D.",VA,,2739,7/12/2010,Theft,Laptop,2014-01-23,,2010-07-12,,2010 158,157,Mayo Clinic,MN,,1740,7/15/2009,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2009-07-15,,2009 159,158,LabCorp Patient Service Center,NV,,507,8/2/2010,Theft,Paper,2014-01-23,,2010-08-02,,2010 160,159,The Kent Center ,RI,,1361,7/13/2010,Theft,Paper,2014-01-23,,2010-07-13,,2010 161,160,"Pediatric and Adult Allergy, PC",IA,,19222,7/11/2010,Loss,Other Portable Electronic Device,2014-01-23,,2010-07-11,,2010 162,161,Ault Chiropractic Center,IN,,2000,9/15/2010,Theft,"Laptop, Desktop Computer",2014-01-23,,2010-09-15,,2010 163,162,County of Los Angeles,CA,,33000,7/29/2010,Theft,Paper,2014-01-23,,2010-07-29,,2010 164,163,"Matthew H. Conrad, M.D., P.A.",KS,,1200,8/20/2010,Theft,"Laptop, Paper",2014-01-23,,2010-08-20,,2010 165,164,UnitedHealth Group health plan single affiliated covered entity,MN,CareCore National,1270,7/8/2010,Other,Paper,2014-01-23,,2010-07-08,,2010 166,165,Counseling and Psychotherapy of Throggs Neck,NY,,9000,9/6/2010,Theft,Desktop Computer,2014-01-23,,2010-09-06,,2010 167,166,United States Air Force,OH,,2123,7/29/2010,Improper Disposal,Paper,2014-01-23,,2010-07-29,,2010 168,167,"State of Alaska, Department of Health and Social Services",AK,Alaskan AIDS Assistance Association,2000,9/7/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-09-07,,2010 169,168,"St. Vincent Hospital and Health Care Center, Inc.",IN,,1199,7/25/2010,Theft,Laptop,2014-01-23,,2010-07-25,,2010 170,169,Milford Regional Medical Center,MA,,20000,7/26/2010,Improper Disposal,Paper,2014-01-23,,2010-07-26,,2010 171,170,"Alliance HealthCare Services, Inc.",CA,Oroville Hospital,1474,7/31/2010,Theft,"Other Portable Electronic Device, Other",2014-04-24,"The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. ",2010-07-31,,2010 172,171,"Alliance HealthCare Services, Inc.",CA,Eden Medical Center,1474,8/5/2010,Theft,"Other Portable Electronic Device, Other",2014-06-24,"The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients' names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients' ePHI, and encrypted portable electronic computer devices.",2010-08-05,,2010 173,172,NewYork-Presbyterian Hospital and Columbia University Medical Center,NY,,6800,7/1/2010,Theft,Network Server,2014-06-19,"Data breach results in $4.8 million HIPAA settlements Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet. In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. 'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.' NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. ",2010-07-01,,2010 174,173,St. James Hospital and Health Centers,IL,,967,8/10/2010,Improper Disposal,Paper,2014-01-23,,2010-08-10,,2010 175,174,"University of Oklahoma - Tulsa, Neurology Clinic",OK,,19200,7/28/2010,Hacking/IT Incident,Desktop Computer,2014-01-23,,2010-07-28,,2010 176,175,"LORENZO BROWN, MD INC.",CA,,928,8/17/2010,Theft,Desktop Computer,2014-01-23,,2010-08-17,,2010 177,176,"Milton Pathology Associates, P.C.",MA,Joseph A. Gagnon d/b/a Goldthwait Associates,11000,7/26/2010,Improper Disposal,Paper,2014-01-23,,2010-07-26,,2010 178,177,WESTMED Medical Group,NY,,578,8/17/2010,Theft,Laptop,2014-06-19,"An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR's investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. ",2010-08-17,,2010 179,178,"Debra C. Duffy, DDS",TX,,4700,8/5/2010,Theft,"Laptop, Network Server",2014-01-23,"An unencrypted laptop and network server were stolen during a burglary of the office.The breach affected approximately 4700 individuals.The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. ",2010-08-05,,2010 180,179,"Cumberland Gastroenterology, P.S.C.",KY,,2200,9/18/2010,Theft,Paper,2014-01-23,,2010-09-18,,2010 181,180,Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan,MD,,692,6/15/2010,Other,Other,2014-01-23,"Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. ",2010-06-15,,2010 182,181,LoneStar Audiology Group,TX,,585,8/11/2010,Theft,Laptop,2014-01-23,"A laptop was stolen from a workforce member's home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR's investigation, the encryption of the laptops was completed. ",2010-08-11,,2010 183,182,Utah Department of Health,UT,Utah Department of Workforce Services,1298,3/1/2010,Other,"Desktop Computer, Paper",2014-01-23,,2010-03-01,,2010 184,183,SW Seattle Orthopaedic and Sports Medicine,WA,,9493,9/4/2010,Hacking/IT Incident,Network Server,2014-01-23,"A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. ",2010-09-04,,2010 185,184,University of Arkansas for Medical Sciences,AR,,1000,10/12/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-10-12,,2010 186,185,"BlueCross BlueShield of Tennessee, Inc.",TN,,1023209,10/2/2009,Theft,Other,2014-01-23,,2009-10-02,,2009 187,186,Northridge Hospital Medical Center,CA,,716,10/16/2010,Loss,Paper,2014-01-23,,2010-10-16,,2010 188,187,Puerto Rico Department of Health,PR,"Triple-S Management, Corp.; Triple-S Salud, Inc.; ",475000,10/3/2008,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2008-10-03,,2008 189,188,"Aetna, Inc.",CT,,2345,9/9/2010,Unauthorized Access/Disclosure,Network Server,2014-01-23,"Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna's emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. ",2010-09-09,,2010 190,189,Sta-home Health & Hospice,MS,,1104,9/16/2010,Theft,Desktop Computer,2014-01-23,,2010-09-16,,2010 191,190,Puerto Rico Department of Health,PR,Medical Card System/MCS-HMO/MCS Advantage/MCS Life,115000,9/3/2010,Unauthorized Access/Disclosure,"Other Portable Electronic Device, Other",2014-01-23,,2010-09-03,,2010 192,191,VNA of Southeastern Ct.,CT,,12000,9/30/2010,Theft,Laptop,2014-01-23,,2010-09-30,,2010 193,192,"Prime Home Care, LLC",NE,,1550,9/13/2010,Theft,Desktop Computer,2014-01-23,,2010-09-13,,2010 194,193,Visiting Nurse Service Association of Schenectady County,NY,,535,9/14/2010,Theft,Laptop,2014-06-19,"An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCR's investigation, the CE disabled the involved staff member's account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff.",2010-09-14,,2010 195,194,"Manor Care Indy (South), LLC.",IN,,845,9/11/2010,Unauthorized Access/Disclosure,Paper,2014-01-23,,2010-09-11,,2010 196,195,"Robert Wheatley, DDS, PC",MO,,1400,10/17/2010,Theft,Laptop,2014-01-23,,2010-10-17,,2010 197,196,Henry Ford Hospital,MI,,3700,9/24/2010,Theft,Laptop,2014-01-23,,2010-09-24,,2010 198,197,Holy Cross Hospital,FL,,1500,7/27/2010,Theft,Paper,2014-01-23,,2010-07-27,,2010 199,198,Newark Beth Israel Medical Center,NJ,"Professional Transcription Company, Inc.",1744,1/1/2010,Theft,Network Server,2014-06-19,"The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. Upon discovery of the breach, the BA shut down the applicable server. The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2010-01-01,,2010 200,199,Memorial Hospital of Gardena,CA,,771,10/14/2010,Unauthorized Access/Disclosure,Paper,2014-01-23,,2010-10-14,,2010 201,200,Oklahoma City VA Medical Center,OK,,1950,10/8/2010,"Theft, Loss, Improper Disposal",Paper,2014-01-23,,2010-10-08,,2010 202,201,Albert Einstein Healthcare Network,PA,,613,10/21/2010,Theft,Desktop Computer,2014-01-23,,2010-10-21,,2010 203,202,Kings County Hospital Center,NY,,542,8/22/2010,Theft,Desktop Computer,2014-06-19,"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop.",2010-08-22,,2010 204,203,University of Tennessee Medical Center,TN,,8200,9/23/2009,Improper Disposal,Paper,2014-01-23,,2009-09-23,,2009 205,204,Ochsner Health System,LA,H.E.L.P. Financial Corporation,9475,9/27/2010,Unauthorized Access/Disclosure,Paper,2014-01-23,"A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals.The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media. ",2010-09-27,,2010 206,205,zarzamora family dental care,TX,,800,10/15/2010,Theft,Desktop Computer,2014-01-23,,2010-10-15,,2010 207,206,Hospital Auxilio Mutuo,PR,,1000,11/9/2010,"Theft, Unauthorized Access/Disclosure, Hacking/IT Incident","Laptop, Desktop Computer",2014-01-23,,2010-11-09,,2010 208,207,Pinnacle Health System,PA,"Gair Medical Transcription Services, Inc.",1085,10/1/2008,Unauthorized Access/Disclosure,Network Server,2014-01-23,"Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found that that all traces of breached medical reports were removed from online and inaccessible in the future. ",2008-10-01,,2008 209,208,"Gary C. Spinks, DMD, PC",MD,,1000,9/29/2010,Hacking/IT Incident,"Desktop Computer, Network Server",2014-01-23,,2010-09-29,,2010 210,209,Cook County Health & Hospitals System,IL,,556,11/1/2010,Theft,Desktop Computer,2014-01-23,,2010-11-01,,2010 211,210,"Dean Health Systems, Inc.; St. Mary's Hospital; St. Marys Dean Ventures, Incorporated",WI,,3288,11/8/2010,Theft,Laptop,2014-01-23,,2010-11-08,,2010 212,211,Riverside Mercy Hospital and Ohio/Mercy Diagnostics,OH,,1000,3/29/2003,Improper Disposal,Paper,2014-01-23,,2003-03-29,,2003 213,212,California Therapy Solutions,CA,,1250,11/11/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-11-11,,2010 214,213,Osceola Medical Center,WI,Hils Transcription,585,11/25/2010,Unauthorized Access/Disclosure,Other,2014-01-23,,2010-11-25,,2010 215,214,Indiana Family and Social Services Administration,IN,The Southwestern Indiana Regional Council on Aging,757,11/4/2010,Theft,Laptop,2014-01-23,,2010-11-04,,2010 216,215,Mankato Clinic,MN,,3159,11/1/2010,Theft,Laptop,2014-01-23,,2010-11-01,,2010 217,216,Geisinger Wyoming Valley Medical Center,PA,,2928,11/3/2010,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2010-11-03,,2010 218,217,Our Lady of Peace Hospital,KY,,24600,3/31/2010,"Theft, Loss","Other Portable Electronic Device, Other",2014-01-23,,2010-03-31,,2010 219,218,International Union of Operating Engineers Health and Welfare Fund ,MD,"Zenith Administrators, Inc.",800,10/25/2010,Theft,Paper,2014-01-23,,2010-10-25,,2010 220,219,"Southern Perioperative Services, P.C.",AL,,2000,11/17/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-11-17,,2010 221,220,Keystone/AmeriHealth Mercy Health Plans,PA,,808,9/20/2010,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2010-09-20,,2010 222,221,"Ankle + Foot Center of Tampa Bay, Inc.",FL,,156000,10/28/2010,Theft,Network Server,2014-06-30,"The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records.",2010-10-28,,2010 223,222,OhioHealth Corporation dba Grant Medical Center,OH,,501,1/1/2008,Theft,"Laptop, Desktop Computer",2014-01-23,,2008-01-01,,2008 224,223,"Seacoast Radiology, PA",NH,,231400,11/12/2010,Hacking/IT Incident,Network Server,2014-01-23,,2010-11-12,,2010 225,224,Friendship Center Dental Office,FL,,2200,12/19/2010,Theft,Laptop,2014-01-23,,2010-12-19,,2010 226,225,Centra,VA,,11982,11/11/2010,Theft,Laptop,2014-01-23,,2010-11-11,,2010 227,226,St.Vincent Hospital - Indianapolis,IN,,1848,11/12/2010,Hacking/IT Incident,"Network Server, E-mail",2014-01-23,,2010-11-12,,2010 228,227,Texas Health Harris Methodist Hospital Azle,TX,,9922,4/7/2010,"Theft, Loss","Other Portable Electronic Device, Other",2014-01-23,,2010-04-07,,2010 229,228,Franciscan Medical Group,WA,,1250,11/18/2010,Theft,Desktop Computer,2014-01-23,,2010-11-18,,2010 230,229,State of South Carolina Budget and Control Board Employee Insurance Program (EIP),SC,,5596,11/8/2010,Hacking/IT Incident,Desktop Computer,2014-01-23,,2010-11-08,,2010 231,230,Lake Woods Nursing & Rehabilitation Center,MI,,656,12/28/2010,Theft,"Laptop, Desktop Computer",2014-01-23,,2010-12-28,,2010 232,231,"Benefit Resources, Inc.",SC,Travis Software Corp.,16200,10/13/2010,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2010-10-13,,2010 233,232,Baptist Memorial Hospital - Huntingdon,TN,J. A. Still Corporation,4800,11/27/2010,Theft,Other,2014-04-23,"Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database.",2010-11-27,,2010 234,233,"Grays Harbor Pediatrics, PLLC",WA,,12009,11/23/2010,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2010-11-23,,2010 235,234,"Hanger Prosthetics & Orthotics, Inc.",TX,,4486,11/24/2010,Theft,Laptop,2014-01-23,"An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use. ",2010-11-24,,2010 236,235,Baylor Heart and Vascular Center,TX,,8241,12/2/2010,Theft,"Other Portable Electronic Device, Other",2014-04-23,"A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards.",2010-12-02,,2010 237,236,"CHC MEMPHIS CMHC, LLC",TN,,500,12/4/2010,Theft,Desktop Computer,2014-01-23,,2010-12-04,,2010 238,237,Jefferson Center for Mental Health,CO,,546,12/13/2010,Theft,Paper,2014-01-23,,2010-12-13,,2010 239,238,Green River District Health Department,KY,Integranetics,18871,1/12/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-01-12,,2011 240,239,"Ortho Montana, PSC",MT,,37000,1/8/2011,"Theft, Loss",Laptop,2014-02-14,,2011-01-08,,2011 241,240,Cancer Care Northwest P.S.,WA,,3100,1/7/2011,Theft,Paper,2014-06-30,"The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website.",2011-01-07,,2011 242,241,Saint Louis University,MO,,800,12/11/2010,Hacking/IT Incident,Desktop Computer,2014-01-23,,2010-12-11,,2010 243,242,New York City Health & Hospitals Corporation's North Bronx Healthcare Network,NY,GRM Information Management Services,1700000,12/23/2010,Theft,"Other, Electronic Medical Record",2014-05-28,"Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA). The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2010-12-23,,2010 244,243,Long Beach Memorial Medical Center,CA,,2250,12/10/2010,Unauthorized Access/Disclosure,Other,2014-01-23,,2010-12-10,,2010 245,244,Walgreen Co.,IL,Business Express,2700,1/26/2011,Theft,"Other Portable Electronic Device, Other",2014-06-10,,2011-01-26,,2011 246,245,"Charleston Area Medical Center, Inc",WV,Xforia Web Services,3655,2/8/2011,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2011-02-08,,2011 247,246,Mountain Vista Medical Center,AZ,,2291,10/13/2010,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2010-10-13,,2010 248,247,Departamento de Salud de Puerto Rico,PR,,2621,3/14/2010,Unknown,Desktop Computer,2014-01-23,,2010-03-14,,2010 249,248,Henry Ford Hospital,MI,,2777,1/31/2011,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2011-01-31,,2011 250,249,"Central Brooklyn Medical Group, PC",NY,,500,8/3/2010,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. ",2010-08-03,,2010 251,250,TRICARE Management Activity,CO,,4500,6/25/2010,Unauthorized Access/Disclosure,Paper,2014-01-23,,2010-06-25,,2010 252,251,Blue Cross and Blue Shield of Florida ,FL,,7366,10/16/2010,Unknown,Other,2014-01-23,,2010-10-16,,2010 253,252,"University Health Services, University of Massachusetts, Amherst",MA,,942,9/29/2010,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2010-09-29,,2010 254,253,"Omnicare, Inc",KY,,8845,1/19/2011,Theft,Laptop,2014-01-23,,2011-01-19,,2011 255,254,"JEFFREY J. SMITH, MD",OK,,600,11/24/2010,Loss,"Desktop Computer, Other Portable Electronic Device, Other",2014-01-23,,2010-11-24,,2010 256,255,University of Missouri Health Plan,MO,"Coventry Health Care, Inc.",765,1/10/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-01-10,,2011 257,256,Texas Health Arlington Memorial Hospital,TX,,654,12/23/2010,Unknown,Electronic Medical Record,2014-01-23,"The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees. ",2010-12-23,,2010 258,257,NYU School of Medicine Faculty Group Practice,NY,,670,1/27/2011,Theft,Desktop Computer,2014-06-19,"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance.",2011-01-27,,2011 259,258,"Rape & Brooks Orthodontics, P.C.",AL,,20744,2/3/2011,Theft,"Desktop Computer, Network Server, Other Portable Electronic Device, Other",2014-01-23,,2011-02-03,,2011 260,259,Clarksburg - Louis A. Johnson VA Medical Center,WV,,1470,10/26/2010,Unauthorized Access/Disclosure,Paper,2014-01-23,,2010-10-26,,2010 261,260,County of Los Angeles,CA,,667,2/23/2011,Theft,Laptop,2014-01-23,,2011-02-23,,2011 262,261,EISENHOWER MEDICAL CENTER,CA,,514330,3/11/2011,Theft,Desktop Computer,2014-01-23,,2011-03-11,,2011 263,262,Catholic Social Services,AK,Trisha Elaine Cordova,1700,2/1/2011,Theft,Laptop,2014-06-30,"A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers. At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media.",2011-02-01,,2011 264,263,"Park Avenue Obstetrics & Gynecology, PC",AZ,,635,3/25/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-03-25,,2011 265,264,"Brian J Daniels D.D.S.,Paul R Daniels D.D.S.",AZ,,10000,3/1/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-03-01,,2011 266,265,MidState Medical Center,CT,Hartford Hospital,93500,2/14/2011,Loss,Other,2014-01-23,,2011-02-14,,2011 267,266,"Patient Care Services at Saint Francis, Inc.",OK,,84000,1/13/2011,Theft,Network Server,2014-03-13,,2011-01-13,,2011 268,267,Union Security Insurance Company,MO,,935,2/18/2011,Unauthorized Access/Disclosure,Other,2014-01-23,,2011-02-18,,2011 269,268,Oklaholma State Dept. of Health,OK,,132940,4/6/2011,Theft,"Laptop, Paper",2014-04-23,,2011-04-06,,2011 270,269,Aiken Community Based Outpatient Clinic,SC,,2717,2/16/2011,Improper Disposal,Paper,2014-01-23,,2011-02-16,,2011 271,270,"Health Net, Inc.",CA,IBM,1900000,1/21/2011,Unknown,Other,2014-01-23,,2011-01-21,,2011 272,271,SW General Inc,AZ,,566,5/1/2004,Theft,Paper,2014-01-23,,2004-05-01,,2004 273,272,Fairview Health Services,MN,,1215,2/19/2011,Loss,Paper,2014-01-23,,2011-02-19,,2011 274,273,Time Insurance Company,WI,"Healthcare Solutions Team, LLC",675,2/1/2011,Unauthorized Access/Disclosure,Other,2014-04-23,,2011-02-01,,2011 275,274,Community Action partnership of Natrona County,WY,,15000,2/23/2011,Hacking/IT Incident,Desktop Computer,2014-01-23,,2011-02-23,,2011 276,275,"Keith & Fisher, DDS, PA",NC,,6000,2/16/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-02-16,,2011 277,276,MacNeal Hospital,IL,,845,3/10/2011,Hacking/IT Incident,"Laptop, Desktop Computer, Network Server, E-mail",2014-03-24,,2011-03-10,,2011 278,277,West Lake Hospital ,IL,,686,3/10/2011,Hacking/IT Incident,"Laptop, Desktop Computer, Network Server, E-mail",2014-03-24,,2011-03-10,,2011 279,278,Phoenix Health Plan,AZ,,9393,3/10/2011,Hacking/IT Incident,"Laptop, Desktop Computer, Network Server, E-mail",2014-04-23,,2011-03-10,,2011 280,279,MacNeal Physician Group,IL,,532,3/10/2011,Hacking/IT Incident,"Laptop, Desktop Computer, Network Server, E-mail",2014-03-24,,2011-03-10,,2011 281,280,Genesis Clinical Laboratory,IL,,1070,3/10/2011,Hacking/IT Incident,"Laptop, Desktop Computer, Network Server, E-mail",2014-03-24,,2011-03-10,,2011 282,281,Knox Community Hospital,OH,,500,10/1/2010,Improper Disposal,Other,2014-01-23,,2010-10-01,,2010 283,282,Speare Memorial Hospital,NH,,5960,4/2/2011,Theft,Laptop,2014-03-13,,2011-04-02,,2011 284,283,Methodist Charlton Medical Center,TX,,1500,4/16/2011,Theft,Laptop,2014-01-23,"An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards. ",2011-04-16,,2011 285,284,Drs Edalji and Komer,MA,,563,4/12/2011,Theft,Laptop,2014-01-23,,2011-04-12,,2011 286,285,Reid Hospital & Health Care Services,IN,,22001,4/2/2011,Theft,Laptop,2014-01-23,,2011-04-02,,2011 287,286,Union Security Insurance Company,MO,,850,3/24/2011,Unauthorized Access/Disclosure,Other,2014-01-23,,2011-03-24,,2011 288,287,Indiana Regional Medical Center,PA,,1388,9/28/2010,Theft,Paper,2014-01-23,,2010-09-28,,2010 289,288,"MMM Healthcare, Inc.",PR,,32390,3/8/2011,Theft,Desktop Computer,2014-01-23,,2011-03-08,,2011 290,289,PMC Medicare Choice,PR,,24361,3/8/2011,Theft,Desktop Computer,2014-01-23,,2011-03-08,,2011 291,290,CVS CAREMARK,AZ,,654,1/17/2011,"Theft, Unauthorized Access/Disclosure",Paper,2014-04-23,,2011-01-17,,2011 292,291,CENTER FOR ARTHRITIS & RHEUMATIC DISEASES,FL,,8000,1/1/2011,Theft,"Other, Paper",2014-01-23,,2011-01-01,,2011 293,292,"Robert B. Miller, MD",CA,,620,4/1/2011,Theft,Laptop,2014-01-23,,2011-04-01,,2011 294,293,Imaging Center of Garland,TX,,1031,3/15/2011,Improper Disposal,Other,2014-01-23,,2011-03-15,,2011 295,294,New York State Department of Health,NY,St. Mary's Hospital for Children,550,4/17/2011,Theft,Paper,2014-06-03,"A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2011-04-17,,2011 296,295,St. Mary's Hospital for Children,NY,,550,4/17/2011,Theft,Paper,2014-06-02,"A laptop computer containing the protected health information (PHI) of approximately 550 individuals was stolen from the vehicle of the business associate's (BA) workforce member. The PHI included names, dates of birth, gender identities, names of nursing homes, and Medicaid numbers of the covered entity's (CE) patients. Following the breach, the BA terminated the employee who was involved in the breach and provided credit monitoring services to the affected individuals. The BA also re-trained its staff. Following OCR's investigation, the CE and the BA reviewed the BA's contractual obligations relating to PHI during an in-person meeting. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2011-04-17,,2011 297,296,Medicare Fee-for-Service Program,MD,"Cahaba Government Benefit Administrators, LLC",13412,4/11/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-04-11,,2011 298,297,VA Caribbean Healthcare System,PR,,6006,3/30/2011,Theft,Paper,2014-06-19,"An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures.",2011-03-30,,2011 299,298,Blue Cross Blue Shield of Michigan,MI,Agent Benefits Corporation,11387,11/17/2010,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2010-11-17,,2010 300,299,Spartanburg Regional Healthcare System,SC,,400000,3/28/2011,Theft,Desktop Computer,2014-01-23,,2011-03-28,,2011 301,300,Saint Joseph - Berea,KY,,1986,4/14/2011,"Theft, Loss","Other Portable Electronic Device, Other",2014-04-23,,2011-04-14,,2011 302,301,Navos,WA,,2700,3/15/2011,Unknown,Paper,2014-01-23,,2011-03-15,,2011 303,302,"Dunes Family Health Care, P.C",OR,Lower Umpqua Hospital,17000,3/11/2011,Theft,"Other Portable Electronic Device, Other",2014-02-14,,2011-03-11,,2011 304,303,"Metropolitan Community Health Services, Inc.",NC,,1263,5/18/2011,Unknown,E-mail,2014-04-23,,2011-05-18,,2011 305,304,TUBA CITY REGIONAL HEALTH CARE CORPORATION,AZ,,2000,4/1/2011,"Loss, Improper Disposal",Paper,2014-01-23,,2011-04-01,,2011 306,305,"FOOTHILLS NEPHROLOGY, PC",SC,,1280,4/28/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-04-28,,2011 307,306,Sutter Gould Medical Foundation (SGMF),CA,Fidelity National Technology Imaging (FNTI),1192,5/23/2011,Loss,Paper,2014-01-23,,2011-05-23,,2011 308,307,Silverpop Systems Inc. Health and Welfare Plan,GA,,884,4/15/2011,Theft,Laptop,2014-01-23,,2011-04-15,,2011 309,308,New River Health Association,WV,,950,4/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-04-01,,2011 310,309,HealthCare Partners,CA,,15677,4/17/2011,Theft,Desktop Computer,2014-01-23,,2011-04-17,,2011 311,310,"Gene S. J. Liaw, MD. PS",WA,,1105,4/4/2011,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2011-04-04,,2011 312,311,Blue Cross and Blue Shield of Florida ,FL,,3463,4/11/2011,Unauthorized Access/Disclosure,Other,2014-01-23,,2011-04-11,,2011 313,312,"NOL, LLC d/b/a Premier Radiology",TN,,810,5/7/2011,Theft,Laptop,2014-04-23,,2011-05-07,,2011 314,313,"Advanced Diagnostic Imaging, P.C.",TN,,705,5/7/2011,Theft,Laptop,2014-04-23,,2011-05-07,,2011 315,314,University of Missouri Health Care,MO,,1288,6/14/2011,Unknown,Paper,2014-01-23,,2011-06-14,,2011 316,315,Accendo,AZ,,175350,1/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-01-01,,2011 317,316,Ohio Health Plans,OH,"Area Agency on Aging, Ohio District 5",78042,6/3/2011,Theft,Laptop,2014-01-23,,2011-06-03,,2011 318,317,"Gail Gillespie and Associates, LLC",LA,,2000,6/25/2011,Theft,"Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record",2014-01-23,,2011-06-25,,2011 319,318,Health Plan of San Mateo,CA,,694,4/25/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-04-25,,2011 320,319,Department of Health Care Policy and Financing,CO,Department of Personnel and Administration,3589,5/6/2011,Loss,Other,2014-02-14,,2011-05-06,,2011 321,320,Yanez Dental Corporation,CA,,10190,5/22/2011,Theft,"Desktop Computer, Network Server",2014-01-23,,2011-05-22,,2011 322,321,Jackson Health System,FL,,1562,10/1/2008,Unauthorized Access/Disclosure,"Other, Electronic Medical Record",2014-01-23,,2008-10-01,,2008 323,322,The Mount Sinai Hospital,NY,,712,6/7/2011,Theft,Laptop,2014-06-02,"Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls.",2011-06-07,,2011 324,323,Troy Regional Medical Center,AL,,880,3/22/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-03-22,,2011 325,324,Lansing Community College,MI,AssureCare Risk Management,5000,5/9/2011,Hacking/IT Incident,Network Server,2014-03-24,,2011-05-09,,2011 326,325,Dr Axel Velez,PR,,2800,6/19/2011,Theft,Desktop Computer,2014-03-13,,2011-06-19,,2011 327,326," DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale",GA,,7500,7/11/2010,Theft,Paper,2014-01-23,,2010-07-11,,2010 328,327,Beth Israel Deaconess Medical Center,MA,,2021,4/17/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-04-17,,2011 329,328,"Gypsum Management and Supply, Inc. Medical and Dental Plan",GA,"Assurecare Risk Management, Inc.",25330,5/9/2011,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2011-05-09,,2011 330,329,"Andersen Air Force Base, Guam",VA,,700,5/13/2011,Improper Disposal,Paper,2014-01-23,,2011-05-13,,2011 331,330,Molina Medicare,CA,"RxAmerica, a subsidiary of CVS Caremark",4573,1/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-01-01,,2011 332,331,Windsor Health Plan,TN,RxAmerica LLC,1378,3/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-03-01,,2011 333,332,Health Care Service Corporation,IL,,501,6/28/2011,Theft,Paper,2014-01-23,,2011-06-28,,2011 334,333,University of Kentucky - UK HealthCare,KY,,3604,6/7/2011,Theft,Laptop,2014-04-23,,2011-06-07,,2011 335,334,"Austin Center for Therapy and Assessment, LLC",TX,,1870,7/8/2011,Theft,Laptop,2014-04-24,"An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software.",2011-07-08,,2011 336,335,Treatment Services Northwest,OR,,1200,7/8/2011,Theft,Desktop Computer,2014-01-23,,2011-07-08,,2011 337,336,Mills-Peninsula Health Services,CA,,1500,11/1/2009,Unauthorized Access/Disclosure,Paper,2014-01-23,,2009-11-01,,2009 338,337,Brigham and Women's Hospital and Faulkner Hospital ,MA,,638,6/21/2011,Theft,Other Portable Electronic Device,2014-06-30,"A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above.",2011-06-21,,2011 339,338,"Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan ",IN,"AssureCare Risk Management, Inc.",506,5/9/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-05-09,,2011 340,339,Monmouth Medical Center,NJ,MedAssets,6443,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,443 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Monmouth Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 341,340,Clara Maass Medical Center,NJ,Med Assets,8795,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 342,341,Newark Beth Israel Medical Center,NJ,MedAssets,15015,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 15,015 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Newark Beth Israel Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 343,342,Saint Barnabas Medical Center,NJ,MedAssets,6179,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,179 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Saint Barnabas Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 344,343,Washington State Department of Social and Health Services,WA,,3950,7/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-07-01,,2011 345,344,St. Francis Hospital,DE,,948,6/1/2011,Loss,"Other Portable Electronic Device, Other",2014-06-10,,2011-06-01,,2011 346,345,"Reznick Group, P.C.",MD,Assure Care Risk Management,2459,5/9/2011,Hacking/IT Incident,Network Server,2014-03-25,,2011-05-09,,2011 347,346,The Neurological Institute of Savannah & Center for Spine,GA,,63425,7/2/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-07-02,,2011 348,347,Kimball Medical Center,NJ,MedAssets,6785,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,785 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Kimball Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 349,348,Community Medical Center,NJ,MedAssets,6950,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-06-19,"An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,950 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Community Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-06-24,,2011 350,349,American Health Medicare ,PR,Accuprint ,5848,6/1/2011,Theft,Other,2014-06-03,"The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI.",2011-06-01,,2011 351,350,Texas Health Presbtyerian Hospital Flower Mound,TX,Texas Health Partners,10345,6/21/2011,Theft,Laptop,2014-01-23,,2011-06-21,,2011 352,351,Capron Rescue Squad District,IL,,815,2/5/2011,Unauthorized Access/Disclosure,Laptop,2014-01-23,,2011-02-05,,2011 353,352,Cook County Health & Hospitals System,IL,MedAssets,32008,6/24/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-06-24,,2011 354,353,Lexington VAMC,KY,,1432,5/23/2011,Theft,"Laptop, Other Portable Electronic Device, Paper",2014-06-03,"The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member's residence. The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review. ",2011-05-23,,2011 355,354,"Dr. Victoria Falcone, Falcone Cosmetic Services, PC, Falcone Cosmetic Services of NJ, PC",PA,"SpaMed Solutions, LLC, Edward McMenamin President,",3000,8/14/2011,"Theft, Unauthorized Access/Disclosure","Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record, Paper",2014-06-10,,2011-08-14,,2011 356,355,"HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER",IL,,2000,7/1/2011,Theft,"Desktop Computer, Network Server",2014-01-23,,2011-07-01,,2011 357,356,Stanford Hospital & Clinics,CA,"Multi-Speciality Collection Services, LLC",19651,9/9/2010,Unauthorized Access/Disclosure,Other,2014-01-23,,2010-09-09,,2010 358,357,"Muir Orthopaedic Specialists, A Medical Group Inc.",CA,,1800,7/27/2011,Theft,Paper,2014-01-23,,2011-07-27,,2011 359,358,NEA Baptist Clinic,AR,,3116,7/12/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-07-12,,2011 360,359,Jonathan Noel MD,IN,,2059,7/13/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-07-13,,2011 361,360,Texas Health and Human Services Commission,TX,,1696,3/10/2011,Theft,Laptop,2014-01-23,"An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees. ",2011-03-10,,2011 362,361,University of Wisconsin Oshkosh,WI,Living Healthy Community Clinic,3000,7/18/2011,Hacking/IT Incident,Desktop Computer,2014-01-23,,2011-07-18,,2011 363,362,Centro de Ortodoncia Inc.,PR,,2000,5/6/2010,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach.",2010-05-06,,2010 364,363,"John T. Melvin, M.D.& Associates",TX,,2541,8/9/2011,Theft,Paper,2014-03-13,,2011-08-09,,2011 365,364,"Diversified Resources, Inc.",GA,,863,8/11/2011,Theft,Laptop,2014-01-23,,2011-08-11,,2011 366,365,VA Gulf Coast Veterans Health Care System,MS,,1797,7/21/2011,Theft,Paper,2014-06-20,"The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. ",2011-07-21,,2011 367,366,Freda J Bowman MD PA,TX,,1300,9/20/2011,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2011-09-20,,2011 368,367,"Bonney Lake Medical Center and Mythili R. Ramachandran, MD",WA,,2367,8/12/2011,Theft,"Laptop, Desktop Computer",2014-02-14,,2011-08-12,,2011 369,368,United States Steel Corporation Plan for Active Employee Insurance Benefits and the United States Steel Corporation Plan for Retiree Insurance Benefits,PA,"Benefits Administration Services, Inc.",4000,8/15/2011,Loss,"Other Portable Electronic Device, Other",2014-03-24,,2011-08-15,,2011 370,369,VA Illiana Health Care System,IL,,518,7/14/2011,Loss,Paper,2014-01-23,,2011-07-14,,2011 371,370,Health Texas Provider Network,TX,,1259,7/27/2011,Theft,Laptop,2014-03-13,,2011-07-27,,2011 372,371,Blue Cross of Northeastern Pennsylvania,PA,"AllOne Health Management Solutions, Inc.",507,9/9/2011,"Theft, Unauthorized Access/Disclosure","Laptop, Paper",2014-03-24,,2011-09-09,,2011 373,372,NYU Hospital for Joint Diseases Inventory Management Department,NY,,2600,6/23/2011,Theft,Paper,2014-06-20,"A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not property secured. The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks.",2011-06-23,,2011 374,373,WAYNE HIGHLANDS SCHOOL DISTRICT,PA,FIRST PRIORITY LIFE INSURANCE COMPANY,579,9/9/2011,"Theft, Unauthorized Access/Disclosure",Paper,2014-06-10,,2011-09-09,,2011 375,374,"Summit Medical Group, PLLC",TN,,731,9/4/2011,Theft,Paper,2014-01-23,,2011-09-04,,2011 376,375,MAPFRE Life,PR,,2209,8/5/2011,Theft,Other,2014-03-13,,2011-08-05,,2011 377,376,American Continental Insurance Company,TN,Futurity First Insurance Group,690,7/28/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-07-28,,2011 378,377,United of Omaha Life Insurance Company,NE,Futurity First Insurance Group,1631,7/28/2011,Loss,"Other Portable Electronic Device, Other",2014-01-23,,2011-07-28,,2011 379,378,Mutual of Omaha Insurance Company,NE,Futurity First Insurance Group,705,7/28/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-07-28,,2011 380,379,Henry Ford Health System,MI,,520,8/8/2011,Theft,Desktop Computer,2014-01-23,,2011-08-08,,2011 381,380,Indiana University,IN,,3266,8/16/2011,Theft,Laptop,2014-01-23,,2011-08-16,,2011 382,381,"Adult & Pediatric Dermatology, PC",MA,,2200,9/14/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-09-14,,2011 383,382,The Nemours Foundation,FL,,1055489,8/10/2011,Loss,Other,2014-01-23,,2011-08-10,,2011 384,383,"California Industrial Medicine, Inc.",CA,"Thomas J O'Laughlin, MD",700,9/28/2011,"Theft, Unauthorized Access/Disclosure",Paper,2014-02-14,,2011-09-28,,2011 385,384,"InStep Foot Clinic, P.A.",MN,,2600,8/28/2011,Theft,"Laptop, Electronic Medical Record",2014-01-23,,2011-08-28,,2011 386,385,North Memorial,MN,"Accretive Health, Inc",6697,7/25/2011,Theft,Laptop,2014-01-23,,2011-07-25,,2011 387,386,"Lahey Clinic Hospital, Inc.",MA,,599,8/12/2011,Theft,Laptop,2014-03-13,,2011-08-12,,2011 388,387,UnitedHealth Group health plan single affiliated covered entity,MN,Futurity First Insurance Group,3994,7/28/2011,Theft,Other,2014-01-23,,2011-07-28,,2011 389,388,Good Samaritan Hospital,MD,,1500,9/9/2011,Theft,Paper,2014-01-23,,2011-09-09,,2011 390,389,"Amerigroup Community Care of New Mexico, Inc",NM,,1537,7/15/2011,Theft,Paper,2014-01-23,,2011-07-15,,2011 391,390,Florida Hospital,FL,,12784,8/10/2011,Unauthorized Access/Disclosure,Electronic Medical Record,2014-02-19,,2011-08-10,,2011 392,391,"Thomas Jefferson University Hospitals, Inc.",PA,,3150,9/6/2011,Theft,Other,2014-01-23,,2011-09-06,,2011 393,392,Lankenau Medical Center,PA,,500,9/6/2011,Theft,Other,2014-01-23,,2011-09-06,,2011 394,393,"Spectrum Health Ssytems, Inc. ",MA,,14750,8/24/2011,Theft,Desktop Computer,2014-03-13,,2011-08-24,,2011 395,394,Conway Regional Medical Center,AR,,1472,8/24/2011,Loss,Other,2014-01-23,,2011-08-24,,2011 396,395,Concordia Plan Services,MO,"HITS Scanning Solutions, Inc.",7059,5/10/2011,Loss,Other,2014-01-23,,2011-05-10,,2011 397,396,Stone Oak Urgent Care & Family Practice,TX,Stone Oak Urgent Care & Family Practice,6672,10/23/2011,"Theft, Loss",Desktop Computer,2014-01-23,,2011-10-23,,2011 398,397,Indiana University School of Optometry,IN,,757,8/12/2011,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2011-08-12,,2011 399,398,"Brevard Emergency Services, P.A.",FL,,2200,8/26/2011,Theft,Paper,2014-04-23,,2011-08-26,,2011 400,399,Georgetown University Hospital,DC,,1526,9/9/2011,Loss,"Other Portable Electronic Device, Other",2014-03-24,,2011-09-09,,2011 401,400,Morris Heights Health Center,NY,,927,8/27/2011,Theft,Laptop,2014-06-03,"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its' school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. ",2011-08-27,,2011 402,401,network180,MI,Thresholds Inc.,1100,9/16/2011,Theft,Paper,2014-03-24,,2011-09-16,,2011 403,402,Premier Imaging,NC,,551,9/14/2011,Unknown,Paper,2014-01-23,"A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients. The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals. ",2011-09-14,,2011 404,403,"The Good Samaritan Hospital of Cincinnati, Ohio",OH,"Pitney Bowes Management Services, Inc.",1089,9/3/2011,Theft,Desktop Computer,2014-03-24,,2011-09-03,,2011 405,404,"Bethesda Hospital, Inc.",OH,"Pitney Bowes Management Services, Inc.",946,9/3/2011,Theft,Desktop Computer,2014-03-24,,2011-09-03,,2011 406,405,"Julie A. Kennedy, D.M.D., P.A.",FL,,2900,9/30/2011,Theft,Network Server,2014-01-23,,2011-09-30,,2011 407,406,"KCI USA, Inc.",TX,,567,9/8/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-09-08,,2011 408,407,Lebanon Internal Medicine Associates,PA,,55000,9/10/2011,Improper Disposal,Network Server,2014-01-23,,2011-09-10,,2011 409,408,St. Joseph Medical Center,MD,,5000,9/11/2011,Theft,"Other, Paper",2014-03-24,,2011-09-11,,2011 410,409,TRICARE Management Activity (TMA),VA,Science Applications International Corporation (SA,4900000,9/13/2011,Loss,Other,2014-01-23,,2011-09-13,,2011 411,410,UCLA Health System,CA,,2761,9/6/2011,Theft,"Other Portable Electronic Device, Other",2014-01-23,,2011-09-06,,2011 412,411,Logan County Emergeny Ambulance Service Authority,WV,,12563,10/1/2011,"Theft, Loss",Laptop,2014-01-23,,2011-10-01,,2011 413,412,Lawrence Memorial Hospital,KS,"Mid Continent Credit Services, Inc.",8275,09/20/2011 - 10/28/2011,"Unauthorized Access/Disclosure, Other",Other,2014-04-23,,2011-09-20,2011-10-28,2011 414,413,Sutter Medical Foundation,AL,,943434,10/15/2011,Theft,Desktop Computer,2014-01-23,,2011-10-15,,2011 415,414,Medcenter One,ND,,650,10/21/2011,Theft,Laptop,2014-01-23,,2011-10-21,,2011 416,415,Dallas County Hospital District dba Parkland Health & Hospital System,TX,,2464,9/5/2011,Unauthorized Access/Disclosure,"Electronic Medical Record, Paper",2014-01-23,,2011-09-05,,2011 417,416,University of Kentucky UK HealthCare,KY,,878,9/25/2011,Loss,Other Portable Electronic Device,2014-01-23,,2011-09-25,,2011 418,417,State of Tennessee Sponsored Group Health Plan,TN,,1770,10/6/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,"An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE provided reviewed its policies and procedures to ensure adequate safeguards are in place. ",2011-10-06,,2011 419,418,Cleveland Clinic Florida,FL,,772,10/3/2011,Loss,Other,2014-04-23,,2011-10-03,,2011 420,419,"Jay C. Platt, DDS",IN,,10705,10/6/2011,Theft,Other,2014-03-24,,2011-10-06,,2011 421,420,Rite Aid Corporation ,PA,,2900,10/7/2011,Other,Paper,2014-01-23,,2011-10-07,,2011 422,421,Advanced Occupational Medicine Specialists,IL,Blue Vantage Group,7226,10/12/2011,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2011-10-12,,2011 423,422,Open MRI of Chicago,IL,Nation Wise Machine Buyers,2000,9/6/2011,Improper Disposal,Paper,2014-01-23,,2011-09-06,,2011 424,423,University of Nebraska Medical Center,NE,,611,11/15/2011,Theft,Paper,2014-04-23,,2011-11-15,,2011 425,424,Roberts S. Smith M.D. Inc.,GA,,17000,10/17/2011,Theft,Laptop,2014-01-23,,2011-10-17,,2011 426,425,"Paul C. Brown, MD, PS",WA,,4693,10/14/2011 - 10/17/2011,Theft,Other,2014-02-14,,2011-10-14,2011-10-17,2011 427,426,Molina Healthcare of California,CA,,11081,9/23/2009,Other,Paper,2014-01-23,,2009-09-23,,2009 428,427,Aegis Sciences Corporation,TN,,2185,11/22/2011,Theft,"Laptop, Other Portable Electronic Device",2014-04-23,"OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies.",2011-11-22,,2011 429,428,"Soundpath Health, Inc",WA,,7581,11/22/2011,Theft,Laptop,2014-02-14,,2011-11-22,,2011 430,429,Concentra Health,TX,,870,11/30/2011,Theft,Laptop,2014-01-23,,2011-11-30,,2011 431,430,Sleep HealthCenters LLC,MA,,2988,11/23/2011,Theft,Laptop,2014-03-13,,2011-11-23,,2011 432,431,Smile Designs,FL,,1670,12/1/2011,Theft,"Desktop Computer, Network Server",2014-01-23,,2011-12-01,,2011 433,432,PBH,NC,Alamance Caswell Local Management Entity,50000,11/15/2011,"Unauthorized Access/Disclosure, Other","Network Server, E-mail",2014-01-23,,2011-11-15,,2011 434,433,"CardioNet, Inc",PA,,1300,11/10/2011,Theft,Laptop,2014-01-23,,2011-11-10,,2011 435,434,"MDwise, Inc.",IN,RightNow Technologies,2700,2/10/2011,Unauthorized Access/Disclosure,Other,2014-03-24,,2011-02-10,,2011 436,435,Ford Motor Company,MI,"WageWorks, Inc.",1700,1/3/2012,Other,Paper,2014-03-24,,2012-01-03,,2012 437,436,Foundation Medical Partners,NH,,771,11/19/2011 - 12/01/2011,Theft,Paper,2014-06-02,"Without permission from the covered entity (CE), an employee provided a list of patient's names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating. The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes. Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management. The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter.",2011-11-19,2011-12-01,2011 438,437,Kansas Department on Aging,KS,,7757,1/11/2012,Theft,Laptop,2014-01-23,,2012-01-11,,2012 439,438,Delta Dental of California,CA,,11646,12/22/2011 - 12/23/2011,Other,Paper,2014-01-23,,2011-12-22,2011-12-23,2011 440,439,Muskogee Regional Medical Center,OK,,844,12/5/2011,Loss,Other,2014-01-23,,2011-12-05,,2011 441,440,Department of Medical Assistance Services,VA,"ACS, Affiliated Computer Services, Inc., A Xerox Company",1444,11/02/2011 - 11/16/2011,"Unauthorized Access/Disclosure, Other",Paper,2014-01-23,,2011-11-02,2011-11-16,2011 442,441,"Oldendorf Medical Services, PLLC",NY,,549,1/17/2012,Theft,Laptop,2014-06-02,"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. ",2012-01-17,,2012 443,442,St.Vincent Physician Network,IN,,1423,12/01/2010-11/21/2011,"Theft, Unauthorized Access/Disclosure",Paper,2014-03-24,,2010-12-01,2011-11-21,2010 444,443,Flex Physical Therapy,WA,,3100,12/30/2011,Theft,Desktop Computer,2014-01-23,,2011-12-30,,2011 445,444,Metro Community Provider Network,CO,,3200,12/5/2011,"Hacking/IT Incident, Other",E-mail,2014-01-23,,2011-12-05,,2011 446,445,University of Miami ,FL,,1219,11/24/2011,Theft,Other Portable Electronic Device,2014-01-23,,2011-11-24,,2011 447,446,UnitedHealth Group health plan single affiliated covered entity,MN,,6678,12/15/2011,Other,Paper,2014-03-24,,2011-12-15,,2011 448,447,"Triumph, LLC",NC,,2000,12/13/2011,Theft,Laptop,2014-01-23,,2011-12-13,,2011 449,448,Fairview Health Services,MN,Accretive Health,14000,7/25/2011,Theft,Laptop,2014-01-23,,2011-07-25,,2011 450,449,Loma Linda University Medical Center (LLUMC),CA,,1366,12/19/2011,Other,Paper,2014-01-23,,2011-12-19,,2011 451,450,Ford Motor Company Salaried Health Reimbursement Arrangement (HRA) Plan,MI,"Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company",1700,12/29/2011,Other,Other,2014-03-24,,2011-12-29,,2011 452,451,"Medco Health Solutions, Inc.",NJ,,1287,11/30/2011,Theft,Paper,2014-06-20," The covered entity (CE), Medco Health Solutions, mailed letters with incorrect addresses after a programming code in its mailing software caused corruption of its data. The mailing contained the protected health information (PHI) of 4,341 individuals and included names, medication name and prescription number. The CE provided breach notification to HHS, the media, and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. As a result of OCR's investigation, the CE corrected the update to its mailing software system and established manual and automated quality control processes. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. ",2011-11-30,,2011 453,452,Lakeview Medical Center,WI,,698,1/4/2012,Theft,Laptop,2014-01-23,,2012-01-04,,2012 454,453,"Goshen Health System, Inc.",IN,,660,12/22/2011,Hacking/IT Incident,Other,2014-01-23,,2011-12-22,,2011 455,454,Georgetown University Hospital,DC,,1549,11/1/2011,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-11-01,,2011 456,455,Motion Picture Industry Health Plans (MPI),CA,,703,09/23/2009 - 12/02/2011,Other,Other,2014-02-14,,2009-09-23,2011-12-02,2009 457,456,Ochsner Health System,LA,,2088,1/19/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-01-19,,2012 458,457,Applegate Valley Family Medicine,OR,Dr. Trandinh,2300,12/01/2011-12/17/2011,"Theft, Unauthorized Access/Disclosure",Laptop,2014-01-23,,2011-12-01,2011-12-17,2011 459,458,"CardioNet, Inc.",PA,,728,12/29/2011,Theft,Laptop,2014-01-23,,2011-12-29,,2011 460,459,Presbyterian Healthcare Services,NM,"Beth Barrett Consulting, LLC",7000,12/29/2011,Theft,Laptop,2014-03-13,,2011-12-29,,2011 461,460,"Alliant Health Plans, Inc.",GA,"Catalyst Health Solutions, Inc.",632,1/1/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2012-01-01,,2012 462,461,"FIRST MEDICAL CENTER, INC.",PR,"T&P CONSULTING, INC. D/B/A QUANTUM",7706,1/11/2012,Theft,Laptop,2014-06-13,"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures.",2012-01-11,,2012 463,462,Lee Miller Rehabilitation Associates,MD,,10480,1/15/2012,Theft,Network Server,2014-01-23,,2012-01-15,,2012 464,463,"Jeremaih J. Twomey, F.A.C.P., P.A.",TX,"Jeremaih J. Twomey, F.A.C.P., P.A.",2559,12/31/2011,Theft,Other,2014-01-23,,2011-12-31,,2011 465,464,Anchorage Community Mental Health Services Inc.,AK,,2743,12/20/2011 - 01/04/2012,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2011-12-20,2012-01-04,2011 466,465,Robley Rex VA Medical Center ,KY,,1182,1/9/2012,Other,Paper,2014-01-23,,2012-01-09,,2012 467,466,Indiana Internal Medicine Consultants,IN,,20000,2/11/2012,Theft,Laptop,2014-06-24,"A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without propriety software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. ",2012-02-11,,2012 468,467,Policlinica La Familia IPA 343,PR,"T & P Consulting, Inc. d/b/a Quantum Health Consulting",5994,1/11/2012,Theft,Laptop,2014-06-03,"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 5,994 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls. ",2012-01-11,,2012 469,468,Servicios Medicos Integrados de Fajardo,PR,"T & P Consulting, Inc. d/b/a Quantum Health Consulting",10000,1/11/2012,Theft,"Laptop, Other Portable Electronic Device",2014-04-23,"The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures. ",2012-01-11,,2012 470,469,Proveedores Aliados por tu SAlud,PR,Quantum Health Consulting,4645,1/12/2012,Theft,Laptop,2014-06-20,"OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. ",2012-01-12,,2012 471,470,"Centro de Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional",PR,"T&P Consulting, INC. d/b/a Quantum Health Consulting",27098,1/11/2012,Theft,Laptop,2014-06-20,"OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the BA filed a police report and provided breach notification to the media, and all affected individuals. The CE provided breach notice to HHS. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. The CE also terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2012-01-11,,2012 472,471,Kern Medical Center ,CA,,1431,2/25/2012,Theft,Paper,2014-01-23,,2012-02-25,,2012 473,472,"William F. DeLuca Jr., M.D.",NY,,577,1/16/2012,Theft,Laptop,2014-06-02,"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies.",2012-01-16,,2012 474,473,Grupo Medico IPA -341,PR,Quantum Health Consulting,7923,1/11/2012,Theft,Laptop,2014-06-20,"An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. ",2012-01-11,,2012 475,474,Advanced Clinical Research Institute,CA,,875,1/26/2012,Theft,Paper,2014-01-23,,2012-01-26,,2012 476,475,Access Medical Group -IPA 344,PR,"T&P Consulting, INC DBA Quantum HC",7606,1/11/2012,Theft,"Laptop, Other Portable Electronic Device",2014-06-13,"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls.",2012-01-11,,2012 477,476,Georgia Health Sciences University,GA,,513,1/18/2012,Theft,Laptop,2014-01-23,,2012-01-18,,2012 478,477,"Baylor Heart and Vascular Center, LLP",TX,,1972,1/26/2012,Theft,Other Portable Electronic Device,2014-01-23,,2012-01-26,,2012 479,478,Chicago Musculoskeletal Institute/Metro Orthopedics,IL,,750,12/31/2011,Other,Network Server,2014-03-24,,2011-12-31,,2011 480,479,"Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company",MA,"Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.)",3482,01/17/2012-02/02/2012,Other,Paper,2014-01-23,,2012-01-17,2012-02-02,2012 481,480,Duke University Health System,NC,,1370,07/01/2008 - 11/30/2011,Unauthorized Access/Disclosure,Other,2014-04-23,,2008-07-01,2011-11-30,2008 482,481,St. Joseph's Medical Center,CA,,712,2/2/2012,Theft,Paper,2014-01-23,,2012-02-02,,2012 483,482,UnitedHealth Group health plan single affiliated covered entity,MN,,3537,6/28/2011,Unauthorized Access/Disclosure,Other,2014-03-24,,2011-06-28,,2011 484,483,CenterLight Healthcare,NY,,642,1/27/2012,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2012-01-27,,2012 485,484,Lake Granbury Medical Center,TX,,502,2/13/2012,Theft,Paper,2014-01-23,,2012-02-13,,2012 486,485,County of Wayne Department of Personnel/Human Resources Benefits Administration Division,MI,,1229,3/16/2012,Unauthorized Access/Disclosure,E-mail,2014-06-10,,2012-03-16,,2012 487,486,St. Elizabeth's Medical Center,MA,,6831,2/1/2012,Loss,Paper,2014-01-23,,2012-02-01,,2012 488,487,The Neighborhood Christian Clinic,AZ,,9565,2/7/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-02-07,,2012 489,488,"AccentCare Home Health of California, Inc. Medicare # 057564 CA state License # 080000226",CA,,1000,04/20/2012 - 04/21/2012,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2012-04-20,2012-04-21,2012 490,489,Seton Health Plan,TX,HealthLOGIX,555,3/9/2012,Unauthorized Access/Disclosure,Paper,2014-01-23,,2012-03-09,,2012 491,490,awklein a med corp,CA,David Charles Rish,2000,2/1/2011,Theft,Other,2014-01-23,,2011-02-01,,2011 492,491,Utah Department of Health,UT,Utah Department of Technology Services,780000,03/10/2012-04/02/2012,Hacking/IT Incident,Network Server,2014-01-23,,2012-03-10,2012-04-02,2012 493,492,IU Medical Group,IN,,1000,4/11/2012,Improper Disposal,Paper,2014-01-23,,2012-04-11,,2012 494,493,Rhinebeck Health Center/Center for Progressive Medicine,NY,,6745,11/15/2011-12/14/2011,Theft,"Desktop Computer, Network Server",2014-06-03,"The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system.",2011-11-15,2011-12-14,2011 495,494,Memorial Healthcare System,FL,,9497,08/01/2011 - 02/12/2012,Other,Other,2014-01-23,,2011-08-01,2012-02-12,2011 496,495,"Roy E. Gondo, M.D.",WA,,2100,2/21/2012,Theft,"Desktop Computer, Electronic Medical Record",2014-01-23,,2012-02-21,,2012 497,496,"DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central",TX,,1000,2/16/2012,Improper Disposal,Paper,2014-01-23,,2012-02-16,,2012 498,497,Emory Healthcare,GA,,315000,02/07/2012 - 02/20/2012,"Unknown, Other",Other,2014-01-23,,2012-02-07,2012-02-20,2012 499,498,"Rex Smith, DPM -Rex Smith Podiatry ",OR,,20915,2/19/2012,Theft,Desktop Computer,2014-01-23,,2012-02-19,,2012 500,499,Desert AIDS Project,CA,,4400,4/12/2012,Theft,Desktop Computer,2014-01-23,,2012-04-12,,2012 501,500,University of Arkansas for Medical Sciences,AR,,7121,2/15/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2012-02-15,,2012 502,501,"TLC DENTAL DANIA, LLC",FL,,750,4/23/2012,Theft,Paper,2014-02-20,,2012-04-23,,2012 503,502,South Carolina Department of Health and Human Services,SC,,228435,01/31/2012 - 04/02/2012,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2012-01-31,2012-04-02,2012 504,503,Oregon Health Authority,OR,,550,4/13/2012,Theft,Paper,2014-04-23,,2012-04-13,,2012 505,504,SHIELDS For Families ,CA,,961,2/27/2012,Theft,Network Server,2014-01-23,,2012-02-27,,2012 506,505,"Safe Ride Services, Inc",AZ,,42000,8/31/2011,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2011-08-31,,2011 507,506,IntraCare North Hospital,TX,,750,03/15/2011 - 08/18/2011,Theft,Paper,2014-01-23,,2011-03-15,2011-08-18,2011 508,507,"Oakland Vision Services, PC",MI,,3000,4/9/2012,Hacking/IT Incident,Network Server,2014-03-24,,2012-04-09,,2012 509,508,"Stephen Haggard, DPM Podiatry ",WA,,1597,3/4/2012,Theft,Network Server,2014-01-23,,2012-03-04,,2012 510,509,Baptist Health System,AL,,1655,3/8/2012,Improper Disposal,Paper,2014-01-23,,2012-03-08,,2012 511,510,University of Houston for UH College of Optometry,TX,,7000,02/22/2012-02/23/2012,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2012-02-22,2012-02-23,2012 512,511,Rite Aid Store 1343,WV,,2905,3/26/2012,Theft,Paper,2014-03-24,,2012-03-26,,2012 513,512,Iowa Department of Human Services,IA,,3000,02/06/2012 - 03/14/2012,Improper Disposal,Paper,2014-01-23,,2012-02-06,2012-03-14,2012 514,513,Hogan Services Inc. Health Care Premium Plan,MO,,1134,3/30/2012,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2012-03-30,,2012 515,514,"Family HealthServices Minnesota, P.A.",MN,,4000,3/30/2012,Theft,Laptop,2014-06-10,,2012-03-30,,2012 516,515,St. Mary Medical Center,CA,,3900,5/7/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-05-07,,2012 517,516,Fairview Health Services,MN,Accretive Health,623,7/25/2011,Theft,Laptop,2014-03-24,,2011-07-25,,2011 518,517,Our Lady of the Lake Regional Medical Center,LA,,17000,3/16/2012,"Theft, Loss",Laptop,2014-01-23,,2012-03-16,,2012 519,518,UnitedHealth Group health plan single affiliated covered entity,MN,,19100,06/28/2011 - 12/12/2011,Unauthorized Access/Disclosure,Other,2014-01-23,,2011-06-28,2011-12-12,2011 520,519,West Dermatology,CA,,1900,04/21/2012 - 04/22/2012,Theft,Other,2014-01-23,,2012-04-21,2012-04-22,2012 521,520,Duke University Health System,NC,,591,04/21/2004-02/16/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2004-04-21,2012-02-16,2004 522,521,"Luz Colon, DPM Podiatry ",FL,,1137,3/20/2012,"Theft, Loss",Laptop,2014-01-23,,2012-03-20,,2012 523,522,Ameritas Life Insurance Corp. ,NE,,3000,3/21/2012,Theft,Laptop,2014-01-23,,2012-03-21,,2012 524,523,Children's Hospital Boston,MA,,2159,3/25/2012,Theft,Laptop,2014-01-23,,2012-03-25,,2012 525,524,Upper Valley Medical Center,OH,"Data Image, Inc.",15000,10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2010-10-01,2012-03-21,2010 526,525,Physician's Automated Laboratory,CA,,745,03/23/2012 - 03/26/2012,Theft,Paper,2014-01-23,,2012-03-23,2012-03-26,2012 527,526,"Phoebe Putney Memorial Hospital, Inc. ",GA,,12937,07/26/2010-03/29/2012,Theft,"Electronic Medical Record, Paper",2014-02-20,,2010-07-26,2012-03-29,2010 528,527,Independence Physical Therapy,CT,,925,8/1/2011,Theft,Desktop Computer,2014-01-23,,2011-08-01,,2011 529,528,Titus Regional Medical Center,TX,,5700,3/27/2012,"Loss, Unknown",Laptop,2014-01-23,,2012-03-27,,2012 530,529,Titus Regional Medical Center,TX,,500,3/29/2012,Theft,Other,2014-01-23,,2012-03-29,,2012 531,530,Lutheran Community Services Northwest,WA,,756,03/29/2012-03/30/2012,Theft,"Desktop Computer, Other Portable Electronic Device",2014-01-23,,2012-03-29,2012-03-30,2012 532,531,"Volunteer State Health Plan, Inc. ",TN,,1102,03/16/2012-04/20/2012,Loss,Paper,2014-01-23,,2012-03-16,2012-04-20,2012 533,532,Charlie Norwood VA Medical Center,GA,,824,3/30/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-03-30,,2012 534,533,"Mid America Health, Inc.",IN,PrevMED,1444,4/6/2012,Theft,Laptop,2014-01-23,,2012-04-06,,2012 535,534,"Metcare of Florida, Inc.",FL,,2557,05/01/2012 - 05/02/2012,Theft,Other Portable Electronic Device,2014-01-23,,2012-05-01,2012-05-02,2012 536,535,"Robert Witham, MD, FACP",OR,,11136,4/16/2012,Theft,Desktop Computer,2014-01-23,,2012-04-16,,2012 537,536,Memorial Sloan-Kettering Cancer Center,NY,,568,08/13/2009-04/12/2012,Theft,"E-mail, Other",2014-06-03,"The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above.",2009-08-13,2012-04-12,2009 538,537,"Gessler Clinic, P.A.",FL,,1409,05/03/2012-05/04/2012,Theft,Paper,2014-01-23,,2012-05-03,2012-05-04,2012 539,538,University of Kentucky HealthCare,KY,,4490,5/1/2012,Theft,Laptop,2014-01-23,,2012-05-01,,2012 540,539,Wolf & Yun,KY,,824,4/24/2012,Theft,Laptop,2014-01-23,,2012-04-24,,2012 541,540,Karen Kietzman,MT,,708,4/22/2012,Theft,"Laptop, Other Portable Electronic Device",2014-03-21,,2012-04-22,,2012 542,541,"Bruce G. Peller, DMD, PA",NC,,9953,4/22/2012,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2012-04-22,,2012 543,542,"Sharon L. Rogers, Ph.D., ABPP",TX,,585,6/16/2012,Theft,Laptop,2014-01-23,,2012-06-16,,2012 544,543,Health Texas Provider Network - Cardiovascular Consultants of North Texas,TX,,2462,03/16/2012 - 05/11/2012,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2012-03-16,2012-05-11,2012 545,544,SwedishAmerican Health System,IL,,1500,5/31/2012,Theft,Paper,2014-03-24,,2012-05-31,,2012 546,545,River Arch Dental,CA,"Patterson Dental, Inc.",2533,5/12/2012,"Loss, Unauthorized Access/Disclosure, Unknown",Other Portable Electronic Device,2014-01-23,,2012-05-12,,2012 547,546,Hamner Square Dental ,CA,"Patterson Dental, Inc",1112,5/12/2012,"Theft, Loss, Unauthorized Access/Disclosure, Unknown",Other Portable Electronic Device,2014-01-23,,2012-05-12,,2012 548,547,Visiting Nurse Services of Iowa,IA,,1298,5/27/2012,Theft,Paper,2014-01-23,,2012-05-27,,2012 549,548,Molalla Family Dental,OR,,4354,5/17/2012,"Unauthorized Access/Disclosure, Hacking/IT Incident, Other",Network Server,2014-01-23,,2012-05-17,,2012 550,549,Pamlico Medical Equipment LLC,NC,,2917,5/16/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-05-16,,2012 551,550,Beth Israel Deaconess Medical Center,MA,,3900,5/22/2012,Theft,Laptop,2014-01-23,,2012-05-22,,2012 552,551,NYU School of Medicine Faculty Group Practice,NY,,8488,5/22/2012,Theft,Desktop Computer,2014-01-23,,2012-05-22,,2012 553,552,"Adult & Child Center, Inc.",IN,"Choices, Inc.",550,5/10/2012,Hacking/IT Incident,Other,2014-01-23,,2012-05-10,,2012 554,553,"The Surgeons of Lake County, LLC",IL,,7067,06/22/2012-06/25/2012,Other,Network Server,2014-01-23,,2012-06-22,2012-06-25,2012 555,554,Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg,IN,,1504,06/01/2012-06/04/2012,Theft,Other,2014-01-23,,2012-06-01,2012-06-04,2012 556,555,Jeffrey Paul Edelstein M.D.,AZ,,4800,5/28/2012,Theft,Network Server,2014-01-23,,2012-05-28,,2012 557,556,Northwestern Memorial Hospital,IL,,4211,6/11/2012,Theft,"Laptop, Other Portable Electronic Device",2014-01-23,,2012-06-11,,2012 558,557,Walgreen Co.,IL,,1240,7/5/2012,Theft,Paper,2014-01-23,,2012-07-05,,2012 559,558,VNA HealthCare,CT,EMC,7461,6/25/2012,Theft,Laptop,2014-02-19,,2012-06-25,,2012 560,559,Hartford Hospital,CT,EMC,2097,6/25/2012,Theft,Laptop,2014-04-23,,2012-06-25,,2012 561,560,Diversified Support Services,IN,"Choices, Inc.",505,5/10/2012,Hacking/IT Incident,Other,2014-01-23,,2012-05-10,,2012 562,561,Oregon Health & Science University,OR,,702,7/4/2012,Theft,Other,2014-01-23,,2012-07-04,,2012 563,562,Stanford Hospital & Clinics and School of Medicine,CA,,2300,07/15/2012 - 07/16/2012,Theft,Desktop Computer,2014-01-23,,2012-07-15,2012-07-16,2012 564,563,Midtown Mental Health Center,IN,"CHOICES, Inc",890,5/10/2012,Hacking/IT Incident,Other,2014-01-23,,2012-05-10,,2012 565,564,Harris County Hospital District,TX,,2875,04/14/2008 - 02/28/2011,Theft,"Electronic Medical Record, Paper",2014-04-23,,2008-04-14,2011-02-28,2008 566,565,Howard University Hospital,DC,"Siemens Medical Solutions, USA",66601,1/25/2012,Theft,Laptop,2014-01-23,,2012-01-25,,2012 567,566,TEMPLE COMMUNITY HOSPITAL,CA,,603,7/3/2012,Theft,Desktop Computer,2014-01-23,,2012-07-03,,2012 568,567,Memorial Healthcare System,FL,,105646,01/01/2011 - 07/05/2012,Theft,Electronic Medical Record,2014-01-23,,2011-01-01,2012-07-05,2011 569,568,"Liberty Resources, Inc.",PA,,3183,8/4/2012,Theft,Laptop,2014-06-24,"An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above. ",2012-08-04,,2012 570,569,The University of Texas MD Anderson Cancer Center,TX,,2264,7/13/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-07-13,,2012 571,570,Central States Southeast and Siouthwest Areas Health & Welfare Fund,IL,,754,7/31/2012,"Unauthorized Access/Disclosure, Other",Paper,2014-01-23,,2012-07-31,,2012 572,571,LANA MEDICAL CARE,FL,,500,8/18/2012,Theft,Laptop,2014-01-23,,2012-08-18,,2012 573,572,"Cancer Care Group, P.C.",IN,,55000,7/19/2012,Theft,Other Portable Electronic Device,2014-03-24,,2012-07-19,,2012 574,573,Tricounty Behavioral Health Clinic,GA,,4000,8/26/2012,Theft,Laptop,2014-01-23,,2012-08-26,,2012 575,574,Sierra Plastic Surgery,NV,,800,08/19/2011-09/20/2011,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2011-08-19,2011-09-20,2011 576,575,"Charlotte Clark-Neitzel, MD",WA,,942,7/24/2012,Theft,Laptop,2014-01-23,,2012-07-24,,2012 577,576,University of Miami,FL,,64846,7/18/2012,"Unauthorized Access/Disclosure, Other",Paper,2014-01-23,,2012-07-18,,2012 578,577,University of New Mexico Health Sciences Center,NM,,2365,5/21/2012,Hacking/IT Incident,Network Server,2014-01-23,,2012-05-21,,2012 579,578,"Valley Plastic Surgery, P.C.",VA,,4873,7/15/2012,Theft,Other Portable Electronic Device,2014-03-24,,2012-07-15,,2012 580,579,Colon & Digestive Health Specialists,AR,"Ecco Health, LLC",5713,7/16/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-07-16,,2012 581,580,"BHcare, Inc",CT,,5827,7/19/2012,Theft,"Laptop, Other Portable Electronic Device",2014-02-19,,2012-07-19,,2012 582,581,The Feinstein Institute for Medical Research,NY,,13000,9/2/2012,Theft,Laptop,2014-01-23,,2012-09-02,,2012 583,582,"St. Therese Medical Group, Inc",CA,,3031,7/22/2012,Theft,Desktop Computer,2014-01-23,,2012-07-22,,2012 584,583,"Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency)",KY,,2500,7/20/2012,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2012-07-20,,2012 585,584,"Litton & Giddings Radiological Associates, P.C.",MO,"PST Services, Inc",13074,07/31/2012 - 08/02/2012,Improper Disposal,Paper,2014-01-23,,2012-07-31,2012-08-02,2012 586,585,"Apria Healthcare, Inc.",CA,,65700,6/14/2012,Theft,Laptop,2014-01-23,,2012-06-14,,2012 587,586,"Alexander J. Tikhtman, M.D.",KY,,2376,8/15/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-08-15,,2012 588,587,Gulf Coast Health Care Services Inc,FL,,13000,8/17/2012,"Theft, Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-01-23,,2012-08-17,,2012 589,588,"Blount Memorial Hospital, Inc",TN,,27799,8/25/2012,Theft,Laptop,2014-01-23,,2012-08-25,,2012 590,589,"Alere Home Monitoring, Inc",CA,,116506,9/23/2012,Theft,Laptop,2014-01-23,,2012-09-23,,2012 591,590,"Coastal home Respiratory, LLP",GA,,3440,10/4/2012,Theft,Other,2014-01-23,,2012-10-04,,2012 592,591," Philip P Corneliuson, DDS, INC.",CA,,980,9/15/2012,Theft,Desktop Computer,2014-01-23,,2012-09-15,,2012 593,592,"First Step Counseling, Inc.",NJ,,638,05/01/2011 - 08/05/2011,Theft,Paper,2014-06-03,"Two of the covered entity's (CE) employees photocopied documents containing 638 patients' protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCR's investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff. ",2011-05-01,2011-08-05,2011 594,593,"Logan Community Resources, Inc.",IN,,2900,8/24/2012,Hacking/IT Incident,Network Server,2014-01-23,,2012-08-24,,2012 595,594,"David DiGiallorenzo, D.M.D.",PA,,2600,9/17/2012,"Unauthorized Access/Disclosure, Hacking/IT Incident","Network Server, Electronic Medical Record",2014-01-23,,2012-09-17,,2012 596,595,CVS Caremark,RI,,955,8/13/2012,Theft,Paper,2014-01-23,,2012-08-13,,2012 597,596,Memorial Hospital,OH,,500,8/29/2012,Improper Disposal,Paper,2014-03-24,,2012-08-29,,2012 598,597,"SURGICAL ASSOCIATES OF UTICA, PC",NY,QUANTERION SOLUTIONS INC,1017,9/18/2012,Theft,Network Server,2014-06-20,"An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity's (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR's investigation, the CE executed a BA agreement. ",2012-09-18,,2012 599,598,Illinois Department of Healthcare and Family Services,IL,"University of Illinois, College of Nursing",508,8/31/2012,Theft,Paper,2014-03-24,,2012-08-31,,2012 600,599,Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center,FL,,2560,01/01/2012 - 09/12/2012,Theft,Electronic Medical Record,2014-01-23,,2012-01-01,2012-09-12,2012 601,600,"WYATT DENTAL GROUP, LLC",LA,,10271,11/04/2011 -04/15/2012,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,2014-01-23,,2011-11-04,2012-04-15,2011 602,601,Women & Infants Hospital of Rhode Island,RI,,14004,9/13/2012,Loss,Other,2014-01-23,,2012-09-13,,2012 603,602,Memorial Health System,CO,,6262,5/1/2012,Loss,Paper,2014-01-23,,2012-05-01,,2012 604,603,CHRISTUS St. John Hospital,TX,,5748,9/25/2012,Loss,Other Portable Electronic Device,2014-01-23,,2012-09-25,,2012 605,604,L.A. Care Health Plan,CA,,18000,09/17/2012-09/20/2012,Other,Other,2014-01-23,,2012-09-17,2012-09-20,2012 606,605,"Hawaii State Department of Health, Adult Mental Health Division",HI,,674,9/25/2012,Hacking/IT Incident,Desktop Computer,2014-01-23,,2012-09-25,,2012 607,606,"Soundental Associates, PC",CT,,14511,9/24/2012,Theft,Other Portable Electronic Device,2014-02-19,,2012-09-24,,2012 608,607,"Original Medicine Acupuncture & Wellness, LLC",NM,,540,09/07/2012 - 09/09/2012,Theft,Laptop,2014-01-23,,2012-09-07,2012-09-09,2012 609,608,Brigham and Women's Hospital,MA,,615,10/16/2012,Theft,Desktop Computer,2014-01-23,,2012-10-16,,2012 610,609,"St. Francis Health Network, aka Franciscan Alliance ACO",IN,"Advantage Health Solutions, Inc.",2575,10/19/2012,Other,Other,2014-01-23,,2012-10-19,,2012 611,610,"James M. McGee, D.M.D., P.C.",GA,,1306,09/19/2012 - 09/26/2012,Theft,Paper,2014-01-23,,2012-09-19,2012-09-26,2012 612,611,Robbins Eye Center PC,CT,,1749,10/7/2012,Theft,Desktop Computer,2014-01-23,,2012-10-07,,2012 613,612,"Advanced Data Processing, Inc.",FL,,10000,06/15/2012 -10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 614,613,Cuyahoga County Board of Developmental Disabilities,OH,,613,11/2/2012,Theft,Laptop,2014-03-24,,2012-11-02,,2012 615,614,Okaloosa County Public Safety,FL,"Advanced Data Processing, Inc.",715,06/15/2012 - 10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 616,615,City of Covington Kentucky Fire Department ,KY,Advanced Data Processing Inc,1548,06/15/2012-10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 617,616,Northern Trust,IL,Blue Cross Blue Shield,500,9/13/2012,Unauthorized Access/Disclosure,Network Server,2014-03-24,,2012-09-13,,2012 618,617,Vidant Pungo Hospital,NC,,1100,10/4/2012,Improper Disposal,Paper,2014-01-23,,2012-10-04,,2012 619,618,County of San Bernardino Department of Public Heatlh,CA,,1370,09/28/2012 - 09/30/2012,Unauthorized Access/Disclosure,Paper,2014-01-23,,2012-09-28,2012-09-30,2012 620,619,City of Overland Park Fire Department,FL,"Advanced Data Processing, Inc.",911,06/15/2012 - 10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 621,620,Sumner County Emergency Medical Services,TN,"Advanced Data Processing, Inc",774,06/15/2012 - 10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 622,621,City of El Centro Fire Department,CA,ADPI-West,1500,10/1/2012,"Theft, Unauthorized Access/Disclosure",Desktop Computer,2014-01-23,,2012-10-01,,2012 623,622,Landmark Medical Center,RI,,683,10/1/2012,Theft,Laptop,2014-01-23,,2012-10-01,,2012 624,623,City of Atlanta/ Atlanta Fire Rescue Department,GA,Advanced Data Processing Inc.,908,06/15/2012-10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 625,624,University of Virginia Medical Center,VA,,1846,10/5/2012,Loss,Other Portable Electronic Device,2014-02-14,,2012-10-05,,2012 626,625,Osceola County EMS ,FL,Advanced Data Processing Inc,949,06/15/2012-10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 627,626,Carolinas Medical Center - Randolph,NC,,5600,03/11/2012 - 10/08/2012,Hacking/IT Incident,E-mail,2014-01-23,,2012-03-11,2012-10-08,2012 628,627,"Coastal Behavioral Healthcare, Inc.",FL,,4907,4/11/2011,Theft,Paper,2014-01-23,,2011-04-11,,2011 629,628,"CCS Medical, Inc.",TX,,6601,05/01/2012 - 09/21/2012,Unauthorized Access/Disclosure,"Network Server, Other",2014-01-23,,2012-05-01,2012-09-21,2012 630,629,"City of Gloucester, Fire Department",MA,"Advanced Data Processing, Inc.",1286,06/15/2012-10/01/2012,Theft,Desktop Computer,2014-01-23,,2012-06-15,2012-10-01,2012 631,630,Columbia University Medical Center and NewYork-Presbyterian Hospital,NY,,4929,10/12/2012-10/15/2012,Theft,Desktop Computer,2014-01-23,,2012-10-12,2012-10-15,2012 632,631,Baptist Health System,AR,Health Advantage,811,10/13/2012-10/27/2012,Other,Paper,2014-01-23,,2012-10-13,2012-10-27,2012 633,632,"DFA, Employee Benefits Division",AR,Health Advantage,7039,10/13/2012 - 10/27/2012,Other,Paper,2014-01-23,,2012-10-13,2012-10-27,2012 634,633,Health Advantage,AR,,2863,10/13/2012 - 10/27/2012,Other,Paper,2014-01-23,,2012-10-13,2012-10-27,2012 635,634,University of Michigan Health System,MI,"Omnicell, Inc.",3999,11/14/2012,Theft,Laptop,2014-01-23,,2012-11-14,,2012 636,635,Westerville Dental Center,OH,,850,12/2/2012,Theft,"Laptop, Network Server",2014-01-23,,2012-12-02,,2012 637,636,"OHP PHSP, Inc.",NY,"HealthPlus, Amerigroup",28187,08/31/2012 - 09/21/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2012-08-31,2012-09-21,2012 638,637,"Center for Orthopedic Research and Education, Inc.",AZ,,35488,10/20/2012 - 10/21/2012,Theft,Paper,2014-04-23,,2012-10-20,2012-10-21,2012 639,638,Calif. Dept. of Health Care Services (DHCS),CA,,2643,12/10/2012 - 12/18/2012,Unauthorized Access/Disclosure,Other,2014-01-23,,2012-12-10,2012-12-18,2012 640,639,Richard Switzer MD PC,MI,,4100,11/29/2011,Other,Laptop,2014-03-24,,2011-11-29,,2011 641,640,Gibson General Hospital,IN,,28893,11/27/2012,Theft,Laptop,2014-03-24,,2012-11-27,,2012 642,641,"Sovereign Medical Group, LLC",NJ,,27800,10/10/2012,"Theft, Hacking/IT Incident",Network Server,2014-01-23,,2012-10-10,,2012 643,642,"Cabinet for Health & Family Services, Department of Medicaid Services",KY,HP Enterprise Services,1090,11/15/2012,Hacking/IT Incident,Laptop,2014-01-23,,2012-11-15,,2012 644,643,"Harbor Medical Associates, P.C.",MA,"Clearpoint Design, Inc.",4343,10/18/2012 - 11/04/2012,Hacking/IT Incident,Network Server,2014-01-23,,2012-10-18,2012-11-04,2012 645,644,Sentara Healthcare,VA,"Omnicell, Inc.",56820,11/14/2012,Theft,Laptop,2014-02-14,,2012-11-14,,2012 646,645,St. Mark's Medical Center,TX,,2988,5/21/2012,Hacking/IT Incident,Desktop Computer,2014-01-23,,2012-05-21,,2012 647,646,Group Health Incorporated,NY,,1771,11/13/2012,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers. As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one year subscription for credit monitoring. ",2012-11-13,,2012 648,647,"Calvin Schuster,MD",CA,,532,11/4/2012,Theft,Desktop Computer,2014-01-23,,2012-11-04,,2012 649,648,"Granite Medical Group, Inc.",MA,"Clearpoint Design, Inc.",4125,01/02/2010 - 11/15/2012,Hacking/IT Incident,Network Server,2014-02-19,,2010-01-02,2012-11-15,2010 650,649,University of Nevada School of Medicine,NV,,1483,10/11/2012,Improper Disposal,Paper,2014-01-23,,2012-10-11,,2012 651,650,Dimensions Healthcare System,MD,WorkflowOne,635,11/16/2012,Unauthorized Access/Disclosure,Paper,2014-03-25,,2012-11-16,,2012 652,651,SilverScript Insurance Company,AZ,,852,10/31/2012,Unauthorized Access/Disclosure,Paper,2014-01-23,,2012-10-31,,2012 653,652,South Jersey Hospital Inc.,NJ,Omnicell Inc.,8555,11/14/2012,Theft,Laptop,2014-01-23,,2012-11-14,,2012 654,653,"Child & Family Psychological Services, Inc.",MA,"Clearpoint Design, Inc.",7250,10/18/2012-10/29/2012,Hacking/IT Incident,Network Server,2014-01-23,,2012-10-18,2012-10-29,2012 655,654,Pousson Family Dentistry,LA,,1400,12/3/2012,Theft,Laptop,2014-01-23,,2012-12-03,,2012 656,655,South Shore Medical Center,MA,"Clearpoint Design, Inc.",4100,01/01/2007-11/15/2012,Hacking/IT Incident,Network Server,2014-01-23,,2007-01-01,2012-11-15,2007 657,656,"Lee D. Pollan, DMD, PC",NY,,19178,11/06/2012-11/15/2012,Theft,Laptop,2014-05-28,"OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices.",2012-11-06,2012-11-15,2012 658,657,Washington University School of Medicine,MO,,1105,11/28/2012,Theft,Laptop,2014-01-23,,2012-11-28,,2012 659,658,Riderwood Village,MD,,3230,11/18/2012,Theft,Laptop,2014-01-23,,2012-11-18,,2012 660,659,WAYNE MEMORIAL HOSPITAL,PA,,1184,12/3/2012,Loss,Other,2014-03-24,,2012-12-03,,2012 661,660,Baptist Health System,TX,,678,8/14/2011,Unauthorized Access/Disclosure,Electronic Medical Record,2014-03-13,,2011-08-14,,2011 662,661,Baillie Lumber Co. Group Health Plan,NY,BlueCross BlueShield of Western New York,725,11/27/2012,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), Baillie Lumber Co. Group Health Plan, after it reported its business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers. The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the BA contacted the U.S. Post Office to inquire about the package that contained the invoices that the CE never received. As a result of OCR's investigation, the BA revised its invoice process and removed social security numbers and member identification numbers from its invoices. The BA also improved safeguards by changing its mailing procedures to send invoices to the CE via secure email. The breach involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.",2012-11-27,,2012 663,662,The University of Texas MD Anderson Cancer Center,TX,,29021,4/30/2012,Theft,Laptop,2014-01-23,,2012-04-30,,2012 664,663,"Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics",WI,,2400,05/30/2012-08/31/2012,Theft,Paper,2014-03-24,,2012-05-30,2012-08-31,2012 665,664,Boy Scouts of America Employee Benefit Plan,TX,RR Donnelley (a sub-BA for UnitedHealth Group),8911,09/15/2012-11/30/2012,Theft,Desktop Computer,2014-01-23,,2012-09-15,2012-11-30,2012 666,665,Kmart Corporation,IL,Kmart Pharmacy #7623,16988,1/2/2013,Improper Disposal,Paper,2014-02-12,,2013-01-02,,2013 667,666,Community Services NW,AL,,2400,12/6/2012,Theft,Desktop Computer,2014-04-23,,2012-12-06,,2012 668,667,American HomePatient Inc. ,TN,LifeGas,1103,10/11/2012,Theft,Laptop,2014-01-23,,2012-10-11,,2012 669,668,Yadkinville Chiropractic DCPA,NC,Yadkinville Chiropractic DCPA,1000,2/1/2013,Theft,Desktop Computer,2014-02-12,,2013-02-01,,2013 670,669,"Intervention Services, Inc.",FL,,1200,1/19/2013,Theft,Laptop,2014-01-23,,2013-01-19,,2013 671,670,West Georgia Ambulance,GA,,500,12/13/2012,Loss,Laptop,2014-01-23,,2012-12-13,,2012 672,671,"Center for Pain Management, LLC",MD,,5822,1/22/2013,Theft,Laptop,2014-01-23,,2013-01-22,,2013 673,672,Multiple Health Plans,CA,"Coast Healthcare Management, LLC",1368,12/7/2013,"Theft, Other",Paper,2014-01-23,,2013-12-07,,2013 674,673,Froedtert Health,WI,,43549,10/27/2012-12/13/2012,Unauthorized Access/Disclosure,Other,2014-03-24,,2012-10-27,2012-12-13,2012 675,674,Jackson Health System,FL,,566,05/26/2011 - 02/18/2012,Other,Paper,2014-01-23,,2011-05-26,2012-02-18,2011 676,675,Riderwood Village,MD,,5270,11/18/2012,Theft,Laptop,2014-01-23,,2012-11-18,,2012 677,676,"Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl",MA,,716,12/15/2012-12/17/2012,Theft,Other Portable Electronic Device,2014-01-23,,2012-12-15,2012-12-17,2012 678,677,"HomeCare of Mid-Missouri, Inc.",MO,,4027,12/14/2012,Theft,Laptop,2014-01-23,,2012-12-14,,2012 679,678,Heyman HospiceCare at Floyd,GA,,1819,1/4/2013,Theft,Laptop,2014-01-23,,2013-01-04,,2013 680,679,Agency for Health Care Administration,FL,"DentaQuest of Florida, Inc.",1892,11/01/2012 - 12/20/2012,Unauthorized Access/Disclosure,Paper,2014-01-23,,2012-11-01,2012-12-20,2012 681,680,ABQ HealthPartners,NM,,778,12/20/2012,Theft,Laptop,2014-01-23,,2012-12-20,,2012 682,681,Terrell County Health Department,GA,,18000,01/09/2012 - 04/17/2012,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2012-01-09,2012-04-17,2012 683,682,Florida Healthy Kids Corporation,FL,"DentaQuest of Florida, LLC",3667,11/01/2012-12/20/2012,Unauthorized Access/Disclosure,Paper,2014-01-23,,2012-11-01,2012-12-20,2012 684,683,Stronghold Counseling Services Inc,SD,,8500,12/24/2012,Theft,Desktop Computer,2014-01-23,,2012-12-24,,2012 685,684,Arizona Oncology,AZ,,501,11/21/2012,Theft,Laptop,2014-01-23,,2012-11-21,,2012 686,685,Crescent Health Inc. - a Walgreens Company,CA,,109000,12/28/2012,Theft,Desktop Computer,2014-01-23,,2012-12-28,,2012 687,686,"County of San Bernardino, Department of Behavioral Health",CA,,686,1/12/2013,Theft,Paper,2014-01-23,,2013-01-12,,2013 688,687,"WOMENS HEALTH ENTERPRISE, INC.",GA,,3000,1/2/2013,Theft,Laptop,2014-01-23,,2013-01-02,,2013 689,688,The Brookdale University Hospital and Medical Center,NY,Standard Register,2261,8/11/2012,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI.",2012-08-11,,2012 690,689,The Brookdale University Hospital and Medical Center,NY,Health Plus Amerigroup,28187,9/21/2012,Theft,Other Portable Electronic Device,2014-06-20,"The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues.",2012-09-21,,2012 691,690,"Ultra Stores, Inc.",IL,Plexus Group,500,9/13/2012,Unauthorized Access/Disclosure,Other,2014-03-24,,2012-09-13,,2012 692,691,South Miami Hospital,FL,,834,6/1/2011,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2011-06-01,,2011 693,692,Lancaster General Medical Group,PA,,527,2/5/2013,Theft,Paper,2014-01-23,,2013-02-05,,2013 694,693,Maine Medical Center,ME,,1920,2/27/2013,Other,E-mail,2014-02-12,,2013-02-27,,2013 695,694,"State of California, Dept. of Developmental Services",CA,North Los Angeles County Regional Center ,18162,11/10/2012,Theft,Laptop,2014-01-23,,2012-11-10,,2012 696,695,Utah Department of Health ,UT,Goold Health System (Goold),6332,01/10/2013-01/11/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-01-10,2013-01-11,2013 697,696,Sports Rehabilitation Consultants,OH,,1200,2/1/2013,Theft,Desktop Computer,2014-02-12,,2013-02-01,,2013 698,697,University of Connecticut Health Center,CT,,1382,06/07/2010 - 12/07/2012,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2010-06-07,2012-12-07,2010 699,698,"United HomeCare Services, Inc.",FL,,12299,1/8/2013,Theft,Laptop,2014-01-23,,2013-01-08,,2013 700,699,United Home Care Services of Southwest Florida< LLC,FL,"United HomeCare Services, Inc.",1318,1/8/2013,Theft,Laptop,2014-01-23,,2013-01-08,,2013 701,700,"catoctin Dental/Richard B. Love, DDS, PA",MD,Patterson Dental Supply/Patterson Companies,6400,1/3/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-01-03,,2013 702,701,Empire Blue Cross Blue Shield,IN,Connextions c/o Empire BCBS,2608,11/01/2011-10/01/2012,"Theft, Unauthorized Access/Disclosure",Network Server,2014-01-23,,2011-11-01,2012-10-01,2011 703,702,Anthem Blue Cross Blue Shield (OH),IN,Connextions c/o Anthem BCBS,1678,11/01/2011-10/01/2012,"Theft, Unauthorized Access/Disclosure",Network Server,2014-01-23,,2011-11-01,2012-10-01,2011 704,703,Anthem Blue Cross Blue Shield (IN),IN,Connextions c/o Anthem BCBS,528,11/01/2011-10/01/2012,"Theft, Unauthorized Access/Disclosure",Network Server,2014-01-23,,2011-11-01,2012-10-01,2011 705,704,Mount Sinai Medical Center,FL,,628,10/01/2012 - 02/18/2013,Theft,"Desktop Computer, Paper",2014-01-23,,2012-10-01,2013-02-18,2012 706,705,"Thomas L. Davis, Jr. DDS",OR,,3269,2/12/2013,Theft,"Desktop Computer, Electronic Medical Record",2014-01-23,,2013-02-12,,2013 707,706,"HealthCare for Women, Inc.",MA,,8727,01/18/2013-01/23/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-01-18,2013-01-23,2013 708,707,University of Mississippi Medical Center,MS,,500,11/01/2012-01/19/2013,Loss,Laptop,2014-01-23,,2012-11-01,2013-01-19,2012 709,708,Granger Medical Clinic,UT,,2600,1/17/2013,"Theft, Loss, Other",Paper,2014-02-12,,2013-01-17,,2013 710,709,Texas Tech Unversity Health Sciences Center,TX,,697,2/18/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-02-18,,2013 711,710,Rite Aid #10217,RI,,2082,2/1/2013,"Unknown, Other",Paper,2014-02-12,,2013-02-01,,2013 712,711,WA Department of Social and Health Services,WA,"Sunil Kakar, Psy.D.",629,2/4/2013,Theft,Laptop,2014-01-23,,2013-02-04,,2013 713,712,Carpenters Health & Welfare Trust Fund for California,CA,"QuickRunner, Inc. (dba, RoadRunner Mailing Services)",2400,03/11/2013-03/12/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-03-11,2013-03-12,2013 714,713,"Shands Jacksonville Medical Center, Inc.",FL,,1025,05/02/2012-06/22/2012,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,2014-01-23,,2012-05-02,2012-06-22,2012 715,714,University of Florida,FL,,14519,03/01/2009 - 10/25/2012,"Theft, Unauthorized Access/Disclosure, Other",Network Server,2014-01-23,,2009-03-01,2012-10-25,2009 716,715,Kmart Corporation,IL,,12542,3/17/2013,Theft,Electronic Medical Record,2014-02-12,,2013-03-17,,2013 717,716,GLENS FALLS HOSPITAL,NY,PORTAL HEALTHCARE SOLUTIONS LLC,2360,11/02/2012 - 03/14/2013,Theft,Network Server,2014-06-03,"The covered entity's (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors' notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. As a result of OCR's investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE's ePHI.",2012-11-02,2013-03-14,2012 718,717,Hospice and Palliative Care Center of Alamance Caswell,NC,,5370,2/24/2013,"Theft, Unauthorized Access/Disclosure","Laptop, Paper",2014-01-23,,2013-02-24,,2013 719,718,"Texas Health Care, P.L.L.C.",TX,,554,3/10/2013,Theft,Paper,2014-01-23,,2013-03-10,,2013 720,719,Network Health Insurance Corporation,WI,TMG Health ,3794,2/27/2012,Unauthorized Access/Disclosure,Paper,2014-03-24,,2012-02-27,,2012 721,720,Wm. Jennings Bryan Dorn VAMC,SC,,7405,2/11/2013,Loss,Laptop,2014-01-23,,2013-02-11,,2013 722,721,John J. Pershing VA Medical Center,MO,,589,2/20/2013,Theft,Paper,2014-06-20,"OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. Substitute notification was provided through a posting on the CE's main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. ",2013-02-20,,2013 723,722,Oregon Health & Science University,OR,,1076,2/22/2013,Theft,Laptop,2014-01-23,,2013-02-22,,2013 724,723,Schneck Medical Center,IN,,3131,3/14/2013,Unauthorized Access/Disclosure,Other,2014-02-12,,2013-03-14,,2013 725,724,The Guidance Center of Westchester,NY,,1416,2/21/2013,Theft,Desktop Computer,2014-01-23,,2013-02-21,,2013 726,725,Hope Hospice,TX,,818,12/27/2012 - 02/22/2013,Other,E-mail,2014-01-23,,2012-12-27,2013-02-22,2012 727,726,"IHC Health Services, Inc. dba Intermountain Life Flight",UT,,857,3/28/2013,Unauthorized Access/Disclosure,Other,2014-02-12,,2013-03-28,,2013 728,727,Valley Mental Health,UT,,700,2/27/2013,Theft,Desktop Computer,2014-01-23,,2013-02-27,,2013 729,728,Delta Dental of Pennsylvania,PA,ZDI,14829,3/20/2013,Loss,Paper,2014-01-23,,2013-03-20,,2013 730,729,Raleigh Orthopaedic Clinic,NC,,17300,1/15/2013,"Theft, Improper Disposal, Unauthorized Access/Disclosure",Paper,2014-01-23,,2013-01-15,,2013 731,730,Laboratory Corporation of America,NC,,1580,3/15/2013,Theft,Desktop Computer,2014-02-12,,2013-03-15,,2013 732,731,"Arizona Counseling & Treatment Services, LLC",AZ,,3800,03/18/2013-03/25/2013,Theft,Other Portable Electronic Device,2014-01-23,,2013-03-18,2013-03-25,2013 733,732,Wood County Hospital,OH,,2500,3/19/2013,Theft,Other,2014-01-23,,2013-03-19,,2013 734,733,University of Rochester Medical Center & Affiliates,NY,,537,2/15/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-02-15,,2013 735,734,Orthopedics & Adult Reconstructive Surgery,TX,AssuranceMD f/k/a Harbor Group,22000,03/01/2013 - 03/13/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-03-01,2013-03-13,2013 736,735,El Centro Regional Medical Center,CA,Digital Archive Management,189489,11/7/2012,Improper Disposal,Paper,2014-01-23,,2012-11-07,,2012 737,736,Seattle - King County Department of Public Health,WA,,750,3/7/2013,Improper Disposal,Paper,2014-01-23,,2013-03-07,,2013 738,737,Regional Medical Center,TN,,1180,2/4/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-02-04,,2013 739,738,Presbyterian Anesthesia Associates PA,NC,"E-dreamz, Inc.",9988,4/1/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-04-01,,2013 740,739,"Integrity Oncology, an office of Baptist Medical Group",TN,"North Atlantic Telecom, Inc.",539,3/5/2013,Other,Desktop Computer,2014-01-23,,2013-03-05,,2013 741,740,"Piedmont HealthCare, P.A.",NC,"E-dreamz, Inc.",1924,3/28/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-03-28,,2013 742,741,Indiana University Health Arnett,IN,,10350,4/9/2013,Theft,Laptop,2014-01-23,,2013-04-09,,2013 743,742,"Dent Neurologic Group, LLP",NY,,10000,5/13/2013,Other,E-mail,2014-01-23,,2013-05-13,,2013 744,743,City of Norwood,OH,,9577,04/14/2013 - 04/19/2013,Loss,Laptop,2014-01-23,,2013-04-14,2013-04-19,2013 745,744,Lutheran Social Services of South Central Pennsylvania,PA,,7803,06/01/2012 - 03/07/2013,Hacking/IT Incident,Network Server,2014-01-23,,2012-06-01,2013-03-07,2012 746,745,Comfort Dental Marion and Kokomo,IN,Just the Connection Inc,5388,03/14/2013-03/18/2013,Improper Disposal,Other,2014-01-23,,2013-03-14,2013-03-18,2013 747,746,Erskine Family Dentistry,IN,,2723,3/19/2013,Hacking/IT Incident,Desktop Computer,2014-02-12,,2013-03-19,,2013 748,747,Health Resources of Arkansas,AR,,1900,4/14/2013,"Theft, Unauthorized Access/Disclosure",Other,2014-01-23,,2013-04-14,,2013 749,748,Various Health Plans,AL,SynerMed / Inland Valleys IPA,3164,04/14/2013-04/15/2013,Theft,Laptop,2014-01-23,,2013-04-14,2013-04-15,2013 750,749,Independence Care System,NY,,2434,5/7/2013,Theft,Laptop,2014-01-23,,2013-05-07,,2013 751,750,Sonoma Valley Hospital,CA,,1386,2/14/2013,Other,Other,2014-01-23,,2013-02-14,,2013 752,751,University of Florida,FL,,5875,02/01/2012- 04/11/2013,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,2014-01-23,,2012-02-01,2013-04-11,2012 753,752,"Community Support Services, Inc.",OH,,1167,03/20/2013-03/26/2013,Theft,E-mail,2014-02-12,,2013-03-20,2013-03-26,2013 754,753,UMASSAmherst,MA,,1670,10/22/2012,Hacking/IT Incident,Desktop Computer,2014-01-23,,2012-10-22,,2012 755,754,Palm Beach County Health Department,FL,,877,1/7/2013,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2013-01-07,,2013 756,755,Lucile Packard Children's Hospital,CA,,12900,5/8/2013,Theft,Laptop,2014-01-23,,2013-05-08,,2013 757,756,Fayetteville VAMC,NC,,1093,4/17/2013,Improper Disposal,Paper,2014-01-23,,2013-04-17,,2013 758,757,Lincoln County Health and Human Services/Lincoln Community Health Center,OR,,959,4/17/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-04-17,,2013 759,758,Union Security Insurance Company,MO,,1127,5/17/2013,Improper Disposal,E-mail,2014-01-23,,2013-05-17,,2013 760,759,"Gulf Breeze Family Eyecare, Inc",FL,,9626,03/08/2013-05/09/2013,"Theft, Unauthorized Access/Disclosure","Desktop Computer, Network Server, E-mail, Electronic Medical Record, Paper",2014-01-23,,2013-03-08,2013-05-09,2013 761,760,Jacksonville Spine Center,FL,,5200,4/25/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-04-25,,2013 762,761,Iowa Department of Human Services,IA,,7335,4/30/2013,"Loss, Unknown",Other,2014-01-23,,2013-04-30,,2013 763,762,James A. Fosnaugh,NE,,2125,05/01/2013 - 05/03/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-05-01,2013-05-03,2013 764,763,Lone Star Circle of Care,TX,,1955,05/01/2013-05/02/2013,Theft,Laptop,2014-01-23,,2013-05-01,2013-05-02,2013 765,764,Aflac,GA,Alberto Gerardo Vazquez Rivera,679,5/9/2013,Theft,Laptop,2014-01-23,,2013-05-09,,2013 766,765,Indiana Family & Social Services Administration,IN,RCR Technology Corporation,187533,04/06/2013-05/21/2013,Other,Paper,2014-01-23,,2013-04-06,2013-05-21,2013 767,766,Northrop Grumman Retiree Health Plan,VA,CVS Caremark,4305,5/20/2013,Theft,Paper,2014-06-24,"Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media. Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above.",2013-05-20,,2013 768,767,"Health Net, Inc.",CA,,8331,04/01/2013 - 05/31/2013,Other,Paper,2014-01-23,,2013-04-01,2013-05-31,2013 769,768,"South Florida Neurology Associates, P.A.",FL,,900,05/25/2013-05/30/2013,Theft,Laptop,2014-01-23,,2013-05-25,2013-05-30,2013 770,769,Samaritan Regional Health System,OH,,2203,5/29/2013,Other,Paper,2014-01-23,,2013-05-29,,2013 771,770,MED-EL Coproration,NC,,609,6/25/2013,Other,E-mail,2014-01-23,,2013-06-25,,2013 772,771,Sutter Health East Bay Region (Alta Bates Summit Medical Center; Sutter Delta Medical Center; Eden Medical Center),CA,Nelson Family of Companies,4479,3/1/2011,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2011-03-01,,2011 773,772,Illinois Department of Healthcare and Familiy Services,IL,Family Health Network,3133,5/8/2013,Other,Paper,2014-01-23,,2013-05-08,,2013 774,773,Delta Dental of Pennsylvania,PA,ZDI,4718,5/13/2013,Loss,Paper,2014-01-23,,2013-05-13,,2013 775,774,"Medtronic, Inc.",MN,,2764,03/28/2013-03/29/2013,Loss,Paper,2014-01-23,,2013-03-28,2013-03-29,2013 776,775,Texas Health Harris Methodist Hospital Fort Worth,TX,Shred-it International Inc.,277014,5/11/2013,Improper Disposal,Other,2014-01-23,,2013-05-11,,2013 777,776,Long Beach Memorial Medical Center,CA,,2864,09/01/2012-07/01/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2012-09-01,2013-07-01,2012 778,777,Hansen & Associates,WY,,2700,05/21/2013-05/29/2013,Theft,Desktop Computer,2014-06-10,,2013-05-21,2013-05-29,2013 779,778,Sheet Metal Local 36 Welfare Fund,MO,People Resource Corporation,4560,08/01/2012-07/08/2013,Unauthorized Access/Disclosure,Other,2014-01-23,,2012-08-01,2013-07-08,2012 780,779,Harris County,TX,,21000,08/15/2005 - 06/14/2007,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2005-08-15,2007-06-14,2005 781,780,"San Jose Medical Supply Co., Inc.",CA,Jesle Kuizon,800,10/01/2011-11/31/2011,"Theft, Unauthorized Access/Disclosure, Hacking/IT Incident","Desktop Computer, Network Server",2014-01-23,,2011-10-01,,2011 782,781,"GEO Care, LLC",FL,,710,4/16/2013,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2013-04-16,,2013 783,782,The Brookdale Hospital and Medical Center,NY,,2700,5/24/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-05-24,,2013 784,783,Louisiana State University Health Care Services Division,LA,,6994,12/1/2011,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2011-12-01,,2011 785,784,Oregon Health & Science University,OR,,1361,01/01/2011-07/03/2013,Unauthorized Access/Disclosure,Other,2014-01-31,,2011-01-01,2013-07-03,2011 786,785,"Rocky Mountain Spine Clinic, P.C.",CO,,532,6/11/2013,"Theft, Unauthorized Access/Disclosure",Network Server,2014-01-23,,2013-06-11,,2013 787,786,"Vitreo-Retinal Medical Group, Inc. ",CA,,1837,6/5/2013,Theft,Laptop,2014-01-23,,2013-06-05,,2013 788,787,Arkansas Department of Human Services,AR,Health Resources of Arkansas,1911,4/14/2013,Theft,Laptop,2014-02-12,,2013-04-14,,2013 789,788,Baylor All Saints Medical Center at Fort Worth,TX,,940,05/07/2013-06/06/2013,Unauthorized Access/Disclosure,Other Portable Electronic Device,2014-02-12,,2013-05-07,2013-06-06,2013 790,789,"Cogent Healthcare, Inc.",TN,M2ComSys Inc.,32151,05/05/2013-06/24/2013,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2013-05-05,2013-06-24,2013 791,790,Young Family Medicine Inc.,OH,,2045,6/12/2013,Theft,Laptop,2014-01-23,,2013-06-12,,2013 792,791,Hancock OB/GYN,IN,,1396,11/09/2011 - 06/17/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2011-11-09,2013-06-17,2011 793,792,Colfax,IN,Anthem BCBS of GA,5497,4/11/2013,Other,Other,2014-02-12,,2013-04-11,,2013 794,793,Missouri Department of Social Services,MO,"InfoCrossing, Inc.",1357,10/16/2011 - 06/07/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2011-10-16,2013-06-07,2011 795,794,Foundations Recovery Network,TN,,5690,6/15/2013,Theft,Laptop,2014-01-23,,2013-06-15,,2013 796,795,California Correctional Health Care Services,CA,,1033,6/19/2013,Other,Paper,2014-01-23,,2013-06-19,,2013 797,796,North Texas Comprehensive Spine & Pain Center,TX,,3200,6/16/2013,"Theft, Loss",Other Portable Electronic Device,2014-02-12,,2013-06-16,,2013 798,797,Minne-Tohe Health Center/Elbowoods Memorial Health Center,ND,,10000,10/1/2011,"Improper Disposal, Unauthorized Access/Disclosure","Desktop Computer, Other",2014-01-23,,2011-10-01,,2011 799,798,Jackson Health System,FL,,1471,01/08/2013 - 01/10/2013,Other,Paper,2014-01-23,,2013-01-08,2013-01-10,2013 800,799,"Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group",IL,,4029530,7/15/2013,Theft,Desktop Computer,2014-01-23,,2013-07-15,,2013 801,800,"Summit Community Care Clinic, Inc.",CO,,921,7/22/2013,Hacking/IT Incident,Desktop Computer,2014-01-23,,2013-07-22,,2013 802,801,UT Physicians,TX,,596,07/22/2013-08/02/2013,"Theft, Loss",Laptop,2014-01-23,,2013-07-22,2013-08-02,2013 803,802,Parkview Community Hospital Medical Center,CA,"Cogent Healthcare, Inc.",32000,05/05/2013 - 06/24/2013,Other,Network Server,2014-01-23,,2013-05-05,2013-06-24,2013 804,803,Atlanta Center for Reproductive Medicine,GA,,654,7/12/2013,Other,E-mail,2014-01-23,,2013-07-12,,2013 805,804,St. Anthony's Physician Organization,MO,,2600,7/29/2013,Theft,"Laptop, Other Portable Electronic Device",2014-01-23,,2013-07-29,,2013 806,805,Janna Benkelman LPC LLC,CO,,1500,8/1/2013,Theft,Laptop,2014-01-23,,2013-08-01,,2013 807,806,Olson & White Orthodontics,MO,,10000,7/22/2013,Theft,"Desktop Computer, Network Server",2014-01-23,,2013-07-22,,2013 808,807,Kaiser Foundation Health Plan of the Northwest,OR,,647,3/15/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2013-03-15,,2013 809,808,"Hankyu Chung, M.D.",CA,,2182,6/17/2013,Theft,Laptop,2014-01-23,,2013-06-17,,2013 810,809,"ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group",IL,"ICS Collection Service, Inc.",1290,7/9/2013,Hacking/IT Incident,Other,2014-01-23,,2013-07-09,,2013 811,810,ACO of Puerto Rico,PR,PHMHS,5000,03/05/2013 - 07/16/2013,Theft,Network Server,2014-06-20,"Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. As a result of OCR's investigation, the CE had its BA to conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR provided technical assistance to assist the CE understand its obligations under the Privacy and Security Rules regarding BA agreements. ",2013-03-05,2013-07-16,2013 812,811,"NHC HealthCare, Oak Ridge",TN,,4268,5/10/2013,Loss,Other,2014-03-13,,2013-05-10,,2013 813,812,"NHC HealthCare, Mauldin",SC,,4204,5/15/2013,Improper Disposal,Other,2014-03-13,,2013-05-15,,2013 814,813,Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group ,IL,Blackhawk Consulting Group,2029,06/30/2013 - 08/15/2013,Hacking/IT Incident,Network Server,2014-02-12,,2013-06-30,2013-08-15,2013 815,814,Dreyer Medical Clinic,IL,Blackhawk Consulting Group,998,06/30/2013 - 08/15/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-06-30,2013-08-15,2013 816,815,"South Shore Physicians, PC",NY,,8000,01/01/2006 - 01/12/2012,Theft,Network Server,2014-01-23,,2006-01-01,2012-01-12,2006 817,816,Dermatology Associates of Tallahassee,FL,,916,9/4/2013,Unknown,Other,2014-01-23,,2013-09-04,,2013 818,817,Sierra View District Hospital,CA,,1009,07/01/2013 - 08/02/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2013-07-01,2013-08-02,2013 819,818,Missouri Department of Social Services,MO,"InfoCrossing, Inc.",25461,12/21/2009 - 06/07/2013,Unauthorized Access/Disclosure,Paper,2014-02-12,,2009-12-21,2013-06-07,2009 820,819,"Holy Cross Hospital, Inc.",FL,,9900,8/14/2013,"Theft, Unauthorized Access/Disclosure","Desktop Computer, Network Server",2014-01-23,,2013-08-14,,2013 821,820,Region Ten Community Services Board,VA,,10228,7/29/2013,Hacking/IT Incident,E-mail,2014-01-23,,2013-07-29,,2013 822,821,Comprehensive Podiatry LLC,OH,,1360,8/3/2013,Theft,Laptop,2014-01-23,,2013-08-03,,2013 823,822,Santa Clara Valley Medical Center,CA,,579,09/14/2013 - 09/15/2013,Theft,Laptop,2014-01-23,,2013-09-14,2013-09-15,2013 824,823,"Sarah Benjamin, DPM - Littleton Podiatry ",CO,Not Applicable ,3512,8/27/2013,Theft,Laptop,2014-01-23,,2013-08-27,,2013 825,824,"Carol L. Patrick, Ph.D.",OH,,517,08/08/2013-08/09/2013,Theft,Network Server,2014-01-23,,2013-08-08,2013-08-09,2013 826,825,HOPE Family Health,TN,,6932,8/4/2013,Theft,Laptop,2014-01-23,,2013-08-04,,2013 827,826,"Paul G. Klein, DPM",NJ,,2500,10/1/2013,Theft,Laptop,2014-06-20," OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnosis conditions, lab test results, medications, medical notes, and treatment plans. Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR's investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop. OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the Privacy Rule's breach notification rule and provided technical assistance to the CE regarding the requirements of the breach notification rule. ",2013-10-01,,2013 828,827,UnityPoint Health Affiliated Covered Entity (\UnityPoint\),IA,,1825,02/01/2013-08/27/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-01-23,,2013-02-01,2013-08-27,2013 829,828,TSYS Employee Health Plan,GA,"Paragon Benefits, Inc.",5232,9/5/2013,Theft,E-mail,2014-01-23,,2013-09-05,,2013 830,829,"University of California, San Francisco",CA,,3553,9/9/2013,Theft,"Laptop, Paper",2014-01-23,,2013-09-09,,2013 831,830,"Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute",PA,,2350,03/18/2013-05/13/2013,"Theft, Unauthorized Access/Disclosure",Paper,2014-01-23,,2013-03-18,2013-05-13,2013 832,831,Group Health Cooperative,WA,,1015,9/16/2013,Other,Paper,2014-01-23,,2013-09-16,,2013 833,832,Schuylkill Health System,PA,,2810,8/7/2013,Theft,Laptop,2014-01-23,,2013-08-07,,2013 834,833,CaroMont Medical Group,NC,,1310,8/5/2013,Other,E-mail,2014-01-23,,2013-08-05,,2013 835,834,Mount SInai Medical Center,NY,,1586,8/6/2013,Improper Disposal,Paper,2014-01-23,,2013-08-06,,2013 836,835,Memorial Hospital of Lafayette County,WI,Healthcare Management System ,4330,8/3/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-08-03,,2013 837,836,Saint Louis University,MO,,3100,7/25/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-07-25,,2013 838,837,MUSC Physicians & MUHA,SC,BlackHawk,7120,6/30/2013,Hacking/IT Incident,Network Server,2014-02-12,,2013-06-30,,2013 839,838,Ferris State University - MI College of Optometry,MI,,3947,12/1/2011,Hacking/IT Incident,Network Server,2014-01-23,,2011-12-01,,2011 840,839,"Access Counseling, LLC",IN,,566,8/23/2013,Theft,Laptop,2014-01-23,,2013-08-23,,2013 841,840,Rose Medical Center,CO,,606,06/28/2013 - 07/16/2013,Improper Disposal,Paper,2014-01-23,,2013-06-28,2013-07-16,2013 842,841,BriovaRx,IL,,1067,07/03/2013 - 07/11/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-07-03,2013-07-11,2013 843,842,"North Country Hospital and Health Center, Inc",VT,,550,9/18/2013,Theft,Laptop,2014-01-23,,2013-09-18,,2013 844,843,"Hope Community Resources, Inc.",AK,,1556,8/19/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-08-19,,2013 845,844,Broward Health Medical Center,FL,,960,10/01/2012 - 12/31/2012,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2012-10-01,2012-12-31,2012 846,845,Sentara Healthcare,VA,,3645,10/01/2012 - 07/11/2013,Theft,"Electronic Medical Record, Paper",2014-01-23,,2012-10-01,2013-07-11,2012 847,846,Mount Sinai Medical Center,NY,,610,8/1/2013,Loss,Other Portable Electronic Device,2014-02-12,,2013-08-01,,2013 848,847,Texas Health Presbyterian Dallas Hospital,TX,,949,8/22/2013,Theft,Desktop Computer,2014-02-12,,2013-08-22,,2013 849,848,Seton Healthcare Family,TX,,5500,10/4/2013,Theft,Laptop,2014-01-23,,2013-10-04,,2013 850,849,BRONX-LEBANON HOSPITAL CENTER,NY,PROFESSIONAL TRANSCRIPTION SERVICES,10930,9/23/2009,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2009-09-23,,2009 851,850,"Martin Luther King Jr. Health Center, Inc.",NY,PROFESSIONAL TRANSCRIPTION SERVICES,37000,9/23/2009,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2009-09-23,,2009 852,851,SSM St. Mary's Health Center,MO,Saint Louis University,1300,7/25/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-07-25,,2013 853,852,Good Samaritan Hospital,CA,,3833,7/8/2013,Theft,Laptop,2014-01-23,,2013-07-08,,2013 854,853,SSM Health Care of Wisconsin DBA: St. Mary's Janesville Hospital,WI,,631,8/27/2013,Theft,Laptop,2014-01-23,,2013-08-27,,2013 855,854,AHMC Healthcare Inc. and affiliated Hospitals,CA,,729000,10/12/2013,Theft,Laptop,2014-01-23,,2013-10-12,,2013 856,855,"Greater Dallas Orthopaedics, PLLC",TX,,5840,8/30/2013,Theft,Desktop Computer,2014-01-23,,2013-08-30,,2013 857,856,"Spirit Home Health Care, Corp",FL,"Spirit Home Health Care, Corp",603,9/19/2013,Improper Disposal,Paper,2014-01-23,,2013-09-19,,2013 858,857,Rotech Healthcare Inc.,FL,,10680,11/26/2010 - 10/01/2013,Unauthorized Access/Disclosure,Laptop,2014-02-18,,2010-11-26,2013-10-01,2010 859,858,"Reimbursement Technologies, Inc.",PA,,2300,05/01/2013 - 07/26/2013,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2013-05-01,2013-07-26,2013 860,859,Comprehensive Psychological Services LLC,SC,,3500,10/28/2013,Theft,Laptop,2014-01-23,,2013-10-28,,2013 861,860,"Superior HealthPlan, Inc.",TX,,6284,10/4/2013,Other,Paper,2014-01-23,,2013-10-04,,2013 862,861,Genesis Rehabilitation Services,PA,,1167,8/30/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-08-30,,2013 863,862,"Colorado Health & Wellness, Inc.",CO,,651,9/4/2013,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record,2014-01-23,,2013-09-04,,2013 864,863,Barnabas Health Medical Group,NJ,,1100,9/24/2013,Theft,Laptop,2014-01-23,,2013-09-24,,2013 865,864,"DaVita, a division of DaVita HealthCare Partners Inc",CO,,11500,9/6/2013,"Theft, Other",Laptop,2014-01-23,,2013-09-06,,2013 866,865,Blue Cross and Blue Shield of North Carolina,NC,,687,10/14/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-10-14,,2013 867,866,North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities ,NC,,1315,8/13/2013,Unauthorized Access/Disclosure,Other,2014-01-23,,2013-08-13,,2013 868,867,Puerto Rico Health Insurance Administration (PRHIA),PR,Triple S Salud Inc.,13336,9/20/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-09-20,,2013 869,868,Triple-S Salud ,PR,,70189,9/20/2013,Unauthorized Access/Disclosure,Paper,2014-01-23,,2013-09-20,,2013 870,869,Associated Urologists of North Carolina,NC,,7300,09/17/2012 - 09/17/2013,Other,Other,2014-01-23,,2012-09-17,2013-09-17,2012 871,870,Kemmet Dental Design ,ND,,2000,11/10/2013,"Theft, Other",Paper,2014-01-23,,2013-11-10,,2013 872,871,Hospice of the Chesapeake,MD,,7606,8/9/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-08-09,,2013 873,872,"Scottsdale Dermatology, LTD",AZ,All Source Medical Management,1456,01/01/2013 -10/04/2013,Theft,Other,2014-01-23,,2013-01-01,2013-10-04,2013 874,873,Memorial Sloan-Kettering Cancer Center,NY,,2279,8/1/2013,Loss,Other Portable Electronic Device,2014-02-18,,2013-08-01,,2013 875,874,Gerdau Ameristeel Health and Welfare Plan,FL,Health Fitness Corporation,3804,9/27/2013,Theft,Laptop,2014-02-18,,2013-09-27,,2013 876,875,Gerdau Macsteel Health and Welfare Plan,MI,Health Fitness Corporation,4837,9/27/2013,Theft,Laptop,2014-02-18,,2013-09-27,,2013 877,876,UHS-Pruitt Corporation,GA,,1300,9/26/2013,Theft,Laptop,2014-01-23,,2013-09-26,,2013 878,877,"United Dynacare, LLC dba Dynacare Laboratories",WI,,9328,10/22/2013,Theft,Other Portable Electronic Device,2014-01-23,,2013-10-22,,2013 879,878,Redwood Memorial Hospital,CA,,1039,11/6/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-11-06,,2013 880,879,Kaiser Foundation Hospital- Orange County,CA,,49000,9/25/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-09-25,,2013 881,880,Jones Chiropractic and Maximum Health,IN,,1500,10/13/2013,Theft,Desktop Computer,2014-01-23,,2013-10-13,,2013 882,881,Ronald Schubert MD PLLC,WA,,950,11/22/2013,Theft,Laptop,2014-01-23,,2013-11-22,,2013 883,882,UPMC,PA,,1279,11/05/2012 - 11/06/2013,Unauthorized Access/Disclosure,Electronic Medical Record,2014-02-18,,2012-11-05,2013-11-06,2012 884,883,UW Medicine,WA,,76183,10/2/2013,Hacking/IT Incident,Desktop Computer,2014-02-18,,2013-10-02,,2013 885,884,City of Chicago,IL,,2080,06/18/2013 - 10/07/2013,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2013-06-18,2013-10-07,2013 886,885,CIty of Joliet,IL,"Quality Health Claims Consultants, LLC",1573,10/8/2013,Unauthorized Access/Disclosure,E-mail,2014-01-23,,2013-10-08,,2013 887,886,SIU HealthCare,IL,,1891,09/13/2013 - 10/15/2013,"Theft, Loss",Laptop,2014-01-23,,2013-09-13,2013-10-15,2013 888,887,The Good Samaritan Health Center,GA,,5000,11/6/2013,Other,Desktop Computer,2014-01-23,,2013-11-06,,2013 889,888,UniHealth Source,GA,,4500,10/8/2013,Theft,Laptop,2014-01-23,,2013-10-08,,2013 890,889,Walgreen Co.,IL,,17350,09/18/2013 - 10/04/2013,Other,Paper,2014-01-23,,2013-09-18,2013-10-04,2013 891,890,Methodist Dallas Medical Center,TX,,44000,09/01/2005 - 08/01/2013,Unauthorized Access/Disclosure,Other,2014-01-23,,2005-09-01,2013-08-01,2005 892,891,Florida Digestive Health Specialists,FL,,4400,03/06/2013 -09/09/2013,Unauthorized Access/Disclosure,Desktop Computer,2014-01-23,,2013-03-06,2013-09-09,2013 893,892,"Northside Hospital, Inc.",GA,,4879,10/10/2013,Loss,Laptop,2014-01-23,,2013-10-10,,2013 894,893,"Health Help, Inc.",KY,,535,10/15/2013,Theft,Other Portable Electronic Device,2014-01-23,,2013-10-15,,2013 895,894,L.A. Gay & Lesbian Center,CA,,59000,09/17/2013 - 11/08/2013,Hacking/IT Incident,Network Server,2014-01-23,,2013-09-17,2013-11-08,2013 896,895,Mosaic,NE,,3857,10/11/2013,Other,E-mail,2014-01-23,,2013-10-11,,2013 897,896,New Jersey Department of Human Services,NJ,Island Peer Review Organization,9642,10/18/2013,Loss,Other Portable Electronic Device,2014-01-23,,2013-10-18,,2013 898,897,"Fairfax County, Virginia",VA,Molina Healthcare In,1499,09/09/2013 - 10/03/2013,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2013-09-09,2013-10-03,2013 899,898,Wyoming Department of Health,WY,,11935,10/16/2013,Unauthorized Access/Disclosure,Network Server,2014-01-23,,2013-10-16,,2013 900,899,Shiloh Medical Clinic,MT,,1900,11/8/2013,Unauthorized Access/Disclosure,"Desktop Computer, E-mail",2014-01-23,,2013-11-08,,2013 901,900,South Carolina Health Insurance Pool,SC,DeLoach & Williamson,3432,10/16/2013,Theft,Laptop,2014-01-23,,2013-10-16,,2013 902,901,Tennova Cardiology,TN,Colby DeHart,2777,10/21/2013,Theft,Laptop,2014-01-23,,2013-10-21,,2013 903,902,Delta Dental of Pennsylvania,PA,ZDI,1674,10/16/2013,Loss,Paper,2014-03-13,,2013-10-16,,2013 904,903,"Molina Healthcare of Texas, Inc.",TX,,2826,10/1/2013,Other,Paper,2014-01-23,,2013-10-01,,2013 905,904,"Rob Meaglia, DDS",CA,,1400,12/16/2013,Theft,Desktop Computer,2014-01-23,,2013-12-16,,2013 906,905,Jeff Spiegel,MA,,832,11/25/2013,Unauthorized Access/Disclosure,E-mail,2014-03-13,,2013-11-25,,2013 907,906,Tranquility Counseling Services,NC,,1683,11/1/2013,Other,Paper,2014-01-23,,2013-11-01,,2013 908,907,Florida Department of Health,FL,,2354,10/30/2013,Unauthorized Access/Disclosure,Desktop Computer,2014-03-05,,2013-10-30,,2013 909,908,"New Mexico Oncology Hematology Consultants, LTD",NM,,12354,11/13/2013,Theft,Laptop,2014-01-23,,2013-11-13,,2013 910,909,Department of Health Care Policy & Financing,CO,Colorado Community Health Alliance (CCHA)/Physicians Health Partners,1918,11/21/2013,Unauthorized Access/Disclosure,E-mail,2014-02-21,,2013-11-21,,2013 911,910,"Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates",NJ,,839711,11/1/2013,Theft,Laptop,2014-02-21,,2013-11-01,,2013 912,911,Phoebe Putney Memorial Hospital,GA,,6989,11/5/2013,Loss,Desktop Computer,2014-02-11,,2013-11-05,,2013 913,912,Coulee Medical Center,WA,,2500,01/01/2010-11/30/2013,Unauthorized Access/Disclosure,"Laptop, Network Server, E-mail",2014-02-11,,2010-01-01,2013-11-30,2010 914,913,University of Pennsylvania Health System,PA,"RevSpring, Inc.",3000,11/26/2013,Other,Paper,2014-02-11,,2013-11-26,,2013 915,914,North Carolina Department of Health and Human Services ,NC,,48752,12/30/2013,Unauthorized Access/Disclosure,Other,2014-02-11,,2013-12-30,,2013 916,915,101 FAMILY MEDICAL GROUP,CA,"Phreesia, Inc",2500,11/23/2013,Theft,Laptop,2014-02-11,,2013-11-23,,2013 917,916,Tri Lakes Medical Center,MS,,1489,9/20/2013,Hacking/IT Incident,Network Server,2014-02-11,,2013-09-20,,2013 918,917,VA Dept. of Medical Assistance Services,VA,Virginia Premier Health Plan (VPHP),25513,11/15/2013,"Unauthorized Access/Disclosure, Other",Paper,2014-02-11,,2013-11-15,,2013 919,918,Cook County Health & Hospitals System,IL,,22511,11/12/2013,Other,E-mail,2014-02-11,,2013-11-12,,2013 920,919,Southwest General Health Center,OH,,953,04/13/2013 - 10/31/2013,Unknown,Other,2014-05-30,,2013-04-13,2013-10-31,2013 921,920,"Robert B. Neves, M.D., Inc",CA,,611,5/8/2011,Theft,Laptop,2014-01-24,,2011-05-08,,2011 922,921,"Triple-S Salud, Inc.",PR,"Triple-C, Inc.",398000,9/9/2010,Theft,Network Server,2014-02-18,,2010-09-09,,2010 923,922,"Triple-S Salud, Inc.",PR,"Triple-C, Inc.",8000,10/3/2008,"Theft, Unauthorized Access/Disclosure",Network Server,2014-01-24,,2008-10-03,,2008 924,923,Urology Centers of Alabama PC and Urology Health Foundation,AL,"Birmingham Printing and Publishing, Inc dba Paper Airplane",1085,8/22/2013,Other,Other,2014-06-03,,2013-08-22,,2013 925,924,Medical Mutual of Ohio,OH,,1420,10/16/2013,Unauthorized Access/Disclosure,Paper,2014-06-13,,2013-10-16,,2013 926,925,Unity Health Plans Insurance Corporation,WI,University of Wisconsin-Madison School of Pharmacy,41437,12/12/2013,Loss,Other Portable Electronic Device,2014-02-21,,2013-12-12,,2013 927,926,The University of Texas MD Anderson Cancer Center,TX,,3598,12/2/2013,Loss,Other Portable Electronic Device,2014-02-11,,2013-12-02,,2013 928,927,Beebe Medical Center,DE,,1883,9/2/2013,Other,Laptop,2014-02-21,,2013-09-02,,2013 929,928,St. Joseph Health System ,TX,,405000,12/16/2013,Hacking/IT Incident,Network Server,2014-02-11,,2013-12-16,,2013 930,929,"Min Yi, M.D.",CA,,4676,5/28/2013,Theft,Other Portable Electronic Device,2014-02-21,,2013-05-28,,2013 931,930,Easter Seal Society of Superior California,CA,,3026,12/10/2013,Theft,Laptop,2014-02-21,,2013-12-10,,2013 932,931,PruittHealth Pharmacy Services,GA,,841,12/6/2013,Theft,Laptop,2014-02-25,,2013-12-06,,2013 933,932,"RGH Enterprises, Inc.",OH,,4230,03/09/2013-03/11/2013,Theft,Network Server,2014-06-24,"Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website. The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised ",2013-03-09,2013-03-11,2013 934,933,Network Pharmacy Knoxville,TN,,9602,11/18/2013,Theft,Laptop,2014-02-11,,2013-11-18,,2013 935,934,Saint Francis Hospital and Medical Center,CT,,858,12/27/2013,Theft,Paper,2014-03-24,,2013-12-27,,2013 936,935,Health Dimensions,MI,,5370,11/2/2013,Theft,Network Server,2014-02-11,,2013-11-02,,2013 937,936,COMPLETE MEDICAL HOMECARE,KS,,1700,12/12/2013,Unauthorized Access/Disclosure,Other Portable Electronic Device,2014-02-11,,2013-12-12,,2013 938,937,Hospital for Special Surgery,NY,,937,3/19/2013,Theft,"Desktop Computer, Paper",2014-02-26,,2013-03-19,,2013 939,938,The Brooklyn Hospital Center,NY,,2172,12/2/2013,Loss,Other Portable Electronic Device,2014-02-24,,2013-12-02,,2013 940,939,Kmart Corporation,IL,,16446,1/4/2014,Theft,"Other, Electronic Medical Record",2014-03-24,,2014-01-04,,2014 941,940,WA State Department of Social & Health Services,WA,,3104,8/19/2013,"Unauthorized Access/Disclosure, Other",Paper,2014-04-21,,2013-08-19,,2013 942,941,"Lewis J. Sims, DPM, PC dba Sims and Associates Podiatry ",NY,,6475,1/10/2014,"Theft, Other",Laptop,2014-04-21,,2014-01-10,,2014 943,942,University of Miami,FL,,13074,6/27/2013,Loss,Paper,2014-04-21,,2013-06-27,,2013 944,943,"Supportive Concepts for Families, Inc.",PA,,593,2/6/2013,Unauthorized Access/Disclosure,Network Server,2014-02-24,,2013-02-06,,2013 945,944,Health Care Solutions at Home Inc.,OH,,1139,12/17/2013,Other,Other,2014-03-12,,2013-12-17,,2013 946,945,University of California Davis Medical Center,CA,,2269,12/13/2013,Hacking/IT Incident,E-mail,2014-04-21,,2013-12-13,,2013 947,946,"St. Vincent Hospital and Healthcare, Inc",IN,,1142,12/23/2013,Theft,Laptop,2014-03-12,,2013-12-23,,2013 948,947,Missouri Consolidated Health Care Plan,MO,"StayWell Health Management, LLC",10024,3/23/2012,Unauthorized Access/Disclosure,Network Server,2014-03-12,,2012-03-23,,2012 949,948,The Clorox Company Group Insurance Plan,CA,"StayWell Health Management, LLC",520,4/16/2012,Unauthorized Access/Disclosure,Network Server,2014-03-12,,2012-04-16,,2012 950,949,Regents of the University of Minnesota,MN,"StayWell Health Management, LLC",4786,3/29/2012,Unauthorized Access/Disclosure,Network Server,2014-03-24,,2012-03-29,,2012 951,950,Inspira Health Network Inc.,NJ,,1411,12/23/2013,Theft,Desktop Computer,2014-03-12,,2013-12-23,,2013 952,951,"Nissan North America, Inc.",TN,"StayWell Health Management, LLC",1511,5/8/2012,Unauthorized Access/Disclosure,Network Server,2014-03-12,,2012-05-08,,2012 953,952,"Care Advantage, Inc.",VA,,3458,1/1/2013,Theft,Laptop,2014-03-24,,2013-01-01,,2013 954,953,HealthSource of Ohio Inc.,OH,Pair Networks Inc.,8845,11/18/2013,"Unauthorized Access/Disclosure, Other",Other,2014-03-12,,2013-11-18,,2013 955,954,"The Kroger Co., for itself and its affiliates and subsidiaries",OH,,504,10/30/2013,Other,Electronic Medical Record,2014-04-21,,2013-10-30,,2013 956,955,"Cornerstone Health Care, PA",NC,,548,12/31/2013,"Theft, Loss",Laptop,2014-03-12,,2013-12-31,,2013 957,956,Joseph Michael Benson M.D,TX,,7500,1/5/2014,Theft,Desktop Computer,2014-03-24,,2014-01-05,,2014 958,957,All for Kids Pediatric Clinic,AR,Data Media,600,12/27/2013,Other,Other,2014-03-24,,2013-12-27,,2013 959,958,Eureka Internal Medicine,CA,,3534,9/25/2013,Improper Disposal,Paper,2014-03-24,,2013-09-25,,2013 960,959,Brazos Valley Pathology,TX,St. Joseph Health System,3300,12/16/2013,Hacking/IT Incident,Network Server,2014-06-24,,2013-12-16,,2013 961,960,Banner Health,AZ,,55207,2/21/2014,Other,Other,2014-03-24,,2014-02-21,,2014 962,961,Monarch Women's Health,AL,"PracMan, Inc.",1145,8/22/2013,Hacking/IT Incident,Network Server,2014-06-02,,2013-08-22,,2013 963,962,"Punuru J.M. Reddy, MD, Inc.",AL,"PracMan, Inc.",1179,8/22/2013,Hacking/IT Incident,Network Server,2014-03-25,,2013-08-22,,2013 964,963,Iowa Dept. of Human Services,IA,,2042,12/1/2008,Other,"Laptop, E-mail, Other Portable Electronic Device",2014-04-21,,2008-12-01,,2008 965,964,City of Hope,CA,"Sutherland Healthcare Solutions, Inc.",5400,2/5/2014,Theft,"Desktop Computer, E-mail",2014-03-25,,2014-02-05,,2014 966,965,Mission City Community Network,CA,,7800,5/31/2013,Theft,E-mail,2014-04-21,,2013-05-31,,2013 967,966,"Partners In Nephrology & Endocrinology, P.C.",PA,,5000,11/13/2013,Other,Other,2014-03-24,,2013-11-13,,2013 968,967,"University of California, San Francisco",CA,,9861,1/11/2014,Theft,Desktop Computer,2014-03-31,,2014-01-11,,2014 969,968,Detroit Medical Center - Harper University Hospital,MI,,1087,9/7/2012,"Theft, Unauthorized Access/Disclosure",Paper,2014-05-06,,2012-09-07,,2012 970,969,"Todd M. Burton, M.D.",TX,,5000,1/13/2014,Theft,Other,2014-03-24,,2014-01-13,,2014 971,970,Valley View Hospital Association,CO,,5415,9/11/2013,Other,"Laptop, Desktop Computer",2014-04-21,,2013-09-11,,2013 972,971,Hospitalists of Arizona,AZ,,1706,12/31/2013,Theft,Laptop,2014-03-24,,2013-12-31,,2013 973,972,"McBroom Clinic, PA",TX,TMA Practice Management Group,2260,1/9/2014,"Loss, Improper Disposal",Other Portable Electronic Device,2014-04-21,,2014-01-09,,2014 974,973,"QBE Holdings, Inc.",NY,"StayWell Health Management, LLC",1746,5/9/2012,Unauthorized Access/Disclosure,Network Server,2014-04-21,,2012-05-09,,2012 975,974,Berea College,KY,,1000,1/24/2012,Other,Electronic Medical Record,2014-04-21,,2012-01-24,,2012 976,975,"HealthPartners, Inc.",MN,,27839,1/7/2008,"Loss, Unauthorized Access/Disclosure","Laptop, Desktop Computer, Other Portable Electronic Device",2014-06-20,,2008-01-07,,2008 977,976,"Group Health Plan, Inc. Medical Benefit Plan",MN,"HealthPartners Administrators, Inc.",796,1/7/2008,"Loss, Unauthorized Access/Disclosure","Laptop, Desktop Computer, Other Portable Electronic Device",2014-04-21,,2008-01-07,,2008 978,977,State Employee Group Insurance Plan,MN,"HealthPartners Administrators, Inc.",1699,1/7/2008,"Loss, Unauthorized Access/Disclosure","Laptop, Desktop Computer, Other Portable Electronic Device",2014-04-21,,2008-01-07,,2008 979,978,University of Minnesota Employee Benefits,MN,"HealthPartners Administrators, Inc.",715,1/7/2008,"Loss, Unauthorized Access/Disclosure","Laptop, Desktop Computer, Other Portable Electronic Device",2014-04-21,,2008-01-07,,2008 980,979,San Francisco General Hospital & Trauma Center,CA,Sutherland Healthcare Solutions,55900,2/5/2014,Theft,Desktop Computer,2014-05-30,,2014-02-05,,2014 981,980,University of Kentucky UK HealthCare,KY,Talyst,1079,2/4/2014,Theft,Laptop,2014-04-21,,2014-02-04,,2014 982,981,Yellowstone Boys and Girls Ranch,MT,,543,7/11/2013,Theft,Paper,2014-06-24,,2013-07-11,,2013 983,982,"Orlando Health, Inc.",FL,,586,1/28/2014,Loss,Other Portable Electronic Device,2014-04-21,,2014-01-28,,2014 984,983,NOVA Chiropractic & Rehab Center,VA,,5534,1/30/2014,"Loss, Other",Other Portable Electronic Device,2014-04-21,,2014-01-30,,2014 985,984,Susquehanna Health,PA,,657,12/5/2013,Unauthorized Access/Disclosure,E-mail,2014-04-21,,2013-12-05,,2013 986,985,Jewish Hospital,KY,,2992,1/15/2014,Other,E-mail,2014-04-21,,2014-01-15,,2014 987,986,Franciscan Medical Group,WA,,8300,1/15/2014,Other,E-mail,2014-04-21,,2014-01-15,,2014 988,987,Palomar Health,CA,,5499,2/21/2014,Theft,Other Portable Electronic Device,2014-04-21,,2014-02-21,,2014 989,988,"Myriad Genetic Laboratories, Inc.",UT,,643,3/6/2013,Unauthorized Access/Disclosure,E-mail,2014-06-03,,2013-03-06,,2013 990,989,Medical Center of Plano,TX,"RelayHealth, a division of McKesson",1000,12/10/2013,Unauthorized Access/Disclosure,Other,2014-06-03,,2013-12-10,,2013 991,990,Florida Healthy Kids Corporation,FL,"Policy Studies, Inc. / Postal Center International, Inc.",580,11/13/2013,Unauthorized Access/Disclosure,Paper,2014-04-21,,2013-11-13,,2013 992,991,"Midwest Orthopaedics at Rush, LLC",IL,,1256,2/10/2014,Hacking/IT Incident,E-mail,2014-04-21,,2014-02-10,,2014 993,992,Texas Health and Human Services Commission,TX,"EveryChild, Inc.",2934,2/2/2014,Theft,"Laptop, Desktop Computer, Other Portable Electronic Device",2014-04-21,,2014-02-02,,2014 994,993,Kaiser Permanente Northern CA Department of Research,CA,,5178,10/18/2011,Hacking/IT Incident,Network Server,2014-06-02,,2011-10-18,,2011 995,994,Triple-S Salud ,PR,,5795,1/1/2013,Theft,Other,2014-06-24,,2013-01-01,,2013 996,995,American Health Inc. ,PR,,17776,1/1/2013,Theft,Other,2014-06-27,,2013-01-01,,2013 997,996,"State Long Term Care Ombudsman's Office, Michigan Department of Community Health",MI,,2595,1/30/2014,Theft,Other Portable Electronic Device,2014-04-21,,2014-01-30,,2014 998,997,County of Los Angeles,CA,"Sutherland Healthcare Solutions, Inc.",338700,2/5/2014,Theft,"Desktop Computer, E-mail",2014-04-21,,2014-02-05,,2014 999,998,Presence St. Joseph's Medical Center,IL,,836,10/22/2013,Other,Paper,2014-06-03,,2013-10-22,,2013 1000,999,"Clinical Reference Laboratory, Inc.",KS,,979,2/6/2014,Loss,Paper,2014-04-21,,2014-02-06,,2014 1001,1000,Various Health Plans,CT,Cigna,527,3/5/2014,Loss,Paper,2014-06-27,,2014-03-05,,2014 1002,1001,"Amerigroup Texas, Inc. ",VA,"Amerigroup Texas, Inc. ",75026,4/1/2012,Theft,Paper,2014-05-13,,2012-04-01,,2012 1003,1002,BLUE CROSS AND BLUE SHIELD OF KANSAS CITY,MO,,2546,8/16/2013,Unauthorized Access/Disclosure,Other,2014-04-21,,2013-08-16,,2013 1004,1003,"University Urology, P.C.",TN,,1144,3/7/2013,Unauthorized Access/Disclosure,Paper,2014-05-13,,2013-03-07,,2013 1005,1004,"Healthy Connections, Inc",CA,,793,3/25/2014,Loss,Other Portable Electronic Device,2014-06-03,,2014-03-25,,2014 1006,1005,Administracion de Seguros de Salud,PR,American Health Medicare,46473,5/8/2013,Theft,Other Portable Electronic Device,2014-06-03,,2013-05-08,,2013 1007,1006,Greenwood Leflore Hospital,MS,,3750,2/23/2014,Theft,Other,2014-05-09,,2014-02-23,,2014 1008,1007,Maryland Developmental Disabilities Administration,MD,"Service Coordination, Inc.",10766,11/27/2013,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server,2014-06-11,,2013-11-27,,2013 1009,1008,Los Robles Hospital and Medical Center,CA,"Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc.",2523,2/14/2014,"Theft, Unauthorized Access/Disclosure",Paper,2014-05-09,,2014-02-14,,2014 1010,1009,Shaker Clinic,OH,,617,2/18/2014,Loss,Paper,2014-05-27,,2014-02-18,,2014 1011,1010,VGM Homelink,IA,Tri State Adjustments,1400,2/28/2014,Other,Other,2014-05-27,,2014-02-28,,2014 1012,1011,Larsen Dental Care LLC,ID,,6900,3/4/2014,Theft,Other Portable Electronic Device,2014-05-27,,2014-03-04,,2014 1013,1012,The Union Labor Life Insurance Company,MD,,46771,2/17/2014,Theft,Laptop,2014-05-27,,2014-02-17,,2014 1014,1013,Coordinated Health,PA,,733,2/21/2014,Theft,Laptop,2014-05-29,,2014-02-21,,2014 1015,1014,CENTURA HEALTH,CO,,12286,2/11/2014,Hacking/IT Incident,E-mail,2014-05-29,,2014-02-11,,2014 1016,1015,"Ladies First Choice, Inc.",FL,,2365,1/1/2013,"Theft, Unauthorized Access/Disclosure",Laptop,2014-05-29,,2013-01-01,,2013 1017,1016,"Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company ",MA,,8830,4/10/2014,Theft,Other,2014-05-09,,2014-04-10,,2014 1018,1017,Developmental Disabilities Administration,MD,Inclusion Research Institute,2200,3/3/2014,Unauthorized Access/Disclosure,Paper,2014-05-29,,2014-03-03,,2014 1019,1018,Willis North America Inc. Medical Expense Benefit Plan,NY,,4830,3/19/2014,Unauthorized Access/Disclosure,E-mail,2014-05-29,,2014-03-19,,2014 1020,1019,Sorenson Communications/CaptionCall Group Health Plan,UT,Sorenson Communications,9800,2/20/2014,Hacking/IT Incident,Network Server,2014-05-27,,2014-02-20,,2014 1021,1020,Baylor Medical Center at McKinney,TX,,1253,1/23/2014,Hacking/IT Incident,E-mail,2014-05-09,,2014-01-23,,2014 1022,1021,Baylor Medical Center at Irving,TX,,2308,1/23/2014,Hacking/IT Incident,E-mail,2014-05-09,,2014-01-23,,2014 1023,1022,Baylor Regional Medical Center at Plano,TX,,1981,1/23/2014,Hacking/IT Incident,E-mail,2014-05-07,,2014-01-23,,2014 1024,1023,HealthTexas Provider Network,TX,,2742,1/23/2014,Hacking/IT Incident,E-mail,2014-05-07,,2014-01-23,,2014 1025,1024,DeKalb Health,IN,"Ferguson Advertising, Inc.",1361,2/9/2014,Hacking/IT Incident,Network Server,2014-05-27,,2014-02-09,,2014 1026,1025,Iowa Medicaid Enterprise,IA,,862,2/26/2014,Unauthorized Access/Disclosure,Paper,2014-05-29,,2014-02-26,,2014 1027,1026,Flowers Hospital,AL,,629,6/3/2013,Theft,Paper,2014-06-20,,2013-06-03,,2013 1028,1027,Reading Health System,PA,,1845,3/2/2012,Loss,Paper,2014-05-27,,2012-03-02,,2012 1029,1028,City of Cincinnati,OH,OptumRx,5696,4/4/2014,Other,Paper,2014-05-07,,2014-04-04,,2014 1030,1029,UMass Memorial Medical Center,MA,,2387,5/6/2002,Unauthorized Access/Disclosure,"Electronic Medical Record, Paper",2014-05-27,,2002-05-06,,2002 1031,1030,The City of Henderson,KY,KEYSTONE INSURERS GROUP,1008,6/27/2012,Other,E-mail,2014-05-27,,2012-06-27,,2012 1032,1031,Options Counseling Center,NJ,,2828,5/1/2011,"Theft, Unauthorized Access/Disclosure",Paper,2014-06-18,,2011-05-01,,2011 1033,1032,"Molina Healthcare of California Partner Plan, Inc.",CA,Creel Printing,4744,3/18/2014,Other,Paper,2014-05-27,,2014-03-18,,2014 1034,1033,Howard L. Weinstein D.P.M.,TX,,1000,3/13/2014,Theft,Laptop,2014-05-27,,2014-03-13,,2014 1035,1034,"Bio-Reference Laboratories, Inc.",NJ, Xand Corporation,1749,2/02/2014,Other,Network Server,2014-06-18,,2014-02-02,,2014 1036,1035,American Health Inc. ,PR,,11531,9/20/2013,Unauthorized Access/Disclosure,Paper,2014-06-18,,2013-09-20,,2013 1037,1036,Central City Concern,OR,,17914,3/23/2010,Unauthorized Access/Disclosure,Other,2014-06-18,,2010-03-23,,2010 1038,1037,Blue Cross Blue Shield of Michigan/Blue Care Network,MI,Bloom Health,502,2/15/2014,"Unauthorized Access/Disclosure, Hacking/IT Incident",E-mail,2014-06-18,,2014-02-15,,2014 1039,1038,Elliot Health System,NH,,1208,3/26/2014,Theft,Desktop Computer,2014-06-18,,2014-03-26,,2014 1040,1039,Humana Inc [case #15381],KY,,2962,4/2/2014,Theft,Other Portable Electronic Device,2014-06-18,,2014-04-02,,2014 1041,1040,Jamaica Hospital Medical Center,NY,,26162,8/1/2011,Unauthorized Access/Disclosure,Desktop Computer,2014-06-18,,2011-08-01,,2011 1042,1041,Bay Park Hospital,OH,,594,4/1/2013,Unauthorized Access/Disclosure,"Network Server, Electronic Medical Record",2014-06-18,,2013-04-01,,2013 1043,1042,Triple-S Salud ,PR,,56853,9/20/2013,Unauthorized Access/Disclosure,Paper,2014-06-18,,2013-09-20,,2013 1044,1043,Aetna Life Insurance Company,CT,"NFP Maschino, Hudelson & Associates",3814,4/2/2014,Theft,Laptop,2014-06-18,,2014-04-02,,2014 1045,1044,Salina Health Education Foundation dba Salina Family Healthcare Center,KS,,9640,4/8/2014,Unauthorized Access/Disclosure,E-mail,2014-06-20,,2014-04-08,,2014 1046,1045,Highmark Inc.,PA,,2589,4/19/2014,"Loss, Unauthorized Access/Disclosure",Paper,2014-06-27,,2014-04-19,,2014 1047,1046,Mark A. Gillispie,CA,,5845,11/20/2013,Theft,Desktop Computer,2014-06-27,,2013-11-20,,2013 1048,1047,Penn State Milton S Hershey Medical Center,PA,,1801,9/13/2013,Other,"E-mail, Other Portable Electronic Device",2014-06-27,,2013-09-13,,2013 1049,1048,Walgreen Co.,IL,,540,3/3/2014,Theft,"Desktop Computer, Paper",2014-06-20,,2014-03-03,,2014 1050,1049,St. Francis Hospital,GA,,1175,5/30/2014,Other,E-mail,2014-06-18,,2014-05-30,,2014 1051,1050,Puerto Rico Health Insurance ,PR,American Health Inc,28413,9/20/2013,Theft,Other,2014-06-27,,2013-09-20,,2013 1052,1051,"Hospitalists of Brandon, LLC",FL,"Doctors First Choice Billings, Inc.",1831,2/11/2014,Hacking/IT Incident,Other,2014-06-27,,2014-02-11,,2014 1053,1052,Santa Rosa Memorial Hospital ,CA,,33702,6/2/2014,"Theft, Loss",Other Portable Electronic Device,2014-06-27,,2014-06-02,,2014 1054,1053,Group Health Plan of Hurley Medical Center,MI,,2289,5/13/2014,Unauthorized Access/Disclosure,E-mail,2014-06-27,,2014-05-13,,2014 1055,1054,"Abrham Tekola, M.D.,INC",CA,,5471,5/27/2014,Theft,Desktop Computer,2014-06-27,,2014-05-27,,2014