"Name.of.Covered.Entity"	"State"	"Covered.Entity.Type"	"Individuals.Affected"	"Breach.Submission.Date"	"Type.of.Breach"	"Location.of.Breached.Information"	"Business.Associate.Present"	"Web.Description"
"Brooke Army Medical Center"	"TX"	"Healthcare Provider"	1000	2009-10-21	"Theft"	"Paper/Films"	FALSE	"A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff members vehicle.  The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers.  In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder.  Following OCRs investigation, the CE notified the local media about the breach."
"Mid America Kidney Stone Association, LLC"	"MO"	"Healthcare Provider"	1000	2009-10-28	"Theft"	"Network Server"	FALSE	"Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE).  Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved.  The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS.  Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring.  It improved technical safeguards by installing enhanced antivirus and encryption software.  As a result of OCRs investigation the CE updated its computer password policy.  "
"Alaska Department of Health and Social Services"	"AK"	"Healthcare Provider"	501	2009-10-30	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Health Services for Children with Special Needs, Inc."	"DC"	"Health Plan"	3800	2009-11-17	"Loss"	"Laptop"	FALSE	"A laptop was lost by an employee while in transit on public transportation.  The computer contained the protected health information of 3800 individuals.  The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians.  In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules.  The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment.  In addition, all employees received additional security training.  
\"
"L. Douglas Carlson, M.D."	"CA"	"Healthcare Provider"	5257	2009-11-20	"Theft"	"Desktop Computer"	FALSE	"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE.  The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules.
\"
"David I. Cohen, MD"	"CA"	"Healthcare Provider"	857	2009-11-20	"Theft"	"Desktop Computer"	FALSE	"A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar.  The Computer contained certain electronic protected health information (ePHI) of 857 patients.  The ePHI involved in the breach included names, dates of birth, and clinical information.  Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place.
\"
"Michele Del Vicario, MD"	"CA"	"Healthcare Provider"	6145	2009-11-20	"Theft"	"Desktop Computer"	FALSE	"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity.  The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all  6,145 affected individuals and the appropriate media;  added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. 
\"
"Joseph F. Lopez, MD"	"CA"	"Healthcare Provider"	952	2009-11-20	"Theft"	"Desktop Computer"	FALSE	"A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. 
\"
"Mark D. Lurie, MD"	"CA"	"Healthcare Provider"	5166	2009-11-20	"Theft"	"Desktop Computer"	FALSE	"A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity.  The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indivs and the appropriate media;  added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctors private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. 
\"
"City of Hope National Medical Center"	"CA"	"Healthcare Provider"	5900	2009-11-23	"Theft"	"Laptop"	FALSE	"A laptop computer was stolen from a workforce members car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops.  Additionally, OCRs investigation resulted in the covered entity improving their physical safeguards and retraining employees.
\"
"The Children's Hospital of Philadelphia"	"PA"	"Healthcare Provider"	943	2009-11-24	"Theft"	"Laptop"	FALSE	"\N"
"Cogent Healthcare, Inc."	"TN"	"Business Associate"	6400	2009-11-25	"Theft"	"Laptop"	TRUE	"A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center.  The laptop contained protected health information pertaining to 6,400 individuals.  The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes.  In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices."
"Democracy Data & Communications, LLC ("	"VA"	"Business Associate"	83000	2009-12-08	"Other"	"Paper/Films"	TRUE	"In its breach report and during the course of OCRs investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach.  Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members.  The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents).  The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach.  In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach.  The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009.  The covered entity also created and implemented a new policy titled Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form that centralized all data requests through a Team Track which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release.  Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010.
\"
"Kern Medical Center"	"CA"	"Healthcare Provider"	596	2009-12-10	"Theft"	"Other"	FALSE	"\N"
"Rick Lawson, Professional Computer Services"	"NC"	"Business Associate"	2000	2009-12-11	"Theft"	"Desktop Computer, Electronic Medical Record, Network Server"	TRUE	"The covered entity (CE) changed the business associate (BA) it used as its information technology vendor.  During the transition, a workforce member of the outgoing BA entered the CEs computer system, changed the passwords, disabled all accounts, and removed drive mappings on the computer server for all of the workstations. The BA also removed the CEs backup program and deactivated all of its antivirus software.  The breach affected approximately 2,000 individuals.  The protected health information (PHI) involved in the breach included patients names, addresses, dates of birth, social security numbers, appointments, insurance information, and dental records.  The CE provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE implemented security measures in its computer system to ensure that its information technology associates do not have access to the CEs master system and enabled direct controls for the CE.  A new server was installed with no ties to the previous BA.  The new BA corrected the CEs passwords and settings, mitigating the issues caused by the previous vendor.  The CE provided OCR with copies of its HIPAA security and privacy policies and procedures, and its signed BA agreements that included the appropriate HIPAA assurances required by the Security Rule.  As a result of OCRs investigation, the CE improved its physical safeguards and retrained employees.
\
\
\"
"Detroit Department of Health and Wellness Promotion"	"MI"	"Healthcare Provider"	10000	2009-12-15	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Detroit Department of Health and Wellness Promotion"	"MI"	"Healthcare Provider"	646	2009-12-15	"Theft"	"Desktop Computer, Laptop"	FALSE	"A desktop and four laptop computers were stolen from the covered entitys locked facility.  The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks.  The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCRs investigation resulted in the covered entity providing training to workforce members regarding the incident
\"
"University of California, San Francisco"	"CA"	"Healthcare Provider"	610	2009-12-15	"Other"	"Email"	FALSE	"\N"
"Daniel J. Sigman MD PC"	"MA"	"Business Associate"	1860	2010-01-07	"Theft"	"Electronic Medical Record, Other, Other Portable Electronic Device"	TRUE	"Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009.   The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information.  Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. 
\"
"Massachusetts Eye and Ear Infirmary"	"MA"	"Healthcare Provider"	1076	2010-01-08	"Theft"	"Other"	FALSE	"Two employees of the covered entity (CE) misused credit card information from several different departments that served approximately 1,076 individuals. The protected health information (PHI) involved in the breach included names, addresses, and credit card information. Following the breach, the CE notified the affected individuals, the media, and HHS and offered one free year of credit monitoring to all affected individuals.  The CE also terminated the employees involved, revised its data breach prevention policy, and reviewed the physical processes involved when payment is made in person using a credit card.  OCR reviewed the CEs breach notification policies to assure that they contained the required elements and obtained assurances that the CE provided breach notification.  
\
\
\"
"Service Benefits Plan Administrative Services Corp"	"DC"	"Business Associate"	3400	2010-01-08	"Theft"	"Paper/Films"	TRUE	"The covered entitys (CE) business associate (BA) incorrectly updated contract holders addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals.  The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement.  Specifically, the BA updated its processes and created an incident tracking report.  In addition, a contract was executed for a new vendor to handle mail address verification. Following OCRs investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\
\"
"Merkle Direct Marketing"	"MD"	"Business Associate"	15000	2010-01-11	"Theft"	"Paper/Films"	TRUE	"The covered entitys (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process.  The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCRs investigation, the CE was able to recover all or nearly all of the misdirected envelopes. "
"Kaiser Permanente Medical Care Program"	"CA"	"Healthcare Provider"	15500	2010-01-12	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"An unencrypted portable hard drive containing the electronic protected health information (ePHI) of approximately 15,500 individuals was stolen from the vehicle of the covered entitys (CE) employee.  The ePHI involved in the breach included names, medical record numbers, and treatment information.  A subset of records may also have included dates of birth, age, gender, and phone numbers.  Following the breach, the responsible employee was terminated for violating the CEs policies.  OCR obtained assurances of the CEs policies and procedures for safeguarding ePHI and verification that the CE provided breach notification to affected individuals, the media, and HHS.  In addition, the CE deployed encryption software for removable media.    "
"United Micro Data"	"ID"	"Business Associate"	2562	2010-01-14	"Theft"	"Other"	TRUE	"The covered entitys (CEs) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered.  Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information.  The CE provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail.  Following OCRs investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards.
\"
"Goodwill Industries of Greater Grand Rapids, Inc."	"MI"	"Healthcare Provider"	10000	2010-01-15	"Theft"	"Other"	FALSE	"On December 15, 2009, a safe was stolen from Goodwills off-site facility, which contained five unencrypted back-up tapes.  The breach affected approximately 10,000 individuals.  The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers.  The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill.  The tapes are now kept in a commercial grade safe with a combination lock.  The actions taken by Goodwill prior to OCRs formal investigation brought the covered entity into compliance.  
\"
"Children's Medical Center of Dallas"	"TX"	"Healthcare Provider"	3800	2010-01-18	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Concentra"	"TX"	"Healthcare Provider"	900	2010-01-19	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer containing the electronic protected health information (ePHI) of approximately 900 patients was stolen from one of the covered entitys (CE) facilities.  The ePHI  included demographic and clinical data.  Following the breach, the CE filed a police report and notified affected patients, HHS and the media.  Following OCRs investigation, the CE required all business units to identify any devices that contain PHI and revised procedures for future computer purchases.  The CE also implemented physical and technical safeguards for all testing devices that contain ePHI and  replaced  outdated machines that could not be encrypted.  Additionally, the CE revised existing physician agreements to disallow the use of equipment containing ePHI that is not encrypted.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"Ashley and Gray DDS"	"MO"	"Healthcare Provider"	9309	2010-01-19	"Theft"	"Desktop Computer"	FALSE	"\N"
"Advocate Health Care"	"IL"	"Healthcare Provider"	812	2010-01-22	"Theft"	"Laptop"	FALSE	"On November 24, 2009, an Advocate nurses laptop computer was stolen.  The missing laptop computer contained the protected health information of approximately 812 individuals.  The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCRs investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards.  
\"
"The Methodist Hospital"	"TX"	"Healthcare Provider"	689	2010-01-25	"Theft"	"Other"	FALSE	"An unencrypted laptop computer was stolen from the covered entitys unlocked testing office.  The laptop computer contained the protected health information of approximately 689 individuals.  The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals.  Following the breach, the covered entity restricted the storage of electronic protected health information to network drives.  Additionally, OCRs investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
\"
"University of California, San Francisco"	"CA"	"Healthcare Provider"	7300	2010-01-27	"Theft"	"Laptop"	FALSE	"\N"
"Carle Clinic Association"	"IL"	"Healthcare Provider"	1300	2010-01-28	"Theft"	"Other, Paper/Films"	FALSE	"\N"
"Health Behavior Innovations (HBI)"	"UT"	"Business Associate"	5700	2010-02-05	"Theft"	"Other"	TRUE	"A laptop computer containing the protected health information (PHI) of 3,500 individuals was stolen from the covered entitys (CE) locked medical office.  The PHI involved in the breach included names, addresses, dates of birth, social security numbers, and medication information. As a result of this incident, the CE encrypted all PHI stored on the medical office computers.  Following OCRs investigation, the CE improved its physical safeguards and retrained employees."
"Center for Neurosciences"	"AZ"	"Healthcare Provider"	1100	2010-02-10	"Theft"	"Laptop"	FALSE	"\N"
"Blue Cross Blue Shield of RI"	"RI"	"Business Associate"	528	2010-02-16	"Other"	"Paper/Films"	TRUE	"On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown Universitys health plan was impermissibly disclosed to two other BCBSRI agents.  The reports contained the PHI of approximately 528 individuals.  The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers.  Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members claim history to ensure no fraud.
\"
"MSO of Puerto Rico, Inc. "	"PR"	"Business Associate"	1907	2010-02-17	"Theft"	"Paper/Films"	TRUE	"The covered entitys (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals.  The PHI included names, internal identification numbers, and the number of emergency room visits.  Upon discovery of the breach, the CEs BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail.  As a result of OCRs investigation, the CE created and implemented additional policies and procedures for quality control of mailings.  The CE also provided training to all staff on its revised privacy and security policies and procedures.
\
\
\"
"MSO of Puerto Rico"	"PR"	"Business Associate"	605	2010-02-17	"Theft"	"Paper/Films"	TRUE	"The covered entitys (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals.  The PHI included names, internal identification numbers, and the number of emergency room visits.  Upon discovery of the breach, the CEs BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail.  As a result of OCRs investigation, the CE created and implemented additional policies and procedures for quality control of mailings.  The CE also provided training to all staff on its revised privacy and security policies and procedures.
\
\"
"Cardiology Consultants/Baptist Health Care Corporation"	"FL"	"Healthcare Provider"	8000	2010-02-18	"Theft"	"Desktop Computer"	FALSE	"A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entitys (CE) locked medical suite.  The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound.  The computer that was stolen used proprietary software and a special electronic key to access the PHI.  The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website.  Following the breach, the CE worked with law enforcement to identify the possible suspect.  The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI.  As a result of OCRs investigation the CE updated its risk analysis and carried out additional risk management activities.  
\
\"
"State of TN, Bureau of TennCare"	"TN"	"Health Plan"	3900	2010-02-19	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency.  The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications.  Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters.  The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website.  It also offered affected individuals one year of free credit monitoring and comprehensive credit services.  The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"Lucille Packard Children's Hospital"	"CA"	"Healthcare Provider"	532	2010-02-21	"Other"	"Desktop Computer"	FALSE	"\N"
"University of New Mexico Health Sciences Center"	"NM"	"Healthcare Provider"	1900	2010-02-23	"Other"	"Desktop Computer"	FALSE	"\N"
"Advanced NeuroSpinal Care"	"CA"	"Healthcare Provider"	3500	2010-02-23	"Theft"	"Network Server"	FALSE	"A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE).  The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up.  The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement.  In addition, the CE established an office-based hotline to assist affected individuals.  As a result of OCRs investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft."
"Central Brooklyn Medical Group, PC"	"NY"	"Healthcare Provider"	500	2010-02-25	"Theft"	"Paper/Films"	FALSE	"OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office.  The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information.  Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen.  As a result of OCRs investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs.  In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly.  Further, the CE replaced the manual process of printing certain records with an electronic verification system.  The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. "
"Shands at UF"	"FL"	"Healthcare Provider"	12580	2010-03-01	"Theft"	"Laptop"	FALSE	"A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee.  The stolen information included patient names, social security numbers, and medical record numbers.  As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training.  OCR reviewed Shands at UFs most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security.  OCRs investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption.  
\"
"Wyoming Department of Health"	"WY"	"Health Plan"	9023	2010-03-02	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Thrivent Financial for Lutherans"	"WI"	"Health Plan"	9500	2010-03-03	"Theft"	"Laptop"	FALSE	"On January 29, 2010, there was a break-in at one of the Thrivents offices and five laptop computers were stolen; four of the five laptops were recovered.  The missing laptop computer contained the protected health information of approximately 9,400 individuals.    The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation.  The actions taken by the CE prior to OCRs formal investigation brought the CE into compliance. 
\"
"North Carolina Baptist Hospital"	"NC"	"Healthcare Provider"	554	2010-03-03	"Theft"	"Paper/Films"	FALSE	"\N"
"Montefiore Medical Center"	"NY"	"Healthcare Provider"	625	2010-03-09	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entitys (CE) mobile dental van.  The ePHI included names, dates of birth, medical record numbers and dental x-rays.  Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals.  As a result of OCRs investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop.  In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van.  The CE developed a new policy on ePHI security and retrained all staff.  OCR obtained assurances that the CE implemented the corrective action listed above."
"Ernest T. Bice, Jr. DDS, P.A."	"TX"	"Healthcare Provider"	21000	2010-03-10	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"Three unencrypted external back-up drives were stolen from a safe in the covered entitys locked office.  The laptop computer contained the protected health information of approximately 21,000 individuals.  The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories.  Following the breach, the covered entity moved back-up data offsite and encrypted all workstations.  Additionally, OCRs investigation resulted in the covered entity improving their physical safeguards and in retraining employees.
\"
"Lee Memorial Health System"	"FL"	"Healthcare Provider"	3800	2010-03-17	"Other"	"Paper/Films"	FALSE	"The covered entity sent postcards to approximately 3,800 patients, which listed the patients demographic information, and a statement that read, Your Physician Has Moved, with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCRs investigation include the issuance of sanctions and review of policies and procedures.
\"
"Laboratory Corporation of America/Dynacare Northwest, Inc."	"WA"	"Healthcare Provider"	5080	2010-03-18	"Theft"	"Laptop"	FALSE	"A laptop computer was stolen from a workforce members car.  The laptop computer contained the protected health information of approximately 5080 individuals.  The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results.  Following the breach, the covered entity encrypted all laptop computers.  
\"
"Mount Sinai Medical Center"	"FL"	"Healthcare Provider"	2600	2010-03-23	"Theft"	"Laptop"	FALSE	"\N"
"Griffin Hospital"	"CT"	"Healthcare Provider"	957	2010-03-26	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Hypertension, Nephrology, Dialysis and Transplantation, PC"	"AL"	"Healthcare Provider"	2465	2010-03-27	"Theft"	"Laptop"	FALSE	"\N"
"Computer Program and Systems, Inc. (CPSI)"	"AL"	"Business Associate"	768	2010-03-30	"Unauthorized Access/Disclosure "	"Email"	TRUE	"\N"
"Laboratory Corporation of America / US LABS / Dianon Systems, Inc"	"AZ"	"Healthcare Provider"	2773	2010-04-01	"Theft"	"Other Portable Electronic Device"	FALSE	"An external hard drive containing ePHI of 2,773 individuals was stolen.  The ePHI included first and last name, medical record number, date of birth, laboratory test information data, and some social security numbers.  CE advises OCR that notice to the individuals went out April 13 and 14, 2010.  The media (St. Petersburg Times) was notified.  CE added emails will now be password protected and encrypted. As a result of the loss, CE has initiated an encryption project to encrypt external hard drives and related media.  
\
\"
"University of Pittsburgh Student Health Center"	"PA"	"Healthcare Provider"	8000	2010-04-02	"Loss, Theft"	"Paper/Films"	FALSE	"\N"
"Providence Hospital"	"MI"	"Healthcare Provider"	83945	2010-04-05	"Other"	"Other"	FALSE	"\N"
"VHS Genesis Lab Inc. "	"IL"	"Healthcare Provider"	6800	2010-04-05	"Loss"	"Paper/Films"	FALSE	"\N"
"McKesson Information Solutions, LLC"	"GA"	"Business Associate"	660	2010-04-09	"Other"	"Paper/Films"	TRUE	"\N"
"Pediatric Sports and Spine Associates"	"TX"	"Healthcare Provider"	955	2010-04-09	"Theft"	"Laptop"	FALSE	"An unencrypted laptop was stolen from an employees vehicle.  The laptop contained the protected health information of approximately 955 individuals.  The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information.  Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software.  The covered entity also removed the stolen laptops access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media.  
\"
"Affinity Health Plan, Inc."	"NY"	"Health Plan"	344579	2010-04-14	"Theft"	"Other"	FALSE	"Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. Affinity Health Plan is a not-for-profit managed care plan serving the New York metropolitan area.
\Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
\Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCRs investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. 
\This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before its recycled, thrown away or sent back to a leasing agent, said OCR Director Leon Rodriguez. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals data, and have appropriate safeguards in place to protect this information.
\In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.
\"
"Tomah Memorial Hospital"	"WI"	"Healthcare Provider"	600	2010-04-16	"Other"	"Other"	FALSE	"\N"
"Praxair Healthcare Services, Inc. (Home Care Supply in NY)"	"CT"	"Healthcare Provider"	54165	2010-04-19	"Theft"	"Laptop"	FALSE	"A laptop computer was stolen from the covered entitys office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals.  The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment.  Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office.  Additionally, OCRs investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees.
\"
"Massachusetts Eye and Ear Infirmary"	"MA"	"Healthcare Provider"	3594	2010-04-20	"Theft"	"Laptop"	FALSE	"\N"
"Blue Cross & Blue Shield of Rhode Island"	"RI"	"Health Plan"	12000	2010-04-21	"Theft"	"Paper/Films"	FALSE	"A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out.  The PHI included members names, addresses, telephone numbers, social security numbers, and Medicare identification numbers.  The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year.  Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"South Carolina Department of Health and Environmental Control"	"SC"	"Health Plan"	2850	2010-04-22	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"St. Joseph Heritage Healthcare"	"CA"	"Healthcare Provider"	22012	2010-04-23	"Theft"	"Desktop Computer"	FALSE	"22 computers were stolen from Clinical Management Service office.Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and Computers enterprise-wide. OCRs investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees.
\"
"John Muir Physician Network"	"CA"	"Healthcare Provider"	5450	2010-04-24	"Theft"	"Laptop"	FALSE	"Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE.  The ePHI included patient names, dates of birth, and social security numbers.  The CE provided breach notification to all affected individuals, HHS, and the media.  As a result of OCRs investigation, the CE installed encryption software and increased physical security."
"Medical Center At Bowling Green"	"KY"	"Healthcare Provider"	5148	2010-04-26	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"TOWERS WATSON"	"VA"	"Business Associate"	1874	2010-04-27	"Theft"	"Other"	TRUE	"A business associate (BA), Towers Watson, of the covered entity (CE), General Agencies Welfare Benefits Program, lost two electronic media disks containing protected health information (PHI)  while transporting the disks between two BA offices.  The disks contained the names, health plan numbers, and social security numbers of 1,874 individuals.  The BA notified all affected individuals and provided two years of enhanced credit services.  The CE notified HHS and the media and posted substitute notice on its website.  The CE had the BA destroy any of its PHI that had been retained by the BA and executed a new BA agreement for any remaining PHI that the BA was unable to destroy because they were archival files.  After OCRs investigation, the CE updated its privacy and breach notification policies and procedures.  
\
\"
"UnitedHealth Group health plan single affiliated covered entity"	"MN"	"Health Plan"	735	2010-04-27	"Theft"	"Other, Paper/Films"	FALSE	"\N"
"South Texas Veterans Health Care System"	"TX"	"Healthcare Provider"	1430	2010-04-28	"Improper Disposal, Loss"	"Paper/Films"	FALSE	"\N"
"Rockbridge Area Community Services"	"VA"	"Healthcare Provider"	500	2010-04-29	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"Millennium Medical Management Resources, Inc."	"IL"	"Business Associate"	180111	2010-04-29	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"VA Eastern Colorado Health Care System"	"CO"	"Healthcare Provider"	649	2010-05-05	"Theft"	"Paper/Films"	FALSE	"A covered entitys (CEs) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days.  The box contained the PHI of 649 patients.  The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers.  Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached.  The CE provided OCR with copies of its breach prevention policies and procedures. Following OCRs investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. "
"Miami VA Healthcare System"	"FL"	"Healthcare Provider"	568	2010-05-05	"Theft"	"Paper/Films"	FALSE	"A covered entitys (CE) pharmacy log book, containing the protected health information (PHI) of 568 individuals, was misplaced and never recovered.  The PHI affected by the breach included names and partial social security numbers.  Following the breach, the CE provided breach notification as required by the HIPAA Breach Notification Rule and instructed employees to cease the practice of keeping log books.  Following OCRs investigation, the CE revised and/or updated its policies and procedures with respect to safeguarding PHI.  Regarding logbooks, it established a written employee agreement, implemented an employee authorization process, and established safeguards.  Additionally, the CE provided training to all staff in the pharmacy department regarding the use of logbooks and accounted for the disclosures in each of the affected individuals accounting log.  "
"Heriberto Rodriguez-Ayala, M.D."	"TX"	"Healthcare Provider"	4200	2010-05-11	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer containing the protected health information (PHI) of approximately 4,200 individuals was stolen from a personal vehicle.  The PHI included names, addresses, phone numbers, dates of birth, social security numbers, treatment histories, and driver license numbers.  The covered entity (CE) provided breach notification to the affected individuals, HHS, and the media.  As a result of OCRs investigation the covered entity implemented new policies and procedures, retrained staff, and installed encryption software on all workstations."
"Georgetown University Hospital"	"DC"	"Healthcare Provider"	2416	2010-05-13	"Other, Theft"	"Email, Other Portable Electronic Device"	FALSE	"An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol.  The research office stored the electronic information on an external hard drive that was later stolen.  The device contained the PHI of 2,416 individuals.  The PHI involved in the breach included names, dates of birth, and clinical information.  In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling.  Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place.
\"
"Silicon Valley Eyecare Optometry and Contact Lenses"	"CA"	"Healthcare Provider"	40000	2010-05-13	"Theft"	"Network Server"	FALSE	"\N"
"Heritage Health Solutions"	"TX"	"Business Associate"	656	2010-05-14	"Theft"	"Laptop"	TRUE	"\N"
"Oconee Physician Practices"	"SC"	"Healthcare Provider"	653	2010-05-20	"Theft"	"Laptop"	FALSE	"\N"
"University of Rochester Medical Center and Affiliates"	"NY"	"Healthcare Provider"	2628	2010-05-20	"Other"	"Paper/Films"	FALSE	"\N"
"DeBoer & Associates"	"NE"	"Business Associate"	800	2010-05-21	"Theft"	"Laptop"	TRUE	"\N"
"City of Charlotte, NC (Health Plan)"	"NC"	"Business Associate"	5220	2010-05-24	"Loss"	"Other"	TRUE	"\N"
"VA North Texas Health Care System"	"TX"	"Healthcare Provider"	4083	2010-05-25	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Rainbow Hospice and Palliative Care"	"IL"	"Healthcare Provider"	1000	2010-05-26	"Theft"	"Laptop"	FALSE	"An employees laptop was stolen out of her bag while she was making an admission visit in a patients home.  The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time.  The invoices contained the protected health information (PHI) of approximately 1,000 individuals.  The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information.  Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again.
\"
"Cincinnati Childrens Hospital Medical Center "	"OH"	"Healthcare Provider"	60998	2010-06-01	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 60,998 individuals was stolen out of a workforce members car.  The ePHI stored on the laptop included names, medical record numbers, and services received.  The covered entity (CE) provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE established a new internal procedure to encrypt all new computers before they are given to employees.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\
\"
"University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program"	"KY"	"Healthcare Provider"	708	2010-06-01	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Occupational Health Partners"	"KS"	"Healthcare Provider"	1105	2010-06-01	"Theft"	"Laptop"	FALSE	"\N"
"AvMed, Inc."	"FL"	"Health Plan"	1220000	2010-06-03	"Theft"	"Laptop"	FALSE	"Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entitys (CE) premises.  The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data.  After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops.  As a result of OCRs investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule.  The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals."
"UnitedHealth Group health plan single affiliated covered entity"	"MN"	"Health Plan"	16291	2010-06-04	"Other"	"Paper/Films"	FALSE	"Paper correspondence to certain members in UnitedHealths prescription drug plans were in advertently sent to the incorrect temporary address due to a database administration error.  Approximately 16,291 individuals were affected by the breach. UnitedHealth members name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDIs proprietary database for address updates and made outbound verifications calls to members to get accurate temporary addresses.   United Health reported that it revised its address update process.   
\"
"Siemens Medical Solutions, USA, Inc"	"PA"	"Business Associate"	130495	2010-06-04	"Theft"	"Other"	TRUE	"The covered entitys business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center.  The CDs, containing back-up data, were lost in transit.  The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and drivers license numbers.  The CE provided breach notification to affected individuals, HHS, and the media.  Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs.  As a result of OCRs investigation, the BA adopted a procedure to encrypt CDs.  The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"Nihal Saran, MD "	"MI"	"Healthcare Provider"	2300	2010-06-04	"Theft"	"Laptop"	FALSE	"A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence.  The laptop contained the PHI of approximately 2,300 individuals.  The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses.  Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software.
\"
"St. Jude Children's Research Hospital"	"TN"	"Healthcare Provider"	1745	2010-06-08	"Loss"	"Laptop"	FALSE	"\N"
"DentaQuest"	"MA"	"Business Associate"	10515	2010-06-09	"Theft"	"Laptop"	TRUE	"A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entitys (CE) business associate (BA), DentaQuest.  The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CEs members.  The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers.  The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. The CE reported the breach to HHS and provided substitute notification on its website.  The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption.  Further, the BA established a policy to prohibit contractors from storing PHI on laptops.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\
\"
"The Children's Medical Center of Dayton"	"OH"	"Healthcare Provider"	1001	2010-06-14	"Other"	"Email"	FALSE	"\N"
"Comprehensive Care Management Corporation"	"NY"	"Health Plan"	1020	2010-06-14	"Theft"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization.  The ePHI included names, addresses, and enrollment information.  Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor.  As a result of OCRs investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information.  In addition, the CE provided training to all staff on its HIPAA policies and procedures.  The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI."
"University of Kentucky"	"KY"	"Healthcare Provider"	2027	2010-06-18	"Theft"	"Laptop"	FALSE	"\N"
"alma aguado md pa"	"TX"	"Healthcare Provider"	600	2010-06-21	"Theft"	"Network Server"	FALSE	"OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CEs office.  The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers.  As a result of OCRs investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI."
"Augusta Data Storage, Inc"	"GA"	"Business Associate"	14000	2010-06-21	"Loss"	"Other"	TRUE	"\N"
"University Health System"	"NV"	"Healthcare Provider"	7526	2010-06-22	"Theft"	"Network Server"	FALSE	"\N"
"Aramark Healthcare Support Services, LLC"	"PA"	"Business Associate"	937	2010-06-24	"Other"	"Email"	TRUE	"A business associate employee sent an email to multiple patients without concealing patient email addresses.  The message concerned a dietary program in which the names and email addresses were visible to all recipients.  The breach affected 937 individuals.  In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark.  The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures.
\"
"Mary M. Desch,MD/PathHealer, LTD"	"AZ"	"Healthcare Provider"	5893	2010-06-28	"Theft"	"Laptop"	FALSE	"\N"
"Children's Hospital & Research Center at Oakland"	"CA"	"Healthcare Provider"	1000	2010-06-29	"Other"	"Paper/Films"	FALSE	"\N"
"Centerstone"	"TN"	"Healthcare Provider"	1537	2010-07-02	"Theft"	"Desktop Computer, Paper/Films"	FALSE	"A major flooding event damaged a building where the CE operated its school-based program offices.  The flooding was so significant that the area was deemed a federal disaster area.  An estimated 1,537 individuals were affected by the loss of data due to flood damage.  The types of PHI involved were names, addresses, dates of birth, and social security numbers.  After the flood, the CE attempted to collect as much PHI as it could from the site but access was limited by authorities because the building was deemed toxic and salvage cleanup commenced prior to the CEs ability to access the building.  PHI in paper format was either washed away or disposed of during salvage procedures.  Computers and equipment in the building were destroyed by water damage.  Because the CE relied primarily on their electronic health records stored on an offsite server, medical data was still intact for continuity of care purposes.  The CE provided breach notification to individuals, HHS, and the media, and posted substitute notice on its website.  The CE has since moved its school-based operations to a CE owned facility.  OCR obtained assurances that the CE implemented the corrective action listed above."
"Care 1st Health Plan"	"CA"	"Business Associate"	29000	2010-07-06	"Loss, Other"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Long Island Consultation Center"	"NY"	"Healthcare Provider"	800	2010-07-07	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals.  The ePHI included names, dates of birth, diagnoses, and other treatment information.  Upon discovery of the breach, the CE conducted a search for the portable device.  The CE provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE improved physical security.   The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. "
"NYU Hospitals Center"	"NY"	"Healthcare Provider"	2563	2010-07-07	"Theft"	"Other Portable Electronic Device"	FALSE	"The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals.  The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians names, anesthesiologists names, types of anesthesia, times of arrival in the recovery room, and times of discharge.  Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter.  The CE provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE stopped using USB drives and local desktop computers for data storage.  In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE.  Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI.  The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies."
"University of Florida"	"FL"	"Healthcare Provider"	2047	2010-07-08	"Other"	"Paper/Films"	FALSE	"\N"
"SunBridge Healthcare Corporation"	"NM"	"Healthcare Provider"	3830	2010-07-08	"Theft"	"Laptop"	FALSE	"\N"
"Governor's Office of Information Technology"	"CO"	"Business Associate"	105470	2010-07-09	"Theft"	"Desktop Computer"	TRUE	"\N"
"Prince William County Community Services (CS)"	"VA"	"Healthcare Provider"	669	2010-07-15	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"UnitedHealthcare Insurance Company "	"MN"	"Business Associate"	1097	2010-07-17	"Other"	"Paper/Films"	TRUE	"\N"
"Iron Mountain Data Products, Inc. (now known as "	"PA"	"Business Associate"	800000	2010-07-19	"Loss"	"Electronic Medical Record, Other, Other Portable Electronic Device"	TRUE	"\N"
"Montefiore Medical Center"	"NY"	"Healthcare Provider"	16820	2010-07-23	"Theft"	"Desktop Computer"	FALSE	"Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE).  The ePHI included medical record numbers, dates of birth, admission /discharge dates, billing codes, and social security numbers.  Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals.  It also provide substitute notification by posting on its website.  As a result of OCRs investigation, the CE replaced its building alarm and installed bars on the windows.  In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers.   The CE also revised its policy and procedure on password management and provided training to all staff on its new policy."
"The University of Texas at Arlington"	"TX"	"Healthcare Provider"	27000	2010-07-23	"Hacking/IT Incident"	"Network Server"	FALSE	"A file server at the Office of Health Services was compromised and impermissibly accessed.  The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source.  The protected health information involved in the breach included names, addresses diagnostic codes, name of medication prescribed, medication costs and some social security numbers.  Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media.  Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards.  
\"
"Medina OB/GYN Associates, Inc"	"OH"	"Business Associate"	1200	2010-07-23	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"Montefiore Medical Center"	"NY"	"Healthcare Provider"	23753	2010-07-23	"Theft"	"Desktop Computer"	FALSE	"OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals.  The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic.  Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.  As a result of OCRs investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras.  Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers.  The CE also revised its policy and procedure on password management and provided training to all staff on its new policy."
"DC Chartered Health Plan, Inc"	"DC"	"Health Plan"	540	2010-07-23	"Theft"	"Laptop"	FALSE	"\N"
"Aetna"	"CT"	"Health Plan"	6372	2010-07-27	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Charles Mitchell MD"	"TX"	"Healthcare Provider"	6873	2010-07-28	"Theft"	"Desktop Computer"	FALSE	"A burglary occurred at the covered entitys (CE) facility and two desktop computers containing protected health information (PHI) were stolen.  Approximately 6873 individuals were affected.  The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information.  OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence."
"Matrix Imaging"	"NY"	"Business Associate"	2631	2010-07-30	"Theft"	"Paper/Films"	TRUE	"The covered entitys (CE) business associate (BA) sent coverage determination letters to incorrect addresses, affecting 2,631 individuals.  The protected health information (PHI) included names, addresses, unique CE identification numbers, and prescription drug information.  Following the breach, the CE reprinted all erroneous coverage determination letters with an apology notice and provided breach notification to all affected individuals and HHS.  The CE implemented additional policies and procedures to ensure mailing list accuracy.  Specifically, the CE implemented a multiple-step quality assurance process and established verification with the BA.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.  As a result of OCRs investigation, the CE placed a record into its accounting of disclosure records for each individual impacted."
"Baylor College of Medicine"	"TX"	"Healthcare Provider"	1646	2010-07-30	"Theft"	"Laptop"	FALSE	"An unencrypted laptop containing electronic protected health information (ePHI) of approximately 1,618 individuals was stolen from the covered entitys (CE) affiliate.  The ePHI involved in the breach included names, medical reconciliation numbers, dates of service, diagnoses, and dates of birth.  Upon discovery of the breach, the CE and its affiliate jointly notified the affected individuals, OCR, and the local media.  Notifications were delayed at the request of law enforcement.  Following OCRs investigation, the CE revised policies and procedures to require encryption of all mobile devices containing PHI and began encrypting all necessary devices in order to ensure reasonable safeguards."
"Texas Children's Hospital"	"TX"	"Healthcare Provider"	694	2010-07-30	"Theft"	"Laptop"	FALSE	"\N"
"Mercer"	"MI"	"Business Associate"	1073	2010-07-30	"Loss"	"Other"	TRUE	"\N"
"Carolina Center for Development and Rehabilitation"	"NC"	"Healthcare Provider"	1590	2010-07-30	"Theft"	"Paper/Films"	FALSE	"The covered entitys (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center.  The PHI included patients full names, addresses, dates of birth, social security numbers, insurance identification numbers, drivers license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients.  Following the breach, the CE immediately took steps for the records to be returned.  The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information.  The CE cooperated with the state attorney generals investigation and suspended the responsible staff members.  Following OCRs investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach.  In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff.  "
"WellPoint, Inc."	"IN"	"Health Plan"	31700	2010-07-30	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Wright State Physicians"	"OH"	"Healthcare Provider"	1309	2010-08-03	"Other"	"Laptop"	FALSE	"On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments.         
\"
"Penn Treaty Network America Insurance Company "	"PA"	"Health Plan"	560	2010-08-03	"Other"	"Other"	FALSE	"Social security numbers were inadvertently printed on the address labels in a newsletter mailing.  The mailing had 560 recipients.  The covered entity acted to mitigate the disclosure by verifying that the all mail was correctly delivered.  It also counseled the responsible employee and updated its policies and procedures.
\"
"Aultman Hospital"	"OH"	"Healthcare Provider"	13867	2010-08-05	"Theft"	"Laptop"	FALSE	"\N"
"Jewish Hospital"	"KY"	"Healthcare Provider"	2089	2010-08-05	"Theft"	"Laptop"	FALSE	"\N"
"McKesson Pharmacy Systems LLC"	"GA"	"Business Associate"	11440	2010-08-05	"Other"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Beauty Dental, Inc."	"IL"	"Healthcare Provider"	657	2010-08-05	"Loss, Theft"	"Paper/Films"	FALSE	"Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employees position and rank.
\"
"Fort Worth Allergy and Asthma Associates"	"TX"	"Healthcare Provider"	25000	2010-08-05	"Theft"	"Network Server"	FALSE	"Several computers, including a server, were stolen during a burglary at the covered entitys (CE) premises. The breach affected approximately 25,000 individuals and included names, addresses, dates of birth, social security numbers, driver license numbers, diagnoses, and conditions. Following the breach, the CE provided breach notification to affected individuals, the media, and HHS.  It also improved physical security and began using a new model for its management practices with an off-site encrypted database.  After the initiation of OCR'S investigation, the CE amended its business associate agreement.
\
\
\"
"St. John's Mercy Medical Group"	"MO"	"Healthcare Provider"	1907	2010-08-09	"Improper Disposal"	"Paper/Films"	FALSE	"Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements.
\"
"UNCG Speech and Hearing Center"	"NC"	"Healthcare Provider"	2300	2010-08-09	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Thomas Jefferson University Hospitals, Inc."	"PA"	"Healthcare Provider"	21000	2010-08-09	"Theft"	"Laptop"	FALSE	"\N"
"Mercer Health & Benefits"	"ID"	"Business Associate"	5500	2010-08-10	"Loss"	"Other"	TRUE	"Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer.
\"
"Ward A. Morris, DDS"	"WA"	"Healthcare Provider"	2698	2010-08-11	"Theft"	"Desktop Computer"	FALSE	"\N"
"Chattanooga Family Practice Associates, P.C."	"TN"	"Healthcare Provider"	1711	2010-08-16	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Yale University"	"CT"	"Healthcare Provider"	1000	2010-08-18	"Theft"	"Laptop"	FALSE	"\N"
"Cook County Health & Hospitals System"	"IL"	"Healthcare Provider"	7081	2010-08-20	"Theft"	"Laptop"	FALSE	"An employees laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted.  The laptop contained the protected health information (PHI) of approximately 7,000 individuals.  The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes.  Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again.
\"
"Eastmoreland Surgical Clinic, William Graham, DO"	"OR"	"Healthcare Provider"	4328	2010-08-20	"Theft"	"Desktop Computer, Laptop, Other, Other Portable Electronic Device"	FALSE	"Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010.  The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information.  Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards.  Additionally, OCRs investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols.
\"
"SunBridge Healthcare Corporation"	"NM"	"Healthcare Provider"	1000	2010-08-25	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Pioneer Valley Pathology"	"MA"	"Business Associate"	24750	2010-08-25	"Theft"	"Paper/Films"	TRUE	"A Boston Globe employee discovered the unsecured paper medical records of Pioneer Valley Pathology, a group practice with offices inside Holyoke Medical Center (HMC), at a trash transfer station.  The breach affected approximately 24,750 individuals.  The PHI involved in the breach included names, addresses, dates of birth, social security numbers, insurance information, and medical information.  HMC is not the covered entity (CE) responsible for this breach and it field the breach report in error.  OCR provided HMC with technical assistance related to breach notification.  OCR opened a compliance review against the CE responsible for this breach. "
"KPMG LLP"	"NY"	"Business Associate"	956	2010-08-26	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CEs business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals.  The ePHI included names and clinical information.  Upon discovery of the breach, the CEs BA conducted a search of the area.  The CE provided breach notification to HHS, the Media and affected individuals.  As a result of OCRs investigation, the BA installed and implemented encryption software to its electronic equipment and devices.  In addition, the BA encrypted and password protected all equipment and devices that could contain the CEs data.  The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"KPMG LLP"	"NY"	"Business Associate"	3630	2010-08-26	"Theft"	"Other Portable Electronic Device"	TRUE	"The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals.  The ePHI included names, dates of birth, diagnoses, and other treatment information.  Upon discovery of the breach, the CE conducted a search for the portable device.  The CE provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE improved physical security.   The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. "
"NYU School of Medicine--Aging and Dementia Clinical Research Center "	"NY"	"Healthcare Provider"	1200	2010-08-27	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"University of Rochester Medical Center and Affiliates"	"NY"	"Healthcare Provider"	857	2010-09-07	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Aon Consulting"	"PA"	"Business Associate"	22642	2010-09-07	"Other"	"Network Server"	TRUE	"The business associate prepared a document as part of a request for proposal for the covered entitys vision benefit program which mistakenly included protected health information of 22,642 individuals.  The document was posted online for five days.  The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information.  In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information.  In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate.  The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting.  Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance.  Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future.
\"
"Curtis R. Bryan, M.D."	"VA"	"Healthcare Provider"	2739	2010-09-08	"Theft"	"Laptop"	FALSE	"\N"
"Mayo Clinic"	"MN"	"Healthcare Provider"	1740	2010-09-08	"Theft"	"Electronic Medical Record"	FALSE	"An employee of the covered entity (CE) impermissibly accessed medical records containing the protected health information (PHI) of 1,740 patients for a period of 4  years. The PHI affected by the breach included the demographic information of 691 individuals, and both demographic and clinical information of 1,049 individuals.  Following the breach, the CE conducted an investigation, terminated the involved employee, re-trained its employees regarding patient privacy and access to PHI, and enhanced its supervision and monitoring of employees PHI access activities. It also provided breach notification to the affected individuals, HHS, and the media, as well as substitute notice on its website.  OCR obtained assurances that the CE completed the voluntary compliance action described above.
\
\"
"LabCorp Patient Service Center"	"NV"	"Healthcare Provider"	507	2010-09-10	"Theft"	"Paper/Films"	FALSE	"\N"
"The Kent Center "	"RI"	"Healthcare Provider"	1361	2010-09-10	"Theft"	"Paper/Films"	FALSE	"\N"
"Pediatric and Adult Allergy, PC"	"IA"	"Healthcare Provider"	19222	2010-09-11	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Ault Chiropractic Center"	"IN"	"Healthcare Provider"	2000	2010-09-15	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"County of Los Angeles"	"CA"	"Healthcare Provider"	33000	2010-09-17	"Theft"	"Paper/Films"	FALSE	"\N"
"Matthew H. Conrad, M.D., P.A."	"KS"	"Healthcare Provider"	1200	2010-09-19	"Theft"	"Laptop, Paper/Films"	FALSE	"\N"
"CareCore National"	"SC"	"Business Associate"	1270	2010-09-20	"Other"	"Paper/Films"	TRUE	"\N"
"Counseling and Psychotherapy of Throggs Neck"	"NY"	"Healthcare Provider"	9000	2010-09-21	"Theft"	"Desktop Computer"	FALSE	"\N"
"Alaskan AIDS Assistance Association"	"AK"	"Business Associate"	2000	2010-09-22	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"St. Vincent Hospital and Health Care Center, Inc."	"IN"	"Healthcare Provider"	1199	2010-09-23	"Theft"	"Laptop"	FALSE	"\N"
"Eden Medical Center"	"CA"	"Business Associate"	1474	2010-09-23	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals.  The ePHI included patients names, dates of birth, and treatment information.  Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media.  Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media.  Following OCRs investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients ePHI, and encrypted portable electronic computer devices."
"Oroville Hospital"	"CA"	"Business Associate"	1474	2010-09-23	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost.  The ePHI included names, dates of birth, and treatment information.  Upon discovery of the breach, the CE notified individuals, OCR and the media.  Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media.  Following OCRs investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices.
\
\"
"NewYork-Presbyterian Hospital and Columbia University Medical Center"	"NY"	"Healthcare Provider"	6800	2010-09-24	"Theft"	"Network Server"	FALSE	"Data breach results in $4.8 million HIPAA settlements
\Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
\The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. 
\NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as New York Presbyterian Hospital/Columbia University Medical Center. NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
\The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individuals deceased partner, a former patient of NYP, on the internet.
\In addition to the impermissible disclosure of ePHI on the internet, OCRs investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
\When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information, said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.
\NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.
\"
"St. James Hospital and Health Centers"	"IL"	"Healthcare Provider"	967	2010-09-24	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"University of Oklahoma - Tulsa, Neurology Clinic"	"OK"	"Healthcare Provider"	19200	2010-09-27	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"LORENZO BROWN, MD INC."	"CA"	"Healthcare Provider"	928	2010-09-29	"Theft"	"Desktop Computer"	FALSE	"\N"
"Joseph A. Gagnon d/b/a Goldthwait Associates"	"MA"	"Business Associate"	11000	2010-10-01	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"WESTMED Medical Group"	"NY"	"Healthcare Provider"	578	2010-10-05	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group.  The ePHI included names, dates of birth and test results.  Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media.  As a result of OCRs investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight.  In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server.  Further, the CE encrypted all laptop hard drives.  The CE also retrained staff on safeguarding ePHI.
\
\"
"Cumberland Gastroenterology, P.S.C."	"KY"	"Healthcare Provider"	2200	2010-10-05	"Theft"	"Paper/Films"	FALSE	"The covered entitys (CE) medical records storage facility was burglarized, resulting in the theft of protected health information (PHI) of 2,207 individuals.  The PHI included names, birth dates, social security numbers, addresses, phone numbers, primary care providers, diagnosis codes, presenting complaints, exam findings, insurance information, dates of visits, services performed, and referring providers.  The CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE also conducted an inventory of stolen items and created an accounting of affected individuals. Following the breach, the CE increased physical security, limited the amount of stored PHI, and expedited the adoption of  electronic medical records.  As a result of OCRs investigation the CE executed BA agreements with the storage facility and with a document shredding company.  Additionally, it re-trained workforce members on its revised HIPAA policies and procedures with respect to safeguards for PHI, and placed an accounting of disclosures of PHI in each of the affected individuals medical records.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\
\"
"Debra C. Duffy, DDS"	"TX"	"Healthcare Provider"	4700	2010-10-05	"Theft"	"Laptop, Network Server"	FALSE	"An unencrypted laptop and network server were stolen during a burglary of the office.The breach affected approximately 4700 individuals.The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and drivers license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff.  
\"
"Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan"	"MD"	"Health Plan"	692	2010-10-06	"Other"	"Other"	FALSE	"Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted.  Approximately 692 individuals were affected by this breach.  The email included names, dates of birth, social security numbers, and marital and disability status.  To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department.  Following OCRs investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training.
\"
"LoneStar Audiology Group"	"TX"	"Healthcare Provider"	585	2010-10-08	"Theft"	"Laptop"	FALSE	"A laptop was stolen from a workforce members home. Approximately 585 individuals were affected.  The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCRs investigation, the encryption of the laptops was completed.
\"
"Utah Department of Workforce Services"	"UT"	"Business Associate"	1298	2010-10-13	"Other"	"Desktop Computer, Paper/Films"	TRUE	"\N"
"SW Seattle Orthopaedic and Sports Medicine"	"WA"	"Healthcare Provider"	9493	2010-10-15	"Hacking/IT Incident"	"Network Server"	FALSE	"A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server.  Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays.  Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach.  Additionally, OCRs investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting.  
\"
"University of Arkansas for Medical Sciences"	"AR"	"Healthcare Provider"	1000	2010-10-18	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Aspen Dental Care P.C."	"CO"	"Healthcare Provider"	2500	2010-10-26	"Theft"	"Other"	FALSE	"A computer hard drive containing encrypted patient records was stolen from the covered entitys (CE) safe.  The hard drive contained clinical and demographic information of approximately 2,500 patients.  Following the breach, the CE provided additional training to its staff.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"BlueCross BlueShield of Tennessee, Inc."	"TN"	"Health Plan"	1023209	2010-11-01	"Theft"	"Other"	FALSE	"\N"
"Northridge Hospital Medical Center"	"CA"	"Business Associate"	716	2010-11-02	"Loss"	"Paper/Films"	TRUE	"\N"
"Triple-S Management, Corp.; Triple-S Salud, Inc.; "	"PR"	"Business Associate"	475000	2010-11-04	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Aetna, Inc."	"CT"	"Health Plan"	2345	2010-11-07	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetnas emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. 
\"
"Sta-home Health & Hospice"	"MS"	"Healthcare Provider"	1104	2010-11-08	"Theft"	"Desktop Computer"	FALSE	"\N"
"Medical Card System/MCS-HMO/MCS Advantage/MCS Life"	"PR"	"Business Associate"	115000	2010-11-09	"Unauthorized Access/Disclosure"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"VNA of Southeastern Ct."	"CT"	"Healthcare Provider"	12000	2010-11-11	"Theft"	"Laptop"	FALSE	"\N"
"Prime Home Care, LLC"	"NE"	"Healthcare Provider"	1550	2010-11-12	"Theft"	"Desktop Computer"	FALSE	"\N"
"Visiting Nurse Service Association of Schenectady County"	"NY"	"Healthcare Provider"	535	2010-11-12	"Theft"	"Laptop"	FALSE	"An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE).  The ePHI included names, addresses, and dates of birth.  Upon discovery of the breach, the CE filed a police report to recover the stolen item.  Following OCRs investigation, the CE disabled the involved staff members account, verbally counseled the staff member, and retrained the staff member.  The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff."
"Manor Care Indy (South), LLC."	"IN"	"Healthcare Provider"	845	2010-11-12	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Robert Wheatley, DDS, PC"	"MO"	"Healthcare Provider"	1400	2010-11-15	"Theft"	"Laptop"	FALSE	"\N"
"Henry Ford Hospital"	"MI"	"Healthcare Provider"	3700	2010-11-15	"Theft"	"Laptop"	FALSE	"\N"
"Holy Cross Hospital"	"FL"	"Healthcare Provider"	1500	2010-11-16	"Theft"	"Paper/Films"	FALSE	"A covered entitys (CE) employee impermissibly obtained copies of patient data sheets containing protected health information (PHI) and sold the PHI to a third party.  The PHI included names, addresses, dates of birth, social security numbers, insurance information, and diagnoses affecting 38 individuals; however, the initial investigation addressed a report of approximately 1,500 affected individuals.  The CE provided breach notification to 44,000 individuals (including those who were potentially affected), HHS and the media.  In addition, free credit monitoring was offered.  Following the breach, the CE cooperated with federal authorities, law enforcement, and the state health administration agency, and provided a report to a national accreditation organization.  As a result of this incident, the CE convened a high level work group to oversee privacy and security issues and hired an expert forensic investigator to perform a risk assessment.  The CE updated its privacy and security policies and procedures, developed a plan to adopt electronic health records and initiated a continuous review process including random HIPAA compliance audits.  The CE also expanded its HIPAA training program for employees.  OCR obtained written assurances that the CE implemented the corrective action listed above."
"Professional Transcription Company, Inc."	"NY"	"Business Associate"	1744	2010-11-24	"Theft"	"Network Server"	TRUE	"The covered entitys (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA.  The ePHI included names, dates of birth, diagnosis, and other clinical information.  Upon discovery of the breach, the BA shut down the applicable server.  The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website.  As a result of OCRs investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI.  In addition, the BA retrained all employees regarding its security policies.  The CE terminated its BA agreement with the BA.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"Memorial Hospital of Gardena"	"CA"	"Healthcare Provider"	771	2010-11-25	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Oklahoma City VA Medical Center"	"OK"	"Healthcare Provider"	1950	2010-11-29	"Improper Disposal, Loss, Theft"	"Paper/Films"	FALSE	"\N"
"Albert Einstein Healthcare Network"	"PA"	"Healthcare Provider"	613	2010-11-30	"Theft"	"Desktop Computer"	FALSE	"\N"
"Kings County Hospital Center"	"NY"	"Healthcare Provider"	542	2010-11-30	"Theft"	"Desktop Computer"	FALSE	"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center.  The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages.  Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.  As a result of OCRs investigation, the CE installed an encryption system for all internal and external computers and laptops.  The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop."
"University of Tennessee Medical Center"	"TN"	"Healthcare Provider"	8200	2010-11-30	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"H.E.L.P. Financial Corporation"	"MI"	"Business Associate"	9475	2010-12-03	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"A programming error in a business associates IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals.The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media.  
\"
"zarzamora family dental care"	"TX"	"Healthcare Provider"	800	2010-12-07	"Theft"	"Desktop Computer"	FALSE	"\N"
"Hospital Auxilio Mutuo"	"PR"	"Healthcare Provider"	1000	2010-12-13	"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure"	"Desktop Computer, Laptop"	FALSE	"\N"
"Gary C. Spinks, DMD, PC"	"MD"	"Healthcare Provider"	1000	2010-12-13	"Hacking/IT Incident"	"Desktop Computer, Network Server"	FALSE	"\N"
"Gair Medical Transcription Services, Inc."	"PA"	"Business Associate"	1085	2010-12-15	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online.  The server compromise involved the protected health information of 1085 individuals.  The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians.  In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules.  The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service.  The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found that that all traces of breached medical reports were removed from online and inaccessible in the future.  
\"
"Cook County Health & Hospitals System"	"IL"	"Healthcare Provider"	556	2010-12-17	"Theft"	"Desktop Computer"	FALSE	"\N"
"Dean Health Systems, Inc.; St. Mary's Hospital; St. Marys Dean Ventures, Incorporated"	"WI"	"Healthcare Provider"	3288	2010-12-20	"Theft"	"Laptop"	FALSE	"\N"
"Riverside Mercy Hospital and Ohio/Mercy Diagnostics"	"OH"	"Healthcare Provider"	1000	2010-12-21	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"California Therapy Solutions"	"CA"	"Healthcare Provider"	1250	2010-12-22	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Hils Transcription"	"IN"	"Business Associate"	585	2010-12-27	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"The Southwestern Indiana Regional Council on Aging"	"IN"	"Business Associate"	757	2010-12-27	"Theft"	"Laptop"	TRUE	"\N"
"Mankato Clinic"	"MN"	"Healthcare Provider"	3159	2010-12-28	"Theft"	"Laptop"	FALSE	"\N"
"Geisinger Wyoming Valley Medical Center"	"PA"	"Healthcare Provider"	2928	2010-12-28	"Theft"	"Email"	FALSE	"The covered entitys (CE) staff physician emailed the protected health information (PHI) of approximately 2,900 individuals to his home email account while working on an analysis.  The PHI included names, addresses, dates of birth, social security numbers, and medication information.  Following the breach, the CE sanctioned the physician and implemented a plan to auto-encrypt all PHI sent through email.  As a result of OCRs investigation, the CE improved its physical safeguards and retrained employees.
\ 
\"
"Our Lady of Peace Hospital"	"KY"	"Healthcare Provider"	24600	2010-12-29	"Loss, Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Zenith Administrators, Inc."	"MD"	"Business Associate"	800	2010-12-29	"Theft"	"Paper/Films"	TRUE	"\N"
"Southern Perioperative Services, P.C."	"AL"	"Healthcare Provider"	2000	2010-12-30	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE).  The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals.  Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.  The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules.  As a result of OCRs investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. 
\
\
\"
"Keystone/AmeriHealth Mercy Health Plans"	"PA"	"Health Plan"	808	2010-12-30	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Ankle + Foot Center of Tampa Bay, Inc."	"FL"	"Healthcare Provider"	156000	2011-01-03	"Theft"	"Network Server"	FALSE	"The covered entitys (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked.  The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data.  Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning.  To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server.  Additionally, the CE contacted the local FBI office to assist with the CEs internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS.  As a result of OCRs investigation, the CE developed and implemented new protocols to comply with the Security Rule.  In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals medical records."
"OhioHealth Corporation dba Grant Medical Center"	"OH"	"Healthcare Provider"	501	2011-01-04	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"Seacoast Radiology, PA"	"NH"	"Healthcare Provider"	231400	2011-01-10	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Friendship Center Dental Office"	"FL"	"Healthcare Provider"	2200	2011-01-11	"Theft"	"Laptop"	FALSE	"\N"
"Centra"	"VA"	"Healthcare Provider"	11982	2011-01-12	"Theft"	"Laptop"	FALSE	"\N"
"St.Vincent Hospital - Indianapolis"	"IN"	"Healthcare Provider"	1848	2011-01-12	"Hacking/IT Incident"	"Email, Network Server"	FALSE	"\N"
"Franciscan Medical Group"	"WA"	"Healthcare Clearing House"	1250	2011-01-13	"Theft"	"Desktop Computer"	FALSE	"\N"
"State of South Carolina Budget and Control Board Employee Insurance Program (EIP)"	"SC"	"Health Plan"	5596	2011-01-14	"Theft"	"Desktop Computer"	FALSE	"A workstation in the covered entitys (CE) finance department was infected with malware that recorded keystrokes and captured screenshots.  The CE reported 5,596 individuals as being potentially affected by the malware.  The types of PHI involved in the breach included names, addresses, dates of birth, benefits identification numbers, social security numbers, and in some cases, banking information.  The CE provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE disconnected the workstation from the network and provided the affected employee with new login credentials, a new hard drive, and additional training.  The CE updated its Privacy and Security Rule policies and procedures and initiated mandatory annual supplemental training for all of its employees.  The CE improved safeguards by implementing additional network security monitoring programs to actively protect workstation environments and limit the proliferation of malware infections on its network.  OCR obtained assurances that the appropriate notifications were made and that the corrective actions listed above were completed. "
"Lake Woods Nursing & Rehabilitation Center"	"MI"	"Healthcare Provider"	656	2011-01-18	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"J. A. Still Corporation"	"MO"	"Business Associate"	4800	2011-01-18	"Theft"	"Other"	TRUE	"Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entitys (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier.  Although one of the diskettes was eventually found, the other diskette was never recovered.  The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information.  Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media.  Following OCRs investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI.  Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database."
"Travis Software Corp."	"TX"	"Business Associate"	16200	2011-01-18	"Loss"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Grays Harbor Pediatrics, PLLC"	"WA"	"Healthcare Provider"	12009	2011-01-21	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Hanger Prosthetics & Orthotics, Inc."	"TX"	"Healthcare Provider"	4486	2011-01-24	"Theft"	"Laptop"	FALSE	"An unencrypted laptop was stolen from an employee offsite.  The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use.  
\"
"Baylor Heart and Vascular Center"	"TX"	"Healthcare Provider"	8241	2011-01-25	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entitys (CE) facility.  The ePHI involved in the breach included patient names, dates of birth, and limited health information.  Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities.  Following OCRs investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards."
"CHC MEMPHIS CMHC, LLC"	"TN"	"Healthcare Provider"	500	2011-01-28	"Theft"	"Desktop Computer"	FALSE	"\N"
"Jefferson Center for Mental Health"	"CO"	"Healthcare Provider"	546	2011-02-07	"Theft"	"Paper/Films"	FALSE	"A list containing the protected health information (PHI) of 546 patients was stolen from the vehicle of the covered entitys (CE) employee.  The breached PHI included names, dates of birth, social security numbers, and Medicaid information.  Following the breach, the CE changed its practices and procedures to safeguard PHI and trained staff on its new policies.  As a result of OCRs investigation, the CE improved its process for reporting breaches and mitigating harm."
"Integranetics"	"KY"	"Business Associate"	18871	2011-02-07	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Ortho Montana, PSC"	"MT"	"Healthcare Provider"	37000	2011-02-08	"Theft"	"Laptop"	FALSE	"A laptop containing the electronic protected health information (ePHI) of approximately 37,000 patients was lost or stolen when the laptop was taken to an event by a workforce member.  Following the breach, the covered entity (CE) sanctioned the workforce member who responsible for handling the laptop.  As a result of OCRs investigation, the CE conducted a risk analysis and developed a risk management plan.  The CE also removed ePHI from laptops and encrypted laptops, tablets, and cellular smart phones. Additionally, the CE developed new procedures and revised existing procedures in order to safeguard ePHI  ."
"Cancer Care Northwest P.S."	"WA"	"Healthcare Provider"	3100	2011-02-09	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses.  The PHI involved in the breach included names and indicated that the individuals were patients of the CE.  Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy.  As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures.  Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CEs website."
"Saint Louis University"	"MO"	"Healthcare Provider"	800	2011-02-10	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"GRM Information Management Services"	"NJ"	"Business Associate"	1700000	2011-02-11	"Theft"	"Electronic Medical Record, Other"	TRUE	"Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entitys (CE) business associate (BA).  The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mothers name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications.  Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE terminated its BA agreement and installed encryption software on backup media.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"Long Beach Memorial Medical Center"	"CA"	"Healthcare Provider"	2250	2011-02-11	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Texas Health Harris Methodist Hospital Azle"	"TX"	"Healthcare Provider"	9922	2011-02-13	"Loss, Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Business Express"	"FL"	"Business Associate"	2700	2011-02-15	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Xforia Web Services"	"WV"	"Business Associate"	3655	2011-02-16	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Mountain Vista Medical Center"	"AZ"	"Healthcare Provider"	2291	2011-02-21	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Departamento de Salud de Puerto Rico"	"PR"	"Healthcare Provider"	2621	2011-02-22	"Unknown"	"Desktop Computer"	FALSE	"\N"
"Henry Ford Hospital"	"MI"	"Healthcare Provider"	2777	2011-02-23	"Loss"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"TriWest Healthcare Alliance Corp."	"AZ"	"Business Associate"	4500	2011-03-01	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Blue Cross and Blue Shield of Florida "	"FL"	"Health Plan"	7366	2011-03-03	"Unknown"	"Other"	FALSE	"\N"
"University Health Services, University of Massachusetts, Amherst"	"MA"	"Healthcare Provider"	942	2011-03-07	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Omnicare, Inc"	"KY"	"Healthcare Provider"	8845	2011-03-10	"Theft"	"Laptop"	FALSE	"\N"
"JEFFREY J. SMITH, MD"	"OK"	"Healthcare Provider"	600	2011-03-16	"Theft"	"Desktop Computer, Other, Other Portable Electronic Device"	FALSE	"The covered entity (CE) shipped a skin analysis machine containing the electronic protected health information (ePHI) of approximately 600 individuals to the manufacturer for repairs via UPS.  The machine was damaged and discarded by UPS.  The ePHI included names, dates of birth and facial photographs.  The CE posted breach notification on its website.  As a result of OCRs investigation, the CE revised its policy regarding the security of hardware containing PHI so that all work on hardware will be performed on-site.  The policy also requires that all ePHI is to be backed up and erased from the hardware prior to any unavoidable off-site maintenance.  "
"Coventry Health Care, Inc."	"MD"	"Business Associate"	765	2011-03-18	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Texas Health Arlington Memorial Hospital"	"TX"	"Healthcare Provider"	654	2011-03-23	"Unknown"	"Electronic Medical Record"	FALSE	"The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization.  The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided  additional training to IT and registration employees.  
\"
"NYU School of Medicine Faculty Group Practice"	"NY"	"Healthcare Provider"	670	2011-03-28	"Theft"	"Desktop Computer"	FALSE	"An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center.  The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information.  Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE directed staff to store ePHI on network servers and not on desktops.  In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door.  The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance."
"Rape & Brooks Orthodontics, P.C."	"AL"	"Healthcare Provider"	20744	2011-03-28	"Theft"	"Desktop Computer, Network Server, Other, Other Portable Electronic Device"	FALSE	"\N"
"Clarksburg - Louis A. Johnson VA Medical Center"	"WV"	"Healthcare Provider"	1470	2011-03-30	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"County of Los Angeles"	"CA"	"Healthcare Provider"	667	2011-03-30	"Theft"	"Laptop"	FALSE	"\N"
"EISENHOWER MEDICAL CENTER"	"CA"	"Healthcare Provider"	514330	2011-03-30	"Theft"	"Desktop Computer"	FALSE	"\N"
"Trisha Elaine Cordova"	"AK"	"Business Associate"	1700	2011-03-31	"Theft"	"Laptop"	TRUE	"A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractors vehicle.  The ePHI involved included names, addresses, phone numbers, dates of birth, drivers license numbers, health information, and social security numbers.  At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor.  Following OCRs investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE.  OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media."
"Park Avenue Obstetrics & Gynecology, PC"	"AZ"	"Healthcare Provider"	635	2011-03-31	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Brian J Daniels D.D.S.,Paul R Daniels D.D.S."	"AZ"	"Business Associate"	10000	2011-04-04	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Hartford Hospital"	"CT"	"Business Associate"	93500	2011-04-05	"Theft"	"Other"	TRUE	"A workforce member of the covered entitys (CE) business associate (BA) saved the electronic protected health information (ePHI) of approximately 93,500 patients on an unsecured computer drive in order to do work from home, and subsequently lost the hard drive.  The PHI included names, addresses, dates of birth, marital status, social security numbers and medical record numbers.  Following the breach, the workforce member involved was sanctioned for violating the CEs policies.  The CE provided breach notification to the media, HHS, and all affected individuals.  It also offered all affected individuals 2 years of free identity protection services.  In addition, the CE disabled the ability for all of its computing devices to download ePHI via USB connection ports.  Further, it began implementing malicious software prevention utilities as well as data encryption controls to supplement its portable computing devices.  OCR obtained assurances that the CE implemented the corrective action listed above.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\
\
\
\"
"Patient Care Services at Saint Francis, Inc."	"OK"	"Healthcare Provider"	84000	2011-04-06	"Theft"	"Network Server"	FALSE	"\N"
"Union Security Insurance Company"	"MO"	"Health Plan"	935	2011-04-08	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Oklaholma State Dept. of Health"	"OK"	"Healthcare Provider"	132940	2011-04-11	"Theft"	"Laptop, Paper/Films"	FALSE	"\N"
"Aiken Community Based Outpatient Clinic"	"SC"	"Healthcare Provider"	2717	2011-04-12	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"IBM"	"NY"	"Business Associate"	1900000	2011-04-14	"Unknown"	"Other"	TRUE	"\N"
"SW General Inc"	"AZ"	"Healthcare Provider"	566	2011-04-14	"Theft"	"Paper/Films"	FALSE	"\N"
"Fairview Health Services"	"MN"	"Healthcare Provider"	1215	2011-04-14	"Loss"	"Paper/Films"	FALSE	"\N"
"Healthcare Solutions Team, LLC"	"IL"	"Business Associate"	675	2011-04-19	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Community Action partnership of Natrona County"	"WY"	"Healthcare Provider"	15000	2011-04-20	"Theft"	"Desktop Computer"	FALSE	"The covered entity (CE), Community Action Partnership of Natrona County, reported a breach affecting approximately 15,000 individuals, wherein it asserted that a virus had infected a computer and exported data. The CE provided breach notification to HHS and the media. Upon investigation, the CE determined that no protected health information was exported or breached. As a result of OCRs compliance review, the CE improved safeguards to protect its computers from viruses and malware, conducted a risk analysis, drafted a risk management plan, and revised or developed its HIPAA policies and procedures."
"Keith & Fisher, DDS, PA"	"NC"	"Healthcare Provider"	6000	2011-04-21	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"MacNeal Hospital"	"IL"	"Healthcare Provider"	845	2011-04-25	"Hacking/IT Incident"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"\N"
"West Lake Hospital "	"IL"	"Healthcare Provider"	686	2011-04-25	"Hacking/IT Incident"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"\N"
"Phoenix Health Plan"	"AZ"	"Health Plan"	9393	2011-04-25	"Hacking/IT Incident"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"\N"
"MacNeal Physician Group"	"IL"	"Healthcare Provider"	532	2011-04-25	"Hacking/IT Incident"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"\N"
"Genesis Clinical Laboratory"	"IL"	"Healthcare Provider"	1070	2011-04-25	"Hacking/IT Incident"	"Desktop Computer, Email, Laptop, Network Server"	FALSE	"\N"
"Knox Community Hospital"	"OH"	"Healthcare Provider"	500	2011-04-28	"Improper Disposal"	"Other"	FALSE	"\N"
"Speare Memorial Hospital"	"NH"	"Healthcare Provider"	5960	2011-05-02	"Theft"	"Laptop"	FALSE	"\N"
"Methodist Charlton Medical Center"	"TX"	"Healthcare Provider"	1500	2011-05-05	"Theft"	"Laptop"	FALSE	"An unencrypted laptop was stolen from a locked office in the hospital.  The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards.
\"
"Drs Edalji and Komer"	"MA"	"Healthcare Provider"	563	2011-05-06	"Theft"	"Laptop"	FALSE	"An unsecured laptop containing the electronic protected health information (ePHI) of approximately 563 individuals was stolen from the car of a business associates (BA) subcontractor.  The PHI included names, addresses, dates of birth, and social security numbers.  Following the breach, the covered entity (CE) notified affected individuals, HHS, and the media, and offered all affected individuals one year of free credit monitoring services.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\
\"
"Reid Hospital & Health Care Services"	"IN"	"Healthcare Provider"	22001	2011-05-06	"Theft"	"Laptop"	FALSE	"\N"
"Union Security Insurance Company"	"MO"	"Health Plan"	850	2011-05-09	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Indiana Regional Medical Center"	"PA"	"Healthcare Provider"	1388	2011-05-09	"Theft"	"Paper/Films"	FALSE	"\N"
"MMM Healthcare, Inc."	"PR"	"Health Plan"	32390	2011-05-09	"Theft"	"Desktop Computer"	FALSE	"\N"
"PMC Medicare Choice"	"PR"	"Health Plan"	24361	2011-05-09	"Theft"	"Desktop Computer"	FALSE	"\N"
"CVS CAREMARK"	"AZ"	"Healthcare Provider"	654	2011-05-11	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"CENTER FOR ARTHRITIS & RHEUMATIC DISEASES"	"FL"	"Healthcare Provider"	8000	2011-05-11	"Theft"	"Other, Paper/Films"	FALSE	"\N"
"Robert B. Miller, MD"	"CA"	"Healthcare Provider"	620	2011-05-17	"Theft"	"Laptop"	FALSE	"\N"
"Imaging Center of Garland"	"TX"	"Healthcare Provider"	1031	2011-05-19	"Improper Disposal"	"Other"	FALSE	"\N"
"St. Mary's Hospital for Children"	"NY"	"Business Associate"	550	2011-05-19	"Theft"	"Paper/Films"	TRUE	"A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entitys (CE) business associate (BA).  The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers.  Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection.  Following OCRs investigation, the CEs BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles.  In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BAs contractual obligations relating to safeguarding PHI.   The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"Cahaba Government Benefit Administrators, LLC"	"AL"	"Business Associate"	13412	2011-05-25	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"VA Caribbean Healthcare System"	"PR"	"Healthcare Provider"	6006	2011-05-26	"Theft"	"Paper/Films"	FALSE	"An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station.  The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists.  Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals.  As a result of OCRs investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated.  The CE also retrained all staff on its privacy and security policies and procedures."
"Agent Benefits Corporation"	"MI"	"Business Associate"	11387	2011-05-26	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Spartanburg Regional Healthcare System"	"SC"	"Business Associate"	400000	2011-05-27	"Theft"	"Desktop Computer"	TRUE	"\N"
"Saint Joseph - Berea"	"KY"	"Healthcare Provider"	1986	2011-06-02	"Loss, Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Navos"	"WA"	"Health Plan"	2700	2011-06-08	"Unknown"	"Paper/Films"	FALSE	"\N"
"Lower Umpqua Hospital"	"OR"	"Business Associate"	17000	2011-06-08	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Metropolitan Community Health Services, Inc."	"NC"	"Healthcare Provider"	1263	2011-06-09	"Unknown"	"Email"	FALSE	"\N"
"TUBA CITY REGIONAL HEALTH CARE CORPORATION"	"AZ"	"Healthcare Provider"	2000	2011-06-09	"Improper Disposal, Loss"	"Paper/Films"	FALSE	"\N"
"FOOTHILLS NEPHROLOGY, PC"	"SC"	"Healthcare Provider"	1280	2011-06-09	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"A company-issued laptop computer containing the protected health information (PHI) of approximately 1,280 individuals was stolen from the vehicle of a covered entitys (CE) employee.  The PHI included demographic and clinical information.  The CE provided breach notification to the affected individuals, HHS, and the media and created a toll-free number for information regarding the incident.  As a result of this incident, the CE contacted law enforcement, retrained staff on the use of portable media, and initiated a risk analysis.  Following the OCR investigation, the CE reviewed and updated its policies and procedures to ensure adequate safeguards, instituted a new electronic medical records system which encrypts medical information, updated password requirements for computers, and retrained employees."
"Fidelity National Technology Imaging (FNTI)"	"CA"	"Business Associate"	1192	2011-06-10	"Loss"	"Paper/Films"	TRUE	"\N"
"New River Health Association"	"WV"	"Healthcare Provider"	950	2011-06-16	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"HealthCare Partners"	"CA"	"Healthcare Provider"	15677	2011-06-16	"Theft"	"Desktop Computer"	FALSE	"\N"
"Gene S. J. Liaw, MD. PS"	"WA"	"Healthcare Provider"	1105	2011-06-17	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"An unencrypted portable computer drive (a USB) containing the electronic protected health information (ePHI) of 1,105 patients was misplaced and could not be found in the entitys office. The ePHI included names, addresses, phone numbers, dates of birth, diagnosis codes, insurance information, and social security numbers.  The entity provided breach notification to affected individuals and HHS. Following the breach, the entity replaced the missing drive with encryption-capable USB drives, provided secure, locked storage facilities for its mobile devices, and implemented policies preventing removal of such devices from the office. OCRs investigation found that the entity in fact is not a covered entity under the Privacy and Security Rules.  "
"Blue Cross and Blue Shield of Florida "	"FL"	"Health Plan"	3463	2011-06-17	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"NOL, LLC d/b/a Premier Radiology"	"TN"	"Healthcare Provider"	810	2011-06-22	"Theft"	"Laptop"	FALSE	"\N"
"Advanced Diagnostic Imaging, P.C."	"TN"	"Healthcare Provider"	705	2011-06-22	"Theft"	"Laptop"	FALSE	"\N"
"University of Missouri Health Care"	"MO"	"Healthcare Provider"	1288	2011-06-23	"Unknown"	"Paper/Films"	FALSE	"\N"
"Area Agency on Aging, Ohio District 5"	"OH"	"Business Associate"	78042	2011-06-27	"Theft"	"Laptop"	TRUE	"\N"
"Gail Gillespie and Associates, LLC"	"LA"	"Healthcare Provider"	2000	2011-06-28	"Theft"	"Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device"	FALSE	"\N"
"Health Plan of San Mateo"	"CA"	"Health Plan"	694	2011-06-29	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Department of Personnel and Administration"	"CO"	"Business Associate"	3589	2011-06-29	"Theft"	"Other"	TRUE	"
\The covered entitys (CE) business associate (BA) mailed a compact disk (CD) containing electronic protected health information (ePHI) through the inter-office mail system for delivery in another city.  The CD, containing ePHI of 3,589 individuals, was lost en route.  The PHI included state Medicaid and childrens health plan data.  Immediately following the breach, the CE completed a risk analysis to identify additional concerns and developed a risk management plan.  The CE provided breach notification to the affected individuals, HHS, and the media and provided substitute notification on its website. To prevent a similar breach from happening in the future, the CE required all future ePHI to be encrypted prior to shipment.  OCR obtained assurances that the CE  implemented the corrective action listed above.
\
\"
"Yanez Dental Corporation"	"CA"	"Business Associate"	10190	2011-07-04	"Theft"	"Desktop Computer, Network Server"	TRUE	"\N"
"Jackson Health System"	"FL"	"Healthcare Provider"	1562	2011-07-08	"Unauthorized Access/Disclosure"	"Electronic Medical Record, Other"	FALSE	"\N"
"The Mount Sinai Hospital"	"NY"	"Healthcare Provider"	712	2011-07-08	"Theft"	"Laptop"	FALSE	"Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entitys (CE) office.  The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information.  Upon discovery of the breach, the CE filed a police report to recover the stolen items.  As a result of OCRs investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facilitys rear exit.  The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls."
"Troy Regional Medical Center"	"AL"	"Healthcare Provider"	880	2011-07-08	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"AssureCare Risk Management"	"IL"	"Business Associate"	5000	2011-07-11	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Dr Axel Velez"	"PR"	"Healthcare Provider"	2800	2011-07-13	"Theft"	"Desktop Computer"	FALSE	"\N"
"DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale"	"GA"	"Healthcare Provider"	7500	2011-07-15	"Theft"	"Paper/Films"	FALSE	"\N"
"Beth Israel Deaconess Medical Center"	"MA"	"Healthcare Provider"	2021	2011-07-19	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Assurecare Risk Management, Inc."	"IL"	"Business Associate"	25330	2011-07-21	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Andersen Air Force Base, Guam"	"VA"	"Healthcare Provider"	700	2011-07-22	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"RxAmerica, a subsidiary of CVS Caremark"	"TX"	"Business Associate"	4573	2011-07-22	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"RxAmerica LLC"	"UT"	"Business Associate"	1378	2011-07-22	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Health Care Service Corporation"	"IL"	"Health Plan"	501	2011-07-28	"Theft"	"Paper/Films"	FALSE	"\N"
"University of Kentucky - UK HealthCare"	"KY"	"Healthcare Provider"	3604	2011-07-28	"Theft"	"Laptop"	FALSE	"\N"
"Austin Center for Therapy and Assessment, LLC"	"TX"	"Healthcare Provider"	1870	2011-07-28	"Theft"	"Laptop"	FALSE	"An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entitys (CE) office.  The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers.  Upon discovery of the breach, the CE notified affected individuals, OCR and the media.  Following OCRs investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software."
"Treatment Services Northwest"	"OR"	"Healthcare Provider"	1200	2011-07-29	"Theft"	"Desktop Computer"	FALSE	"\N"
"Mills-Peninsula Health Services"	"CA"	"Healthcare Provider"	1500	2011-07-29	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Brigham and Women's Hospital and Faulkner Hospital "	"MA"	"Healthcare Provider"	638	2011-08-03	"Theft"	"Other Portable Electronic Device"	FALSE	"A covered entitys (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling.  The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information.  The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services.  Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on  safeguards for ePHI.  In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy.  OCR obtained assurances that the CE  implemented the corrective action listed above."
"Med Assets"	"NJ"	"Business Associate"	8795	2011-08-08	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entitys (CE) business associate (BA), MedAssets.  The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs.  Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website.  As a result of OCRs investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI.  In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BAs computers.  The BA also hired an IT security analyst to supplement its security program.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\
\"
"Washington State Department of Social and Health Services"	"WA"	"Health Plan"	3950	2011-08-09	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"The Neurological Institute of Savannah & Center for Spine"	"GA"	"Healthcare Provider"	63425	2011-08-15	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Accuprint "	"PR"	"Business Associate"	5848	2011-08-15	"Theft"	"Other"	TRUE	"The covered entitys (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals.  The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers names, and dates of service.  Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media.  As a result of OCRs investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice.  In addition, the CE developed policies and procedures requiring quality control checks on the BA.  In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use of PHI and required the BA to safeguard all PHI."
"Texas Health Partners"	"TX"	"Business Associate"	10345	2011-08-17	"Theft"	"Laptop"	TRUE	"\N"
"Capron Rescue Squad District"	"IL"	"Healthcare Provider"	815	2011-08-18	"Unauthorized Access/Disclosure"	"Laptop"	FALSE	"\N"
"MedAssets"	"NJ"	"Business Associate"	32008	2011-08-18	"Theft"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Lexington VAMC"	"KY"	"Healthcare Provider"	1432	2011-08-25	"Theft"	"Laptop, Other Portable Electronic Device, Paper/Films"	FALSE	"The covered entitys (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses.  Additional PHI was found in the workforce members residence.  The CE provided breach notification to a total of 1,890 affected individuals and HHS.  Following the breach, the responsible workforce member is no longer employed by the CE.
\
\OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review.  
\"
"SpaMed Solutions, LLC, Edward McMenamin President,"	"NJ"	"Business Associate"	3000	2011-08-28	"Theft, Unauthorized Access/Disclosure"	"Desktop Computer, Electronic Medical Record, Email, Laptop, Network Server, Other, Other Portable Electronic Device, Paper/Films"	TRUE	"\N"
"HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER"	"IL"	"Healthcare Provider"	2000	2011-08-29	"Theft"	"Desktop Computer, Network Server"	FALSE	"\N"
"Multi-Speciality Collection Services, LLC"	"CA"	"Business Associate"	19651	2011-08-29	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Muir Orthopaedic Specialists, A Medical Group Inc."	"CA"	"Healthcare Provider"	1800	2011-09-07	"Theft"	"Paper/Films"	FALSE	"\N"
"NEA Baptist Clinic"	"AR"	"Healthcare Provider"	3116	2011-09-07	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Jonathan Noel MD"	"IN"	"Healthcare Provider"	2059	2011-09-08	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Texas Health and Human Services Commission"	"TX"	"Health Plan"	1696	2011-09-09	"Theft"	"Laptop"	FALSE	"An unencrypted laptop was stolen from an employees vehicle.  The laptop contained the ePHI of 1,696 patients.  The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CEs policy and sanctioned three involved employees.   
\"
"Living Healthy Community Clinic"	"WI"	"Business Associate"	3000	2011-09-13	"Hacking/IT Incident"	"Desktop Computer"	TRUE	"\N"
"Centro de Ortodoncia Inc."	"PR"	"Healthcare Provider"	2000	2011-09-13	"Theft"	"Paper/Films"	FALSE	"OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CEs office.  The PHI included names, account numbers, responsible party in charge of account, and method of payment.  OCRs investigation revealed that the individual who removed the PHI was the CEs wife and business partner.  The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership.  OCR concluded that the actions alleged in the breach report did not amount to a breach."
"John T. Melvin, M.D.& Associates"	"TX"	"Healthcare Provider"	2541	2011-09-14	"Theft"	"Paper/Films"	FALSE	"\N"
"Diversified Resources, Inc."	"GA"	"Healthcare Provider"	863	2011-09-15	"Theft"	"Laptop"	FALSE	"A password protected, but unencrypted laptop computer was stolen from a nurses car.  The laptop contained the electronic protected health information (ePHI) for 863 individuals receiving services from the covered entity (CE), Diversified Resources, Inc.  The ePHI involved in the breach included names, addresses, phone numbers, primary care physicians names, caregiver contacts, and social security numbers.  The CE provided breach notification to HHS and affected individuals.  Following the breach, CE reviewed its policies and procedures, applied employee sanctions, retrained its workforce, and improved safeguards by requiring file-level encryption.  Pursuant to technical assistance provided by OCR, CE implemented additional administrative safeguards, including a new policy prohibiting employees from leaving laptops unattended in a vehicle."
"VA Gulf Coast Veterans Health Care System"	"MS"	"Healthcare Provider"	1797	2011-09-20	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized.  Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised.  The PHI included full names, social security numbers, dates of birth, and medical diagnoses.  The CE provided breach notification to HHS, the media and affected individuals.  Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours.  The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"Freda J Bowman  MD PA"	"TX"	"Healthcare Provider"	1300	2011-09-20	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Bonney Lake Medical Center and Mythili R. Ramachandran, MD"	"WA"	"Healthcare Provider"	2367	2011-09-21	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"Benefits Administration Services, Inc."	"VA"	"Business Associate"	4000	2011-09-22	"Loss"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"VA Illiana Health Care System"	"IL"	"Healthcare Provider"	518	2011-09-23	"Loss"	"Paper/Films"	FALSE	"\N"
"Health Texas Provider Network"	"TX"	"Healthcare Provider"	1259	2011-09-23	"Theft"	"Laptop"	FALSE	"\N"
"AllOne Health Management Solutions, Inc."	"PA"	"Business Associate"	507	2011-09-23	"Theft, Unauthorized Access/Disclosure"	"Laptop, Paper/Films"	TRUE	"\N"
"NYU Hospital for Joint Diseases Inventory Management Department"	"NY"	"Healthcare Provider"	2600	2011-09-26	"Theft"	"Paper/Films"	FALSE	"A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not property secured.  The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries.  Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state.  The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website.  As a result of OCRs investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys.  In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI.  The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks."
"FIRST PRIORITY LIFE INSURANCE COMPANY"	"PA"	"Business Associate"	579	2011-09-28	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Summit Medical Group, PLLC"	"TN"	"Healthcare Provider"	731	2011-09-28	"Theft"	"Paper/Films"	FALSE	"\N"
"MAPFRE Life"	"PR"	"Health Plan"	2209	2011-09-29	"Theft"	"Other"	FALSE	"\N"
"Futurity First Insurance Group"	"CT"	"Business Associate"	1631	2011-10-03	"Loss"	"Other, Other Portable Electronic Device"	TRUE	"\N"
"Henry Ford Health System"	"MI"	"Healthcare Provider"	520	2011-10-03	"Theft"	"Desktop Computer"	FALSE	"\N"
"Indiana University"	"IN"	"Healthcare Provider"	3266	2011-10-04	"Theft"	"Laptop"	FALSE	"\N"
"Adult & Pediatric Dermatology, PC"	"MA"	"Healthcare Provider"	2200	2011-10-07	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
\
\The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. 
\
\As we say in health care, an ounce of prevention is worth a pound of cure, said OCR Director Leon Rodriguez. That is what a good risk management process is all about  identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.
\
\In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
\"
"The Nemours Foundation"	"FL"	"Healthcare Provider"	1055489	2011-10-07	"Loss"	"Other"	FALSE	"\N"
"Thomas J O'Laughlin, MD"	"CA"	"Business Associate"	700	2011-10-07	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"InStep Foot Clinic, P.A."	"MN"	"Healthcare Provider"	2600	2011-10-11	"Theft"	"Electronic Medical Record, Laptop"	FALSE	"\N"
"Lahey Clinic Hospital, Inc."	"MA"	"Healthcare Provider"	599	2011-10-11	"Theft"	"Laptop"	FALSE	"\N"
"Futurity First Insurance Group"	"CT"	"Business Associate"	3994	2011-10-11	"Theft"	"Other"	TRUE	"\N"
"Florida Hospital"	"FL"	"Healthcare Provider"	12784	2011-10-13	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Thomas Jefferson University Hospitals, Inc."	"PA"	"Healthcare Provider"	3150	2011-10-14	"Theft"	"Other"	FALSE	"\N"
"Lankenau Medical Center"	"PA"	"Healthcare Provider"	500	2011-10-17	"Theft"	"Other"	FALSE	"\N"
"Spectrum Health Ssytems, Inc.  "	"MA"	"Healthcare Provider"	14750	2011-10-20	"Theft"	"Desktop Computer"	FALSE	"\N"
"Conway Regional Medical Center"	"AR"	"Healthcare Provider"	1472	2011-10-21	"Loss"	"Other"	FALSE	"\N"
"HITS Scanning Solutions, Inc."	"MO"	"Business Associate"	7059	2011-10-22	"Theft"	"Other"	TRUE	"The covered entitys (CE) business associate (BA) shipped microfilm records containing protected health information (PHI) of 7,059 workforce members.  The microfilm was lost in transit and not recovered. The PHI included clinical information, diagnoses, names, addresses, zip codes, date of births, social security numbers, drivers license numbers, and other identifiers.  Following the breach, the CE changed its procedures, requiring PHI to be shipped via a new mail carrier that requires a confirmation signature upon receipt and allows for the tracking of packages.  As a result of OCRs investigation the CE retrained its employees on its HIPAA policies and procedures."
"Stone Oak Urgent Care & Family Practice"	"TX"	"Business Associate"	6672	2011-10-24	"Loss, Theft"	"Desktop Computer"	TRUE	"\N"
"Indiana University School of Optometry"	"IN"	"Healthcare Provider"	757	2011-10-25	"Theft"	"Network Server"	FALSE	"A doctors letters and reports were exposed on the Internet for one month after the security configuration of the covered entitys (CE) computer server was changed. The electronic protected health information (ePHI) of 757 individuals appearing on the Internet included patient names, birth dates, medical histories, diagnoses, and treatment plans.  Following the breach, the CE identified and blocked the internet protocol (IP) address that was allowing access to ePHI over the Internet, removed the web portal that was facilitating access, and restored the affected server to its previous security configuration. As a result of OCRs investigation, the CE implemented monitoring and reporting of electronic information systems that transmit ePHI.  OCR obtained assurances that breach notification was provided to affected individuals, the media, and HHS."
"Brevard Emergency Services, P.A."	"FL"	"Healthcare Provider"	2200	2011-10-25	"Theft"	"Paper/Films"	FALSE	"\N"
"Morris Heights Health Center"	"NY"	"Healthcare Provider"	927	2011-10-27	"Theft"	"Laptop"	FALSE	"An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entitys (CE) school based health center.  The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates.  Upon discovery of the breach, the CE filed a police report to recover the stolen laptop.  As a result of OCRs investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located.  In addition, the CE encrypted all portable devices hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. "
"Thresholds Inc."	"MI"	"Business Associate"	1100	2011-10-28	"Theft"	"Paper/Films"	TRUE	"\N"
"Pitney Bowes Management Services, Inc."	"CT"	"Business Associate"	1089	2011-10-28	"Theft"	"Desktop Computer"	TRUE	"\N"
"Premier Imaging"	"NC"	"Healthcare Provider"	551	2011-10-28	"Unknown"	"Paper/Films"	FALSE	"A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients.  The information at issue included names, addresses, birth dates, social security numbers, and drivers license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals.
\"
"Julie A. Kennedy, D.M.D., P.A."	"FL"	"Healthcare Provider"	2900	2011-10-31	"Theft"	"Network Server"	FALSE	"Two laptop computers containing the electronic protected health information (ePHI) of approximately 5,450 individuals were stolen from the CE.  The ePHI included patient names, dates of birth, and social security numbers.  The CE provided breach notification to all affected individuals, HHS, and the media.  As a result of OCRs investigation, the CE installed encryption software and increased physical security."
"KCI USA, Inc."	"TX"	"Healthcare Provider"	567	2011-10-31	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Lebanon Internal Medicine Associates"	"PA"	"Healthcare Provider"	55000	2011-11-02	"Improper Disposal"	"Network Server"	FALSE	"\N"
"St. Joseph Medical Center"	"MD"	"Healthcare Provider"	5000	2011-11-03	"Theft"	"Other, Paper/Films"	FALSE	"\N"
"Science Applications International Corporation (SA"	"VA"	"Business Associate"	4900000	2011-11-04	"Loss"	"Other"	TRUE	"\N"
"UCLA Health System"	"CA"	"Healthcare Provider"	2761	2011-11-04	"Theft"	"Other, Other Portable Electronic Device"	FALSE	"\N"
"Logan County Emergeny Ambulance Service Authority"	"WV"	"Healthcare Provider"	12563	2011-11-08	"Loss, Theft"	"Laptop"	FALSE	"\N"
"Amerigroup Community Care of New Mexico, Inc"	"NM"	"Health Plan"	1537	2011-11-13	"Theft"	"Paper/Films"	FALSE	"\N"
"Mid Continent Credit Services, Inc."	"KS"	"Business Associate"	8275	2011-11-14	"Theft"	"Other"	TRUE	"The covered entitys (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CEs website that potentially allowed the impermissible disclosure of 8,275 individuals electronic protected health information (ePHI).  The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers.  Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy.  CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website.  It offered credit monitoring service to affected individuals.  As a result of OCRs investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification polices."
"Sutter Medical Foundation"	"AL"	"Healthcare Provider"	943434	2011-11-17	"Theft"	"Desktop Computer"	FALSE	"\N"
"Medcenter One"	"ND"	"Healthcare Provider"	650	2011-11-17	"Theft"	"Laptop"	FALSE	"\N"
"Dallas County Hospital District dba Parkland Health & Hospital System"	"TX"	"Healthcare Provider"	2464	2011-11-17	"Unauthorized Access/Disclosure"	"Electronic Medical Record, Paper/Films"	FALSE	"\N"
"University of Kentucky UK HealthCare"	"KY"	"Healthcare Provider"	878	2011-11-23	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"State of Tennessee Sponsored Group Health Plan"	"TN"	"Health Plan"	1770	2011-11-28	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"An equipment operator at the states postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.  The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE provided reviewed its policies and procedures to ensure adequate safeguards are in place. 
\"
"Cleveland Clinic Florida"	"FL"	"Healthcare Provider"	772	2011-12-01	"Loss"	"Other"	FALSE	"\N"
"Jay C. Platt, DDS"	"IN"	"Healthcare Provider"	10705	2011-12-05	"Theft"	"Other"	FALSE	"\N"
"Rite Aid Corporation "	"PA"	"Healthcare Provider"	2900	2011-12-07	"Other"	"Paper/Films"	FALSE	"\N"
"Blue Vantage Group"	"NY"	"Business Associate"	7226	2011-12-09	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Nation Wise Machine Buyers"	"IL"	"Business Associate"	2000	2011-12-09	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"University of Nebraska Medical Center"	"NE"	"Healthcare Provider"	611	2011-12-09	"Theft"	"Paper/Films"	FALSE	"\N"
"Roberts S. Smith M.D. Inc."	"GA"	"Healthcare Provider"	17000	2011-12-13	"Theft"	"Laptop"	FALSE	"\N"
"Paul C. Brown, MD, PS"	"WA"	"Healthcare Provider"	4693	2011-12-15	"Theft"	"Other"	FALSE	"\N"
"Molina Healthcare of California"	"CA"	"Health Plan"	11081	2011-12-17	"Other"	"Paper/Films"	FALSE	"\N"
"Aegis Sciences Corporation"	"TN"	"Healthcare Provider"	2185	2011-12-21	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce members vehicle.  The ePHI included social security numbers, drivers license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals.  Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items.  The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals.  As a result of OCRs investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI.  The CE also provided media notification in the two localities with greater than 500 individuals affected.  Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CEs confidentiality and security policies."
"Soundpath Health, Inc"	"WA"	"Health Plan"	7581	2011-12-23	"Theft"	"Laptop"	FALSE	"A laptop containing the protected health information (PHI) of approximately 7,581 clients was stolen out a workforce members vehicle and subsequently used to access the covered entitys (CE) company server.  The laptop contained clients demographic information.  After the incident, the CE performed a risk analysis of the specific breach occurrence.  The CE provided OCR with a copy of its risk analysis, as well as its privacy, breach notification, and security policies and procedures. Following OCRs investigation, the CE performed a broader security risk assessment and encrypted all mobile media.  The CE also developed and provided computer security training to its staff members."
"Concentra Health"	"TX"	"Healthcare Provider"	870	2011-12-28	"Theft"	"Laptop"	FALSE	"\N"
"Sleep HealthCenters LLC"	"MA"	"Healthcare Provider"	2988	2011-12-28	"Theft"	"Laptop"	FALSE	"\N"
"Smile Designs"	"FL"	"Healthcare Provider"	1670	2012-01-06	"Theft"	"Desktop Computer, Network Server"	FALSE	"\N"
"Alamance Caswell Local Management Entity"	"NC"	"Business Associate"	50000	2012-01-10	"Other, Unauthorized Access/Disclosure"	"Email, Network Server"	TRUE	"\N"
"CardioNet, Inc"	"PA"	"Healthcare Provider"	1300	2012-01-10	"Theft"	"Laptop"	FALSE	"\N"
"RightNow Technologies"	"MT"	"Business Associate"	2700	2012-01-11	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"WageWorks, Inc."	"CA"	"Business Associate"	1700	2012-01-13	"Other"	"Paper/Films"	TRUE	"\N"
"Foundation Medical Partners"	"NH"	"Healthcare Provider"	771	2012-01-16	"Theft"	"Paper/Films"	FALSE	"Without permission from the covered entity (CE), an employee provided a list of patient's names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating.  The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes.  Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management.  The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter."
"Kansas Department on Aging"	"KS"	"Healthcare Provider"	7757	2012-01-19	"Theft"	"Laptop"	FALSE	"\N"
"Delta Dental of California"	"CA"	"Health Plan"	11646	2012-01-19	"Other"	"Paper/Films"	FALSE	"\N"
"Muskogee Regional Medical Center"	"OK"	"Health Plan"	844	2012-01-20	"Loss"	"Other"	FALSE	"\N"
"ACS, Affiliated Computer Services, Inc., A Xerox Company"	"VA"	"Business Associate"	1444	2012-01-23	"Other, Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Oldendorf Medical Services, PLLC"	"NY"	"Healthcare Provider"	549	2012-01-24	"Theft"	"Laptop"	FALSE	"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals.  The ePHI included names, dates of birth, diagnostic test results, and social security numbers.  Upon discovery of the breach, the CE filed a police report to recover the stolen items.  As a result of OCRs investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock.  The CE also encrypted laptop computers. "
"St.Vincent Physician Network"	"IN"	"Healthcare Provider"	1423	2012-01-26	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Flex Physical Therapy"	"WA"	"Healthcare Provider"	3100	2012-01-27	"Theft"	"Desktop Computer"	FALSE	"
\Three password protected desktop computers and/or media devices containing the electronic protected health information (ePHI) of 3,100 individuals were stolen during a break-in at the covered entitys (CE) office.  The ePHI included names, social security numbers, addresses, dates of birth, claims information, diagnoses and treatment information.  The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice.  Following the breach, the CE also purchased upgraded software and addressed facility access controls.  As result of OCRs investigation, OCR provided technical assistance regarding encryption standards and breach notice requirements.
\"
"Metro Community Provider Network"	"CO"	"Healthcare Provider"	3200	2012-01-27	"Hacking/IT Incident, Other"	"Email"	FALSE	"\N"
"University of Miami "	"FL"	"Healthcare Provider"	1219	2012-01-30	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"UnitedHealth Group health plan single affiliated covered entity"	"MN"	"Health Plan"	6678	2012-02-01	"Other"	"Paper/Films"	FALSE	"\N"
"Triumph, LLC"	"NC"	"Healthcare Provider"	2000	2012-02-01	"Theft"	"Laptop"	FALSE	"\N"
"Accretive Health"	"IL"	"Business Associate"	14000	2012-02-06	"Theft"	"Laptop"	TRUE	"\N"
"Loma Linda University Medical Center (LLUMC)"	"CA"	"Healthcare Provider"	1366	2012-02-08	"Other"	"Paper/Films"	FALSE	"\N"
"Affiliated Computer Services, Inc.  (ACS, Inc.) A Xerox Company"	"NJ"	"Business Associate"	1700	2012-02-08	"Other"	"Other"	TRUE	"\N"
"Medco Health Solutions, Inc."	"NJ"	"Healthcare Provider"	1287	2012-02-13	"Theft"	"Paper/Films"	FALSE	" 
\The covered entity (CE), Medco Health Solutions, mailed letters with incorrect addresses after a programming code in its mailing software caused corruption of its data.  The mailing contained the protected health information (PHI) of 4,341 individuals and included names, medication name and prescription number.  The CE provided breach notification to HHS, the media, and affected individuals.  Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system.  As a result of OCRs investigation, the CE corrected the update to its mailing software system and established manual and automated quality control processes.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.
\"
"Lakeview Medical Center"	"WI"	"Healthcare Provider"	698	2012-02-14	"Theft"	"Laptop"	FALSE	"\N"
"Goshen Health System, Inc."	"IN"	"Healthcare Provider"	660	2012-02-14	"Hacking/IT Incident"	"Other"	FALSE	"\N"
"Georgetown University Hospital"	"DC"	"Healthcare Provider"	1549	2012-02-15	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Motion Picture Industry Health Plans (MPI)"	"CA"	"Health Plan"	703	2012-02-15	"Theft"	"Other"	FALSE	"The covered entity (CE), Motion Picture Industry Health Plans (MPIHP), mistakenly sent mailings containing protected health information (PHI) to the prior address of approximately 700 individuals due to a computer error.  The PHI involved in the breach included names, claim numbers, dates of service, and provider names.  The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website.  Following the breach, the CE instituted additional safeguards including automatic suppression of documents when conflicting addresses are contained in multiple computer systems.  As a result of OCRs investigation, the CE updated its policies, conducted a new risk analysis, and developed a new risk management plan."
"Ochsner Health System"	"LA"	"Healthcare Provider"	2088	2012-02-20	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Dr. Trandinh"	"OR"	"Business Associate"	2300	2012-02-20	"Theft, Unauthorized Access/Disclosure"	"Laptop"	TRUE	"\N"
"CardioNet, Inc."	"PA"	"Healthcare Provider"	728	2012-02-27	"Theft"	"Laptop"	FALSE	"\N"
"Beth Barrett Consulting, LLC"	"NM"	"Business Associate"	7000	2012-02-28	"Theft"	"Laptop"	TRUE	"\N"
"Catalyst Health Solutions, Inc."	"MD"	"Business Associate"	632	2012-02-28	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"T&P CONSULTING, INC. D/B/A QUANTUM"	"PR"	"Business Associate"	7706	2012-02-28	"Theft"	"Laptop"	TRUE	"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entitys (CE) business associate (BA).  The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service.  Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach.  As a result of OCRs investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees.  In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices.  OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions.  OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures."
"Lee Miller Rehabilitation Associates"	"MD"	"Healthcare Provider"	10480	2012-02-29	"Theft"	"Network Server"	FALSE	"\N"
"Jeremaih J. Twomey, F.A.C.P., P.A."	"TX"	"Business Associate"	2559	2012-03-02	"Theft"	"Other"	TRUE	"\N"
"Anchorage Community Mental Health Services Inc."	"AK"	"Healthcare Provider"	2743	2012-03-03	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Robley Rex VA Medical Center "	"KY"	"Healthcare Provider"	1182	2012-03-06	"Other"	"Paper/Films"	FALSE	"\N"
"Indiana Internal Medicine Consultants"	"IN"	"Healthcare Provider"	20000	2012-03-09	"Theft"	"Laptop"	FALSE	"A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entitys (CE) laboratory managers office.  The ePHI involved in the breach included patients names, dates of birth, clinic identification numbers, and laboratory results.  Following the breach, the CE reported the theft to the building management company.  The management company investigated the theft and determined that cleaning personnel had stolen the laptop.  The company reported that the patient information was not compromised, as the database could not be accessed without propriety software and specialized assistance. As a result of OCRs investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access.  The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI.      "
"T & P Consulting, Inc. d/b/a Quantum Health Consulting"	"PR"	"Business Associate"	10000	2012-03-12	"Theft"	"Laptop, Other Portable Electronic Device"	TRUE	"The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CEs Business Associate (BA).  The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service.  Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement.  Additionally, the CE notified all affected individuals of the breach and issued a press release.  As a result of OCRs investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BAs newly developed security policies and procedures.  "
"Quantum Health Consulting"	"PR"	"Business Associate"	4645	2012-03-12	"Theft"	"Laptop"	TRUE	"OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CEs business associate (BA), Quantum Health.  The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service.  Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media.  As a result of OCRs investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees.  In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices.    
\"
"Kern Medical Center "	"CA"	"Healthcare Provider"	1431	2012-03-12	"Theft"	"Paper/Films"	FALSE	"\N"
"William F. DeLuca Jr., M.D."	"NY"	"Healthcare Provider"	577	2012-03-13	"Theft"	"Laptop"	FALSE	"OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals.  The ePHI included names and pictures.  Upon discovery of the breach, the CE filed a police report to recover the stolen items.  As a result of OCRs investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage.  In addition, the CE started using identification numbers instead of names on patients files.  The CE also revised its security policy and trained all staff on its policies."
"Quantum Health Consulting"	"PR"	"Business Associate"	7923	2012-03-13	"Theft"	"Laptop"	TRUE	"An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CEs business associate (BA).  The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service.  Upon discovery of the breach, the CE filed a police report to recover the stolen items.  The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCRs investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices.  "
"Advanced Clinical Research Institute"	"CA"	"Health Plan"	875	2012-03-14	"Theft"	"Paper/Films"	FALSE	"\N"
"T&P Consulting, INC DBA Quantum HC"	"PR"	"Business Associate"	7606	2012-03-15	"Theft"	"Laptop, Other Portable Electronic Device"	TRUE	"An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entitys (CE) business associate (BA).  The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service.  Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals.  As a result of OCRs investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees.  In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action.  OCR identified the need for the CE to implement certain security policies, procedures and controls."
"Georgia Health Sciences University"	"GA"	"Healthcare Provider"	513	2012-03-15	"Theft"	"Laptop"	FALSE	"\N"
"Baylor Heart and Vascular Center, LLP"	"TX"	"Healthcare Provider"	1972	2012-03-16	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Chicago Musculoskeletal Institute/Metro Orthopedics"	"IL"	"Healthcare Provider"	750	2012-03-23	"Other"	"Network Server"	FALSE	"\N"
"Caremark PCS Health, L.L.C. (formerly known as Caremark PCS Health, L.P.)"	"IL"	"Business Associate"	3482	2012-03-23	"Other"	"Paper/Films"	TRUE	"\N"
"Duke University Health System"	"NC"	"Healthcare Provider"	1370	2012-03-23	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"St. Joseph's Medical Center"	"CA"	"Healthcare Provider"	712	2012-03-29	"Theft"	"Paper/Films"	FALSE	"\N"
"CenterLight Healthcare"	"NY"	"Health Plan"	642	2012-04-03	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Lake Granbury Medicl Ceter"	"TX"	"Healthcare Provider"	502	2012-04-04	"Theft"	"Paper/Films"	FALSE	"\N"
"County of Wayne Department of Personnel/Human Resources Benefits Administration Division"	"MI"	"Health Plan"	1229	2012-04-06	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"St. Elizabeth's Medical Center"	"MA"	"Healthcare Provider"	6831	2012-04-06	"Loss"	"Paper/Films"	FALSE	"\N"
"The Neighborhood Christian Clinic"	"AZ"	"Healthcare Provider"	9565	2012-04-09	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"AccentCare Home Health of California, Inc. Medicare # 057564    CA state License # 080000226"	"CA"	"Healthcare Provider"	1000	2012-04-10	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"HealthLOGIX"	"MI"	"Business Associate"	555	2012-04-10	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"David Charles Rish"	"CA"	"Business Associate"	2000	2012-04-10	"Theft"	"Other"	TRUE	"\N"
"Utah Department of Technology Services"	"UT"	"Business Associate"	780000	2012-04-11	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"IU Medical Group"	"IN"	"Healthcare Provider"	1000	2012-04-12	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Rhinebeck Health Center/Center for Progressive Medicine"	"NY"	"Healthcare Provider"	6745	2012-04-12	"Theft"	"Desktop Computer, Network Server"	FALSE	"The CEs network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals.  The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers.  Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files.  In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup.  As a result of OCRs investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management.  In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system."
"Memorial Healthcare System"	"FL"	"Health Plan"	9497	2012-04-13	"Other"	"Other"	FALSE	"\N"
"Roy E. Gondo, M.D."	"WA"	"Healthcare Provider"	2100	2012-04-13	"Theft"	"Desktop Computer, Electronic Medical Record"	FALSE	"\N"
"DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central"	"TX"	"Healthcare Provider"	1000	2012-04-16	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Emory Healthcare"	"GA"	"Healthcare Provider"	315000	2012-04-18	"Other, Unknown"	"Other"	FALSE	"\N"
"Desert AIDS Project"	"CA"	"Healthcare Provider"	4400	2012-04-20	"Theft"	"Desktop Computer"	FALSE	"\N"
"University of Arkansas for Medical Sciences"	"AR"	"Healthcare Provider"	7121	2012-04-20	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"TLC DENTAL DANIA, LLC"	"FL"	"Healthcare Provider"	750	2012-04-23	"Theft"	"Paper/Films"	FALSE	"\N"
"South Carolina Department of Health and Human Services"	"SC"	"Health Plan"	228435	2012-04-24	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Oregon Health Authority"	"OR"	"Healthcare Provider"	550	2012-04-26	"Theft"	"Paper/Films"	FALSE	"\N"
"SHIELDS For Families "	"CA"	"Healthcare Provider"	961	2012-04-26	"Theft"	"Network Server"	FALSE	"\N"
"Safe Ride Services, Inc"	"AZ"	"Healthcare Provider"	42000	2012-05-01	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"IntraCare North Hospital"	"TX"	"Healthcare Provider"	750	2012-05-03	"Theft"	"Paper/Films"	FALSE	"\N"
"Oakland Vision Services, PC"	"MI"	"Healthcare Provider"	3000	2012-05-03	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Baptist Health System"	"AL"	"Healthcare Provider"	1655	2012-05-04	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"University of Houston for UH College of Optometry"	"TX"	"Healthcare Provider"	7000	2012-05-08	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Rite Aid Store 1343"	"WV"	"Healthcare Provider"	2905	2012-05-10	"Theft"	"Paper/Films"	FALSE	"\N"
"Iowa Department of Human Services"	"IA"	"Health Plan"	3000	2012-05-11	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Hogan Services Inc. Health Care Premium Plan"	"MO"	"Health Plan"	1134	2012-05-11	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Family HealthServices Minnesota, P.A."	"MN"	"Healthcare Provider"	4000	2012-05-14	"Theft"	"Laptop"	FALSE	"\N"
"St. Mary Medical Center"	"CA"	"Healthcare Provider"	3900	2012-05-14	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Our Lady of the Lake Regional Medical Center"	"LA"	"Healthcare Provider"	17000	2012-05-18	"Loss, Theft"	"Laptop"	FALSE	"\N"
"UnitedHealth Group health plan single affiliated covered entity"	"MN"	"Health Plan"	19100	2012-05-18	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"West Dermatology"	"CA"	"Healthcare Provider"	1900	2012-05-18	"Theft"	"Other"	FALSE	"\N"
"Duke University Health System"	"NC"	"Healthcare Provider"	591	2012-05-18	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Ameritas Life Insurance Corp. "	"NE"	"Health Plan"	3000	2012-05-21	"Theft"	"Laptop"	FALSE	"\N"
"Children's Hospital Boston"	"MA"	"Healthcare Provider"	2159	2012-05-22	"Theft"	"Laptop"	FALSE	"\N"
"Data Image, Inc."	"OH"	"Business Associate"	15000	2012-05-22	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Physician's Automated Laboratory"	"CA"	"Healthcare Provider"	745	2012-05-23	"Theft"	"Paper/Films"	FALSE	"\N"
"Phoebe Putney Memorial Hospital, Inc. "	"GA"	"Healthcare Provider"	12937	2012-05-24	"Theft"	"Electronic Medical Record, Paper/Films"	FALSE	"\N"
"Independence Physical Therapy"	"CT"	"Healthcare Provider"	925	2012-05-25	"Theft"	"Desktop Computer"	FALSE	"\N"
"Titus Regional Medical Center"	"TX"	"Healthcare Provider"	5700	2012-05-26	"Loss, Unknown"	"Laptop"	FALSE	"\N"
"Titus Regional Medical Center"	"TX"	"Healthcare Provider"	500	2012-05-26	"Theft"	"Other"	FALSE	"\N"
"Lutheran Community Services Northwest"	"WA"	"Healthcare Provider"	756	2012-05-29	"Theft"	"Desktop Computer, Other Portable Electronic Device"	FALSE	"\N"
"Volunteer State Health Plan, Inc. "	"TN"	"Health Plan"	1102	2012-05-31	"Loss"	"Paper/Films"	FALSE	"\N"
"Charlie Norwood VA Medical Center"	"GA"	"Healthcare Provider"	824	2012-06-04	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"PrevMED"	"MD"	"Business Associate"	1444	2012-06-04	"Theft"	"Laptop"	TRUE	"\N"
"Metcare of Florida, Inc."	"FL"	"Healthcare Provider"	2557	2012-06-04	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Robert Witham, MD, FACP"	"OR"	"Healthcare Provider"	11136	2012-06-06	"Theft"	"Desktop Computer"	FALSE	"\N"
"Memorial Sloan-Kettering Cancer Center"	"NY"	"Healthcare Provider"	568	2012-06-08	"Theft"	"Email, Other"	FALSE	"The covered entitys (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used  in a presentation.  In addition, the medical education organization posted the presentation slides on its website.  The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information.  Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI.  As a result of OCRs investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above."
"Gessler Clinic, P.A."	"FL"	"Healthcare Provider"	1409	2012-06-14	"Theft"	"Paper/Films"	FALSE	"\N"
"University of Kentucky HealthCare"	"KY"	"Healthcare Provider"	4490	2012-06-19	"Theft"	"Laptop"	FALSE	"\N"
"Wolf & Yun"	"KY"	"Healthcare Provider"	824	2012-06-22	"Theft"	"Laptop"	FALSE	"\N"
"Karen Kietzman"	"MT"	"Healthcare Provider"	708	2012-06-22	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Bruce G. Peller, DMD, PA"	"NC"	"Healthcare Provider"	9953	2012-06-25	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Sharon L. Rogers, Ph.D., ABPP"	"TX"	"Healthcare Provider"	585	2012-07-03	"Theft"	"Laptop"	FALSE	"\N"
"Health Texas Provider Network - Cardiovascular Consultants of North Texas"	"TX"	"Healthcare Provider"	2462	2012-07-05	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"SwedishAmerican Health System"	"IL"	"Healthcare Provider"	1500	2012-07-12	"Theft"	"Paper/Films"	FALSE	"\N"
"Patterson Dental, Inc."	"MN"	"Business Associate"	2533	2012-07-13	"Loss, Unauthorized Access/Disclosure, Unknown"	"Other Portable Electronic Device"	TRUE	"\N"
"Visiting Nurse Services of Iowa"	"IA"	"Healthcare Provider"	1298	2012-07-16	"Theft"	"Paper/Films"	FALSE	"\N"
"Molalla Family Dental"	"OR"	"Healthcare Provider"	4354	2012-07-16	"Hacking/IT Incident, Other, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Pamlico Medical Equipment LLC"	"NC"	"Healthcare Provider"	2917	2012-07-17	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Beth Israel Deaconess Medical Center"	"MA"	"Healthcare Provider"	3900	2012-07-20	"Theft"	"Laptop"	FALSE	"\N"
"NYU School of Medicine Faculty Group Practice"	"NY"	"Healthcare Provider"	8488	2012-07-23	"Theft"	"Desktop Computer"	FALSE	"\N"
"The Surgeons of Lake County, LLC"	"IL"	"Healthcare Provider"	7067	2012-07-25	"Other"	"Network Server"	FALSE	"\N"
"Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg"	"IN"	"Healthcare Provider"	1504	2012-07-25	"Theft"	"Other"	FALSE	"\N"
"Jeffrey Paul Edelstein M.D."	"AZ"	"Healthcare Provider"	4800	2012-07-27	"Theft"	"Network Server"	FALSE	"\N"
"Northwestern Memorial Hospital"	"IL"	"Healthcare Provider"	4211	2012-07-27	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Walgreen Co."	"IL"	"Healthcare Provider"	1240	2012-07-30	"Theft"	"Paper/Films"	FALSE	"\N"
"EMC"	"CT"	"Business Associate"	7461	2012-07-30	"Theft"	"Laptop"	TRUE	"\N"
"Oregon Health & Science University"	"OR"	"Healthcare Provider"	702	2012-07-31	"Theft"	"Other"	FALSE	"\N"
"Stanford Hospital & Clinics and School of Medicine"	"CA"	"Healthcare Provider"	2300	2012-08-03	"Theft"	"Desktop Computer"	FALSE	"\N"
"Harris County Hospital District"	"TX"	"Healthcare Provider"	2875	2012-08-03	"Theft"	"Electronic Medical Record, Paper/Films"	FALSE	"\N"
"Siemens Medical Solutions, USA"	"PA"	"Business Associate"	66601	2012-08-10	"Theft"	"Laptop"	TRUE	"\N"
"TEMPLE COMMUNITY HOSPITAL"	"CA"	"Healthcare Provider"	603	2012-08-15	"Theft"	"Desktop Computer"	FALSE	"\N"
"Memorial Healthcare System"	"FL"	"Healthcare Provider"	105646	2012-08-16	"Theft"	"Electronic Medical Record"	FALSE	"\N"
"Liberty Resources, Inc."	"PA"	"Healthcare Provider"	3183	2012-08-17	"Theft"	"Laptop"	FALSE	"An employees personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle.  The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes,  base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers.  The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files.  Following the breach, the CE created and implemented a new policy and procedure to improve safeguards.  This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops.  OCR obtained assurances that the CE implemented the corrective action listed above. 
\
\
\"
"The University of Texas MD Anderson Cancer Center"	"TX"	"Healthcare Provider"	2264	2012-08-17	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Central States Southeast and Siouthwest Areas Health & Welfare Fund"	"IL"	"Health Plan"	754	2012-08-21	"Other, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"LANA MEDICAL CARE"	"FL"	"Healthcare Provider"	500	2012-08-28	"Theft"	"Laptop"	FALSE	"\N"
"Cancer Care Group, P.C."	"IN"	"Healthcare Provider"	55000	2012-08-28	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Tricounty Behavioral Health Clinic"	"GA"	"Healthcare Provider"	4000	2012-08-31	"Theft"	"Laptop"	FALSE	"\N"
"Sierra Plastic Surgery"	"NV"	"Healthcare Provider"	800	2012-09-05	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Charlotte Clark-Neitzel, MD"	"WA"	"Healthcare Provider"	942	2012-09-07	"Theft"	"Laptop"	FALSE	"\N"
"University of Miami"	"FL"	"Healthcare Provider"	64846	2012-09-07	"Other, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"University of New Mexico Health Sciences Center"	"NM"	"Healthcare Provider"	2365	2012-09-12	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Valley Plastic Surgery, P.C."	"VA"	"Healthcare Provider"	4873	2012-09-13	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Ecco Health, LLC"	"NV"	"Business Associate"	5713	2012-09-14	"Loss"	"Other Portable Electronic Device"	TRUE	"\N"
"BHcare, Inc"	"CT"	"Healthcare Provider"	5827	2012-09-14	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"OCR opened an investigation of the covered entity (CE), BHcare, Inc. after it reported that a laptop computer and unencrypted back-up tape containing the electronic protected health information (ePHI) of 5,827 individuals were stolen from a workforce members vehicle.  The ePHI included names, date of birth, social security numbers, health insurance numbers, and some patients assessments and diagnosis information. Upon discovering the breach, the CE filed a police report with the Connecticut State Police. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notice on its website.  The CE offered one year of free credit monitoring services to affected individuals.  As a result of OCRs investigation, the CE completed a risk analysis and risk management plan, retrained employees, and implemented new security policies and procedures to ensure adequate safeguards of ePHI.
\
\
\"
"The Feinstein Institute for Medical Research"	"NY"	"Healthcare Provider"	13000	2012-09-14	"Theft"	"Laptop"	FALSE	"\N"
"St. Therese Medical Group, Inc"	"CA"	"Healthcare Provider"	3031	2012-09-17	"Theft"	"Desktop Computer"	FALSE	"\N"
"Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency)"	"KY"	"Health Plan"	2500	2012-09-19	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"PST Services, Inc"	"GA"	"Business Associate"	13074	2012-10-08	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"Apria Healthcare, Inc."	"CA"	"Healthcare Provider"	65700	2012-10-10	"Theft"	"Laptop"	FALSE	"\N"
"Alexander J. Tikhtman, M.D."	"KY"	"Healthcare Provider"	2376	2012-10-12	"Theft"	"Other Portable Electronic Device"	FALSE	"The covered entity (CE), offices of Alexander J. Tikhtman, M.D., lost an unencrypted flash drive containing the electronic protected health information (ePHI) of 2,376 individuals. The flash drive was not recovered.  The ePHI included patients names, treatment and diagnostic information, and in some instances, dates of birth and social security numbers.  The CE provided breach notification to the affected individuals, HHS, and the media.  It also established a dedicated call center for questions related to the breach and offered free credit monitoring and identity theft services to individuals whose social security numbers were breached.  The CE updated its privacy and security policies and procedures relating to the use, storage, and transmission of PHI.  OCR obtained assurances that the CE completed the corrective action listed above.
\
\"
"Gulf Coast Health Care Services Inc"	"FL"	"Healthcare Provider"	13000	2012-10-15	"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Blount Memorial Hospital, Inc"	"TN"	"Healthcare Provider"	27799	2012-10-17	"Theft"	"Laptop"	FALSE	"The covered entity (CE), Blount Memorial Hospital, reported that a laptop computer containing the electronic protected health information (ePHI) of 27,799 individuals was stolen from a workforce members home.  The ePHI involved in the breach included demographic and other financial information.  The CE provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE reviewed its privacy and security policies and procedures, encrypted all of its laptops, and improved its HIPAA training.  As a result of OCRs investigation, OCR provided technical assistance regarding the CEs security incident procedures and risk management plan.  OCR also reviewed the CEs HIPAA policies and procedures that were created or revised in response to the breach.
\
\
\"
"Alere Home Monitoring, Inc"	"CA"	"Healthcare Provider"	116506	2012-10-18	"Theft"	"Laptop"	FALSE	"\N"
"Coastal home Respiratory, LLP"	"GA"	"Healthcare Provider"	3440	2012-10-18	"Theft"	"Other"	FALSE	"Computers containing the electronic protected health information (ePHI) of 3,440 patients were stolen from the covered entity (CE), Coastal Home Respiratory, during a burglary.  The ePHI included names, addresses, phone numbers, insurance identification numbers, social security numbers, and diagnoses.  The computers were password protected and the data was encoded. The CE promptly notified law enforcement and provided breach notification to affected individuals, HHS, and the media.  Following the breach, the CE cancelled access passwords for patient data, and changed patient data software to a server based system that is password protected and encrypted.  The CEs billing software vendor changed the CEs account numbers to prevent unauthorized access to the ePHI.  The CE improved physical safeguards by installing a new alarm system.  Following OCRs investigation, the CE also improved safeguards for PHI by implementing new procedures for activity reports, audit logs, and security reports."
"Philip P Corneliuson, DDS, INC."	"CA"	"Healthcare Provider"	980	2012-10-22	"Theft"	"Desktop Computer"	FALSE	"\N"
"First Step Counseling, Inc."	"NJ"	"Healthcare Provider"	638	2012-10-23	"Theft"	"Paper/Films"	FALSE	"Two of the covered entitys (CE) employees photocopied documents containing 638 patients protected health information (PHI) and disclosed the documents to their attorney.  The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers.  Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI.  The CE provided breach notification to the affected individuals, HHS and the media.  As a result of OCRs investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock.  Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk.  The CE also reviewed and revised its consent forms and retrained all staff. "
"Logan Community Resources, Inc."	"IN"	"Healthcare Provider"	2900	2012-10-23	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"CVS Caremark"	"RI"	"Healthcare Provider"	955	2012-10-26	"Theft"	"Paper/Films"	FALSE	"\N"
"Memorial Hospital"	"OH"	"Healthcare Provider"	500	2012-10-29	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"QUANTERION SOLUTIONS INC"	"NY"	"Business Associate"	1017	2012-11-01	"Theft"	"Network Server"	TRUE	"An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entitys (CE) business associate (BA), Quanterion Solutions, Inc.  The ePHI included names, addresses, dates of birth, drivers license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications.  Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested.  The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals.  As a result of OCRs investigation, the CE executed a BA agreement. 
\
\"
"University of Illinois, College of Nursing"	"IL"	"Business Associate"	508	2012-11-02	"Theft"	"Paper/Films"	TRUE	"\N"
"Miami Beach Healthcare Group Ltd. dba Aventura Hospital and Medical Center"	"FL"	"Healthcare Provider"	2560	2012-11-05	"Theft"	"Electronic Medical Record"	FALSE	"\N"
"WYATT DENTAL GROUP, LLC"	"LA"	"Healthcare Provider"	10271	2012-11-05	"Theft, Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Women & Infants Hospital of Rhode Island"	"RI"	"Healthcare Provider"	14004	2012-11-05	"Loss"	"Other"	FALSE	"\N"
"Memorial Health System"	"CO"	"Healthcare Provider"	6262	2012-11-07	"Loss"	"Paper/Films"	FALSE	"\N"
"CHRISTUS St. John Hospital"	"TX"	"Healthcare Provider"	5748	2012-11-16	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"L.A. Care Health Plan"	"CA"	"Health Plan"	18000	2012-11-17	"Other"	"Other"	FALSE	"\N"
"Hawaii State Department of Health, Adult Mental Health Division"	"HI"	"Healthcare Provider"	674	2012-11-20	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Soundental Associates, PC"	"CT"	"Healthcare Provider"	14511	2012-11-21	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Original Medicine Acupuncture & Wellness, LLC"	"NM"	"Healthcare Provider"	540	2012-11-21	"Theft"	"Laptop"	FALSE	"\N"
"Brigham and Women's Hospital"	"MA"	"Healthcare Provider"	615	2012-11-26	"Theft"	"Desktop Computer"	FALSE	"\N"
"Advantage Health Solutions, Inc."	"IN"	"Business Associate"	2575	2012-11-26	"Other"	"Other"	TRUE	"\N"
"James M. McGee, D.M.D., P.C."	"GA"	"Healthcare Provider"	1306	2012-11-27	"Theft"	"Paper/Films"	FALSE	"\N"
"Robbins Eye Center PC"	"CT"	"Healthcare Provider"	1749	2012-11-28	"Theft"	"Desktop Computer"	FALSE	"\N"
"Advanced Data Processing, Inc."	"FL"	"Healthcare Clearing House"	10000	2012-11-29	"Theft"	"Desktop Computer"	FALSE	"\N"
"Cuyahoga County Board of Developmental Disabilities"	"OH"	"Healthcare Provider"	613	2012-11-29	"Theft"	"Laptop"	FALSE	"\N"
"Blue Cross Blue Shield"	"IL"	"Business Associate"	500	2012-11-29	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Vidant Pungo Hospital"	"NC"	"Healthcare Provider"	1100	2012-11-29	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"County of San Bernardino Department of Public Heatlh"	"CA"	"Healthcare Provider"	1370	2012-11-29	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"ADPI-West"	"CA"	"Business Associate"	1500	2012-11-29	"Theft, Unauthorized Access/Disclosure"	"Desktop Computer"	TRUE	"\N"
"Landmark Medical Center"	"RI"	"Healthcare Provider"	683	2012-11-30	"Theft"	"Laptop"	FALSE	"\N"
"University of Virginia Medical Center"	"VA"	"Healthcare Provider"	1846	2012-11-30	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Carolinas Medical Center - Randolph"	"NC"	"Healthcare Provider"	5600	2012-12-07	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Coastal Behavioral Healthcare, Inc."	"FL"	"Healthcare Provider"	4907	2012-12-07	"Theft"	"Paper/Films"	FALSE	"OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop.  The CE indicated the four pages were likely part of a larger report and may have containing the PHI of 4,907 individuals.  The PHI involved in the breach included names, social security numbers, dates of birth, and other identifiers.  The CE provided breach notification to the affected individuals, HHS, and the media.  Following the breach, the CE hired a cybersecurity firm to perform a network audit and to conduct a security risk assessment.  The CE also improved safeguards by restricting physical access to its information technology department, implementing a new electronic health record system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the breach.  OCR obtained assurances that the CE implemented the corrective action listed above."
"CCS Medical, Inc."	"TX"	"Healthcare Provider"	6601	2012-12-10	"Unauthorized Access/Disclosure"	"Network Server, Other"	FALSE	"\N"
"Columbia University Medical Center and NewYork-Presbyterian Hospital"	"NY"	"Healthcare Provider"	4929	2012-12-14	"Theft"	"Desktop Computer"	FALSE	"\N"
"Health Advantage"	"AR"	"Health Plan"	2863	2012-12-20	"Other"	"Paper/Films"	FALSE	"\N"
"Westerville Dental Center"	"OH"	"Healthcare Provider"	850	2012-12-20	"Theft"	"Laptop, Network Server"	FALSE	"\N"
"HealthPlus, Amerigroup"	"NY"	"Business Associate"	28187	2012-12-21	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Center for Orthopedic Research and Education, Inc."	"AZ"	"Healthcare Provider"	35488	2012-12-21	"Theft"	"Paper/Films"	FALSE	"\N"
"Calif. Dept. of Health Care Services (DHCS)"	"CA"	"Health Plan"	2643	2012-12-23	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Richard Switzer MD PC"	"MI"	"Healthcare Provider"	4100	2012-12-23	"Other"	"Laptop"	FALSE	"\N"
"Gibson General Hospital"	"IN"	"Healthcare Provider"	28893	2012-12-26	"Theft"	"Laptop"	FALSE	"\N"
"Sovereign Medical Group, LLC"	"NJ"	"Healthcare Provider"	27800	2012-12-27	"Hacking/IT Incident, Theft"	"Network Server"	FALSE	"\N"
"HP Enterprise Services"	"KY"	"Business Associate"	1090	2012-12-28	"Theft"	"Laptop"	TRUE	"An employee of a subcontractor for the covered entitys (CE) Business Associate (BA), responded to a telephone phishing attack and permitted a hacker to remotely access the laptop computer of the subcontractor.  In violation of the subcontractor BAs policies, the laptop contained the protected health information (PHI) of 1,090 individuals, including names, dates of birth, diagnosis codes, and diagnosis code descriptions and some social security numbers and treatment descriptions.  The CE, through its BA, provided breach notification to HHS, affected individuals, and the media, and provided substitute notice.  The BA also offered a year of credit monitoring to those affected.  In response to the incident, the subcontractor improved safeguards by initiating laptop audits to ensure PHI is not stored on them, re-trained employees, and applied employee sanctions by terminating the employee who failed to follow its policy. OCR obtained assurances that the corrective action listed above was completed. 
\
\"
"Clearpoint Design, Inc."	"MA"	"Business Associate"	4343	2012-12-28	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Omnicell, Inc."	"CA"	"Business Associate"	56820	2012-12-31	"Theft"	"Laptop"	TRUE	"An electronic medication dispensing device was stolen from the locked car of an Omnicell employee.  Omnicell is a business associate (BA) of the covered entity (CE), Sentara.  The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CEs patients.  Breach notification was provided to HHS, the media and affected individuals.   The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards.  The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members.  As a result of OCRs investigation, OCR obtained an executive summary of the BAs risk analysis and a copy of the CEs most recent risk analysis.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"St. Mark's Medical Center"	"TX"	"Healthcare Provider"	2988	2012-12-31	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Group Health Incorporated"	"NY"	"Health Plan"	1771	2013-01-02	"Theft"	"Paper/Films"	FALSE	"OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers.  The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard.   The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website.  Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers.  As a result of OCRs investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure.  The CE provided affected individuals with a free one year subscription for credit monitoring.
\
\"
"Calvin Schuster,MD"	"CA"	"Healthcare Provider"	532	2013-01-04	"Theft"	"Desktop Computer"	FALSE	"\N"
"Clearpoint Design, Inc."	"MA"	"Business Associate"	4125	2013-01-07	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"University of Nevada School of Medicine"	"NV"	"Healthcare Provider"	1483	2013-01-08	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"WorkflowOne"	"OH"	"Business Associate"	635	2013-01-08	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"SilverScript Insurance Company"	"AZ"	"Health Plan"	852	2013-01-08	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Clearpoint Design, Inc."	"MA"	"Business Associate"	7250	2013-01-10	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Pousson Family Dentistry"	"LA"	"Healthcare Provider"	1400	2013-01-10	"Theft"	"Laptop"	FALSE	"\N"
"Clearpoint Design, Inc."	"MA"	"Business Associate"	4100	2013-01-10	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Lee D. Pollan, DMD, PC"	"NY"	"Healthcare Provider"	19178	2013-01-11	"Theft"	"Laptop"	FALSE	"OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals.  The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes.  Upon discovery of the breach, the CE filed a police report to recover the stolen items.  As a result of OCRs investigation, the CE encrypted the backup drive of the contents of the laptop computer.  The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices."
"Washington University School of Medicine"	"MO"	"Healthcare Provider"	1105	2013-01-11	"Theft"	"Laptop"	FALSE	"\N"
"Riderwood Village"	"MD"	"Healthcare Provider"	3230	2013-01-17	"Theft"	"Laptop"	FALSE	"OCR opened an investigation of the covered entity (CE), Riderwood Senior Living Community, after it reported that five laptop computers (four of which were unencrypted) containing the electronic protected health information (ePHI) of 8,507 individuals were stolen from the facilitys physical therapy department.  The ePHI included names, dates of birth, addresses, Health plan ID numbers, and discussions of therapy treatments.  Upon discovering the breach, the CE filed a police report, mailed individual notice of the breach to all current and former Riderwood residents and affected health plan members, issued a press release to seven media outlets, posted substitute notice on its website for 90 days, and reported the breach to HHS.  Following this breach, the CE encrypted laptops, revised security procedures, and retrained employees.  OCR obtained written assurance that the CE implemented the corrective action listed above as well as new security policies and procedures to ensure adequate safeguards of ePHI."
"WAYNE MEMORIAL HOSPITAL"	"PA"	"Healthcare Provider"	1184	2013-01-18	"Loss"	"Other"	FALSE	"\N"
"Baptist Health System"	"TX"	"Healthcare Provider"	678	2013-01-22	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"BlueCross BlueShield of Western New York"	"NY"	"Business Associate"	725	2013-01-22	"Theft"	"Paper/Films"	TRUE	"OCR opened an investigation of the covered entity (CE), Baillie Lumber Co. Group Health Plan, after it reported its business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE.  The PHI included names, member identification numbers, and social security numbers.  The CE provided breach notification to HHS and affected individuals.  Upon discovery of the breach, the BA contacted the U.S. Post Office to inquire about the package that contained the invoices that the CE never received.  As a result of OCRs investigation, the BA revised its invoice process and removed social security numbers and member identification numbers from its invoices.  The BA also improved safeguards by changing its mailing procedures to send invoices to the CE via secure email.  The breach involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI."
"The University of Texas MD Anderson Cancer Center"	"TX"	"Healthcare Provider"	29021	2013-01-24	"Theft"	"Laptop"	FALSE	"\N"
"Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics"	"WI"	"Healthcare Provider"	2400	2013-01-25	"Theft"	"Paper/Films"	FALSE	"\N"
"RR Donnelley (a sub-BA for UnitedHealth Group)"	"IL"	"Business Associate"	8911	2013-01-30	"Theft"	"Desktop Computer"	TRUE	"\N"
"Kmart Pharmacy #7623"	"LA"	"Business Associate"	16988	2013-01-31	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"Community Services NW"	"AL"	"Healthcare Provider"	2400	2013-02-02	"Theft"	"Desktop Computer"	FALSE	"\N"
"LifeGas"	"GA"	"Business Associate"	1103	2013-02-04	"Theft"	"Laptop"	TRUE	"\N"
"Yadkinville Chiropractic DCPA"	"NC"	"Business Associate"	1000	2013-02-06	"Theft"	"Desktop Computer"	TRUE	"\N"
"West Georgia Ambulance"	"GA"	"Healthcare Provider"	500	2013-02-11	"Loss"	"Laptop"	FALSE	"\N"
"Center for Pain Management, LLC"	"MD"	"Healthcare Provider"	5822	2013-02-12	"Theft"	"Laptop"	FALSE	"Three laptop computers were stolen from the Rockville, MD office of the covered entity (CE), Center for Pain Management.  The laptops were unencrypted and two of the devices contained the electronic protected health information (ePHI) of 5,822 individuals.  The CE retained Identity Force, a firm specializing in providing mitigation services in cases of security breaches.   Identity Force mailed notification letters to all affected individuals and provided identity theft insurance and credit monitoring services for one year.  The CE also posted the breach notification on its website and notified the media.  The CE engaged the services of an information technology firm to update its devices and computer network.  OCR obtained assurances that the corrective action listed above was completed."
"Coast Healthcare Management, LLC"	"CA"	"Business Associate"	1368	2013-02-12	"Other, Theft"	"Paper/Films"	TRUE	"\N"
"Froedtert Health"	"WI"	"Healthcare Provider"	43549	2013-02-12	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Jackson Health System"	"FL"	"Healthcare Provider"	566	2013-02-13	"Other"	"Paper/Films"	FALSE	"\N"
"Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl"	"MA"	"Healthcare Provider"	716	2013-02-14	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"HomeCare of Mid-Missouri, Inc."	"MO"	"Healthcare Provider"	4027	2013-02-14	"Theft"	"Laptop"	FALSE	"\N"
"Heyman HospiceCare at Floyd"	"GA"	"Healthcare Provider"	1819	2013-02-15	"Theft"	"Laptop"	FALSE	"\N"
"ABQ HealthPartners"	"NM"	"Healthcare Provider"	778	2013-02-17	"Theft"	"Laptop"	FALSE	"\N"
"Terrell County Health Department"	"GA"	"Healthcare Provider"	18000	2013-02-18	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"DentaQuest of Florida, LLC"	"MA"	"Business Associate"	3667	2013-02-19	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Stronghold Counseling Services Inc"	"SD"	"Healthcare Provider"	8500	2013-02-21	"Theft"	"Desktop Computer"	FALSE	"\N"
"Arizona Oncology"	"AZ"	"Healthcare Provider"	501	2013-02-21	"Theft"	"Laptop"	FALSE	"\N"
"Crescent Health Inc. - a Walgreens Company"	"CA"	"Healthcare Provider"	109000	2013-02-22	"Theft"	"Desktop Computer"	FALSE	"\N"
"County of San Bernardino, Department of Behavioral Health"	"CA"	"Health Plan"	686	2013-02-25	"Theft"	"Paper/Films"	FALSE	"\N"
"WOMENS HEALTH ENTERPRISE, INC."	"GA"	"Healthcare Provider"	3000	2013-02-27	"Theft"	"Laptop"	FALSE	"\N"
"Standard Register"	"OH"	"Business Associate"	2261	2013-03-01	"Theft"	"Paper/Films"	TRUE	"OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CEs envelopes.  The protected health information (PHI) included names, addresses and financial information.  OCR provided technical assistance to the CE regarding safeguarding PHI."
"Health Plus Amerigroup"	"NY"	"Business Associate"	28187	2013-03-01	"Theft"	"Other Portable Electronic Device"	TRUE	"The covered entitys (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center.  OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues."
"Plexus Group"	"IL"	"Business Associate"	500	2013-03-01	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"South Miami Hospital"	"FL"	"Healthcare Provider"	834	2013-03-02	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Lancaster General Medical Group"	"PA"	"Healthcare Provider"	527	2013-03-04	"Theft"	"Paper/Films"	FALSE	"A spreadsheet containing the protected health information (PHI) of 527 individuals was stolen from one of the covered entitys (CE) locations.  The PHI involved in the breach included names and dates of birth.  Following the breach, the CE notified the local police, provided breach notification to HHS, the media, and the affected individuals, and offered identity protection services to the individuals.  The CE attempted to retrieve the PHI.  As a result of OCRs investigation, the CE reviewed its policies to prevent a similar incident from occurring in the future.
\ 
\
\"
"Maine Medical Center"	"ME"	"Healthcare Provider"	1920	2013-03-04	"Other"	"Email"	FALSE	"\N"
"North Los Angeles County Regional Center "	"CA"	"Business Associate"	18162	2013-03-04	"Theft"	"Laptop"	TRUE	"\N"
"Goold Health System (Goold)"	"MA"	"Business Associate"	6332	2013-03-06	"Loss"	"Other Portable Electronic Device"	TRUE	"\N"
"Sports Rehabilitation Consultants"	"OH"	"Healthcare Provider"	1200	2013-03-06	"Theft"	"Desktop Computer"	FALSE	"\N"
"University of Connecticut Health Center"	"CT"	"Healthcare Provider"	1382	2013-03-08	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"United HomeCare Services, Inc."	"FL"	"Healthcare Provider"	12299	2013-03-09	"Theft"	"Laptop"	FALSE	"\N"
"Patterson Dental Supply/Patterson Companies"	"MN"	"Business Associate"	6400	2013-03-12	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Connextions c/o Anthem BCBS"	"IN"	"Business Associate"	1678	2013-03-14	"Theft, Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Mount Sinai Medical Center"	"FL"	"Healthcare Provider"	628	2013-03-15	"Theft"	"Desktop Computer, Paper/Films"	FALSE	"\N"
"Thomas L. Davis, Jr. DDS"	"OR"	"Healthcare Provider"	3269	2013-03-15	"Theft"	"Desktop Computer, Electronic Medical Record"	FALSE	"\N"
"HealthCare for Women, Inc."	"MA"	"Healthcare Provider"	8727	2013-03-20	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"University of Mississippi Medical Center"	"MS"	"Healthcare Provider"	500	2013-03-21	"Loss"	"Laptop"	FALSE	"\N"
"Granger Medical Clinic"	"UT"	"Healthcare Provider"	2600	2013-03-22	"Loss, Other, Theft"	"Paper/Films"	FALSE	"\N"
"Texas Tech Unversity Health Sciences Center"	"TX"	"Healthcare Provider"	697	2013-03-22	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Rite Aid #10217"	"RI"	"Healthcare Provider"	2082	2013-03-29	"Other, Unknown"	"Paper/Films"	FALSE	"\N"
"Sunil Kakar, Psy.D."	"WA"	"Business Associate"	629	2013-03-29	"Theft"	"Laptop"	TRUE	"\N"
"QuickRunner, Inc. (dba, RoadRunner Mailing Services)"	"CA"	"Business Associate"	2400	2013-03-29	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Shands Jacksonville Medical Center, Inc."	"FL"	"Healthcare Provider"	1025	2013-04-02	"Theft"	"Electronic Medical Record"	FALSE	"A clinical intern at the covered entity (CE), University of Florida Health Jacksonville (UFHJ) (formerly Shands Jacksonville Medical Center), took photographs of protected health information (PHI) and emailed the PHI to an unauthorized third person for the purpose of filing fraudulent tax returns.  The PHI included the names, addresses, social security numbers, dates of birth, and treatment information of 1,025 individuals.  Law enforcement agencies that learned of the breach informed the CE and requested delays of breach notification.  The CE later provided breach notification to affected individuals, HHS, and the media, and offered affected individuals one year of free identity theft protection.   Following the breach, the CE sanctioned two workforce members who had allowed the intern, who was no longer at the CE, to use their credentials to access the electronic medical records in violation of its policies.  The CE also retrained workforce members on its privacy policies; increased access restrictions to social security numbers; and ended its clinic-based internships.   OCR provided technical assistance and obtained assurances of the CEs plan to update its breach notification policies and procedures.  "
"University of Florida"	"FL"	"Healthcare Provider"	14519	2013-04-03	"Other, Theft, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Kmart Corporation"	"IL"	"Healthcare Provider"	12542	2013-04-03	"Theft"	"Electronic Medical Record"	FALSE	"\N"
"PORTAL HEALTHCARE SOLUTIONS LLC"	"VA"	"Business Associate"	2360	2013-04-04	"Theft"	"Network Server"	TRUE	"The covered entitys (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months.  The ePHI included transcribed doctors notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration.  Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement.  As a result of OCRs investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CEs ePHI."
"Hospice and Palliative Care Center of Alamance Caswell"	"NC"	"Healthcare Provider"	5370	2013-04-04	"Theft, Unauthorized Access/Disclosure"	"Laptop, Paper/Films"	FALSE	"\N"
"Texas Health Care, P.L.L.C."	"TX"	"Healthcare Provider"	554	2013-04-05	"Theft"	"Paper/Films"	FALSE	"\N"
"TMG Health "	"PA"	"Business Associate"	3794	2013-04-05	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Wm. Jennings Bryan Dorn VAMC"	"SC"	"Healthcare Provider"	7405	2013-04-10	"Theft"	"Laptop"	FALSE	"A laptop computer contained the protected health information (PHI) of approximately 7,405 individuals was stolen from the Pulmonary Testing Unit of the William Jennings Bryan Dorn Veterans Affairs Medical Center, the covered entity (CE). The PHI involved in the breach included names, dates of birth, and clinical information.  The CE provided breach notice to HHS, the media and affected individuals and provided substitute notification on its website.  It also offered affected individuals credit monitoring services including identity theft protection for one year.   The CE also filed a report with the VA police and VA Office of Inspector General (OIG).  In response to the breach, the CE improved safeguards by physically protecting all laptops attached to medical testing devices and established policies and procedures requiring clinic staff to securely store and purge all personally identifiable information from such medical devices. As a result of OCRs investigation, OCR obtained assurances that the corrective actions listed above were completed."
"John J. Pershing VA Medical Center"	"MO"	"Healthcare Provider"	589	2013-04-11	"Theft"	"Paper/Films"	FALSE	"OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room.  The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals.  This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date.  The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE.  The CE provided breach notification to affected individuals, HHS, and the media.  Substitute notification was provided through a posting on the CEs main website with a toll-free information number.  The CE also offered one year of identity protection and credit monitoring services to affected individuals.  As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI.  Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules.  Finally, OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"Oregon Health & Science University"	"OR"	"Healthcare Provider"	1076	2013-04-11	"Theft"	"Laptop"	FALSE	"\N"
"Schneck Medical Center"	"IN"	"Healthcare Provider"	3131	2013-04-12	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"The Guidance Center of Westchester"	"NY"	"Healthcare Provider"	1416	2013-04-17	"Theft"	"Desktop Computer"	FALSE	"\N"
"Hope Hospice"	"TX"	"Healthcare Provider"	818	2013-04-25	"Other"	"Email"	FALSE	"\N"
"IHC Health Services, Inc. dba Intermountain Life Flight"	"UT"	"Healthcare Provider"	857	2013-04-26	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Valley Mental Health"	"UT"	"Healthcare Provider"	700	2013-04-26	"Theft"	"Desktop Computer"	FALSE	"\N"
"ZDI"	"CA"	"Business Associate"	14829	2013-04-29	"Loss"	"Paper/Films"	TRUE	"\N"
"Raleigh Orthopaedic Clinic"	"NC"	"Healthcare Provider"	17300	2013-04-30	"Improper Disposal, Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Laboratory Corporation of America"	"NC"	"Healthcare Provider"	1580	2013-05-01	"Theft"	"Desktop Computer"	FALSE	"\N"
"Arizona Counseling & Treatment Services, LLC"	"AZ"	"Healthcare Provider"	3800	2013-05-01	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Wood County Hospital"	"OH"	"Healthcare Provider"	2500	2013-05-03	"Theft"	"Other"	FALSE	"\N"
"University of Rochester Medical Center & Affiliates"	"NY"	"Healthcare Provider"	537	2013-05-06	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"AssuranceMD f/k/a Harbor Group"	"PA"	"Business Associate"	22000	2013-05-07	"Theft"	"Other Portable Electronic Device"	TRUE	"An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brookers business associate, AssuranceMD,  and a subcontracted electronic medical records storage company.  The ePHI involved in the breach included patients names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers.  Dr. Brooker provided breach notification to HHS and affected individuals.  Following the breach he updated his HIPAA policies and procedures.  OCR obtained assurances that the corrective action steps listed above were completed.  Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice.  
\
\"
"Digital Archive Management"	"TX"	"Business Associate"	189489	2013-05-07	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"Seattle - King County Department of Public Health"	"WA"	"Healthcare Provider"	750	2013-05-07	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Regional Medical Center"	"TN"	"Healthcare Provider"	1180	2013-05-07	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"E-dreamz, Inc."	"NC"	"Business Associate"	9988	2013-05-08	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"North Atlantic Telecom, Inc."	"TN"	"Business Associate"	539	2013-05-08	"Other"	"Desktop Computer"	TRUE	"\N"
"E-dreamz, Inc."	"NC"	"Business Associate"	1924	2013-05-10	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Indiana University Health Arnett"	"IN"	"Healthcare Provider"	10350	2013-05-13	"Theft"	"Laptop"	FALSE	"\N"
"Dent Neurologic Group, LLP"	"NY"	"Healthcare Provider"	10000	2013-05-14	"Other"	"Email"	FALSE	"\N"
"City of Norwood"	"OH"	"Healthcare Provider"	9577	2013-05-20	"Loss"	"Laptop"	FALSE	"\N"
"Lutheran Social Services of South Central Pennsylvania"	"PA"	"Healthcare Provider"	7803	2013-05-20	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Just the Connection Inc"	"IN"	"Business Associate"	5388	2013-05-20	"Improper Disposal"	"Other"	TRUE	"\N"
"Erskine Family Dentistry"	"IN"	"Healthcare Provider"	2723	2013-05-21	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Health Resources of Arkansas"	"AR"	"Healthcare Provider"	1900	2013-05-23	"Theft, Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"SynerMed / Inland Valleys IPA"	"CA"	"Business Associate"	3164	2013-05-24	"Theft"	"Laptop"	TRUE	"\N"
"Independence Care System"	"NY"	"Health Plan"	2434	2013-05-24	"Theft"	"Laptop"	FALSE	"\N"
"Sonoma Valley Hospital"	"CA"	"Healthcare Provider"	1386	2013-05-24	"Other"	"Other"	FALSE	"\N"
"Bon Secours Mary Immaculate Hospital"	"VA"	"Healthcare Provider"	5764	2013-05-29	"Theft"	"Electronic Medical Record"	FALSE	"The covered entity (CE), Bon Secours Health System, discovered that two Certified Nursing Assistants (CNAs) impermissibly electronically accessed the medical records of approximately 5,764 patients during the prior 12 months.  The protected health information (PHI) contained in the breach included patients names, social security numbers, dates of birth, addresses, clinical information, and other identifiers.  The CE provided breach notification to HHS, affected individuals and the media.   Following the breach, the CE conducted a full investigation, sanctioned the two CNAs, revoked their access to the electronic medical record system and subsequently terminated both employees for their actions.  Following the CEs reports to law enforcement and the state department of health professions, the two former employees plead guilty to Federal misdemeanor charges and had their professional certifications revoked.  OCR reviewed the CEs most recent risk assessment and confirmed that all identified risks are to be addressed by December 2014 according to the CEs Risk Management Plan.  As a result of OCRs investigation, the CE pursued prosecution of the CNAs and provided credit monitoring services to the affected individuals.
\
\"
"University of Florida"	"FL"	"Healthcare Provider"	5875	2013-05-30	"Theft, Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Community Support Services, Inc."	"OH"	"Healthcare Provider"	1167	2013-06-03	"Theft"	"Email"	FALSE	"\N"
"UMASSAmherst"	"MA"	"Healthcare Provider"	1670	2013-06-05	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Palm Beach County Health Department"	"FL"	"Healthcare Provider"	877	2013-06-11	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Lucile Packard Children's Hospital"	"CA"	"Healthcare Provider"	12900	2013-06-13	"Theft"	"Laptop"	FALSE	"\N"
"Fayetteville VAMC"	"NC"	"Healthcare Provider"	1093	2013-06-14	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE), Fayetteville VA Medical Clinic Optical Shop, impermissibly disclosed the protected health information (PHI) of approximately 1,094 individuals by placing consultation reports in the recycling bin rather than the shredding bin.  The PHI involved in the breach included patients names, social security numbers, birthdates, addresses, and phone numbers.  The CE provided breach notification to all patients seen in the facility since the origination of the breach, HHS, and the media.  The CE conducted an investigation and removed documents containing PHI from the recycle bin and shredded them according to the CEs procedure.  
\
\The CE provided evidence that it provided additional training regarding security of PHI and disposal methods for documents that contained PHI for Optical Shop workforce members.  In addition, the CE improved safeguards by placing a document shredder on-site.   The responsible staff member was sanctioned according to the CE policy.  OCR obtained assurances that the corrective actions listed above were completed.
\"
"Lincoln County Health and Human Services/Lincoln Community Health Center"	"OR"	"Healthcare Provider"	959	2013-06-14	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Union Security Insurance Company"	"MO"	"Health Plan"	1127	2013-06-17	"Improper Disposal"	"Email"	FALSE	"\N"
"Gulf Breeze Family Eyecare, Inc"	"FL"	"Healthcare Provider"	9626	2013-06-17	"Theft, Unauthorized Access/Disclosure"	"Desktop Computer, Electronic Medical Record, Email, Network Server, Paper/Films"	FALSE	"\N"
"Jacksonville Spine Center"	"FL"	"Healthcare Provider"	5200	2013-06-24	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE), Jacksonville Spine Center, impermissibly disclosed the protected health information (PHI) of approximately 5,200 individuals when a workforce member misaddressed some envelopes due to a spreadsheet error.  The mailing resulted in some individuals receiving correspondence with another patients name on the envelope.  The only PHI involved in the breach was patients names.   The CE provided breach notification to HHS, the media and affected individuals.  The notice to individuals requested that patients either return the envelope to the CE or destroy the envelope.  As a result of this incident, the CE issued a written warning to the responsible workforce member pursuant to the CEs sanction policy. Moreover, the CE implemented additional safeguards including the checking of data file integrity prior to sending mailings. OCR obtained assurances that the CE implemented the corrective action listed above."
"Iowa Department of Human Services"	"IA"	"Healthcare Provider"	7335	2013-06-26	"Loss, Unknown"	"Other"	FALSE	"\N"
"James A. Fosnaugh"	"NE"	"Healthcare Provider"	2125	2013-06-26	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Lone Star Circle of Care"	"TX"	"Healthcare Provider"	1955	2013-06-28	"Theft"	"Laptop"	FALSE	"\N"
"Alberto Gerardo Vazquez Rivera"	"PR"	"Business Associate"	679	2013-06-28	"Theft"	"Laptop"	TRUE	"An encrypted laptop computer was stolen from an AFLAC associates vehicle in Puerto Rico.  The laptop contained PHI of approximately 679 individuals and contained demographic, financial and clinical information, including patient names, addresses, birthdates, social security numbers, claims information, and diagnoses.  The covered entity filed a police report and provided breach notification to all affected individuals, HHS, and the media.  The responsible workforce member was sanctioned.  OCR acknowledges that the incident does not constitute a reportable breach under the Breach Notification Rule because the laptop was sufficiently encrypted."
"RCR Technology Corporation"	"IN"	"Business Associate"	187533	2013-07-01	"Other"	"Paper/Films"	TRUE	"\N"
"CVS Caremark"	"AZ"	"Business Associate"	4305	2013-07-02	"Theft"	"Paper/Films"	TRUE	"Business associate (BA) employees erroneously sent 4,305 health plan members protected health information (PHI) to other plan members.  The PHI involved in the breach included names and prescribed medication(s).  The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media.  Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future.  OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above."
"Health Net, Inc."	"CA"	"Health Plan"	8331	2013-07-02	"Other"	"Paper/Films"	FALSE	"\N"
"South Florida Neurology Associates, P.A."	"FL"	"Healthcare Provider"	900	2013-07-03	"Theft"	"Laptop"	FALSE	"\N"
"Samaritan Regional Health System"	"OH"	"Healthcare Provider"	2203	2013-07-03	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician.  The protected health information (PHI) included the names and addresses of approximately 2,203 individuals.  The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website.  Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings.  OCR obtained assurances that the CE implemented the corrective action listed above."
"MED-EL Coproration"	"NC"	"Healthcare Provider"	609	2013-07-05	"Other"	"Email"	FALSE	"\N"
"Nelson Family of Companies"	"CA"	"Business Associate"	4479	2013-07-05	"Unauthorized Access/Disclosure"	"Email"	TRUE	"\N"
"Family Health Network"	"IL"	"Business Associate"	3133	2013-07-08	"Other"	"Paper/Films"	TRUE	"\N"
"ZDI"	"CA"	"Business Associate"	4718	2013-07-10	"Loss"	"Paper/Films"	TRUE	"\N"
"Medtronic, Inc."	"MN"	"Healthcare Provider"	2764	2013-07-10	"Theft"	"Paper/Films"	FALSE	"The covered entity (CE), Medtronic, misplaced a box of paper records containing the protected health information (PHI) of approximately 2,764 individuals.  The box contained patient pump training records, including a checklist of training received, patients names, device serial numbers, phone numbers, and, in some cases, email addresses. Some of the records may also have included social security numbers, medical necessity forms, physician orders, and copies of documents from one patients medical record.  The CE provided breach notification to affected individuals and HHS.  Following the breach, the CE improved safeguards by redesigning its records tracking procedures and installing software with additional box tracking capabilities.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\
\"
"Shred-it International Inc."	"TX"	"Business Associate"	277014	2013-07-11	"Improper Disposal"	"Other"	TRUE	"\N"
"Long Beach Memorial Medical Center"	"CA"	"Healthcare Provider"	2864	2013-07-11	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"People Resource Corporation"	"MO"	"Business Associate"	4560	2013-07-15	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Harris County"	"TX"	"Health Plan"	21000	2013-07-16	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Jesle Kuizon"	"CA"	"Business Associate"	800	2013-07-18	"Hacking/IT Incident, Theft, Unauthorized Access/Disclosure"	"Desktop Computer, Network Server"	TRUE	"\N"
"GEO Care, LLC"	"FL"	"Healthcare Provider"	710	2013-07-19	"Theft"	"Desktop Computer"	FALSE	"The FBI notified the covered entity (CE), GEO Care, that a GEO Care employee, inappropriately accessed the patient admission reports of approximately 710 patients at South Florida State Hospital and provided them to a third party, the employees cousin, without authorization. The employees cousin then attempted to sell the reports for an illegal purpose.  The protected health information (PHI) involved in the breach included names, dates of birth, social security numbers, admission dates, discharge dates, and patients unit names.  The CE provided breach notification to HHS, the media, and posted substitute notice on its website.  It also offered identity theft protection to the affected individuals.  The responsible staff member was terminated according to the CEs policy and has also been criminally indicted.  Following the breach, the CE improved safeguards by limiting the use of full social security numbers, restricting access to documents, and performing weekly audits of those workforce members who access documents with full social security numbers.  Additionally, the CE updated its privacy and security policies and procedures and developed new policies and procedures.  It also revised its policies for employee access to electronic PHI based on job title and function, and provided retraining to employees regarding access and disclosure of PHI.  OCR obtained assurances that the corrective actions listed above were completed."
"The Brookdale Hospital and Medical Center"	"NY"	"Healthcare Provider"	2700	2013-07-20	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Louisiana State University Health Care Services Division"	"LA"	"Healthcare Provider"	6994	2013-07-22	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Oregon Health & Science University"	"OR"	"Healthcare Provider"	1361	2013-07-28	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Rocky Mountain Spine Clinic, P.C."	"CO"	"Healthcare Provider"	532	2013-07-31	"Theft, Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Vitreo-Retinal Medical Group, Inc. "	"CA"	"Healthcare Provider"	1837	2013-08-02	"Theft"	"Laptop"	FALSE	"\N"
"Health Resources of Arkansas"	"AR"	"Business Associate"	1911	2013-08-05	"Theft"	"Laptop"	TRUE	"\N"
"Baylor All Saints Medical Center at Fort Worth"	"TX"	"Healthcare Provider"	940	2013-08-05	"Unauthorized Access/Disclosure"	"Other Portable Electronic Device"	FALSE	"\N"
"M2ComSys Inc."	"NV"	"Business Associate"	32151	2013-08-08	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Young Family Medicine Inc."	"OH"	"Healthcare Provider"	2045	2013-08-12	"Theft"	"Laptop"	FALSE	"\N"
"Hancock OB/GYN"	"IN"	"Healthcare Provider"	1396	2013-08-12	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Anthem BCBS of GA"	"IN"	"Business Associate"	5497	2013-08-13	"Theft"	"Other"	TRUE	"The covered entitys (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CEs business associate (BA).  This breach affected approximately 5,497 individuals and included demographic information. Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals.  The CE also sent a memorandum and its corrective action/sanction policy to the account managers staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative.  OCR obtained assurances that the CE implemented the corrective action listed above.
\
\"
"InfoCrossing, Inc."	"MO"	"Business Associate"	1357	2013-08-13	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Foundations Recovery Network"	"TN"	"Healthcare Provider"	5690	2013-08-15	"Theft"	"Laptop"	FALSE	"\N"
"California Correctional Health Care Services"	"CA"	"Healthcare Provider"	1033	2013-08-16	"Other"	"Paper/Films"	FALSE	"\N"
"North Texas Comprehensive Spine & Pain Center"	"TX"	"Healthcare Provider"	3200	2013-08-19	"Loss, Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Minne-Tohe Health Center/Elbowoods Memorial Health Center"	"ND"	"Health Plan"	10000	2013-08-21	"Improper Disposal, Unauthorized Access/Disclosure"	"Desktop Computer, Other"	FALSE	"\N"
"Jackson Health System"	"FL"	"Healthcare Provider"	1471	2013-08-22	"Other"	"Paper/Films"	FALSE	"\N"
"Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group"	"IL"	"Healthcare Provider"	4029530	2013-08-23	"Theft"	"Desktop Computer"	FALSE	"\N"
"Summit Community Care Clinic, Inc."	"CO"	"Healthcare Provider"	921	2013-08-27	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"UT Physicians"	"TX"	"Healthcare Provider"	596	2013-08-28	"Loss, Theft"	"Laptop"	FALSE	"\N"
"Cogent Healthcare, Inc."	"TN"	"Business Associate"	32000	2013-08-30	"Theft"	"Network Server"	TRUE	"Cogent Healthcare, Inc., a business associate (BA) providing management services for 24 providers of hospitalist services, submitted a breach report to HHS on behalf of these covered entities.  The BAs privacy officer found that protected health information (PHI) for which the BA was responsible was accessible on a File Transfer Protocol (FTP) Internet site.  The PHI involved in the breach affected approximately 32,151 individuals and included patients names, physicians names, dates of birth, diagnoses, treatment summaries, medical histories, medical record numbers and related information.
\
\OCR determined that the reporting entity is a BA and the incident occurred prior to the September 23, 2013, enforcement date.  OCR provided the BA with technical assistance regarding current HIPAA Privacy and Security Rule BA requirements.  
\
\"
"Atlanta Center for Reproductive Medicine"	"GA"	"Healthcare Provider"	654	2013-08-30	"Other"	"Email"	FALSE	"\N"
"St. Anthony's Physician Organization"	"MO"	"Healthcare Provider"	2600	2013-08-30	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Janna Benkelman LPC LLC"	"CO"	"Healthcare Provider"	1500	2013-09-03	"Theft"	"Laptop"	FALSE	"\N"
"Olson & White Orthodontics"	"MO"	"Healthcare Provider"	10000	2013-09-03	"Theft"	"Desktop Computer, Network Server"	FALSE	"\N"
"Kaiser Foundation Health Plan of the Northwest"	"OR"	"Health Plan"	647	2013-09-03	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Hankyu Chung, M.D."	"CA"	"Healthcare Provider"	2182	2013-09-06	"Theft"	"Laptop"	FALSE	"\N"
"ICS Collection Service, Inc."	"IL"	"Business Associate"	1290	2013-09-06	"Hacking/IT Incident"	"Other"	TRUE	"\N"
"PHMHS"	"PR"	"Business Associate"	5000	2013-09-11	"Theft"	"Network Server"	TRUE	"Upon request, a subcontractor (PHM Software Solutions) of the covered entitys (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing  which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet.  The ePHI included names, gender, member identification numbers, dates of birth, and consent forms.  The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website.  Upon discovery of the breach, the BA removed the software application and placed it offline.  As a result of OCRs investigation, the CE had its BA to conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis.  The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date.  OCR provided technical assistance to assist the CE understand its obligations under the Privacy and Security Rules regarding BA agreements.  "
"NHC HealthCare, Oak Ridge"	"TN"	"Healthcare Provider"	4268	2013-09-13	"Loss"	"Other"	FALSE	"\N"
"NHC HealthCare, Mauldin"	"SC"	"Healthcare Clearing House"	4204	2013-09-13	"Improper Disposal"	"Other"	FALSE	"\N"
"Blackhawk Consulting Group"	"GA"	"Business Associate"	2029	2013-09-13	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Blackhawk Consulting Group"	"GA"	"Business Associate"	998	2013-09-13	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"South Shore Physicians, PC"	"NY"	"Healthcare Provider"	8000	2013-09-16	"Theft"	"Network Server"	FALSE	"\N"
"Dermatology Associates of Tallahassee"	"FL"	"Healthcare Provider"	915	2013-09-16	"Unknown"	"Other"	FALSE	"\N"
"Sierra View District Hospital"	"CA"	"Healthcare Provider"	1009	2013-09-20	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"InfoCrossing, Inc."	"MO"	"Business Associate"	25461	2013-09-20	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Region Ten Community Services Board"	"VA"	"Healthcare Provider"	10228	2013-09-26	"Theft"	"Email"	FALSE	"The covered entity (CE), Region Ten Community Services Board, reported that multiple employees had responded to an email, appearing to come from an internal sender, informing them that their mailboxes had exceeded limits and instructing them to follow a link to enter username and password.  A forensic investigation was conducted which did not show that any sensitive client information was compromised.  However, in an effort to mitigate any potential harm the CE sent notification to over 10,000 individuals, sent a press release to a local news station and also posted information about the occurrence on its website.  The CE engaged the services of a technology consulting firm and has provided OCR written assurance that it has implemented updates to its computer network including an additional firewall"
"Comprehensive Podiatry LLC"	"OH"	"Healthcare Provider"	1360	2013-09-27	"Theft"	"Laptop"	FALSE	"\N"
"Santa Clara Valley Medical Center"	"CA"	"Healthcare Provider"	579	2013-09-27	"Theft"	"Laptop"	FALSE	""
"Not Applicable "	"CO"	"Business Associate"	3512	2013-09-28	"Theft"	"Laptop"	TRUE	"\N"
"Carol L. Patrick, Ph.D."	"OH"	"Healthcare Provider"	517	2013-09-30	"Theft"	"Network Server"	FALSE	"\N"
"HOPE Family Health"	"TN"	"Healthcare Provider"	6932	2013-09-30	"Theft"	"Laptop"	FALSE	"\N"
"UnityPoint Health Affiliated Covered Entity (UnityPoint)"	"IA"	"Healthcare Provider"	1825	2013-10-02	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Paragon Benefits, Inc."	"GA"	"Business Associate"	5232	2013-10-02	"Theft"	"Email"	TRUE	"\N"
"University of California, San Francisco"	"CA"	"Healthcare Provider"	3553	2013-10-03	"Theft"	"Laptop, Paper/Films"	FALSE	"\N"
"Reconstructive Orthopaedic Associates II, P.C. d/b/a Rothman Institute"	"PA"	"Healthcare Provider"	2350	2013-10-03	"Theft"	"Paper/Films"	FALSE	"An employee removed paper copies of daily patient schedules and two medical reports from the covered entitys (CE) transcription processing department without authorization upon her termination from employment.  Approximately 2,300 individuals were affected by the breach.  The protected health information (PHI) involved in the breach included patient names, telephone numbers, appointment dates and times, dates of birth, reasons for visits, visit sites, assigned staff/physician, chart numbers, insurance company codes and copays, encounter numbers, and treatment information.  The CE provided breach notification to HHS, the media and affected individuals and provided one year of free credit monitoring to those requested it.  Following the breach, the CE cooperated with local authorities in their arrest and prosecution of the involved employee.  The CE updated its privacy policies and procedures, organized the policies into a HIPAA manual, and retrained 687 employees on its privacy policies and procedures.  In response to OCRs investigation, the CE decided to replace its electronic medical records and practice management systems to improve safeguards for electronic PHI."
"Group Health Cooperative"	"WA"	"Healthcare Provider"	1015	2013-10-03	"Other"	"Paper/Films"	FALSE	"\N"
"Schuylkill Health System"	"PA"	"Healthcare Provider"	2810	2013-10-04	"Theft"	"Laptop"	FALSE	"\N"
"CaroMont Medical Group"	"NC"	"Healthcare Provider"	1310	2013-10-04	"Other"	"Email"	FALSE	"\N"
"Mount SInai Medical Center"	"NY"	"Healthcare Provider"	1586	2013-10-04	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Healthcare Management System "	"TN"	"Business Associate"	4330	2013-10-04	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Saint Louis University"	"MO"	"Healthcare Provider"	3100	2013-10-07	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"BlackHawk"	"IL"	"Business Associate"	7120	2013-10-09	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Ferris State University - MI College of Optometry"	"MI"	"Healthcare Provider"	3947	2013-10-11	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Access Counseling, LLC"	"IN"	"Healthcare Provider"	566	2013-10-14	"Theft"	"Laptop"	FALSE	"\N"
"Rose Medical Center"	"CO"	"Healthcare Provider"	606	2013-10-14	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"BriovaRx"	"IL"	"Healthcare Provider"	1067	2013-10-14	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"North Country Hospital and Health Center, Inc"	"VT"	"Healthcare Provider"	550	2013-10-15	"Theft"	"Laptop"	FALSE	"\N"
"Hope Community Resources, Inc."	"AK"	"Healthcare Provider"	1556	2013-10-16	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Broward Health Medical Center"	"FL"	"Healthcare Provider"	960	2013-10-17	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Mount Sinai Medical Center"	"NY"	"Healthcare Provider"	610	2013-10-21	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Texas Health Presbyterian Dallas Hospital"	"TX"	"Healthcare Provider"	949	2013-10-22	"Theft"	"Desktop Computer"	FALSE	"\N"
"Seton Healthcare Family"	"TX"	"Healthcare Provider"	5500	2013-10-23	"Theft"	"Laptop"	FALSE	"\N"
"PROFESSIONAL TRANSCRIPTION SERVICES"	"NY"	"Business Associate"	37000	2013-10-25	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Good Samaritan Hospital"	"CA"	"Healthcare Provider"	3833	2013-10-25	"Theft"	"Laptop"	FALSE	"The covered entity (CE), Samaritan Regional Health System, mismatched names and addresses in a mailing to former patients of a recently deceased physician.  The protected health information (PHI) included the names and addresses of approximately 2,203 individuals.  The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website.  Following the breach, the CE re-trained staff on proper address validation techniques and implemented new audit procedures for mailings.  OCR obtained assurances that the CE implemented the corrective action listed above."
"SSM Health Care of Wisconsin DBA: St. Marys Janesville Hospital"	"WI"	"Healthcare Provider"	631	2013-10-25	"Theft"	"Laptop"	FALSE	"A laptop computer containing protected health information (PHI) was stolen from the vehicle of a covered entitys (CE) workforce member.  Approximately 633 individuals were affected by the breach.  The PHI included patients names, dates of birth, medical records, and account numbers.  The CE immediately reported the laptop theft to the police.  In response to the breach, the CE provided notice to HHS, the affected individuals, and the media.  In addition, the CE encrypted all company laptops, re-trained each provider and employee in possession of a company laptop, and applied disciplinary policies to the employees involved in the incident.  OCR obtained assurances that the covered entity implemented the corrective action listed above.
\
\"
"AHMC Healthcare Inc. and affiliated Hospitals"	"CA"	"Healthcare Provider"	729000	2013-10-25	"Theft"	"Laptop"	FALSE	"\N"
"Greater Dallas Orthopaedics, PLLC"	"TX"	"Healthcare Provider"	5840	2013-10-28	"Theft"	"Desktop Computer"	FALSE	"\N"
"Spirit Home Health Care, Corp"	"FL"	"Business Associate"	603	2013-10-29	"Improper Disposal"	"Paper/Films"	TRUE	"\N"
"Rotech Healthcare Inc."	"FL"	"Healthcare Provider"	10680	2013-10-29	"Unauthorized Access/Disclosure"	"Laptop"	FALSE	"\N"
"Reimbursement Technologies, Inc."	"PA"	"Healthcare Clearing House"	2300	2013-10-31	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Superior HealthPlan, Inc."	"TX"	"Health Plan"	6284	2013-11-01	"Other"	"Paper/Films"	FALSE	"\N"
"Genesis Rehabilitation Services"	"PA"	"Healthcare Provider"	1167	2013-11-01	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Colorado Health & Wellness, Inc."	"CO"	"Healthcare Provider"	651	2013-11-02	"Theft, Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Barnabas Health Medical Group"	"NJ"	"Healthcare Provider"	1100	2013-11-05	"Theft"	"Laptop"	FALSE	"\N"
"DaVita, a division of DaVita HealthCare Partners Inc"	"CO"	"Healthcare Provider"	11500	2013-11-05	"Other, Theft"	"Laptop"	FALSE	"\N"
"Blue Cross and Blue Shield of North Carolina"	"NC"	"Health Plan"	687	2013-11-07	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities  "	"NC"	"Healthcare Provider"	1315	2013-11-08	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Triple S Salud Inc."	"PR"	"Business Associate"	13336	2013-11-08	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Associated Urologists of North Carolina"	"NC"	"Healthcare Provider"	7300	2013-11-08	"Other"	"Other"	FALSE	"\N"
"Kemmet Dental Design "	"ND"	"Healthcare Provider"	2000	2013-11-12	"Other, Theft"	"Paper/Films"	FALSE	"\N"
"Hospice of the Chesapeake"	"MD"	"Healthcare Provider"	7606	2013-11-12	"Theft"	"Email"	FALSE	"Contrary to the covered entitys (CE) established policy, an employee emailed spreadsheets containing the electronic protected health information (ePHI) of 7,035 patients to a personal email account, and a third party may have viewed the spreadsheets.  The PHI included names, addresses, conditions, and diagnoses.  Following the breach, the CE hired an independent computer forensics firm which conducted an independent investigation. The investigation uncovered another spreadsheet containing the PHI of 571 additional patients in the employees personal email account.  The CE provided breach notification to affected individuals, the media, and HHS, and posted substitute notice on its website.  The CE applied sanctions for violating its policy and terminated the responsible employee. As a result of OCRs investigation, OCR obtained assurances that the CE has periodically conducted risk assessments to assess vulnerabilities to ePHI in its computer systems."
"All Source Medical Management"	"AZ"	"Business Associate"	1456	2013-11-13	"Theft"	"Other"	TRUE	"\N"
"Memorial Sloan-Kettering Cancer Center"	"NY"	"Healthcare Provider"	2279	2013-11-13	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Health Fitness Corporation"	"IL"	"Business Associate"	4837	2013-11-14	"Theft"	"Laptop"	TRUE	"\N"
"UHS-Pruitt Corporation"	"GA"	"Healthcare Provider"	1300	2013-11-15	"Theft"	"Laptop"	FALSE	"A managers unencrypted laptop computer was stolen from a hotel parking lot which also included the employees login and system password and the covered entitys (CE) long term care software application.  The laptop contained 1,300 individuals protected health information (PHI) and included names, social security numbers, addresses, dates of birth, bank account numbers, Medicare numbers, possible diagnoses, and patient locations. Following the breach, the CE changed the employees password and performed an analysis to ensure no attempts had been made to access the system and long term care application using the prior account and password.  The CE improved safeguards by encrypting electronic devices and employing devices that do not allow local storage.  The CE has also re-trained employees.  OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. 
\
\
\"
"United Dynacare, LLC dba Dynacare Laboratories"	"WI"	"Healthcare Provider"	9328	2013-11-18	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Redwood Memorial Hospital"	"CA"	"Healthcare Provider"	1039	2013-11-19	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"University of California, San Francisco"	"CA"	"Healthcare Provider"	8294	2013-11-22	"Theft"	"Laptop, Paper/Films"	FALSE	"\N"
"Kaiser Foundation Hospital- Orange County"	"CA"	"Healthcare Provider"	49000	2013-11-22	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Jones Chiropractic and Maximum Health"	"IN"	"Healthcare Provider"	1500	2013-11-26	"Theft"	"Desktop Computer"	FALSE	"\N"
"Ronald Schubert MD PLLC"	"WA"	"Healthcare Provider"	950	2013-11-26	"Theft"	"Laptop"	FALSE	"\N"
"UPMC"	"PA"	"Healthcare Provider"	1279	2013-11-27	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"UW Medicine"	"WA"	"Healthcare Provider"	76183	2013-11-27	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"City of Chicago"	"IL"	"Healthcare Provider"	2080	2013-11-29	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Quality Health Claims Consultants, LLC"	"IL"	"Business Associate"	1573	2013-12-06	"Theft"	"Email"	TRUE	"The Covered Entitys (CE) Business Associate (BA) mailed letters to their clients to request certain documents containing identifying information. An erroneous fax number listing caused some clients to fax their information to the wrong number.  Approximately 1,573 individuals were affected by the breach.  The protected health information (PHI) involved included names, addresses, dates of birth, and social security numbers.  Following the breach, the BA confirmed that any faxes sent to the incorrect fax number were destroyed.   The BA also standardized all company literature to require manual data entry of client-specific contact information to assure quality control.  OCR  provided information to assist the CE to revise its BA agreement.  
\
\"
"SIU HealthCare"	"IL"	"Healthcare Provider"	1891	2013-12-06	"Loss, Theft"	"Laptop"	FALSE	"\N"
"The Good Samaritan Health Center"	"GA"	"Healthcare Provider"	5000	2013-12-06	"Other"	"Desktop Computer"	FALSE	"\N"
"UniHealth Source"	"GA"	"Healthcare Provider"	4500	2013-12-06	"Theft"	"Laptop"	FALSE	"\N"
"Walgreen Co."	"IL"	"Healthcare Provider"	17350	2013-12-06	"Other"	"Paper/Films"	FALSE	"\N"
"Methodist Dallas Medical Center"	"TX"	"Healthcare Provider"	44000	2013-12-06	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Florida Digestive Health Specialists"	"FL"	"Healthcare Provider"	4400	2013-12-09	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Northside Hospital, Inc."	"GA"	"Healthcare Provider"	4879	2013-12-10	"Loss"	"Laptop"	FALSE	"\N"
"Health Help, Inc."	"KY"	"Healthcare Provider"	535	2013-12-10	"Theft"	"Other Portable Electronic Device"	FALSE	"An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce members unlocked personal vehicle parked at home.  The ePHI involved in the breach included names and birthdates.  Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media.  Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices.  The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy.  OCR obtained assurances that the CE implemented the corrective action listed above."
"L.A. Gay & Lesbian Center"	"CA"	"Healthcare Provider"	59000	2013-12-10	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Mosaic"	"NE"	"Healthcare Provider"	3857	2013-12-11	"Other"	"Email"	FALSE	"\N"
"Island Peer Review Organization"	"NY"	"Business Associate"	9642	2013-12-12	"Loss"	"Other Portable Electronic Device"	TRUE	"\N"
"Molina Healthcare In"	"CA"	"Business Associate"	1499	2013-12-16	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Wyoming Department of Health"	"WY"	"Health Plan"	11935	2013-12-16	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Shiloh Medical Clinic"	"MT"	"Healthcare Provider"	1900	2013-12-17	"Unauthorized Access/Disclosure"	"Desktop Computer, Email"	FALSE	"\N"
"DeLoach & Williamson"	"SC"	"Business Associate"	3432	2013-12-18	"Theft"	"Laptop"	TRUE	"DeLoach & Williamsons (a business associate (BA) for South Carolina Health Insurance Pool) employees car was broken into and her password-protected company laptop computer was stolen which contained the electronic protected health information (ePHI) of 3,432 individuals. The ePHI involved in the breach included social security numbers, names, dates of service, and provider identification numbers.  The BA provided breach notification to the covered entity, affected individuals, and HHS.  The covered entity provided breach notification to the media.  Following the breach, the BA immediately launched an internal investigation and retrained the subject employee on the companys  policies on privacy and security of electronic information.  Prior to the incident, the BA had decided to dissolve the company and it ceased operations by December 2013.  The BA intends to legally file for dissolution in December 2014. 
\
\"
"Colby DeHart"	"TN"	"Business Associate"	2777	2013-12-19	"Theft"	"Laptop"	TRUE	"\N"
"ZDI"	"CA"	"Business Associate"	1674	2013-12-20	"Loss"	"Paper/Films"	TRUE	"\N"
"Molina Healthcare of Texas, Inc."	"TX"	"Health Plan"	2826	2013-12-21	"Other"	"Paper/Films"	FALSE	"\N"
"Rob Meaglia, DDS"	"CA"	"Healthcare Provider"	1400	2013-12-23	"Theft"	"Desktop Computer"	FALSE	"\N"
"Jeff Spiegel"	"MA"	"Healthcare Provider"	832	2013-12-23	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Tranquility Counseling Services"	"NC"	"Healthcare Provider"	1683	2013-12-23	"Other"	"Paper/Films"	FALSE	"\N"
"Florida Department of Health"	"FL"	"Healthcare Provider"	2354	2013-12-23	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"New Mexico Oncology Hematology Consultants, LTD"	"NM"	"Healthcare Provider"	12354	2013-12-31	"Theft"	"Laptop"	FALSE	"\N"
"Colorado Community Health Alliance (CCHA)/Physicians Health Partners"	"CO"	"Business Associate"	1918	2014-01-02	"Unauthorized Access/Disclosure"	"Email"	TRUE	"\N"
"Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates"	"NJ"	"Business Associate"	839711	2014-01-03	"Theft"	"Laptop"	TRUE	"\N"
"Phoebe Putney Memorial Hospital"	"GA"	"Healthcare Provider"	6989	2014-01-03	"Loss"	"Desktop Computer"	FALSE	"\N"
"Coulee Medical Center"	"WA"	"Healthcare Provider"	2500	2014-01-03	"Theft"	"Email, Laptop, Network Server"	FALSE	"The covered entity (CE), Coulee Medical Center, reported that a CE-employed physician disclosed electronic protected health information (ePHI) to his wife without authorization.  The ePHI involved in the breach included names, hospital account numbers, dates of service, CPT codes, and service descriptions for approximately 2,500 individuals.  The CE provided breach notification to HHS and affected individuals.  Upon discovering the breach, the CE sanctioned the physician, required the physician to complete comprehensive HIPAA training, and required all workforce members to complete annual HIPAA training.  As a result of OCRs investigation, the CE implemented new information security policies and procedures to better safeguard its ePHI.  OCR provided the CE with technical assistance regarding what constitutes an adequate Security Rule risk analysis and risk management plan, as well as what constitutes adequate notice to the media pursuant to the Breach Notification Rule.  
\
\"
"RevSpring, Inc."	"MI"	"Business Associate"	3000	2014-01-06	"Other"	"Paper/Films"	TRUE	"\N"
"North Carolina Department of Health and Human Services "	"NC"	"Health Plan"	48752	2014-01-06	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Phreesia, Inc"	"NY"	"Business Associate"	2500	2014-01-08	"Theft"	"Laptop"	TRUE	"\N"
"Tri Lakes Medical Center"	"MS"	"Healthcare Provider"	1489	2014-01-10	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Virginia Premier Health Plan (VPHP)"	"VA"	"Business Associate"	25513	2014-01-10	"Theft"	"Paper/Films"	TRUE	"Virginia Premier Health Plan, a business associate (BA) of the covered entity (CE), Virginia Department of Medical Assistance Services (VA-DMAS), mailed incorrect postcards to Virginia Medicaid members.  The breach included 13,357 postcards that were mailed to the wrong address and 12,156 postcards that contained incorrect services information.  The information did not include social security numbers or financial information.  The BA provided breach notification to HHS, the media, and to affected individuals in English and Spanish.  Following this breach, the BA improved safeguards by retraining employees on safeguards for protected health information, updating procedures for mailings, and implementing additional quality control checks.   OCR obtained assurances that the BA implemented the corrective action listed above."
"Cook County Health & Hospitals System"	"IL"	"Healthcare Provider"	22511	2014-01-11	"Other"	"Email"	FALSE	"\N"
"Southwest General Health Center"	"OH"	"Healthcare Provider"	953	2014-01-13	"Unknown"	"Other"	FALSE	"\N"
"RGH Enterprises, Inc."	"OH"	"Health Plan"	4230	2014-01-13	"Theft"	"Network Server"	FALSE	"Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entitys (CEs) website.  The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers.  Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised "
"Network Pharmacy Knoxville"	"TN"	"Healthcare Provider"	9602	2014-01-15	"Theft"	"Laptop"	FALSE	"\N"
"Saint Francis Hospital and Medical Center"	"CT"	"Healthcare Provider"	858	2014-01-16	"Theft"	"Paper/Films"	FALSE	"\N"
"Sentara Healthcare"	"VA"	"Healthcare Provider"	3861	2014-01-16	"Theft, Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Health Dimensions"	"MI"	"Healthcare Provider"	5370	2014-01-16	"Theft"	"Network Server"	FALSE	"\N"
"COMPLETE MEDICAL HOMECARE"	"KS"	"Healthcare Provider"	1700	2014-01-21	"Unauthorized Access/Disclosure"	"Other Portable Electronic Device"	FALSE	"\N"
"Hospital for Special Surgery"	"NY"	"Healthcare Provider"	937	2014-01-21	"Theft"	"Desktop Computer, Paper/Films"	FALSE	"\N"
"The Brooklyn Hospital Center"	"NY"	"Healthcare Provider"	2172	2014-01-22	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Robert B. Neves, M.D."	"CA"	"Business Associate"	611	2014-01-24	"Theft"	"Laptop"	TRUE	""
"Triple-C, Inc."	"PR"	"Business Associate"	398000	2014-01-24	"Theft"	"Network Server"	TRUE	"\N"
"Triple-C, Inc."	"PR"	"Business Associate"	8000	2014-01-24	"Theft, Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Birmingham Printing and Publishing, Inc dba Paper Airplane"	"AL"	"Business Associate"	1085	2014-01-24	"Other"	"Other"	TRUE	"\N"
"Medical Mutual of Ohio"	"OH"	"Business Associate"	1420	2014-01-27	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"University of Wisconsin-Madison School of Pharmacy"	"WI"	"Business Associate"	41437	2014-01-30	"Loss"	"Other Portable Electronic Device"	TRUE	"\N"
"The University of Texas MD Anderson Cancer Center"	"TX"	"Healthcare Provider"	3598	2014-01-31	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Beebe Medical Center"	"DE"	"Healthcare Provider"	1883	2014-01-31	"Other"	"Laptop"	FALSE	"\N"
"St. Joseph Health System "	"TX"	"Health Plan"	405000	2014-02-05	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Min Yi, M.D."	"CA"	"Healthcare Provider"	4676	2014-02-05	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Easter Seal Society of Superior California"	"CA"	"Healthcare Provider"	3026	2014-02-07	"Theft"	"Laptop"	FALSE	"\N"
"PruittHealth Pharmacy Services"	"GA"	"Healthcare Provider"	841	2014-02-07	"Theft"	"Laptop"	FALSE	"A managers unencrypted laptop computer was stolen from the back seat of an employees car.  The laptop contained the protected health information (PHI) of 841 individuals and included names, possible diagnoses, prescription names, dates of service, and service locations.  The covered entity (CE) has improved safeguards by encrypting devices and employing devices that do not allow local storage.  The CE has also revised its privacy and security policies and re-trained employees.  OCR has consolidated this review into a compliance review that involves the same corporate entity and another stolen unencrypted laptop. "
"Kmart Corporation"	"IL"	"Healthcare Provider"	16446	2014-02-10	"Theft"	"Electronic Medical Record, Other"	FALSE	"\N"
"WA State Department of Social & Health Services"	"WA"	"Health Plan"	3104	2014-02-11	"Other, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Not Applicable "	"NY"	"Business Associate"	6475	2014-02-12	"Other, Theft"	"Laptop"	TRUE	"\N"
"University of Miami"	"FL"	"Healthcare Provider"	13074	2014-02-12	"Loss"	"Paper/Films"	FALSE	"\N"
"Supportive Concepts for Families, Inc."	"PA"	"Healthcare Provider"	593	2014-02-13	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Health Care Solutions at Home Inc."	"OH"	"Health Plan"	1139	2014-02-14	"Theft"	"Other"	FALSE	"The covered entity (CE) mistakenly mailed protected health information (PHI) to the wrong addresses of approximately 1,139 individuals following a computer error at the business associate (BA).  The PHI involved in the breach included names, addresses, dates of birth, dates of service, claims information, and diagnoses.  The CE provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website.  To prevent a similar breach from happening in the future, the CE and BA improved safeguards by updating policies to require multiple reviews of PHI in mailings.  Following OCRs investigation, the CE updated its policies and procedures relating to the minimum necessary standard."
"University of California Davis Medical Center"	"CA"	"Healthcare Provider"	2269	2014-02-14	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"St. Vincent Hospital and Healthcare, Inc"	"IN"	"Healthcare Provider"	1142	2014-02-18	"Theft"	"Laptop"	FALSE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	10024	2014-02-21	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	520	2014-02-21	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	4786	2014-02-21	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Inspira Health Network Inc."	"NJ"	"Healthcare Provider"	1411	2014-02-21	"Theft"	"Desktop Computer"	FALSE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	1511	2014-02-25	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Care Advantage, Inc."	"VA"	"Healthcare Provider"	3458	2014-02-26	"Theft"	"Laptop"	FALSE	"\N"
"Pair Networks Inc."	"PA"	"Business Associate"	8845	2014-02-26	"Other, Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"The Kroger Co., for itself and its affiliates and subsidiaries"	"OH"	"Healthcare Provider"	504	2014-02-26	"Other"	"Electronic Medical Record"	FALSE	"\N"
"Cornerstone Health Care, PA"	"NC"	"Healthcare Provider"	548	2014-02-26	"Loss, Theft"	"Laptop"	FALSE	"\N"
"Joseph Michael Benson M.D"	"TX"	"Healthcare Provider"	7500	2014-02-27	"Theft"	"Desktop Computer"	FALSE	"\N"
"Data Media"	"GA"	"Business Associate"	600	2014-02-28	"Other"	"Other"	TRUE	"\N"
"Eureka Internal Medicine"	"CA"	"Healthcare Provider"	3534	2014-03-04	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"St. Joseph Health System"	"TX"	"Business Associate"	3300	2014-03-05	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Banner Health"	"AZ"	"Healthcare Provider"	55207	2014-03-05	"Other"	"Other"	FALSE	"\N"
"PracMan, Inc."	"AL"	"Business Associate"	1179	2014-03-10	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Iowa Dept. of Human Services"	"IA"	"Health Plan"	2042	2014-03-10	"Other"	"Email, Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Mission City Community Network"	"CA"	"Healthcare Provider"	7800	2014-03-12	"Theft"	"Email"	FALSE	""
"University of California, San Francisco"	"CA"	"Healthcare Provider"	9861	2014-03-12	"Theft"	"Desktop Computer"	FALSE	"\N"
"Detroit Medical Center - Harper University Hospital"	"MI"	"Healthcare Provider"	1087	2014-03-13	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Todd M. Burton, M.D."	"TX"	"Healthcare Provider"	5000	2014-03-13	"Theft"	"Other"	FALSE	"\N"
"Valley View Hosptial Association"	"CO"	"Healthcare Provider"	5415	2014-03-14	"Other"	"Desktop Computer, Laptop"	FALSE	"\N"
"Hospitalists of Arizona"	"AZ"	"Healthcare Provider"	1706	2014-03-16	"Theft"	"Laptop"	FALSE	"\N"
"TMA Practice Management Group"	"TX"	"Business Associate"	2260	2014-03-17	"Improper Disposal, Loss"	"Other Portable Electronic Device"	TRUE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	1746	2014-03-18	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Berea College"	"KY"	"Healthcare Provider"	1000	2014-03-20	"Other"	"Electronic Medical Record"	FALSE	"\N"
"HealthPartners, Inc."	"MN"	"Health Plan"	27839	2014-03-21	"Loss, Unauthorized Access/Disclosure"	"Desktop Computer, Laptop, Other Portable Electronic Device"	FALSE	"\N"
"HealthPartners Administrators, Inc."	"MN"	"Business Associate"	796	2014-03-21	"Loss, Unauthorized Access/Disclosure"	"Desktop Computer, Laptop, Other Portable Electronic Device"	TRUE	"\N"
"HealthPartners Administrators, Inc."	"MN"	"Business Associate"	1699	2014-03-21	"Loss, Unauthorized Access/Disclosure"	"Desktop Computer, Laptop, Other Portable Electronic Device"	TRUE	"\N"
"HealthPartners Administrators, Inc."	"MN"	"Business Associate"	715	2014-03-21	"Loss, Unauthorized Access/Disclosure"	"Desktop Computer, Laptop, Other Portable Electronic Device"	TRUE	"\N"
"Talyst"	"WA"	"Business Associate"	1079	2014-03-24	"Theft"	"Laptop"	TRUE	"\N"
"Yellowstone Boys and Girls Ranch"	"MT"	"Healthcare Provider"	543	2014-03-24	"Theft"	"Paper/Films"	FALSE	""
"Orlando Health, Inc."	"FL"	"Healthcare Provider"	586	2014-03-24	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"NOVA Chiropractic & Rehab Center"	"VA"	"Healthcare Provider"	5534	2014-03-27	"Loss, Other"	"Other Portable Electronic Device"	FALSE	"\N"
"Susquehanna Health"	"PA"	"Healthcare Provider"	657	2014-03-27	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Jewish Hospital"	"KY"	"Healthcare Provider"	2992	2014-03-28	"Other"	"Email"	FALSE	"\N"
"Franciscan Medical Group"	"WA"	"Healthcare Provider"	8300	2014-03-28	"Other"	"Email"	FALSE	"\N"
"Palomar Health"	"CA"	"Healthcare Provider"	5499	2014-03-28	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Myriad Genetic Laboratories, Inc."	"UT"	"Healthcare Provider"	643	2014-03-29	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"RelayHealth, a division of McKesson"	"GA"	"Business Associate"	1000	2014-03-31	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"Policy Studies, Inc. / Postal Center International, Inc."	"FL"	"Business Associate"	580	2014-03-31	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Midwest Orthopaedics at Rush, LLC"	"IL"	"Healthcare Provider"	1256	2014-03-31	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Indian Health Service"	"MD"	"Health Plan"	214000	2014-04-01	"Unauthorized Access/Disclosure"	"Laptop"	FALSE	"\N"
"Kaiser Permanente Northern CA Department of Research"	"CA"	"Healthcare Provider"	5178	2014-04-02	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Triple-S Salud "	"PR"	"Health Plan"	5795	2014-04-02	"Theft"	"Other"	FALSE	""
"American Health Inc. "	"PR"	"Health Plan"	17776	2014-04-03	"Theft"	"Other"	FALSE	""
"State Long Term Care Ombudsmans Office, Michigan Department of Community Health "	"MI"	"Health Plan"	2595	2014-04-03	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Presence St. Joseph's Medical Center"	"IL"	"Healthcare Provider"	836	2014-04-04	"Other"	"Paper/Films"	FALSE	"\N"
"Clinical Reference Laboratory, Inc."	"KS"	"Healthcare Provider"	979	2014-04-09	"Loss"	"Paper/Films"	FALSE	"\N"
"Cigna"	"CT"	"Business Associate"	527	2014-04-09	"Loss"	"Paper/Films"	TRUE	"\N"
"Amerigroup Texas, Inc. "	"VA"	"Business Associate"	75026	2014-04-10	"Theft"	"Paper/Films"	TRUE	"\N"
"BLUE CROSS AND BLUE SHIELD OF KANSAS CITY"	"MO"	"Health Plan"	2546	2014-04-11	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"University Urology, P.C."	"TN"	"Healthcare Provider"	1144	2014-04-14	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Healthy Connections, Inc"	"CA"	"Healthcare Provider"	793	2014-04-14	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"IHS"	"MD"	"Health Plan"	5000	2014-04-15	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Triple S Salud Inc."	"PR"	"Business Associate"	7911	2014-04-15	"Theft"	"Other Portable Electronic Device"	TRUE	""
"Greenwood Leflore Hospital"	"MS"	"Healthcare Provider"	3750	2014-04-16	"Theft"	"Other"	FALSE	"\N"
"Service Coordination, Inc."	"MD"	"Business Associate"	10766	2014-04-17	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc."	"GA"	"Business Associate"	2523	2014-04-17	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Shaker Clinic"	"OH"	"Healthcare Provider"	617	2014-04-18	"Loss"	"Paper/Films"	FALSE	"\N"
"Tri State Adjustments"	"WI"	"Business Associate"	1400	2014-04-18	"Other"	"Other"	TRUE	"\N"
"Larsen Dental Care LLC"	"ID"	"Healthcare Provider"	6900	2014-04-18	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"CENTURA HEALTH"	"CO"	"Healthcare Provider"	12286	2014-04-22	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Ladies First Choice, Inc."	"FL"	"Healthcare Provider"	2365	2014-04-23	"Theft, Unauthorized Access/Disclosure"	"Laptop"	FALSE	"\N"
"Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company "	"MA"	"Health Plan"	8830	2014-04-24	"Theft"	"Other"	FALSE	"\N"
"Inclusion Research Institute"	"DC"	"Business Associate"	2200	2014-04-24	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Willis North America Inc. Medical Expense Benefit Plan"	"NY"	"Health Plan"	4830	2014-04-24	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Sorenson Communications"	"UT"	"Business Associate"	9800	2014-04-24	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Baylor Medical Center at McKinney"	"TX"	"Healthcare Provider"	1253	2014-04-25	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Baylor Medical Center at Irving"	"TX"	"Healthcare Provider"	2308	2014-04-25	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Baylor Regional Medical Center at Plano"	"TX"	"Healthcare Provider"	1981	2014-04-25	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"HealthTexas Provider Network"	"TX"	"Healthcare Provider"	2742	2014-04-25	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"Ferguson Advertising, Inc."	"IN"	"Business Associate"	1361	2014-04-25	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Iowa Medicaid Enterprise"	"IA"	"Health Plan"	862	2014-04-25	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Flowers Hospital"	"AL"	"Healthcare Provider"	629	2014-04-25	"Theft"	"Paper/Films"	FALSE	"\N"
"Reading Health System"	"PA"	"Healthcare Provider"	1845	2014-04-29	"Loss"	"Paper/Films"	FALSE	"\N"
"MDF Transcription Services"	"MA"	"Business Associate"	15265	2014-04-29	"Other"	"Other"	TRUE	"\N"
"OptumRx"	"IL"	"Business Associate"	5696	2014-04-30	"Theft"	"Paper/Films"	TRUE	"An employee of the covered entitys (CE) business associate (BA) mistakenly mailed protected health information (PHI) to other individuals due to a human error in sorting the data contained in an Excel spreadsheet.  The mailing affected 5,696 individuals and included names and prescription drug names.  The BA provided breach notification to the affected individuals, HHS, and the media.  As a result of OCRs investigation, OCR verified that the CE had a proper BA agreement in place that restricted the BAs use and disclosure of PHI and required the BA to safeguard all PHI.  OCR obtained assurances that the BA completed the corrective actions noted above.  The BA also stated that it has developed a plan to improve safeguards by implementing additional quality checks and controls for mailings."
"UMass Memorial Medical Center"	"MA"	"Healthcare Provider"	2387	2014-05-05	"Unauthorized Access/Disclosure"	"Electronic Medical Record, Paper/Films"	FALSE	"\N"
"KEYSTONE INSURERS GROUP"	"IN"	"Business Associate"	1008	2014-05-06	"Other"	"Email"	TRUE	"\N"
"Options Counseling Center"	"NJ"	"Healthcare Provider"	2828	2014-05-09	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Creel Printing"	"NV"	"Business Associate"	4744	2014-05-10	"Other"	"Paper/Films"	TRUE	"\N"
"Howard L. Weinstein D.P.M."	"TX"	"Healthcare Provider"	1000	2014-05-10	"Theft"	"Laptop"	FALSE	"\N"
"American Health Inc. "	"PR"	"Health Plan"	11531	2014-05-18	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Central City Concern"	"OR"	"Healthcare Provider"	17914	2014-05-19	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Bloom Health"	"MN"	"Business Associate"	502	2014-05-19	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Email"	TRUE	"\N"
"Elliot Health System"	"NH"	"Healthcare Provider"	1208	2014-05-21	"Theft"	"Desktop Computer"	FALSE	"\N"
"Sutherland Healthcare Solutions, Inc."	"NJ"	"Business Associate"	342197	2014-05-22	"Theft"	"Email, Laptop"	TRUE	"\N"
"Humana Inc [case #15381]"	"KY"	"Health Plan"	2962	2014-05-23	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Jamaica Hospital Medical Center"	"NY"	"Healthcare Provider"	26162	2014-05-23	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"Bay Park Hospital"	"OH"	"Healthcare Provider"	594	2014-05-28	"Unauthorized Access/Disclosure"	"Electronic Medical Record, Network Server"	FALSE	"\N"
"Triple-S Salud "	"PR"	"Health Plan"	56853	2014-05-29	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"NFP Maschino, Hudelson & Associates"	"OK"	"Business Associate"	3814	2014-05-30	"Theft"	"Laptop"	TRUE	"\N"
"Salina Health Education Foundation dba Salina Family Healthcare Center"	"KS"	"Healthcare Provider"	9640	2014-06-05	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Open Cities Health Center "	"MN"	"Healthcare Provider"	1304	2014-06-05	"Other"	"Email"	FALSE	"\N"
"Mark A. Gillispie"	"CA"	"Healthcare Provider"	5845	2014-06-06	"Theft"	"Desktop Computer"	FALSE	"\N"
"Penn State Milton S Hershey Medical Center"	"PA"	"Healthcare Provider"	1801	2014-06-06	"Other"	"Email, Other Portable Electronic Device"	FALSE	"\N"
"Walgreen Co."	"IL"	"Healthcare Provider"	540	2014-06-06	"Theft"	"Desktop Computer, Paper/Films"	FALSE	"\N"
"St. Francis Hospital"	"GA"	"Healthcare Provider"	1175	2014-06-09	"Other"	"Email"	FALSE	"\N"
"Doctors First Choice Billings, Inc"	"FL"	"Business Associate"	9255	2014-06-11	"Theft"	"Other"	TRUE	""
"Doctors First Choice Billings, Inc."	"FL"	"Business Associate"	1831	2014-06-12	"Hacking/IT Incident"	"Other"	TRUE	"\N"
"Santa Rosa Memorial Hospital "	"CA"	"Healthcare Provider"	33702	2014-06-13	"Loss, Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Baylor Medical Center at Carrollton"	"TX"	"Healthcare Provider"	2874	2014-06-13	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Group Health Plan of Hurley Medical Center"	"MI"	"Health Plan"	2289	2014-06-16	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"IHS"	"MD"	"Health Plan"	620	2014-06-19	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"David DiGiallorenzo, D.M.D."	"PA"	"Healthcare Provider"	11000	2014-06-19	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"NRAD Medical Associates, P.C."	"NY"	"Healthcare Provider"	97000	2014-06-20	"Hacking/IT Incident, Unauthorized Access/Disclosure"	"Desktop Computer, Other Portable Electronic Device"	FALSE	"\N"
"NYU Hospitals Center"	"NY"	"Healthcare Provider"	872	2014-06-20	"Theft"	"Laptop"	FALSE	"\N"
"Abrham Tekola, M.D.,INC"	"CA"	"Healthcare Provider"	5471	2014-06-20	"Theft"	"Desktop Computer"	FALSE	""
"Colorado Neurodiagnostics"	"CO"	"Healthcare Provider"	750	2014-06-23	"Theft"	"Laptop"	FALSE	"\N"
"Sloane Stecker Physical Therapy, PC"	"NY"	"Healthcare Provider"	2000	2014-06-24	"Theft"	"Electronic Medical Record"	FALSE	"\N"
"Riverside County Regional Medical Center"	"CA"	"Healthcare Provider"	563	2014-06-24	"Theft"	"Laptop"	FALSE	"\N"
"Rady Children's Hospital - San Diego"	"CA"	"Healthcare Provider"	14121	2014-06-24	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Rady Children's Hospital - San Diego"	"CA"	"Healthcare Provider"	6307	2014-06-25	"Unauthorized Access/Disclosure"	"Email, Other"	FALSE	"\N"
"Alabama Department of Public Health"	"AL"	"Healthcare Provider"	1200	2014-06-26	"Theft"	"Electronic Medical Record"	FALSE	"\N"
"The Union Labor Life Insurance Company"	"MD"	"Healthcare Provider"	42713	2014-06-27	"Theft"	"Laptop"	FALSE	""
"VA Long Beach Healthcare System"	"CA"	"Healthcare Provider"	592	2014-07-04	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"D&J Optical Inc. "	"AL"	"Health Plan"	1100	2014-07-07	"Hacking/IT Incident"	"Desktop Computer"	FALSE	"\N"
"Montana Department of Public Health and Human Services"	"MT"	"Health Plan"	1062509	2014-07-07	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Highmark Inc."	"PA"	"Business Associate"	2589	2014-07-08	"Theft"	"Paper/Films"	TRUE	"Health profile and care summaries and corresponding cover letters were incorrectly mailed to senior members of the covered entity (CE), Highmark Health, and their physicians.  The protected health information involved in the breach included the names, addresses, telephone numbers, dates of birth, unique medical identifiers (UMI), gender, medications, and health information of 2,589 individuals. The CE provided breach notification to HHS, the media, and affected individuals.  Following the breach, the CE issued a new UMI to each member impacted by the incident.  The CE determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee. As a result of OCRs investigation, the CE instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures.  OCR obtained details of the CEs revised policies on its health profiles to assure they include only the minimum necessary information.  "
"Haley Chiropractic Clinic"	"WA"	"Healthcare Provider"	6000	2014-07-08	"Theft"	"Desktop Computer, Laptop"	FALSE	"\N"
"St. Vincent Hospital and Health Care Center, Inc."	"IN"	"Business Associate"	63325	2014-07-09	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"InSync Computer Solutions, Inc."	"AL"	"Business Associate"	50918	2014-07-11	"Other"	"Network Server"	TRUE	"\N"
"Western Regional Center for Brain and Spine Surgery"	"NV"	"Healthcare Provider"	12000	2014-07-12	"Theft"	"Network Server"	FALSE	"\N"
"Indian Health Service"	"SD"	"Health Plan"	620	2014-07-15	"Loss, Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"University of Pennsylvania Health System"	"PA"	"Healthcare Provider"	661	2014-07-16	"Theft"	"Paper/Films"	FALSE	"A bag containing a compact disk - read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE).  The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals.  Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media.  The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules.  As a result of OCRs investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken. 
\
\
\"
"Bay Area Pain Medical Associates "	"CA"	"Healthcare Provider"	2780	2014-07-16	"Theft"	"Desktop Computer"	FALSE	"\N"
"Minneapolis VA Health Care System"	"MN"	"Health Plan"	500	2014-07-17	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"McKesson Business Performance Services"	"NJ"	"Business Associate"	680	2014-07-23	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Xand Corporation"	"NY"	"Business Associate"	3334	2014-07-23	"Other"	"Network Server"	TRUE	"\N"
"Self Regional Healthcare "	"SC"	"Healthcare Provider"	38906	2014-07-25	"Theft"	"Laptop"	FALSE	"\N"
"Urological Associates of Southern Arizona, P.C."	"AZ"	"Healthcare Provider"	3529	2014-07-25	"Improper Disposal"	"Other"	FALSE	"\N"
"Dr. Veronica Joann Barber"	"CA"	"Business Associate"	4000	2014-07-28	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"PRN Medical Services, LLC dba Symbius Medical, LLC"	"AZ"	"Healthcare Provider"	13877	2014-07-29	"Other, Theft, Unauthorized Access/Disclosure"	"Email, Network Server"	FALSE	"\N"
"Midwest Urological Group"	"IL"	"Healthcare Provider"	982	2014-07-30	"Theft"	"Laptop"	FALSE	"\N"
"Rite Aid Store 5256"	"WA"	"Healthcare Provider"	522	2014-07-30	"Theft"	"Paper/Films"	FALSE	"\N"
"StayWell Health Management, LLC"	"MN"	"Business Associate"	4487	2014-07-31	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Cancer Specialists of Tidewater"	"VA"	"Healthcare Provider"	2318	2014-07-31	"Theft, Unauthorized Access/Disclosure, Unknown"	"Electronic Medical Record, Other"	FALSE	"\N"
"MobilexUSA"	"OH"	"Healthcare Provider"	605	2014-08-06	"Loss"	"Paper/Films"	FALSE	"\N"
"Jersey City Medical Center - Barnabas Health"	"NJ"	"Healthcare Provider"	36400	2014-08-07	"Loss"	"Other"	FALSE	"\N"
"Diamond Computing Company"	"GA"	"Business Associate"	7016	2014-08-07	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Central Utah Clinic, P.C."	"UT"	"Healthcare Provider"	31677	2014-08-07	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"PST Services Inc, a McKesson Co."	"GA"	"Business Associate"	10104	2014-08-08	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Onsite Health Diagnostics (OHD)"	"TX"	"Business Associate"	60582	2014-08-08	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"Apple Valley Care Center"	"CA"	"Healthcare Provider"	1251	2014-08-12	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Kaiser Foundation Health Plan of Colorado"	"CO"	"Health Plan"	11551	2014-08-12	"Other, Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"CareAll Management, LLC"	"TN"	"Healthcare Provider"	28300	2014-08-12	"Improper Disposal"	"Other"	FALSE	"\N"
"Iron Mountain Records Management"	"CA"	"Business Associate"	1674	2014-08-13	"Improper Disposal, Loss, Theft"	"Other"	TRUE	"\N"
"24 ON Physicians, PC/In Compass Health,Inc."	"GA"	"Business Associate"	520	2014-08-14	"Hacking/IT Incident, Other"	"Network Server"	TRUE	"\N"
"Iron Mountain Incorporated"	"MA"	"Business Associate"	10000	2014-08-15	"Loss, Theft"	"Paper/Films"	TRUE	"\N"
"Iron Mountain"	"CA"	"Business Associate"	49714	2014-08-15	"Improper Disposal, Loss, Theft"	"Paper/Films"	TRUE	"\N"
"University Health"	"LA"	"Healthcare Provider"	6073	2014-08-15	"Hacking/IT Incident"	"Network Server"	FALSE	"\N"
"Tri-City Medical Center"	"CA"	"Healthcare Provider"	500	2014-08-18	"Theft"	"Paper/Films"	FALSE	"\N"
"Dennis Flynn MD"	"IL"	"Healthcare Provider"	13646	2014-08-19	"Theft"	"Laptop"	FALSE	"\N"
"Community Health Systems Professional Services Corporation"	"TN"	"Business Associate"	4500000	2014-08-20	"Theft"	"Network Server"	TRUE	""
"Oklahoma City Indian Clinic"	"OK"	"Healthcare Provider"	6000	2014-08-22	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Steven A. Goldman, MD Inc."	"OH"	"Healthcare Provider"	6141	2014-08-22	"Theft"	"Network Server"	FALSE	"\N"
"Specialty Clinics Of Georgia - Orthopaedics"	"GA"	"Healthcare Provider"	2350	2014-08-25	"Theft"	"Paper/Films"	FALSE	""
"St. Elizabeth's Medical Center"	"MA"	"Healthcare Provider"	595	2014-08-26	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Aventura Hospital and Medical Center"	"FL"	"Healthcare Provider"	948	2014-08-26	"Theft"	"Desktop Computer"	FALSE	""
"Midwest Womens Healthcare Specialist"	"MO"	"Healthcare Provider"	1376	2014-08-26	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Group Health Incorporated"	"NY"	"Health Plan"	802	2014-08-27	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"The Longstreet Clinic, P. C."	"GA"	"Healthcare Provider"	720	2014-08-28	"Improper Disposal"	"Other"	FALSE	"\N"
"Metropolitan Government of Nashville and Davidson County (Metro) Public Health Department"	"TN"	"Health Plan"	1717	2014-08-29	"Other"	"Other"	FALSE	"\N"
"Duke University Health System"	"NC"	"Healthcare Provider"	10993	2014-08-29	"Theft"	"Other Portable Electronic Device"	FALSE	"\N"
"Memorial Hermann Health System"	"TX"	"Healthcare Provider"	10604	2014-08-29	"Unauthorized Access/Disclosure"	"Desktop Computer"	FALSE	"\N"
"AltaMed Health Services Corporation"	"CA"	"Healthcare Provider"	3206	2014-08-29	"Theft"	"Desktop Computer, Network Server, Paper/Films"	FALSE	"\N"
"Bulloch Pediatric Group, LLC"	"GA"	"Healthcare Provider"	10000	2014-09-04	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Emdeon"	"TN"	"Business Associate"	566	2014-09-04	"Theft"	"Paper/Films"	TRUE	""
"Temple University Physicians"	"PA"	"Healthcare Provider"	3780	2014-09-05	"Theft"	"Desktop Computer"	FALSE	"\N"
"The WellPoint Affiliated Covered Entities  "	"IN"	"Health Plan"	1464	2014-09-08	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Thomas Cristello, Chiropractor PC"	"NY"	"Healthcare Provider"	914	2014-09-09	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"ENT Partners of Texas (legally known as Irving-Coppell Ear, Nose and Throat) "	"TX"	"Healthcare Provider"	789	2014-09-09	"Loss, Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Bon Secours Kentucky"	"KY"	"Healthcare Provider"	697	2014-09-09	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Valesco Ventures"	"FL"	"Business Associate"	82601	2014-09-09	"Theft, Unauthorized Access/Disclosure"	"Electronic Medical Record"	TRUE	"\N"
"Wm. Jennings Bryan Dorn VA Medical Center"	"SC"	"Healthcare Provider"	3637	2014-09-10	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Kmart Corporation"	"IL"	"Healthcare Provider"	1866	2014-09-10	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Xerox State Healthcare, LLC"	"TX"	"Business Associate"	2000000	2014-09-10	"Unauthorized Access/Disclosure"	"Desktop Computer, Email, Laptop, Network Server, Other, Other Portable Electronic Device"	TRUE	"\N"
"Cedars-Sinai Health System"	"CA"	"Healthcare Provider"	33136	2014-09-10	"Theft"	"Laptop"	FALSE	"\N"
"Tampa General Hospital"	"FL"	"Healthcare Provider"	675	2014-09-12	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Santa Fe Medical Group"	"NM"	"Healthcare Provider"	843	2014-09-12	"Theft"	"Other Portable Electronic Device"	FALSE	""
"Emdeon"	"TN"	"Business Associate"	800	2014-09-12	"Theft"	"Paper/Films"	TRUE	""
"South Suburban HIV/AIDS Regional Clinics"	"IL"	"Business Associate"	767	2014-09-17	"Other"	"Email"	TRUE	"\N"
"New Mexico VA Health Care System"	"NM"	"Healthcare Provider"	2657	2014-09-18	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Research Integrity, LLC"	"KY"	"Business Associate"	4077	2014-09-22	"Unauthorized Access/Disclosure"	"Other Portable Electronic Device"	TRUE	"\N"
"Madison Street Provider Network"	"CO"	"Healthcare Provider"	523	2014-09-26	"Theft"	"Laptop"	FALSE	"\N"
"Compassionate Care Hospice of Central Louisiana, LLC"	"LA"	"Healthcare Provider"	707	2014-09-26	"Theft"	"Laptop, Other"	FALSE	"\N"
"American Family Care, Inc."	"AL"	"Healthcare Provider"	2588	2014-09-30	"Theft"	"Laptop"	FALSE	"\N"
"U.S. Health Holdings, Ltd. o/b/o Macomb County, Michigan"	"MI"	"Health Plan"	6302	2014-10-01	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"Mount Sinai Beth Israel"	"NY"	"Healthcare Provider"	10793	2014-10-03	"Theft"	"Laptop"	FALSE	"\N"
"Touchstone Medical Imaging, LLC"	"TN"	"Healthcare Provider"	307528	2014-10-03	"Unauthorized Access/Disclosure"	"Network Server"	FALSE	"\N"
"Albertina Kerr Centers"	"OR"	"Healthcare Provider"	1320	2014-10-06	"Theft"	"Laptop"	FALSE	"\N"
"Vcarve LLC d/b/a MD Manage"	"NJ"	"Business Associate"	585	2014-10-06	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"VARO Healthcare"	"PA"	"Business Associate"	1667	2014-10-07	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"vonica chau DDS PA"	"TX"	"Healthcare Provider"	810	2014-10-08	"Theft"	"Desktop Computer"	FALSE	"\N"
"University of California Davis Medical Center"	"CA"	"Healthcare Provider"	1326	2014-10-08	"Hacking/IT Incident"	"Email"	FALSE	"\N"
"South Texas Veterans Health Care System"	"TX"	"Healthcare Provider"	4000	2014-10-09	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Cone Health Medical Group"	"NC"	"Healthcare Provider"	1872	2014-10-09	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Region Six of the Georgia Department of Behavioral Health and Developmental Disabilities"	"GA"	"Healthcare Provider"	3397	2014-10-09	"Theft"	"Laptop"	FALSE	"\N"
"NYU Urology Associates"	"NY"	"Healthcare Provider"	835	2014-10-10	"Unauthorized Access/Disclosure"	"Other Portable Electronic Device"	FALSE	"\N"
"Health Services Advisory Group, Inc."	"AZ"	"Business Associate"	15380	2014-10-10	"Unauthorized Access/Disclosure"	"Other"	TRUE	"\N"
"M&M Computer Services"	"TX"	"Business Associate"	4500	2014-10-10	"Hacking/IT Incident"	"Network Server"	TRUE	"\N"
"New York City Health & Hospitals Corporation"	"NY"	"Healthcare Provider"	10058	2014-10-10	"Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Southwest Virginia Physicians for Women"	"VA"	"Healthcare Provider"	568	2014-10-10	"Theft, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"City of Dallas Fire-Rescue Department"	"TX"	"Healthcare Provider"	1000	2014-10-15	"Theft"	"Laptop"	FALSE	""
"Graybill Medical Group"	"CA"	"Healthcare Provider"	1863	2014-10-15	"Theft"	"Other"	FALSE	""
"MD Manage (Vcarve LLC)"	"NJ"	"Business Associate"	35357	2014-10-22	"Unauthorized Access/Disclosure"	"Network Server"	TRUE	"\N"
"Seven Counties Services, Inc."	"KY"	"Healthcare Provider"	727	2014-10-22	"Improper Disposal, Unauthorized Access/Disclosure"	"Paper/Films"	FALSE	"\N"
"Nisar A. Quraishi, M.D."	"NY"	"Healthcare Provider"	20000	2014-10-22	"Theft"	"Paper/Films"	FALSE	"\N"
"Multilingual Psychotherapy Centers, Inc"	"FL"	"Healthcare Provider"	3500	2014-10-28	"Theft"	"Network Server"	FALSE	"\N"
"Burlington Northern Santa Fe Group Benefits Plan"	"TX"	"Health Plan"	507	2014-10-28	"Loss"	"Other Portable Electronic Device"	FALSE	"\N"
"Portland VA Medical Center"	"OR"	"Healthcare Provider"	1740	2014-10-29	"Theft"	"Paper/Films"	FALSE	""
"Memorial Healthcare System"	"FL"	"Healthcare Provider"	1782	2014-10-30	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Coordinated Health "	"PA"	"Healthcare Provider"	13907	2014-10-31	"Theft"	"Laptop"	FALSE	"\N"
"Jessie Trice Community Health Center, Inc."	"FL"	"Healthcare Provider"	7888	2014-11-03	"Theft"	"Desktop Computer, Network Server"	FALSE	"\N"
"Central Dermatology Center, P.A."	"NC"	"Healthcare Provider"	76258	2014-11-07	"Theft"	"Network Server"	FALSE	""
"Weill Cornell Medical College"	"NY"	"Healthcare Provider"	3936	2014-11-07	"Theft"	"Electronic Medical Record, Laptop"	FALSE	""
"Visionworks Inc."	"TX"	"Health Plan"	74944	2014-11-10	"Loss"	"Network Server"	FALSE	"\N"
"Loi Luu"	"CA"	"Healthcare Provider"	13177	2014-11-14	"Theft"	"Network Server"	FALSE	"\N"
"Iron Mountain"	"CA"	"Business Associate"	2691	2014-11-14	"Theft"	"Paper/Films"	TRUE	"\N"
"Colorado River Indian Tribes"	"AZ"	"Healthcare Provider"	1296	2014-11-14	"Other"	"Email"	FALSE	"\N"
"REEVE-WOODS EYE CENTER"	"CA"	"Healthcare Provider"	30000	2014-11-15	"Theft"	"Network Server"	FALSE	""
"Brigham and Women's Hospital"	"MA"	"Healthcare Provider"	999	2014-11-17	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	"\N"
"Kirkbride Center"	"PA"	"Healthcare Provider"	860	2014-11-19	"Theft"	"Paper/Films"	FALSE	"\N"
"MetroPlus Health Plan, Inc."	"NY"	"Health Plan"	31980	2014-11-20	"Other"	"Email"	FALSE	"\N"
"Baptist Primary Care, Inc."	"FL"	"Healthcare Provider"	1449	2014-11-20	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	"\N"
"Visionworks Inc."	"TX"	"Health Plan"	47683	2014-11-21	"Theft"	"Network Server"	FALSE	""
"True Vision Eyecare"	"OH"	"Healthcare Provider"	542	2014-11-21	"Theft"	"Laptop"	FALSE	"\N"
"AdminisTEP"	"TX"	"Business Associate"	4469	2014-11-25	"Unauthorized Access/Disclosure"	"Paper/Films"	TRUE	"\N"
"Northfield Hospital & Clinics"	"MN"	"Healthcare Provider"	1778	2014-11-25	"Improper Disposal"	"Paper/Films"	FALSE	"\N"
"Computer Programs and Systems, Inc. "	"AL"	"Business Associate"	25764	2014-11-26	"Theft"	"Network Server"	TRUE	""
"North Big Horn Hospital"	"WY"	"Healthcare Provider"	1607	2014-12-01	"Loss"	"Paper/Films"	FALSE	"\N"
"The Hearing Zone"	"UT"	"Healthcare Provider"	623	2014-12-05	"Theft"	"Laptop"	FALSE	"\N"
"Florida Department of Health"	"FL"	"Healthcare Provider"	2477	2014-12-08	"Other"	"Email"	FALSE	"\N"
"ReachOut Home Care [Case #16687]"	"KY"	"Healthcare Provider"	4500	2014-12-09	"Theft"	"Laptop"	FALSE	""
"Sony Pictures Entertainment Health and Welfare Benefits Plan (the Plan)"	"CA"	"Health Plan"	30000	2014-12-12	"Hacking/IT Incident"	"Desktop Computer, Laptop, Network Server"	FALSE	"\N"
"District Medical Group"	"AZ"	"Healthcare Provider"	616	2014-12-12	"Unauthorized Access/Disclosure"	"Other Portable Electronic Device"	FALSE	"\N"
"Clay County Hospital"	"IL"	"Healthcare Provider"	12621	2014-12-12	"Unauthorized Access/Disclosure"	"Other"	FALSE	"\N"
"St. Mary Mercy Hospital"	"MI"	"Healthcare Provider"	1488	2014-12-12	"Unauthorized Access/Disclosure"	"Email"	FALSE	"\N"
"Walgreen Co."	"IL"	"Healthcare Provider"	160000	2014-12-15	"Other"	"Paper/Films"	FALSE	"\N"
"mdINR LLC"	"FL"	"Healthcare Provider"	1859	2015-01-05	"Unauthorized Access/Disclosure"	"Email"	FALSE	""
"VA Corporate Data Center Operations/Austin Information Technology Center "	"TX"	"Healthcare Provider"	7029	2015-01-07	"Hacking/IT Incident"	"Network Server"	FALSE	""
"Saint Louis County Department of Health"	"MO"	"Healthcare Provider"	4000	2015-01-07	"Unauthorized Access/Disclosure"	"Email, Network Server"	FALSE	""
"Aspire Indiana, Inc."	"IN"	"Healthcare Provider"	43890	2015-01-07	"Theft"	"Laptop"	FALSE	""
"Inland Empire Health Plan (IEHP)"	"CA"	"Health Plan"	1030	2015-01-12	"Theft"	"Desktop Computer"	FALSE	""
"Tennessee Rural Health Improvement Association"	"TN"	"Health Plan"	79000	2015-01-13	"Unauthorized Access/Disclosure"	"Other"	FALSE	""
"National Pain Institute"	"FL"	"Healthcare Provider"	500	2015-01-15	"Improper Disposal"	"Desktop Computer, Laptop"	FALSE	""
"Rainier Surgical, Incorporated"	"TX"	"Healthcare Provider"	4920	2015-01-16	"Theft"	"Paper/Films"	FALSE	""
"St. Peter's Health Partners"	"NY"	"Healthcare Provider"	5117	2015-01-23	"Theft"	"Other Portable Electronic Device"	FALSE	""
"Ronald D. Garrett-Roe, MD"	"TX"	"Healthcare Provider"	1600	2015-01-23	"Hacking/IT Incident"	"Desktop Computer"	FALSE	""
"California Pacific Medical Center "	"CA"	"Healthcare Provider"	845	2015-01-23	"Unauthorized Access/Disclosure"	"Electronic Medical Record"	FALSE	""
"Diana S. Guth DBA Home Respiratory Care"	"CA"	"Healthcare Provider"	1285	2015-01-28	"Unauthorized Access/Disclosure"	"Email"	FALSE	""
"David E. Hansen DDS PS "	"WA"	"Healthcare Provider"	2000	2015-01-29	"Theft"	"Other Portable Electronic Device, Paper/Films"	FALSE	""
"Riverside County Regional Medical Center"	"CA"	"Healthcare Provider"	7925	2015-01-29	"Theft"	"Laptop"	FALSE	""
"North Dallas Urogynecology, PLLC."	"TX"	"Healthcare Provider"	678	2015-01-29	"Theft"	"Laptop"	FALSE	""
"UMass Memorial Medical Group, Inc."	"MA"	"Healthcare Provider"	14100	2015-01-30	"Theft"	"Other"	FALSE	""
"Boston Baskin Cancer Foundation"	"TN"	"Healthcare Provider"	56694	2015-02-02	"Theft"	"Other Portable Electronic Device"	FALSE	""
"South Sunflower County Hospital"	"MS"	"Healthcare Provider"	19000	2015-02-04	"Improper Disposal"	"Paper/Films"	FALSE	""
"Planned Parenthood Southwest Ohio"	"OH"	"Healthcare Provider"	5000	2015-02-05	"Improper Disposal"	"Paper/Films"	FALSE	""
"Senior Health Partners, a Healthfirst company"	"NY"	"Health Plan"	2772	2015-02-06	"Theft"	"Laptop, Other Portable Electronic Device"	FALSE	""
"Tomas, Arturo"	"IL"	"Business Associate"	680	2015-02-09	"Loss"	"Paper/Films"	TRUE	""
"Pathway to Hope"	"FL"	"Healthcare Provider"	600	2015-02-12	"Unauthorized Access/Disclosure"	"Email"	FALSE	""
"Hunt Regional Medical Partners"	"TX"	"Healthcare Provider"	3000	2015-02-18	"Unauthorized Access/Disclosure"	"Other"	FALSE	""
"Marketing Clique"	"TX"	"Health Plan"	8700	2015-02-20	"Unauthorized Access/Disclosure"	"Other"	FALSE	""
"Raymond Mark Turner, M.D."	"NV"	"Healthcare Provider"	2153	2015-02-26	"Theft"	"Laptop"	FALSE	""