"Number" "Name_of_Covered_Entity" "State" "Business_Associate_Involved" "Individuals_Affected" "Date_of_Breach" "Type_of_Breach" "Location_of_Breached_Information" "Date_Posted_or_Updated" "Summary" "breach_start" "breach_end" "year"
0 "Brooke Army Medical Center" "TX" "" 1000 "10/16/2009" "Theft" "Paper" 2014-06-30 "A binder containing the protected health information (PHI) of up to 1,272 individuals was stolen from a staff member's vehicle. The PHI included names, telephone numbers, detailed treatment notes, and possibly social security numbers. In response to the breach, the covered entity (CE) sanctioned the workforce member and developed a new policy requiring on-call staff members to submit any information created during their shifts to the main office instead of adding it to the binder. Following OCR's investigation, the CE notified the local media about the breach." 2009-10-16 NA 2009
1 "Mid America Kidney Stone Association, LLC" "MO" "" 1000 "9/22/2009" "Theft" "Network Server" 2014-05-30 "Five desktop computers containing unencrypted electronic protected health information (e-PHI) were stolen from the covered entity (CE). Originally, the CE reported that over 500 persons were involved, but subsequent investigation showed that about 260 persons were involved. The ePHI included demographic and financial information. The CE provided breach notification to affected individuals and HHS. Following the breach, the CE improved physical security by installing motion detectors and alarm systems security monitoring. It improved technical safeguards by installing enhanced antivirus and encryption software. As a result of OCR's investigation the CE updated its computer password policy. " 2009-09-22 NA 2009
2 "Alaska Department of Health and Social Services" "AK" "" 501 "10/12/2009" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2009-10-12 NA 2009
3 "Health Services for Children with Special Needs, Inc." "DC" "" 3800 "10/9/2009" "Loss" "Laptop" 2014-01-23 "A laptop was lost by an employee while in transit on public transportation. The computer contained the protected health information of 3800 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity has installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and updated it risk assessment. In addition, all employees received additional security training. " 2009-10-09 NA 2009
4 "L. Douglas Carlson, M.D." "CA" "" 5257 "9/27/2009" "Theft" "Desktop Computer" 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,257 individuals who were patients of the CE. The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the covered entity notified all 5,257 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules. " 2009-09-27 NA 2009
5 "David I. Cohen, MD" "CA" "" 857 "9/27/2009" "Theft" "Desktop Computer" 2014-01-23 "A shared Computer that was used for backup was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite was unlocked and perhaps ajar. The Computer contained certain electronic protected health information (ePHI) of 857 patients. The ePHI involved in the breach included names, dates of birth, and clinical information. Following the breach, the covered entity notified all affected individuals and the media, added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer, added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet, and added administrative safeguards by requiring annual refresher retraining staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27 NA 2009
6 "Michele Del Vicario, MD" "CA" "" 6145 "9/27/2009" "Theft" "Desktop Computer" 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 6,145 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 6,145 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27 NA 2009
7 "Joseph F. Lopez, MD" "CA" "" 952 "9/27/2009" "Theft" "Desktop Computer" 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09. The Computer contained certain electronic protected health information (ePHI) of 952 patients. Following the breach, the covered entity notified all 952 affected individuals and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of staff for Privacy and Security Rules. " 2009-09-27 NA 2009
8 "Mark D. Lurie, MD" "CA" "" 5166 "9/27/2009" "Theft" "Desktop Computer" 2014-01-23 "A shared Computer that was used for backup was stolen on 9/27/09 from the reception desk area of the covered entity. The Computer contained certain electronic protected health information (ePHI) of 5,166 individuals who were patients of the CE, The ePHI involved in the breach included names, dates of birth, and clinical information, but there were no social security numbers, financial information, addresses, phone numbers, or other ePHI in any of the reports on the disks or the hard drive on the stolen Computer. Following the breach, the CE: notified all 5,166 affected indiv's and the appropriate media; added technical safeguards of encryption for all ePHI stored on the USB flash drive or the CD used on the replacement computer; all passwords are strong; all computers are password protected; added physical safeguards by keeping new portable devices locked when not in use in a secure combination safe in doctor's private office or in a secure filing cabinet; and added administrative safeguards by requiring annual refresher retraining of CE staff for Privacy and Security Rules as well as requiring immediate retraining of cleaning staff in both Rules, which has already taken place. " 2009-09-27 NA 2009
9 "City of Hope National Medical Center" "CA" "" 5900 "9/27/2009" "Theft" "Laptop" 2014-01-23 "A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5,900 individuals. Following the breach, the covered entity encrypted all protected health information stored on lap tops. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and retraining employees. " 2009-09-27 NA 2009
10 "The Children's Hospital of Philadelphia" "PA" "" 943 "10/20/2009" "Theft" "Laptop" 2014-01-23 "" 2009-10-20 NA 2009
11 "Cogent Healthcare of Wisconsin, S.C." "TN" "" 6400 "10/11/2009" "Theft" "Laptop" 2014-04-23 "A laptop was stolen from a locked office at the Aurora St. Lukes Medical Center. The laptop contained protected health information pertaining to 6,400 individuals. The information included patient names, dates of birth, social security numbers, medical record numbers, and in some cases diagnosis codes. In response to the theft, the hospital implemented several corrective action measures, including accelerated efforts to encrypt all laptop hard drives, improved physical locks on the office where the theft occurred, staff training regarding the appropriate use and storage of devices containing ePHI, and encryption of portable flash drives and Blackberry devices." 2009-10-11 NA 2009
12 "Universal American" "NY" "Democracy Data & Communications, LLC (" 83000 "11/12/2009" "Other" "Paper" 2014-01-23 "In its breach report and during the course of OCR's investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled 'Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form' that centralized all data requests through a 'Team Track' which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. " 2009-11-12 NA 2009
13 "Kern Medical Center" "CA" "" 596 "10/31/2009" "Theft" "Other" 2014-01-23 "" 2009-10-31 NA 2009
14 "Keith W. Mann, DDS, PLLC" "NC" "Rick Lawson, Professional Computer Services" 2000 "12/8/2009" "Hacking/IT Incident" "Desktop Computer, Network Server, Electronic Medical Record" 2014-01-23 "" 2009-12-08 NA 2009
15 "Detroit Department of Health and Wellness Promotion" "MI" "" 10000 "10/22/2009" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2009-10-22 NA 2009
16 "Detroit Department of Health and Wellness Promotion" "MI" "" 646 "11/26/2009" "Theft" "Laptop, Desktop Computer" 2014-01-23 "A desktop and four laptop computers were stolen from the covered entity's locked facility. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, types of services received, and Medicare/Medicaid numbers.Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. The covered entity now stores billing information in its patient management system, and it ensured that no electronic protected health information was stored locally. Additionally, OCR's investigation resulted in the covered entity providing training to workforce members regarding the incident " 2009-11-26 NA 2009
17 "University of California, San Francisco" "CA" "" 610 "9/22/2009" "Other" "E-mail" 2014-01-23 "" 2009-09-22 NA 2009
18 "Daniel J. Sigman MD PC" "MA" "" 1860 "12/11/2009" "Theft" "Other Portable Electronic Device, Other, Electronic Medical Record" 2014-01-23 "Computer backup tapes containing EPHI for the office practice management program including electronic medical records were stolen from the home of the practice manager on December 11, 2009. The breach affected approximately 1,860 patients. The protected health information on the tapes contained patients' names, addresses, telephone numbers, dates of birth, insurance information, social security numbers and medical record information. Following the breach, Sigman took the following voluntary corrective actions: (1) upgraded software application for backup security; implemented a new external backup system in case the server goes down; (2) encryption software was implemented for data contained on both its backup tapes and network storage device; (3) revised its security policy for transporting backup media; backup tapes must now be stored in a lockbox within a locked office in its facility; the revised policy also prohibits the movement of backup tapes from the facility as well as restricts access to the tapes to designated workforce; (4) employees were retrained on the policies and procedures in place and received training on the new policies and procedures for safeguarding backup tapes; (5) notified affected individuals and the media. " 2009-12-11 NA 2009
19 "Massachusetts Eye and Ear Infirmary" "MA" "" 1076 "11/10/2009" "Theft" "Other" 2014-01-23 "" 2009-11-10 NA 2009
20 "BlueCross BlueShield Association" "DC" "Service Benefits Plan Administrative Services Corp" 3400 "10/26/2009" "Theft" "Paper" 2014-06-30 "The covered entity's (CE) business associate (BA) incorrectly updated contract holders' addresses and mailed protected health information (PHI) to the wrong address of approximately 3,400 individuals. The PHI involved included demographic information, explanations of benefits, clinical information, and diagnoses. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. Upon discovery of the breach, the CE obtained assurances that the BA took steps to enforce the requirements of the BA agreement. Specifically, the BA updated its processes and created an incident tracking report. In addition, a contract was executed for a new vendor to handle mail address verification. Following OCR's investigation, the BA improved its code review process to catch the system error that caused this incident and instituted a manual quality review process. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2009-10-26 NA 2009
21 "BlueCross BlueShield Association" "DC" "Merkle Direct Marketing" 15000 "10/7/2009" "Theft" "Paper" 2014-04-24 "The covered entity's (CE) business associate (BA) mailed protected health information (PHI) of approximately 15,000 individuals to incorrect addresses due to an error in its quarterly address update process. The mailing contained demographic information, explanations of benefits, clinical information, and diagnoses. Upon discovery of the breach, the CE collected the returned mail and verified that it had not been delivered, and updated its HIPAA policies and procedures. Following OCR's investigation, the CE was able to recover all or nearly all of the misdirected envelopes. " 2009-10-07 NA 2009
22 "Kaiser Permanente Medical Care Program" "CA" "" 15500 "12/1/2009" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2009-12-01 NA 2009
23 "Blue Island Radiology Consultants" "IL" "United Micro Data" 2562 "12/9/2009" "Theft" "Other" 2014-06-30 "The covered entity's (CE's) business associate (BA) mailed a package to the CE that was supposed to contain a backup data tape and compact disc containing protected health information (PHI); however, the tape was not in the package when delivered. Approximately 2,000 individuals were affected by the breach. The PHI included demographic, financial, and clinical information. The CE provided breach notification to affected individuals, HHS, and the media. Following the breach, the CE revised its procedures for back up data storage instead of sending tapes via the mail. Following OCR's investigation, the CE continued to reevaluate ways to enhance administrative, physical, and technical safeguards. " 2009-12-09 NA 2009
24 "Goodwill Industries of Greater Grand Rapids, Inc." "MI" "" 10000 "12/15/2009" "Theft" "Other" 2014-01-23 "On December 15, 2009, a safe was stolen from Goodwill's off-site facility, which contained five unencrypted back-up tapes. The breach affected approximately 10,000 individuals. The protected health information involved in the breach included full names, addresses, dates of birth, reasons for referral, dates of service, miscellaneous demographics, and, in some cases, Social Security numbers. The covered entity moved the off-site storage of back-up tapes to a new site controlled by Goodwill. The tapes are now kept in a commercial grade safe with a combination lock. The actions taken by Goodwill prior to OCR's formal investigation brought the covered entity into compliance. " 2009-12-15 NA 2009
25 "Children's Medical Center of Dallas" "TX" "" 3800 "11/19/2009" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2009-11-19 NA 2009
26 "Concentra" "TX" "" 900 "11/19/2009" "Theft" "Laptop" 2014-01-23 "" 2009-11-19 NA 2009
27 "Ashley and Gray DDS" "MO" "" 9309 "1/10/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-01-10 NA 2010
28 "Advocate Health Care" "IL" "" 812 "11/24/2009" "Theft" "Laptop" 2014-01-23 "On November 24, 2009, an Advocate nurse's laptop computer was stolen. The missing laptop computer contained the protected health information of approximately 812 individuals. The protected health information involved in the breach included name, address, dates of birth, social security numbers, insurance information, medication, and diagnoses. Following the breach, Advocate specifically addressed mobile device security and accepted use. Additionally, OCR's investigation resulted in Advocate workforce members that use mobile devices are now required to fill out and submit an acknowledgment form that establish proper administrative, technical, and physical security safeguards. " 2009-11-24 NA 2009
29 "The Methodist Hospital" "TX" "" 689 "1/18/2010" "Theft" "Other" 2014-01-23 "An unencrypted laptop computer was stolen from the covered entity's unlocked testing office. The laptop computer contained the protected health information of approximately 689 individuals. The protected health information involved in the breach included names, dates of birth, Social Security numbers, and the age, gender, race, and medication information of affected individuals. Following the breach, the covered entity restricted the storage of electronic protected health information to network drives. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. " 2010-01-18 NA 2010
30 "University of California, San Francisco" "CA" "" 7300 "11/30/2009" "Theft" "Laptop" 2014-01-23 "" 2009-11-30 NA 2009
31 "Carle Clinic Association" "IL" "" 1300 "1/13/2010" "Theft" "Other, Paper" 2014-01-23 "" 2010-01-13 NA 2010
32 "Educators Mutual Insurance Association of Utah " "UT" "Health Behavior Innovations (HBI)" 5700 "12/27/2009" "Theft" "Other" 2014-01-23 "" 2009-12-27 NA 2009
33 "University Medical Center of Southern Nevada" "NV" "" 5103 "10/31/2009" "Theft" "Paper" 2014-01-23 "Between the dates of July 31, 2009 and November 19, 2009, a former UMC volunteer faxed patient face sheets to an attorney who used the sheets to contact prospective clients. Although UMC only had proof of two disclosures, it chose to notify all 5,301 individuals that could have been affected by the breach. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, and diagnoses. Following the breach, UMC conducted an internal investigation, notified all 5,301 individuals, notified the media, and notified the Secretary. Additionally, UMC reformulated face sheets so that they no longer include full social security numbers and provided all possible affected individuals with a year of free credit monitoring. As a result of this breach, at least one person has been indicted on one count of conspiracy to illegally disclose personal health information in violation of the HIPAA " 2009-10-31 NA 2009
34 "Center for Neurosciences" "AZ" "" 1100 "12/15/2009" "Theft" "Laptop" 2014-01-23 "" 2009-12-15 NA 2009
35 "Brown University" "RI" "Blue Cross Blue Shield of RI" 528 "12/11/2009" "Other" "Paper" 2014-01-23 "On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected members' claim history to ensure no fraud. " 2009-12-11 NA 2009
36 "MMM Heath Care Inc. " "PR" "MSO of Puerto Rico, Inc. " 1907 "2/4/2010" "Theft" "Paper" 2014-06-03 "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 1,907 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. " 2010-02-04 NA 2010
37 "PMC Medicare Choice" "PR" "MSO of Puerto Rico" 605 "2/4/2010" "Theft" "Paper" 2014-06-03 "The covered entity's (CE) business associate (BA) erroneously merged two lists which led to the disclosure of protected health information (PHI) of 605 individuals. The PHI included names, internal identification numbers, and the number of emergency room visits. Upon discovery of the breach, the CE's BA established a quality control process in order to ensure adequate safeguards for that letters that are sent by mail. As a result of OCR's investigation, the CE created and implemented additional policies and procedures for quality control of mailings. The CE also provided training to all staff on its revised privacy and security policies and procedures. " 2010-02-04 NA 2010
38 "Cardiology Consultants/Baptist Health Care Corporation" "FL" "" 8000 "12/19/2009" "Theft" "Desktop Computer" 2014-06-30 "A desktop computer that contained the e-PHI of approximately 8,000 individuals was stolen from the covered entity's (CE) locked medical suite. The PHI involved in the breach included names, dates of birth, medical record numbers, ultrasound information, exam dates, and reasons for the ultrasound. The computer that was stolen used proprietary software and a special electronic key to access the PHI. The CE provided breach notification to affected individuals, HHS, and the media and posted substitute notification on its website. Following the breach, the CE worked with law enforcement to identify the possible suspect. The CE upgraded its facility access controls to include proximity card readers for every location that stores PHI. As a result of OCR's investigation the CE updated its risk analysis and carried out additional risk management activities. " 2009-12-19 NA 2009
39 "State of TN, Bureau of TennCare" "TN" "" 3900 "12/23/2009" "Theft" "Paper" 2014-06-24 "The covered entity (CE) mailed the wrong information to 3,900 individuals based on a corrupted data file it received from a state agency. The types of PHI involved were names, dates of birth, social security numbers, member identification numbers, and in some cases, diagnoses, treatments, conditions, and medications. Following the breach, the CE immediately fixed the corrupted file and mailed corrected letters. The CE provided breach notification to HHS, the media, and affected individuals and provided substitute notification by posting on its website. It also offered affected individuals one year of free credit monitoring and comprehensive credit services. The CE also worked with the state agency to implement a new procedure to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. " 2009-12-23 NA 2009
40 "Lucille Packard Children's Hospital" "CA" "" 532 "1/11/2010" "Other" "Desktop Computer" 2014-01-23 "" 2010-01-11 NA 2010
41 "University of New Mexico Health Sciences Center" "NM" "" 1900 "2/8/2010" "Other" "Desktop Computer" 2014-01-23 "" 2010-02-08 NA 2010
42 "Advanced NeuroSpinal Care" "CA" "" 3500 "12/30/2009" "Theft" "Network Server" 2014-04-22 "A computer containing the electronic protected health information (ePHI) of 3,500 individuals was stolen from the office of a covered entity (CE). The ePHI included patient names, addresses, dates of birth, social security numbers, driver's licenses, claims information, diagnoses, and conditions. As a result of the loss, the CE upgraded the alarm system and replaced the server housing and storage security lock-up. The CE also notified affected individuals, the media, appropriate government agencies, and law enforcement. In addition, the CE established an office-based hotline to assist affected individuals. As a result of OCR's investigation, the CE has implemented regularly scheduled security risk analyses and has installed window bars, roll down shutters, four video surveillance cameras, and other physical security measures to prevent theft." 2009-12-30 NA 2009
43 "Aspen Dental Care P.C." "CO" "" 2500 "10/4/2009" "Theft" "Other" 2014-06-30 "A computer hard drive containing encrypted patient records was stolen from the covered entity's (CE) safe. The hard drive contained clinical and demographic information of approximately 2,500 patients. Following the breach, the CE provided additional training to its staff. OCR obtained assurances that the CE implemented the corrective action listed above. " 2009-10-04 NA 2009
44 "Shands at UF" "FL" "" 12580 "1/27/2010" "Theft" "Laptop" 2014-01-23 "A laptop containing certain information collected on approximately 12,580 individuals referred to Shands at UF GI Clinical Services was stolen from the private residence of an employee. The stolen information included patient names, social security numbers, and medical record numbers. As a result of the incident, the employee was counseled by her supervisor, issued written corrective action with a 3-day suspension, and provided additional HIPAA training. OCR reviewed Shands at UF's most recent Risk Analysis and Risk Management Plans and they revealed no high risk findings related to encryption, workstation use, or physical security. OCR's investigation found that Shands at UF has implemented appropriate technical safeguards, such as secure VPN network connections and network storage for workforce usage, encrypted USB portable flash drives, and PGP whole disk encryption. " 2010-01-27 NA 2010
45 "Wyoming Department of Health" "WY" "" 9023 "12/2/2009" "Unauthorized Access/Disclosure " "Network Server" 2014-01-23 "" 2009-12-02 NA 2009
46 "Thrivent Financial for Lutherans" "WI" "" 9500 "1/29/2010" "Theft" "Laptop" 2014-01-23 "On January 29, 2010, there was a break-in at one of the Thrivent's offices and five laptop computers were stolen; four of the five laptops were recovered. The missing laptop computer contained the protected health information of approximately 9,400 individuals. The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR's formal investigation brought the CE into compliance. " 2010-01-29 NA 2010
47 "North Carolina Baptist Hospital" "NC" "" 554 "2/15/2010" "Theft" "Paper" 2014-01-23 "" 2010-02-15 NA 2010
48 "Montefiore Medical Center" "NY" "" 625 "2/20/2010" "Theft" "Laptop" 2014-06-03 "An unencrypted laptop computer containing the electronic protected health information (ePHI) of 625 individuals was stolen from the covered entity's (CE) mobile dental van. The ePHI included names, dates of birth, medical record numbers and dental x-rays. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the CE revised its procedures so that all ePHI is stored in a data center, rather than the mobile dental van laptop. In addition, the CE encrypted all mobile dental van laptops and improved physical security for the van. The CE developed a new policy on ePHI security and retrained all staff. OCR obtained assurances that the CE implemented the corrective action listed above." 2010-02-20 NA 2010
49 "Ernest T. Bice, Jr. DDS, P.A." "TX" "" 21000 "2/20/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "Three unencrypted external back-up drives were stolen from a safe in the covered entity's locked office. The laptop computer contained the protected health information of approximately 21,000 individuals. The protected health information involved in the breach included names, addresses phone numbers, dates of birth, social security numbers, insurance information, and treatment histories. Following the breach, the covered entity moved back-up data offsite and encrypted all workstations. Additionally, OCR's investigation resulted in the covered entity improving their physical safeguards and in retraining employees. " 2010-02-20 NA 2010
50 "Lee Memorial Health System" "FL" "" 3800 "1/29/2010" "Other" "Paper" 2014-01-23 "The covered entity sent postcards to approximately 3,800 patients, which listed the patients' demographic information, and a statement that read, 'Your Physician Has Moved,' with a name and description of the practice, Infectious Disease Specialist. The types of PHI involved were demographic and clinical information. Voluntary actions taken prior to OCR's investigation include the issuance of sanctions and review of policies and procedures. " 2010-01-29 NA 2010
51 "Laboratory Corporation of America/Dynacare Northwest, Inc." "WA" "" 5080 "2/12/2010" "Theft" "Laptop" 2014-01-23 "A laptop computer was stolen from a workforce member's car. The laptop computer contained the protected health information of approximately 5080 individuals. The protected health information involved in the breach included names, addresses, dates of birth, Social Security numbers, and lab results. Following the breach, the covered entity encrypted all laptop computers. " 2010-02-12 NA 2010
52 "Mount Sinai Medical Center" "FL" "" 2600 "3/9/2010" "Theft" "Laptop" 2014-01-23 "" 2010-03-09 NA 2010
53 "Griffin Hospital" "CT" "" 957 "2/4/2010" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2010-02-04 NA 2010
54 "Hypertension, Nephrology, Dialysis and Transplantation, PC" "AL" "" 2465 "3/6/2010" "Theft" "Laptop" 2014-01-23 "" 2010-03-06 NA 2010
55 "Reliant Rehabilitation Hospital North Houston" "TX" "Computer Program and Systems, Inc. (CPSI)" 768 "2/9/2010" "Unauthorized Access/Disclosure " "E-mail" 2014-01-23 "" 2010-02-09 NA 2010
56 "Laboratory Corporation of America / US LABS / Dianon Systems, Inc" "AZ" "" 2773 "2/18/2010" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2010-02-18 NA 2010
57 "University of Pittsburgh Student Health Center" "PA" "" 8000 "3/11/2010" "Theft, Loss" "Paper" 2014-01-23 "" 2010-03-11 NA 2010
58 "Providence Hospital" "MI" "" 83945 "2/4/2010" "Other" "Other" 2014-01-23 "" 2010-02-04 NA 2010
59 "VHS Genesis Lab Inc. " "IL" "" 6800 "1/10/2010" "Loss" "Paper" 2014-01-23 "" 2010-01-10 NA 2010
60 "John Muir Physician Network" "CA" "" 5450 "2/4/2010" "Theft" "Laptop" 2014-01-23 "" 2010-02-04 NA 2010
61 "Beatrice Community Hospital and Health Center" "NE" "McKesson Information Solutions, LLC" 660 "3/19/2010" "Other" "Paper" 2014-01-23 "" 2010-03-19 NA 2010
62 "Pediatric Sports and Spine Associates" "TX" "" 955 "2/10/2010" "Theft" "Laptop" 2014-01-23 "An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the protected health information of approximately 955 individuals. The protected health information involved in the breach included names, addresses, dates of birth, social security numbers, diagnoses, medications and other treatment information. Following the discovery of the breach, the covered entity revised policies, retrained staff and implemented additional physical and technical safeguards including encryption software. The covered entity also removed the stolen laptop's access to the server, sanctioned the involved employee, notified the affected individuals and notified the local media. " 2010-02-10 NA 2010
63 "Affinity Health Plan, Inc." "NY" "" 344579 "11/24/2009" "Theft" "Other" 2014-05-28 "" 2009-11-24 NA 2009
64 "Tomah Memorial Hospital" "WI" "" 600 "3/19/2010" "Other" "Other" 2014-01-23 "" 2010-03-19 NA 2010
65 "Praxair Healthcare Services, Inc. (Home Care Supply in NY)" "CT" "" 54165 "2/18/2010" "Theft" "Laptop" 2014-01-23 "A laptop computer was stolen from the covered entity's office by a former employee after it had been damaged. The laptop computer contained the PHI of approximately 54,165 individuals. The computer contained a limited amount of PHI, including client names and one or more of the following: addresses, phone numbers, social security numbers, insurance provider names and policy numbers, medical diagnostic codes or medical equipment. Following the breach, the covered entity notified all affected individuals, the media, and HHS of the breach. Additionally, the covered entity completed its laptop encryption project to cover all PHI stored on computers in the office. Additionally, OCR's investigation resulted in the covered entity reinforcing the requirements of HIPAA to its employees. " 2010-02-18 NA 2010
66 "Massachusetts Eye and Ear Infirmary" "MA" "" 3594 "2/19/2010" "Theft" "Laptop" 2014-01-23 "" 2010-02-19 NA 2010
67 "Blue Cross & Blue Shield of Rhode Island" "RI" "" 12000 "12/20/2009" "Theft" "Paper" 2014-06-30 "A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included members' names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above. 
" 2009-12-20 NA 2009 68 "South Carolina Department of Health and Environmental Control" "SC" "" 2850 "2/17/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-02-17 NA 2010 69 "St. Joseph Heritage Healthcare" "CA" "" 22012 "3/6/2010" "Theft" "Desktop Computer" 2014-01-23 "22 computers were stolen from Clinical Management Service office. Five of the stolen computers contained the protected health information of approximately 22,012 individuals. The protected health information involved in the breach included name, date of birth, social security number, referral number, encounter number, facility, member ID, diagnosis, procedure, and/or diagnosis code. As a result of this incident, St. Joseph notified the potentially affected individuals, notified the local media, installed security cameras, re-trained employees, and installed encryption software on all laptops and computers enterprise-wide. OCR's investigation resulted in the covered entity improving their physical and technological safeguards and retraining employees. " 2010-03-06 NA 2010 70 "Medical Center At Bowling Green" "KY" "" 5148 "3/24/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-03-24 NA 2010 71 "GENERAL AGENCIES WELFARE BENEFITS PROGRAM" "TN" "TOWERS WATSON" 1874 "2/5/2010" "Loss" "Other" 2014-01-23 "" 2010-02-05 NA 2010 72 "UnitedHealth Group health plan single affiliated covered entity" "MN" "" 735 "3/2/2010" "Theft" "Other, Paper" 2014-01-23 "" 2010-03-02 NA 2010 73 "South Texas Veterans Health Care System" "TX" "" 1430 "9/30/2009" "Loss, Improper Disposal" "Paper" 2014-01-23 "" 2009-09-30 NA 2009 74 "Rockbridge Area Community Services" "VA" "" 500 "3/12/2010" "Theft" "Laptop, Desktop Computer" 2014-01-23 "" 2010-03-12 NA 2010 75 "Emergency Healthcare Physicians, Ltd." "IL" "Millennium Medical Management Resources, Inc." 
180111 "2/27/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-02-27 NA 2010 76 "VA Eastern Colorado Health Care System" "CO" "" 649 "1/19/2010" "Theft" "Paper" 2014-06-19 "A covered entity's (CE's) employee placed paper records containing protected health information (PHI) in an unsecured box that was left undiscovered in a public parking garage for four days. The box contained the PHI of 649 patients. The PHI included treatment records, productivity reports, coding information, names, medical treatments, conditions, diagnoses, and social security numbers. Upon discovery of the breach, the CE notified the affected individuals and provided credit protection to those whose social security numbers had been breached. The CE provided OCR with copies of its breach prevention policies and procedures. Following OCR's investigation, the employee who left the records resigned from her position and the CE improved its breach response procedures. " 2010-01-19 NA 2010 77 "Miami VA Healthcare System" "FL" "" 568 "1/19/2010" "Loss" "Paper" 2014-01-23 "" 2010-01-19 NA 2010 78 "Heriberto Rodriguez-Ayala, M.D." "TX" "" 4200 "4/3/2010" "Theft" "Laptop" 2014-01-23 "" 2010-04-03 NA 2010 79 "Georgetown University Hospital" "DC" "" 2416 "3/26/2010" "Theft, Other" "E-mail, Other Portable Electronic Device" 2014-01-23 "An employee of the covered entity emailed protected health information (PHI) to an offsite research office (which is not itself a covered entity) in violation of the review preparatory to research protocol. The research office stored the electronic information on an external hard drive that was later stolen. The device contained the PHI of 2,416 individuals. The PHI involved in the breach included names, dates of birth, and clinical information. In response to this incident, the covered entity terminated transmission of the PHI to this research office and gave the responsible employee a verbal warning and counseling. 
Additionally, the covered entity undertook a review of all research affiliations involving PHI of hospital patients to confirm that appropriate documentation and procedures are in place. " 2010-03-26 NA 2010 80 "Silicon Valley Eyecare Optometry and Contact Lenses" "CA" "" 40000 "4/2/2010" "Theft" "Network Server" 2014-01-23 "" 2010-04-02 NA 2010 81 "Loma Linda University Health Care" "CA" "" 584 "4/4/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-04-04 NA 2010 82 "Veterans Health Administration" "DC" "Heritage Health Solutions" 656 "4/22/2010" "Theft" "Laptop" 2014-01-23 "" 2010-04-22 NA 2010 83 "State of New Mexico Human Services Department, Medical Assistance Division" "NM" "DentaQuest" 9600 "3/20/2010" "Theft" "Laptop" 2014-01-23 "" 2010-03-20 NA 2010 84 "Oconee Physician Practices" "SC" "" 653 "5/9/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-09 NA 2010 85 "University of Rochester Medical Center and Affiliates" "NY" "" 2628 "4/19/2010" "Other" "Paper" 2014-01-23 "" 2010-04-19 NA 2010 86 "Omaha Construction Industry Health and Welfare Plan" "NE" "DeBoer & Associates" 800 "1/11/2009" "Theft" "Laptop" 2014-01-23 "" 2009-01-11 NA 2009 87 "City of Charlotte, NC (Health Plan)" "NC" "" 5220 "2/3/2010" "Loss" "Other" 2014-01-23 "" 2010-02-03 NA 2010 88 "VA North Texas Health Care System" "TX" "" 4083 "5/4/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-05-04 NA 2010 89 "Rainbow Hospice and Palliative Care" "IL" "" 1000 "4/12/2010" "Theft" "Laptop" 2014-01-23 "An employee's laptop was stolen out of her bag while she was making an admission visit in a patient's home. The evidence showed that although the covered entity had a policy of encrypting and password-protecting its computers, this particular computer did not require a password most of the time. The invoices contained the protected health information (PHI) of approximately 1,000 individuals. 
The PHI stored on the laptop included names, addresses, dates of birth, phone numbers, Social Security numbers, Medicare numbers, electronic health records and commercial insurance information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in The Daily Herald, sanctioned the employee for changing the security settings on the laptop in question, and established stringent computer security guidelines, and retrained its staff in the new requirements, with the intention of preventing a similar event from occurring again. " 2010-04-12 NA 2010 90 "Cincinnati Childrens Hospital Medical Center " "OH" "" 60998 "3/27/2010" "Theft" "Laptop" 2014-01-23 "" 2010-03-27 NA 2010 91 "Occupational Health Partners" "KS" "" 1105 "5/12/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-12 NA 2010 92 "AvMed, Inc." "FL" "" 1220000 "12/10/2009" "Theft" "Laptop" 2014-06-30 "Two laptop computers with questionable encryption (each containing the electronic protected health information (ePHI) of 350,000 individuals) were stolen from the covered entity's (CE) premises. The types of ePHI involved included demographic and clinical information, diagnoses/conditions, medications, lab results, and other treatment data. After discovering the breach, the CE reported the theft to law enforcement and worked with the local police to recover the laptops. As a result of OCR's investigation, the CE developed and implemented new policies and procedures to comply with the Security Rule. The CE also provided breach notification to all affected individuals, HHS, and the media and placed an accounting of disclosures in the medical records of all affected individuals." 
2009-12-10 NA 2009 93 "UnitedHealth Group health plan single affiliated covered entity" "MN" "" 16291 "1/26/2010" "Other" "Paper" 2014-01-23 "Paper correspondence to certain members in UnitedHealth's prescription drug plans was inadvertently sent to the incorrect temporary address due to a database administration error. Approximately 16,291 individuals were affected by the breach. UnitedHealth member's name, plan number and in some instances, date of birth and/or limited medical information. United Health reported that it stopped using PDI's proprietary database for address updates and made outbound verification calls to members to get accurate temporary addresses. United Health reported that it revised its address update process. " 2010-01-26 NA 2010 94 "Lincoln Medical and Mental Health Center" "NY" "Siemens Medical Solutions, USA, Inc" 130495 "3/24/2010" "Theft" "Other" 2014-06-19 "The covered entity's business associate (BA), Siemens Medical Solutions USA, Inc., shipped seven unencrypted compact disks (CDs) that contained the electronic protected health information (ePHI) of 130,495 individuals to the covered entity (CE), Lincoln Medical and Mental Health Center. The CDs, containing back-up data, were lost in transit. The ePHI included names, addresses, social security numbers, medical record numbers, health plan information, dates of birth, dates of admission and discharge, diagnostic and procedural codes, and driver's license numbers. The CE provided breach notification to affected individuals, HHS, and the media. Upon discovery of the breach, the CE directed the BA to cease using the shipping service as a means of transporting the CDs. As a result of OCR's investigation, the BA adopted a procedure to encrypt CDs. The CE also implemented a procedure for a senior employee of the BA to physically deliver the encrypted CDs to the CE. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2010-03-24 NA 2010 95 "Nihal Saran, MD " "MI" "" 2300 "5/2/2010" "Theft" "Laptop" 2014-01-23 "A password protected laptop computer containing protected health information (PHI) was stolen from Dr. Saran's personal residence. The laptop contained the PHI of approximately 2,300 individuals. The PHI stored on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information, and diagnoses. Following the breach, Dr. Saran notified the Northville Township Police Department of the theft, contacted the individuals reasonably believed to have been affected by the breach, sent a notice of the breach to the Detroit Free Press and the Monroe News, and installed encryption software for its billing software. " 2010-05-02 NA 2010 96 "University of Louisville Research Foundation, Inc., DBA The Kidney Disease Program" "KY" "" 708 "10/1/2008" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2008-10-01 NA 2008 97 "St. Jude Children's Research Hospital" "TN" "" 1745 "4/19/2010" "Loss" "Laptop" 2014-01-23 "" 2010-04-19 NA 2010 98 "TennCare" "TN" "DentaQuest" 10515 "3/20/2010" "Theft" "Laptop" 2014-06-20 "A car containing an unencrypted laptop computer was stolen from West Monroe Partners, a contractor for the covered entity's (CE) business associate (BA), DentaQuest. The laptop stored a database containing the electronic protected health information (ePHI) of approximately 76,000 individuals, including data on 10,515 of the CE's members. The types of PHI involved in the breach included names, social security numbers, dates, and certain provider identification numbers. The CE and BA worked together to provide breach notification to affected individuals and the media, and offered free credit monitoring and enhanced credit services to affected individuals for one year. 
The CE reported the breach to HHS and provided substitute notification on its website. The BA implemented procedures to ensure that any third party laptops connecting to its network employ disk encryption. Further, the BA established a policy to prohibit contractors from storing PHI on laptops. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2010-03-20 NA 2010 99 "The Children's Medical Center of Dayton" "OH" "" 1001 "4/22/2010" "Other" "E-mail" 2014-01-23 "" 2010-04-22 NA 2010 100 "Comprehensive Care Management Corporation" "NY" "" 1020 "4/30/2010" "Theft" "Laptop, Desktop Computer, Network Server, E-mail" 2014-06-19 "OCR opened an investigation of the covered entity (CE), Comprehensive Care Management Corporation, after it reported two former employees sent emails that contained the electronic protected health information (ePHI) of 1,020 individuals to their personal email accounts to open a competitor organization. The ePHI included names, addresses, and enrollment information. Upon discovery of the breach, the CE conducted an internal inquiry and found that the former employees disclosed the ePHI to its competitor. As a result of OCR's investigation, the CE replaced and strengthened external firewalls, restricted access to email websites, restricted the use of portable devices, limited the ability to upload data to external websites, and evaluated new monitor and control software for network information. In addition, the CE provided training to all staff on its HIPAA policies and procedures. The CE also entered into an agreement with its competitor who hired the former employees to return or destroy the ePHI." 
2010-04-30 NA 2010 101 "alma aguado md pa" "TX" "" 600 "5/29/2010" "Theft" "Network Server" 2014-04-23 "OCR investigated the covered entity (CE) following a report that its main server and desktop computers containing the electronic protected health information (ePHI) of 600 individuals were taken from the CE's office. The ePHI involved in the breach included patient names, addresses, dates of birth, and social security numbers. As a result of OCR's investigation, the CE changed its privacy and security policies, retrained its employees and provided additional physical security to better safeguard patient ePHI." 2010-05-29 NA 2010 102 "University Hospital" "GA" "Augusta Data Storage, Inc" 14000 "5/7/2010" "Loss" "Other" 2014-01-23 "" 2010-05-07 NA 2010 103 "University Health System" "NV" "" 7526 "6/11/2010" "Theft" "Network Server" 2014-01-23 "" 2010-06-11 NA 2010 104 "Sinai Hospital of Baltimore, Inc." "MD" "Aramark Healthcare Support Services, LLC" 937 "5/3/2010" "Other" "E-mail" 2014-01-23 "A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. " 2010-05-03 NA 2010 105 "Mary M. 
Desch,MD/PathHealer, LTD" "AZ" "" 5893 "5/15/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-15 NA 2010 106 "Children's Hospital & Research Center at Oakland" "CA" "" 1000 "5/25/2010" "Other" "Paper" 2014-01-23 "" 2010-05-25 NA 2010 107 "Centerstone" "TN" "" 1537 "5/1/2010" "Other" "Desktop Computer, Paper" 2014-01-23 "" 2010-05-01 NA 2010 108 "California Department of Healthcare Services" "CA" "Care 1st Health Plan" 29000 "4/29/2010" "Loss, Other" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-04-29 NA 2010 109 "Long Island Consultation Center" "NY" "" 800 "5/21/2010" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. " 2010-05-21 NA 2010 110 "NYU Hospitals Center" "NY" "" 2563 "5/8/2010" "Theft" "Other Portable Electronic Device" 2014-05-28 "The covered entity (CE) misplaced an unencrypted USB drive that contained the electronic protected health information (ePHI) of 2,563 individuals. The ePHI included names, medical record numbers, ages, genders, procedures, attending physicians' names, anesthesiologists' names, types of anesthesia, times of arrival in the recovery room, and times of discharge. Upon discovery of the breach, the CE reported the incident to internal security as a possible theft and conducted a thorough search of the perimeter. 
The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE stopped using USB drives and local desktop computers for data storage. In addition, the CE updated physical security in the recovery room and installed data prevention software to monitor, block or encrypt mobile media used in the CE. Further, the CE purchased encrypted USB drives for workforce members with an identified need to download and store ePHI. The CE also revised its mobile device and portable storage media policy and retrained all workforce members on its policies." 2010-05-08 NA 2010 111 "University of Florida" "FL" "" 2047 "5/24/2010" "Other" "Paper" 2014-01-23 "" 2010-05-24 NA 2010 112 "SunBridge Healthcare Corporation" "NM" "" 3830 "5/11/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-11 NA 2010 113 "Department of Health Care Policy & Financing" "CO" "Governor's Office of Information Technology" 105470 "5/17/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-05-17 NA 2010 114 "Prince William County Community Services (CS)" "VA" "" 669 "6/18/2010" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2010-06-18 NA 2010 115 "E. Brooks Wilkins Family Medicine, PA" "NC" "" 13000 "2/1/2010" "Theft" "Desktop Computer, Other" 2014-01-23 "The breach report indicated that former employees took protected health information (PHI) pertaining to 13,000 patients and disclosed it to a competing medical practice. The PHI included the names and contact information for the patients. Following the breach, the entity terminated the employees who impermissibly used and disclosed the PHI. OCR also confirmed that the entity complied with the provisions of the Breach Notification Rule and notified the affected individuals. Additionally, the entity retrained its staff regarding the policies and procedures for safeguarding of PHI. 
" 2010-02-01 NA 2010 116 "John Deere Health Benefit Plan for Wage Employees" "IL" "UnitedHealthcare Insurance Company " 1097 "6/24/2010" "Other" "Paper" 2014-01-23 "" 2010-06-24 NA 2010 117 "South Shore Hospital" "MA" "Iron Mountain Data Products, Inc. (now known as " 800000 "2/26/2010" "Loss" "Other Portable Electronic Device, Other, Electronic Medical Record" 2014-01-23 "" 2010-02-26 NA 2010 118 "Montefiore Medical Center" "NY" "" 16820 "5/22/2010" "Theft" "Desktop Computer" 2014-06-19 "Two unencrypted desktop computers containing the electronic protected health information (ePHI) of 16,820 individuals were stolen from the covered entity (CE). The ePHI included medical record numbers, dates of birth, admission/discharge dates, billing codes, and social security numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. It also provided substitute notification by posting on its website. As a result of OCR's investigation, the CE replaced its building alarm and installed bars on the windows. In addition, the CE directed its staff to save patient data only on a centralized network drive, moved all ePHI stored on desktop hard drives to centralized secured network servers, and encrypted all of its computers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." 2010-05-22 NA 2010 119 "DC Chartered Health Plan, Inc" "DC" "" 540 "5/26/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-26 NA 2010 120 "Montefiore Medical Center" "NY" "" 23753 "6/9/2010" "Theft" "Desktop Computer" 2014-06-19 "OCR opened an investigation of the covered entity (CE), Montefiore Medical Center, after it reported three unencrypted desktop computers were stolen that contained the electronic protected health information (ePHI) of 23,753 individuals. 
The ePHI included names, medical record numbers, dates of birth, parent or guardian contact numbers, asthma diagnoses, vaccination information, and number of visits to the school health clinic. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE updated its building alarm to include additional motion sensors and installed surveillance cameras. Further, the CE encrypted all of its computers, advised that no ePHI is stored on desktop hard drives, removed all ePHI from its computers, and stored ePHI on the centralized secured network servers. The CE also revised its policy and procedure on password management and provided training to all staff on its new policy." 2010-06-09 NA 2010 121 "Medina County OB/GYN" "OH" "" 1200 "6/13/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-06-13 NA 2010 122 "The University of Texas at Arlington" "TX" "" 27000 "2/19/2009" "Hacking/IT Incident" "Network Server" 2014-01-23 "A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers. Following the discovery of the breach, UTA removed the server from the network, notified the affected individuals and notified local media. Following the breach, the covered entity also replaced the operating system and implemented additional technical safeguards. 
" 2009-02-19 NA 2009 123 "Aetna" "CT" "" 6372 "3/29/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-03-29 NA 2010 124 "Charles Mitchell MD" "TX" "" 6873 "6/27/2010" "Theft" "Desktop Computer" 2014-06-30 "A burglary occurred at the covered entity's (CE) facility and two desktop computers containing protected health information (PHI) were stolen. Approximately 6873 individuals were affected. The PHI involved included names, addresses, dates of birth, social security numbers, diagnoses and conditions, medications, and other treatment information. OCR closed this investigation after determining that the individual who reported the breach worked for a CE no longer in existence." 2010-06-27 NA 2010 125 "Humana Inc [case 4486]" "KY" "Matrix Imaging" 2631 "6/25/2010" "Other" "Paper" 2014-01-23 "" 2010-06-25 NA 2010 126 "WellPoint, Inc." "IN" "" 31700 "11/3/2009" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2009-11-03 NA 2009 127 "Carolina Center for Development and Rehabilitation" "NC" "" 1590 "6/24/2010" "Theft" "Paper" 2014-06-30 "The covered entity's (CE) staff inadvertently sent twenty-three boxes containing the protected health information (PHI) of 1,590 patients to a recycling center. The PHI included patients' full names, addresses, dates of birth, social security numbers, insurance identification numbers, driver's license numbers, diagnoses, medication information, checking and savings account numbers, credit and debit card numbers, and photographs of the patients. Following the breach, the CE immediately took steps for the records to be returned. The CE notified HHS, the media, and all individuals affected by the breach, and established a toll free number for patients to call for more information. The CE cooperated with the state attorney general's investigation and suspended the responsible staff members. 
Following OCR's investigation, the CE placed a record into its accounting of disclosure log for each individual affected and terminated the employment of the staff involved in the breach. In addition, the CE revised its policies and procedures regarding the rights of individuals and safeguards for PHI, and re-trained staff. " 2010-06-24 NA 2010 128 "Trinity Health Corporation Welfare Benefit Plan" "MI" "Mercer" 1073 "3/29/2010" "Loss" "Other" 2014-01-23 "" 2010-03-29 NA 2010 129 "Texas Children's Hospital" "TX" "" 694 "5/13/2010" "Theft" "Laptop" 2014-01-23 "" 2010-05-13 NA 2010 130 "Baylor College of Medicine" "TX" "" 1646 "5/13/2010" "Theft" "Laptop" 2014-04-24 "An unencrypted laptop containing electronic protected health information (ePHI) of approximately 1,618 individuals was stolen from the covered entity's (CE) affiliate. The ePHI involved in the breach included names, medical reconciliation numbers, dates of service, diagnoses, and dates of birth. Upon discovery of the breach, the CE and its affiliate jointly notified the affected individuals, OCR, and the local media. Notifications were delayed at the request of law enforcement. Following OCR's investigation, the CE revised policies and procedures to require encryption of all mobile devices containing PHI and began encrypting all necessary devices in order to ensure reasonable safeguards." 2010-05-13 NA 2010 131 "Wright State Physicians" "OH" "" 1309 "6/11/2010" "Other" "Laptop" 2014-01-23 "On June 11, 2010, a laptop computer containing PHI was mistakenly discarded in the trash. The laptop computer contained the protected health information of approximately 1,309 individuals. The protected health information involved in the breach included patient full names or first initial and last name, dates of service, and in some cases, a brief description of medical condition or care. 
Following the breach, the covered entity submitted evidence of its progress in implementing encryption on its laptop computers in its various departments. " 2010-06-11 NA 2010 132 "Penn Treaty Network America Insurance Company " "PA" "" 560 "6/4/2010" "Other" "Other" 2014-01-23 "Social security numbers were inadvertently printed on the address labels in a newsletter mailing. The mailing had 560 recipients. The covered entity acted to mitigate the disclosure by verifying that all the mail was correctly delivered. It also counseled the responsible employee and updated its policies and procedures. " 2010-06-04 NA 2010 133 "Aultman Hospital" "OH" "" 13867 "6/7/2010" "Theft" "Laptop" 2014-01-23 "" 2010-06-07 NA 2010 134 "Fort Worth Allergy and Asthma Associates" "TX" "" 25000 "6/29/2010" "Theft" "Network Server" 2014-01-23 "" 2010-06-29 NA 2010 135 "Beauty Dental, Inc." "IL" "" 657 "6/5/2010" "Theft, Loss" "Paper" 2014-01-23 "Following the breach, the covered entity notified its clients by letter of the incident, submitted a press release that outlined the circumstances of the breach to the Chicago Tribune and the Chicago Sun Times, required the individual who allegedly stole the documents to return all physical patient PHI in her possession and sign a statement swearing that she no longer possessed any patient documents, would not use or disclose the PHI in any manner and would erase an Excel spreadsheet she had in her possession, installed a new security system for the office that requires the input of a code specific to each employee, and implemented new technical safeguards that limited employee access to ePHI according to the employee's position and rank. " 2010-06-05 NA 2010 136 "Walsh Pharmacy" "MA" "McKesson Pharmacy Systems LLC" 11440 "6/3/2010" "Other" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-06-03 NA 2010 137 "Jewish Hospital" "KY" "" 2089 "7/16/2010" "Theft" "Laptop" 2014-01-23 "" 2010-07-16 NA 2010 138 "St. 
John's Mercy Medical Group" "MO" "" 1907 "6/7/2010" "Improper Disposal" "Paper" 2014-01-23 "Covered entity improperly disposed of patients' Protected Health Information (PHI), by placing the PHI in a dumpster outside of a doctor's office. The PHI involved in the breach included demographic, financial, clinical, and other medical information. Following the breach, the covered entity notified all affected individuals of the breach, posted a notice about the incident on its website; attempted to retrieve and track all of the medical records that were inappropriately disposed of; offered all affected individuals identity theft protection; obtained a formal apology from and assumed direct office operations management of the physician involved; re-educated its workforce to reinforce policies relating to appropriate medical record protection and disposal requirements. " 2010-06-07 NA 2010 139 "Thomas Jefferson University Hospitals, Inc." "PA" "" 21000 "6/14/2010" "Theft" "Laptop" 2014-01-23 "" 2010-06-14 NA 2010 140 "UNCG Speech and Hearing Center" "NC" "" 2300 "1/1/1997" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 1997-01-01 NA 1997 141 "Idaho Power Group Health Plan" "ID" "Mercer Health & Benefits" 5500 "3/29/2010" "Loss" "Other" 2014-01-23 "Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. 
To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. " 2010-03-29 NA 2010 142 "Loma Linda University School of Dentistry" "CA" "" 10100 "6/13/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-06-13 NA 2010 143 "Ward A. Morris, DDS" "WA" "" 2698 "7/16/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-07-16 NA 2010 144 "Chattanooga Family Practice Associates, P.C." "TN" "" 1711 "7/15/2010" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-07-15 NA 2010 145 "Yale University" "CT" "" 1000 "7/28/2010" "Theft" "Laptop" 2014-01-23 "" 2010-07-28 NA 2010 146 "University of Kentucky" "KY" "" 2027 "6/18/2010" "Theft" "Laptop" 2014-01-23 "" 2010-06-18 NA 2010 147 "Cook County Health & Hospitals System" "IL" "" 7081 "5/30/2010" "Theft" "Laptop" 2014-01-23 "An employee's laptop was stolen out of a locked office; evidence shows that the laptop was password protected but not encrypted. The laptop contained the protected health information (PHI) of approximately 7,000 individuals. The PHI stored on the laptop included names, dates of birth, Social Security numbers, internal encounter numbers, and other administrative codes. Following the breach, the covered entity notified those individuals reasonably believed to have been affected by the breach, placed notice on its website and with a local news center; established stringent computer security guidelines, and retrained its staff in the new requirements with the intention of preventing a similar event from occurring again. 
" 2010-05-30 NA 2010 148 "Eastmoreland Surgical Clinic, William Graham, DO" "OR" "" 4328 "7/5/2010" "Theft" "Laptop, Desktop Computer, Other Portable Electronic Device, Other" 2014-01-23 "Three desktop computers, one laptop computer, and a backup drive, containing the electronic protected health information (EPHI) of 4,328 individuals, were stolen on July 5, 2010. The EPHI involved in the breach included names, addresses, phone numbers, dates of birth, Social Security numbers, reason for visits, and insurance information. Following the breach, the covered entity implemented backup and whole disk encryption on electronic information systems that maintain EPHI and improved their physical safeguards. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as password complexity requirements and data backup protocols. " 2010-07-05 NA 2010 149 "SunBridge Healthcare Corporation" "NM" "" 1000 "6/26/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-06-26 NA 2010 150 "Holyoke Medical Center" "MA" "Pioneer Valley Pathology" 24750 "7/26/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-07-26 NA 2010 151 "Newark Beth Israel Medical Center" "NJ" "KPMG LLP" 956 "5/10/2010" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "OCR opened an investigation of the covered entity (CE), Newark Beth Israel Medical Center, after it reported an employee of the CE's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. Upon discovery of the breach, the CE's BA conducted a search of the area. The CE provided breach notification to HHS, the Media and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software to its electronic equipment and devices. 
In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2010-05-10 NA 2010 152 "Saint Barnabas Medical Center" "NJ" "KPMG LLP" 3630 "5/10/2010" "Theft" "Other Portable Electronic Device" 2014-06-19 "The covered entity (CE), Long Island Consultation Center, misplaced an unencrypted portable device that contained the electronic protected health information (ePHI) of 800 individuals. The ePHI included names, dates of birth, diagnoses, and other treatment information. Upon discovery of the breach, the CE conducted a search for the portable device. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE improved physical security. The CE also developed and implemented a policy and procedure prohibiting use of portable media for storing ePHI and trained staff on its new policy. " 2010-05-10 NA 2010 153 "NYU School of Medicine--Aging and Dementia Clinical Research Center " "NY" "" 1200 "4/3/2010" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-04-03 NA 2010 154 "University of Rochester Medical Center and Affiliates" "NY" "" 857 "8/2/2010" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2010-08-02 NA 2010 155 "State of Delaware Health Plan" "DE" "Aon Consulting" 22642 "8/16/2010" "Other" "Network Server" 2014-01-23 "The business associate prepared a document as part of a request for proposal for the covered entity's vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. 
The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. " 2010-08-16 NA 2010 156 "Curtis R. Bryan, M.D." "VA" "" 2739 "7/12/2010" "Theft" "Laptop" 2014-01-23 "" 2010-07-12 NA 2010 157 "Mayo Clinic" "MN" "" 1740 "7/15/2009" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2009-07-15 NA 2009 158 "LabCorp Patient Service Center" "NV" "" 507 "8/2/2010" "Theft" "Paper" 2014-01-23 "" 2010-08-02 NA 2010 159 "The Kent Center " "RI" "" 1361 "7/13/2010" "Theft" "Paper" 2014-01-23 "" 2010-07-13 NA 2010 160 "Pediatric and Adult Allergy, PC" "IA" "" 19222 "7/11/2010" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2010-07-11 NA 2010 161 "Ault Chiropractic Center" "IN" "" 2000 "9/15/2010" "Theft" "Laptop, Desktop Computer" 2014-01-23 "" 2010-09-15 NA 2010 162 "County of Los Angeles" "CA" "" 33000 "7/29/2010" "Theft" "Paper" 2014-01-23 "" 2010-07-29 NA 2010 163 "Matthew H. Conrad, M.D., P.A." 
"KS" "" 1200 "8/20/2010" "Theft" "Laptop, Paper" 2014-01-23 "" 2010-08-20 NA 2010 164 "UnitedHealth Group health plan single affiliated covered entity" "MN" "CareCore National" 1270 "7/8/2010" "Other" "Paper" 2014-01-23 "" 2010-07-08 NA 2010 165 "Counseling and Psychotherapy of Throggs Neck" "NY" "" 9000 "9/6/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-09-06 NA 2010 166 "United States Air Force" "OH" "" 2123 "7/29/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-07-29 NA 2010 167 "State of Alaska, Department of Health and Social Services" "AK" "Alaskan AIDS Assistance Association" 2000 "9/7/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-09-07 NA 2010 168 "St. Vincent Hospital and Health Care Center, Inc." "IN" "" 1199 "7/25/2010" "Theft" "Laptop" 2014-01-23 "" 2010-07-25 NA 2010 169 "Milford Regional Medical Center" "MA" "" 20000 "7/26/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-07-26 NA 2010 170 "Alliance HealthCare Services, Inc." "CA" "Oroville Hospital" 1474 "7/31/2010" "Theft" "Other Portable Electronic Device, Other" 2014-04-24 "The covered entity (CE) filed a breach report with OCR after two USB storage devices containing electronic protected health information (ePHI) of 1,474 individuals were lost. The ePHI included names, dates of birth, and treatment information. Upon discovery of the breach, the CE notified individuals, OCR and the media. Additionally, the CE initiated an encryption project to encrypt emails, external hard drives, and related media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in an effort to better safeguard ePHI, and encrypted USB devices. " 2010-07-31 NA 2010 171 "Alliance HealthCare Services, Inc." 
"CA" "Eden Medical Center" 1474 "8/5/2010" "Theft" "Other Portable Electronic Device, Other" 2014-06-24 "The covered entity (CE) lost two portable electronic storage devices containing the electronic protected health information (ePHI) of 1,474 individuals. The ePHI included patients' names, dates of birth, and treatment information. Upon discovery of the breach, the covered entity (CE) notified individuals, HHS, and the media. Additionally, the CE initiated a project to encrypt emails, external hard drives, and related electronic media. Following OCR's investigation, the CE filed a police report, updated its policies and procedures in order to better safeguard patients' ePHI, and encrypted portable electronic computer devices." 2010-08-05 NA 2010 172 "NewYork-Presbyterian Hospital and Columbia University Medical Center" "NY" "" 6800 "7/1/2010" "Theft" "Network Server" 2014-06-19 "Data breach results in $4.8 million HIPAA settlements Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. 
The entities generally refer to their affiliation as 'New York Presbyterian Hospital/Columbia University Medical Center.' NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet. In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. 'When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,' said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. 'Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.' 
NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. " 2010-07-01 NA 2010 173 "St. James Hospital and Health Centers" "IL" "" 967 "8/10/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-08-10 NA 2010 174 "University of Oklahoma - Tulsa, Neurology Clinic" "OK" "" 19200 "7/28/2010" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2010-07-28 NA 2010 175 "LORENZO BROWN, MD INC." "CA" "" 928 "8/17/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-08-17 NA 2010 176 "Milton Pathology Associates, P.C." "MA" "Joseph A. Gagnon d/b/a Goldthwait Associates" 11000 "7/26/2010" "Improper Disposal" "Paper" 2014-01-23 "" 2010-07-26 NA 2010 177 "WESTMED Medical Group" "NY" "" 578 "8/17/2010" "Theft" "Laptop" 2014-06-19 "An unencrypted laptop computer that contained the electronic protected health information (ePHI) of 578 individuals was stolen from the covered entity (CE), WestMed Medical Group. The ePHI included names, dates of birth and test results. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS and the media. As a result of OCR's investigation, the CE improved physical security by locking all laptops during the day and storing all laptops in a locked cabinet overnight. In addition, the CE reconfigured all laptops with strong passwords and implemented a new procedure to save data to a secure file server. Further, the CE encrypted all laptop hard drives. The CE also retrained staff on safeguarding ePHI. " 2010-08-17 NA 2010 178 "Debra C. 
Duffy, DDS" "TX" "" 4700 "8/5/2010" "Theft" "Laptop, Network Server" 2014-01-23 "An unencrypted laptop and network server were stolen during a burglary of the office. The breach affected approximately 4700 individuals. The protected health information involved in the breach included treatment information for pediatric dental patients and social security numbers, insurance identification numbers and driver's license numbers. Following the discovery of the breach, the CE relocated the practice servers, secured the laptops and installed steel doors at the front entrance of the facility. Additionally, the CE notified the affected individuals and local media and retrained staff. " 2010-08-05 NA 2010 179 "Cumberland Gastroenterology, P.S.C." "KY" "" 2200 "9/18/2010" "Theft" "Paper" 2014-01-23 "" 2010-09-18 NA 2010 180 "Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan" "MD" "" 692 "6/15/2010" "Other" "Other" 2014-01-23 "Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before they are sent out from the benefits department. Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that include an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. 
Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training. " 2010-06-15 NA 2010 181 "LoneStar Audiology Group" "TX" "" 585 "8/11/2010" "Theft" "Laptop" 2014-01-23 "A laptop was stolen from a workforce member's home. Approximately 585 individuals were affected. The PHI included addresses, dates of birth, diagnosis and conditions, medications and other treatment information. Following the breach, the covered entity encrypted all its laptops. After the initiation of OCR's investigation, the encryption of the laptops was completed. " 2010-08-11 NA 2010 182 "Utah Department of Health" "UT" "Utah Department of Workforce Services" 1298 "3/1/2010" "Other" "Desktop Computer, Paper" 2014-01-23 "" 2010-03-01 NA 2010 183 "SW Seattle Orthopaedic and Sports Medicine" "WA" "" 9493 "9/4/2010" "Hacking/IT Incident" "Network Server" 2014-01-23 "A database web server, containing the electronic protected health information (EPHI) of 9,493 individuals, was breached by an unknown, external person(s) for use as a game server. Although there was no indication of access to EPHI, the EPHI on the database web server included names, dates of birth, types of x-rays, and dates of x-rays. Following the breach, the covered entity relocated two servers to its more secure primary data center and removed the Internet access line that resulted in the breach. Additionally, OCR's investigation resulted in the covered entity improving their administrative safeguards, such as incident response and reporting. 
" 2010-09-04 NA 2010 184 "University of Arkansas for Medical Sciences" "AR" "" 1000 "10/12/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-10-12 NA 2010 185 "BlueCross BlueShield of Tennessee, Inc." "TN" "" 1023209 "10/2/2009" "Theft" "Other" 2014-01-23 "" 2009-10-02 NA 2009 186 "Northridge Hospital Medical Center" "CA" "" 716 "10/16/2010" "Loss" "Paper" 2014-01-23 "" 2010-10-16 NA 2010 187 "Puerto Rico Department of Health" "PR" "Triple-S Management, Corp.; Triple-S Salud, Inc.; " 475000 "10/3/2008" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2008-10-03 NA 2008 188 "Aetna, Inc." "CT" "" 2345 "9/9/2010" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "Aetna notified all possibly affected individuals of the breach, filed a breach report with OCR, commenced an investigation to identify and correct the root cause of the issue; the coding changes that were causing the breach were removed from IPS via Aetna's emergency Change Management procedures to prevent any further exposure while the problem was analyzed; once the specific code that conflicted with its proxy server settings was identified as the root cause of the breach, it was removed. Also, in an effort to mitigate any harm as a result of the breach, Aetna offered all affected individuals one year of free credit monitoring, and the notification letters included a toll-free number which was established specifically to answer questions related to this incident. " 2010-09-09 NA 2010 189 "Sta-home Health & Hospice" "MS" "" 1104 "9/16/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-09-16 NA 2010 190 "Puerto Rico Department of Health" "PR" "Medical Card System/MCS-HMO/MCS Advantage/MCS Life" 115000 "9/3/2010" "Unauthorized Access/Disclosure" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-09-03 NA 2010 191 "VNA of Southeastern Ct." 
"CT" "" 12000 "9/30/2010" "Theft" "Laptop" 2014-01-23 "" 2010-09-30 NA 2010 192 "Prime Home Care, LLC" "NE" "" 1550 "9/13/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-09-13 NA 2010 193 "Visiting Nurse Service Association of Schenectady County" "NY" "" 535 "9/14/2010" "Theft" "Laptop" 2014-06-19 "An encrypted laptop computer that contained the electronic protected health information (ePHI) of 535 individuals was stolen from the covered entity (CE). The ePHI included names, addresses, and dates of birth. Upon discovery of the breach, the CE filed a police report to recover the stolen item. Following OCR's investigation, the CE disabled the involved staff member's account, verbally counseled the staff member, and retrained the staff member. The CE also adopted and implemented security policies and procedures for laptops/tablet devices and provided training to all staff." 2010-09-14 NA 2010 194 "Manor Care Indy (South), LLC." "IN" "" 845 "9/11/2010" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2010-09-11 NA 2010 195 "Robert Wheatley, DDS, PC" "MO" "" 1400 "10/17/2010" "Theft" "Laptop" 2014-01-23 "" 2010-10-17 NA 2010 196 "Henry Ford Hospital" "MI" "" 3700 "9/24/2010" "Theft" "Laptop" 2014-01-23 "" 2010-09-24 NA 2010 197 "Holy Cross Hospital" "FL" "" 1500 "7/27/2010" "Theft" "Paper" 2014-01-23 "" 2010-07-27 NA 2010 198 "Newark Beth Israel Medical Center" "NJ" "Professional Transcription Company, Inc." 1744 "1/1/2010" "Theft" "Network Server" 2014-06-19 "The covered entity's (CE) business associate (BA), Professional Transcription Company, posted the electronic protected health information (ePHI) of 1,744 individuals on a website portal of the BA. The ePHI included names, dates of birth, diagnosis, and other clinical information. Upon discovery of the breach, the BA shut down the applicable server. 
The CE, Newark Beth Israel Medical Center, provided breach notification to HHS, the media, and affected individuals and also posted substitute notice on its website. As a result of OCR's investigation, the BA located the ePHI online and contacted Google to block files that contained ePHI. In addition, the BA retrained all employees regarding its security policies. The CE terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2010-01-01 NA 2010 199 "Memorial Hospital of Gardena" "CA" "" 771 "10/14/2010" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2010-10-14 NA 2010 200 "Oklahoma City VA Medical Center" "OK" "" 1950 "10/8/2010" "Theft, Loss, Improper Disposal" "Paper" 2014-01-23 "" 2010-10-08 NA 2010 201 "Albert Einstein Healthcare Network" "PA" "" 613 "10/21/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-10-21 NA 2010 202 "Kings County Hospital Center" "NY" "" 542 "8/22/2010" "Theft" "Desktop Computer" 2014-06-19 "An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 542 individuals was stolen from the covered entity (CE), Kings County Hospital Center. The ePHI included names, medical record numbers, admission and treatment dates, diagnostic treatment, pathology and/or medication information, telephone numbers and ages. Upon discovery of the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. As a result of OCR's investigation, the CE installed an encryption system for all internal and external computers and laptops. The CE implemented a new policy that prohibits staff from storing ePHI on their local computer hard drives or Windows desktop." 
2010-08-22 NA 2010 203 "University of Tennessee Medical Center" "TN" "" 8200 "9/23/2009" "Improper Disposal" "Paper" 2014-01-23 "" 2009-09-23 NA 2009 204 "Ochsner Health System" "LA" "H.E.L.P. Financial Corporation" 9475 "9/27/2010" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "A programming error in a business associate's IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media. " 2010-09-27 NA 2010 205 "zarzamora family dental care" "TX" "" 800 "10/15/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-10-15 NA 2010 206 "Hospital Auxilio Mutuo" "PR" "" 1000 "11/9/2010" "Theft, Unauthorized Access/Disclosure, Hacking/IT Incident" "Laptop, Desktop Computer" 2014-01-23 "" 2010-11-09 NA 2010 207 "Pinnacle Health System" "PA" "Gair Medical Transcription Services, Inc." 1085 "10/1/2008" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. 
The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future. " 2008-10-01 NA 2008 208 "Gary C. Spinks, DMD, PC" "MD" "" 1000 "9/29/2010" "Hacking/IT Incident" "Desktop Computer, Network Server" 2014-01-23 "" 2010-09-29 NA 2010 209 "Cook County Health & Hospitals System" "IL" "" 556 "11/1/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-11-01 NA 2010 210 "Dean Health Systems, Inc.; St. Mary's Hospital; St. Marys Dean Ventures, Incorporated" "WI" "" 3288 "11/8/2010" "Theft" "Laptop" 2014-01-23 "" 2010-11-08 NA 2010 211 "Riverside Mercy Hospital and Ohio/Mercy Diagnostics" "OH" "" 1000 "3/29/2003" "Improper Disposal" "Paper" 2014-01-23 "" 2003-03-29 NA 2003 212 "California Therapy Solutions" "CA" "" 1250 "11/11/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-11-11 NA 2010 213 "Osceola Medical Center" "WI" "Hils Transcription" 585 "11/25/2010" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2010-11-25 NA 2010 214 "Indiana Family and Social Services Administration" "IN" "The Southwestern Indiana Regional Council on Aging" 757 "11/4/2010" "Theft" "Laptop" 2014-01-23 "" 2010-11-04 NA 2010 215 "Mankato Clinic" "MN" "" 3159 "11/1/2010" "Theft" "Laptop" 2014-01-23 "" 2010-11-01 NA 2010 216 "Geisinger Wyoming Valley Medical Center" "PA" "" 2928 "11/3/2010" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2010-11-03 NA 2010 217 "Our Lady of Peace Hospital" "KY" "" 24600 "3/31/2010" "Theft, Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-03-31 NA 2010 218 "International Union of Operating Engineers Health and Welfare Fund " "MD" "Zenith Administrators, Inc." 800 "10/25/2010" "Theft" "Paper" 2014-01-23 "" 2010-10-25 NA 2010 219 "Southern Perioperative Services, P.C." 
"AL" "" 2000 "11/17/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-11-17 NA 2010 220 "Keystone/AmeriHealth Mercy Health Plans" "PA" "" 808 "9/20/2010" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-09-20 NA 2010 221 "Ankle + Foot Center of Tampa Bay, Inc." "FL" "" 156000 "10/28/2010" "Theft" "Network Server" 2014-06-30 "The covered entity's (CE) network server, containing the electronic protected health information (ePHI) of 136,000 patients, was hacked. The types of ePHI involved in the breach were demographic and clinical information, including diagnoses and other treatment data. Following the breach, the CE hired a third party vendor to resolve a data crash and to create a data back-up plan in order to restore office functioning. To implement adequate safeguards, the CE also employed a cloud service with increased security as the new network server. Additionally, the CE contacted the local FBI office to assist with the CE's internal investigation of the breach and provided breach notification to all affected individuals, the media, and HHS. As a result of OCR's investigation, the CE developed and implemented new protocols to comply with the Security Rule. In addition, the CE provided and initiated new trainings for its staff, completed hiring of a new network vendor, implemented a new electronic health records system, and accounted for the disclosures in the affected individuals' medical records." 
2010-10-28 NA 2010 222 "OhioHealth Corporation dba Grant Medical Center" "OH" "" 501 "1/1/2008" "Theft" "Laptop, Desktop Computer" 2014-01-23 "" 2008-01-01 NA 2008 223 "Seacoast Radiology, PA" "NH" "" 231400 "11/12/2010" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2010-11-12 NA 2010 224 "Friendship Center Dental Office" "FL" "" 2200 "12/19/2010" "Theft" "Laptop" 2014-01-23 "" 2010-12-19 NA 2010 225 "Centra" "VA" "" 11982 "11/11/2010" "Theft" "Laptop" 2014-01-23 "" 2010-11-11 NA 2010 226 "St.Vincent Hospital - Indianapolis" "IN" "" 1848 "11/12/2010" "Hacking/IT Incident" "Network Server, E-mail" 2014-01-23 "" 2010-11-12 NA 2010 227 "Texas Health Harris Methodist Hospital Azle" "TX" "" 9922 "4/7/2010" "Theft, Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-04-07 NA 2010 228 "Franciscan Medical Group" "WA" "" 1250 "11/18/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-11-18 NA 2010 229 "State of South Carolina Budget and Control Board Employee Insurance Program (EIP)" "SC" "" 5596 "11/8/2010" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2010-11-08 NA 2010 230 "Lake Woods Nursing & Rehabilitation Center" "MI" "" 656 "12/28/2010" "Theft" "Laptop, Desktop Computer" 2014-01-23 "" 2010-12-28 NA 2010 231 "Benefit Resources, Inc." "SC" "Travis Software Corp." 16200 "10/13/2010" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-10-13 NA 2010 232 "Baptist Memorial Hospital - Huntingdon" "TN" "J. A. Still Corporation" 4800 "11/27/2010" "Theft" "Other" 2014-04-23 "Two diskettes containing the electronic protected health information (ePHI) of approximately 4,754 individuals were lost by the Covered Entity's (CE) Business Associate (BA) after the package containing the diskettes was damaged by the mail carrier. Although one of the diskettes was eventually found, the other diskette was never recovered. The ePHI on the diskettes included names, addresses, dates of birth, social security numbers, and clinical information. 
Upon discovery of the breach, the CE obtained a copy of the information contained on the diskettes and notified all affected individuals, OCR and the media. Following OCR's investigation, the CE terminated its contract with the BA involved in the incident and provided evidence of the assurances in its BA agreement pertaining to the return or destruction of ePHI. Lastly, the CE entered an accounting of disclosures for each affected individual into its electronic database." 2010-11-27 NA 2010 233 "Grays Harbor Pediatrics, PLLC" "WA" "" 12009 "11/23/2010" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-11-23 NA 2010 234 "Hanger Prosthetics & Orthotics, Inc." "TX" "" 4486 "11/24/2010" "Theft" "Laptop" 2014-01-23 "An unencrypted laptop was stolen from an employee offsite. The laptop contained the PHI of 4,486 patients. The protected health information involved in the breach contained names, addresses and procedure codes. Following the breach, the CE filed a police report, notified affected patients and notified the media. Following the discovery of the breach, the covered entity encrypted all existing laptops and implemented a policy requiring all future purchased laptops to be encrypted prior to being issued for use. " 2010-11-24 NA 2010 235 "Baylor Heart and Vascular Center" "TX" "" 8241 "12/2/2010" "Theft" "Other Portable Electronic Device, Other" 2014-04-23 "A portable ultrasound machine containing electronic protected health information (ePHI) of approximately 8,241 individuals was stolen from the covered entity's (CE) facility. The ePHI involved in the breach included patient names, dates of birth, and limited health information. Upon discovery of the breach, the CE conducted a privacy and security assessment of its portable machines to identify vulnerabilities. Following OCR's investigation, the CE updated its privacy and security policies, retrained its employees, and increased physical security to ensure reasonable safeguards." 
2010-12-02 NA 2010 236 "CHC MEMPHIS CMHC, LLC" "TN" "" 500 "12/4/2010" "Theft" "Desktop Computer" 2014-01-23 "" 2010-12-04 NA 2010 237 "Jefferson Center for Mental Health" "CO" "" 546 "12/13/2010" "Theft" "Paper" 2014-01-23 "" 2010-12-13 NA 2010 238 "Green River District Health Department" "KY" "Integranetics" 18871 "1/12/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-01-12 NA 2011 239 "Ortho Montana, PSC" "MT" "" 37000 "1/8/2011" "Theft, Loss" "Laptop" 2014-02-14 "" 2011-01-08 NA 2011 240 "Cancer Care Northwest P.S." "WA" "" 3100 "1/7/2011" "Theft" "Paper" 2014-06-30 "The covered entity (CE) accidentally mailed the protected health information (PHI) of approximately 3,100 individuals to other individuals when a mail-merge process mismatched names and addresses. The PHI involved in the breach included names and indicated that the individuals were patients of the CE. Following the breach, the CE implemented additional safeguards, as well as policies and procedures to ensure mailing list accuracy. As a result of this incident, OCR required the CE to train its workforce members on its newly developed policies and procedures. Additionally, OCR provided technical assistance regarding substitute breach notification methods, including a conspicuous posting on the CE's website." 2011-01-07 NA 2011 241 "Saint Louis University" "MO" "" 800 "12/11/2010" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2010-12-11 NA 2010 242 "New York City Health & Hospitals Corporation's North Bronx Healthcare Network" "NY" "GRM Information Management Services" 1700000 "12/23/2010" "Theft" "Other, Electronic Medical Record" 2014-05-28 "Unencrypted clinical system backup tapes that contained the electronic protected health information (ePHI) of 1,700,000 individuals were stolen from the unlocked vehicle of an employee of the covered entity's (CE) business associate (BA). 
The ePHI included names, medical record numbers, social security numbers, addresses, telephone numbers, health plan numbers, dates of birth, dates of admission, dates of treatment, dates of discharge, dates of death, mother's name, next of kin, clinical information related to diagnosis, treatment, prognosis, laboratory tests and results, and medications. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2010-12-23 NA 2010 243 "Long Beach Memorial Medical Center" "CA" "" 2250 "12/10/2010" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2010-12-10 NA 2010 244 "Walgreen Co." 
"IL" "Business Express" 2700 "1/26/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-10 "" 2011-01-26 NA 2011 245 "Charleston Area Medical Center, Inc" "WV" "Xforia Web Services" 3655 "2/8/2011" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-02-08 NA 2011 246 "Mountain Vista Medical Center" "AZ" "" 2291 "10/13/2010" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2010-10-13 NA 2010 247 "Departamento de Salud de Puerto Rico" "PR" "" 2621 "3/14/2010" "Unknown" "Desktop Computer" 2014-01-23 "" 2010-03-14 NA 2010 248 "Henry Ford Hospital" "MI" "" 2777 "1/31/2011" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-01-31 NA 2011 249 "Central Brooklyn Medical Group, PC" "NY" "" 500 "8/3/2010" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), Preferred Health Partners f/k/a Central Brooklyn Medical Group, after it reported appointment schedules, pathology reports and portions of medical records containing the protected health information (PHI) of 500 individuals were stolen from an office. The PHI included names, ages, telephone numbers, social security numbers, medical insurance information, pathology reports, and other clinical information. Upon discovery of the breach, the CE filed a police report and worked with law enforcement authorities to recover as much of the PHI as possible that was stolen. As a result of OCR's investigation, the CE removed PHI such as social security or medical insurance numbers from tracking logs. In addition, the CE improved safeguards by storing log binders in a locked area and shredding documents regularly. Further, the CE replaced the manual process of printing certain records with an electronic verification system. The CE also archived, stored off site, and locked up all paper records and retrained all staff on its HIPAA policies and procedures. 
" 2010-08-03 NA 2010 250 "TRICARE Management Activity" "CO" "" 4500 "6/25/2010" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2010-06-25 NA 2010 251 "Blue Cross and Blue Shield of Florida " "FL" "" 7366 "10/16/2010" "Unknown" "Other" 2014-01-23 "" 2010-10-16 NA 2010 252 "University Health Services, University of Massachusetts, Amherst" "MA" "" 942 "9/29/2010" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2010-09-29 NA 2010 253 "Omnicare, Inc" "KY" "" 8845 "1/19/2011" "Theft" "Laptop" 2014-01-23 "" 2011-01-19 NA 2011 254 "JEFFREY J. SMITH, MD" "OK" "" 600 "11/24/2010" "Loss" "Desktop Computer, Other Portable Electronic Device, Other" 2014-01-23 "" 2010-11-24 NA 2010 255 "University of Missouri Health Plan" "MO" "Coventry Health Care, Inc." 765 "1/10/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-01-10 NA 2011 256 "Texas Health Arlington Memorial Hospital" "TX" "" 654 "12/23/2010" "Unknown" "Electronic Medical Record" 2014-01-23 "The IT department turned on the switch to a BA HIE without notifying patients of the exchange or obtaining authorization. The interface transmitted the PHI of 654 individuals. The PHI disclosed included patient names, addresses, dates of birth, social security numbers, other identifiers, diagnosis/conditions, medications, lab results, other treatment information and financial information. Following the breach, the CE revised the IT process, created a checklist that included notifying the affected departments and provided additional training to IT and registration employees. " 2010-12-23 NA 2010 257 "NYU School of Medicine Faculty Group Practice" "NY" "" 670 "1/27/2011" "Theft" "Desktop Computer" 2014-06-19 "An unencrypted desktop computer that contained the electronic protected health information (ePHI) of 670 individuals was stolen from the covered entity (CE), NYU Langone Medical Center. The ePHI included names, diagnoses, the results of diagnostic tests, and clinical information. 
Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE directed staff to store ePHI on network servers and not on desktops. In addition, the CE improved physical security by installing a locking device to secure the desktop computer and a latch guard on the office door. The CE retrained all staff on its policies and procedures for HIPAA and HITECH compliance." 2011-01-27 NA 2011 258 "Rape & Brooks Orthodontics, P.C." "AL" "" 20744 "2/3/2011" "Theft" "Desktop Computer, Network Server, Other Portable Electronic Device, Other" 2014-01-23 "" 2011-02-03 NA 2011 259 "Clarksburg - Louis A. Johnson VA Medical Center" "WV" "" 1470 "10/26/2010" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2010-10-26 NA 2010 260 "County of Los Angeles" "CA" "" 667 "2/23/2011" "Theft" "Laptop" 2014-01-23 "" 2011-02-23 NA 2011 261 "EISENHOWER MEDICAL CENTER" "CA" "" 514330 "3/11/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-03-11 NA 2011 262 "Catholic Social Services" "AK" "Trisha Elaine Cordova" 1700 "2/1/2011" "Theft" "Laptop" 2014-06-30 "A personal laptop computer containing the electronic protected health information (ePHI) of 1,700 individuals and approximately 493 adoption home studies was stolen from a contractor's vehicle. The ePHI involved included names, addresses, phone numbers, dates of birth, driver's license numbers, health information, and social security numbers. At the time of the breach, the covered entity (CE) did not have a business associate (BA) contract with the contractor. Following OCR's investigation, the CE developed policies and procedures for obtaining BA contracts as required by the Privacy Rule and verified that the contractor no longer had a business relationship with the CE. OCR obtained assurances that breach notification was provided to the affected individuals, HHS, and the media." 
2011-02-01 NA 2011 263 "Park Avenue Obstetrics & Gynecology, PC" "AZ" "" 635 "3/25/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-03-25 NA 2011 264 "Brian J Daniels D.D.S.,Paul R Daniels D.D.S." "AZ" "" 10000 "3/1/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-03-01 NA 2011 265 "MidState Medical Center" "CT" "Hartford Hospital" 93500 "2/14/2011" "Loss" "Other" 2014-01-23 "" 2011-02-14 NA 2011 266 "Patient Care Services at Saint Francis, Inc." "OK" "" 84000 "1/13/2011" "Theft" "Network Server" 2014-03-13 "" 2011-01-13 NA 2011 267 "Union Security Insurance Company" "MO" "" 935 "2/18/2011" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2011-02-18 NA 2011 268 "Oklaholma State Dept. of Health" "OK" "" 132940 "4/6/2011" "Theft" "Laptop, Paper" 2014-04-23 "" 2011-04-06 NA 2011 269 "Aiken Community Based Outpatient Clinic" "SC" "" 2717 "2/16/2011" "Improper Disposal" "Paper" 2014-01-23 "" 2011-02-16 NA 2011 270 "Health Net, Inc." "CA" "IBM" 1900000 "1/21/2011" "Unknown" "Other" 2014-01-23 "" 2011-01-21 NA 2011 271 "SW General Inc" "AZ" "" 566 "5/1/2004" "Theft" "Paper" 2014-01-23 "" 2004-05-01 NA 2004 272 "Fairview Health Services" "MN" "" 1215 "2/19/2011" "Loss" "Paper" 2014-01-23 "" 2011-02-19 NA 2011 273 "Time Insurance Company" "WI" "Healthcare Solutions Team, LLC" 675 "2/1/2011" "Unauthorized Access/Disclosure" "Other" 2014-04-23 "" 2011-02-01 NA 2011 274 "Community Action partnership of Natrona County" "WY" "" 15000 "2/23/2011" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2011-02-23 NA 2011 275 "Keith & Fisher, DDS, PA" "NC" "" 6000 "2/16/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-02-16 NA 2011 276 "MacNeal Hospital" "IL" "" 845 "3/10/2011" "Hacking/IT Incident" "Laptop, Desktop Computer, Network Server, E-mail" 2014-03-24 "" 2011-03-10 NA 2011 277 "West Lake Hospital " "IL" "" 686 "3/10/2011" "Hacking/IT Incident" "Laptop, Desktop Computer, Network Server, E-mail" 
2014-03-24 "" 2011-03-10 NA 2011 278 "Phoenix Health Plan" "AZ" "" 9393 "3/10/2011" "Hacking/IT Incident" "Laptop, Desktop Computer, Network Server, E-mail" 2014-04-23 "" 2011-03-10 NA 2011 279 "MacNeal Physician Group" "IL" "" 532 "3/10/2011" "Hacking/IT Incident" "Laptop, Desktop Computer, Network Server, E-mail" 2014-03-24 "" 2011-03-10 NA 2011 280 "Genesis Clinical Laboratory" "IL" "" 1070 "3/10/2011" "Hacking/IT Incident" "Laptop, Desktop Computer, Network Server, E-mail" 2014-03-24 "" 2011-03-10 NA 2011 281 "Knox Community Hospital" "OH" "" 500 "10/1/2010" "Improper Disposal" "Other" 2014-01-23 "" 2010-10-01 NA 2010 282 "Speare Memorial Hospital" "NH" "" 5960 "4/2/2011" "Theft" "Laptop" 2014-03-13 "" 2011-04-02 NA 2011 283 "Methodist Charlton Medical Center" "TX" "" 1500 "4/16/2011" "Theft" "Laptop" 2014-01-23 "An unencrypted laptop was stolen from a locked office in the hospital. The laptop contained the PHI of 1523 patients. The protected health information involved in the breach contained demographic and clinical data. Following the breach, the CE filed a police report, notified affected patients and notified the media. Additionally, the CE expanded its encryption policy to include more laptops and implemented additional physical safeguards. " 2011-04-16 NA 2011 284 "Drs Edalji and Komer" "MA" "" 563 "4/12/2011" "Theft" "Laptop" 2014-01-23 "" 2011-04-12 NA 2011 285 "Reid Hospital & Health Care Services" "IN" "" 22001 "4/2/2011" "Theft" "Laptop" 2014-01-23 "" 2011-04-02 NA 2011 286 "Union Security Insurance Company" "MO" "" 850 "3/24/2011" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2011-03-24 NA 2011 287 "Indiana Regional Medical Center" "PA" "" 1388 "9/28/2010" "Theft" "Paper" 2014-01-23 "" 2010-09-28 NA 2010 288 "MMM Healthcare, Inc." 
"PR" "" 32390 "3/8/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-03-08 NA 2011 289 "PMC Medicare Choice" "PR" "" 24361 "3/8/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-03-08 NA 2011 290 "CVS CAREMARK" "AZ" "" 654 "1/17/2011" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-04-23 "" 2011-01-17 NA 2011 291 "CENTER FOR ARTHRITIS & RHEUMATIC DISEASES" "FL" "" 8000 "1/1/2011" "Theft" "Other, Paper" 2014-01-23 "" 2011-01-01 NA 2011 292 "Robert B. Miller, MD" "CA" "" 620 "4/1/2011" "Theft" "Laptop" 2014-01-23 "" 2011-04-01 NA 2011 293 "Imaging Center of Garland" "TX" "" 1031 "3/15/2011" "Improper Disposal" "Other" 2014-01-23 "" 2011-03-15 NA 2011 294 "New York State Department of Health" "NY" "St. Mary's Hospital for Children" 550 "4/17/2011" "Theft" "Paper" 2014-06-03 "A bag containing 43 pages of protected health information (PHI) of 550 nursing home residents and an encrypted laptop computer were stolen from the vehicle of an employee of the covered entity's (CE) business associate (BA). The PHI included names, dates of birth, gender identities, names of the nursing homes, and Medicaid numbers. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media, and all affected individuals, as well as offering one year of free identity theft protection. Following OCR's investigation, the CE's BA terminated the employee and re-trained its staff on its privacy and security policies, including not leaving laptops in unoccupied vehicles. In addition, the CE reminded all contractors about the need to safeguard confidential information, and reviewed the BA's contractual obligations relating to safeguarding PHI. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2011-04-17 NA 2011 295 "St. 
Mary's Hospital for Children" "NY" "" 550 "4/17/2011" "Theft" "Paper" 2014-06-02 "A laptop computer containing the protected health information (PHI) of approximately 550 individuals was stolen from the vehicle of the business associate's (BA) workforce member. The PHI included names, dates of birth, gender identities, names of nursing homes, and Medicaid numbers of the covered entity's (CE) patients. Following the breach, the BA terminated the employee who was involved in the breach and provided credit monitoring services to the affected individuals. The BA also re-trained its staff. Following OCR's investigation, the CE and the BA reviewed the BA's contractual obligations relating to PHI during an in-person meeting. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2011-04-17 NA 2011 296 "Medicare Fee-for-Service Program" "MD" "Cahaba Government Benefit Administrators, LLC" 13412 "4/11/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-04-11 NA 2011 297 "VA Caribbean Healthcare System" "PR" "" 6006 "3/30/2011" "Theft" "Paper" 2014-06-19 "An employee of the covered entity (CE), VA Caribbean Healthcare System, left documents containing the protected health information (PHI) of 6,006 individuals in an unsecure bag at a nursing station. The PHI included names, social security numbers, patient care assignments, patient counts and patient census lists. Upon discovery of the breach, the CE secured the PHI and provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the CE disciplined and retrained the employee and implemented a procedure that nursing leadership is required to conduct rounds on wards once vacated. The CE also retrained all staff on its privacy and security policies and procedures." 
2011-03-30 NA 2011 298 "Blue Cross Blue Shield of Michigan" "MI" "Agent Benefits Corporation" 11387 "11/17/2010" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2010-11-17 NA 2010 299 "Spartanburg Regional Healthcare System" "SC" "" 400000 "3/28/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-03-28 NA 2011 300 "Saint Joseph - Berea" "KY" "" 1986 "4/14/2011" "Theft, Loss" "Other Portable Electronic Device, Other" 2014-04-23 "" 2011-04-14 NA 2011 301 "Navos" "WA" "" 2700 "3/15/2011" "Unknown" "Paper" 2014-01-23 "" 2011-03-15 NA 2011 302 "Dunes Family Health Care, P.C" "OR" "Lower Umpqua Hospital" 17000 "3/11/2011" "Theft" "Other Portable Electronic Device, Other" 2014-02-14 "" 2011-03-11 NA 2011 303 "Metropolitan Community Health Services, Inc." "NC" "" 1263 "5/18/2011" "Unknown" "E-mail" 2014-04-23 "" 2011-05-18 NA 2011 304 "TUBA CITY REGIONAL HEALTH CARE CORPORATION" "AZ" "" 2000 "4/1/2011" "Loss, Improper Disposal" "Paper" 2014-01-23 "" 2011-04-01 NA 2011 305 "FOOTHILLS NEPHROLOGY, PC" "SC" "" 1280 "4/28/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-04-28 NA 2011 306 "Sutter Gould Medical Foundation (SGMF)" "CA" "Fidelity National Technology Imaging (FNTI)" 1192 "5/23/2011" "Loss" "Paper" 2014-01-23 "" 2011-05-23 NA 2011 307 "Silverpop Systems Inc. Health and Welfare Plan" "GA" "" 884 "4/15/2011" "Theft" "Laptop" 2014-01-23 "" 2011-04-15 NA 2011 308 "New River Health Association" "WV" "" 950 "4/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-04-01 NA 2011 309 "HealthCare Partners" "CA" "" 15677 "4/17/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-04-17 NA 2011 310 "Gene S. J. Liaw, MD. 
PS" "WA" "" 1105 "4/4/2011" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-04-04 NA 2011 311 "Blue Cross and Blue Shield of Florida " "FL" "" 3463 "4/11/2011" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2011-04-11 NA 2011 312 "NOL, LLC d/b/a Premier Radiology" "TN" "" 810 "5/7/2011" "Theft" "Laptop" 2014-04-23 "" 2011-05-07 NA 2011 313 "Advanced Diagnostic Imaging, P.C." "TN" "" 705 "5/7/2011" "Theft" "Laptop" 2014-04-23 "" 2011-05-07 NA 2011 314 "University of Missouri Health Care" "MO" "" 1288 "6/14/2011" "Unknown" "Paper" 2014-01-23 "" 2011-06-14 NA 2011 315 "Accendo" "AZ" "" 175350 "1/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-01-01 NA 2011 316 "Ohio Health Plans" "OH" "Area Agency on Aging, Ohio District 5" 78042 "6/3/2011" "Theft" "Laptop" 2014-01-23 "" 2011-06-03 NA 2011 317 "Gail Gillespie and Associates, LLC" "LA" "" 2000 "6/25/2011" "Theft" "Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record" 2014-01-23 "" 2011-06-25 NA 2011 318 "Health Plan of San Mateo" "CA" "" 694 "4/25/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-04-25 NA 2011 319 "Department of Health Care Policy and Financing" "CO" "Department of Personnel and Administration" 3589 "5/6/2011" "Loss" "Other" 2014-02-14 "" 2011-05-06 NA 2011 320 "Yanez Dental Corporation" "CA" "" 10190 "5/22/2011" "Theft" "Desktop Computer, Network Server" 2014-01-23 "" 2011-05-22 NA 2011 321 "Jackson Health System" "FL" "" 1562 "10/1/2008" "Unauthorized Access/Disclosure" "Other, Electronic Medical Record" 2014-01-23 "" 2008-10-01 NA 2008 322 "The Mount Sinai Hospital" "NY" "" 712 "6/7/2011" "Theft" "Laptop" 2014-06-02 "Two unencrypted laptop computers containing the electronic protected health information (ePHI) of 712 individuals were stolen from the covered entity's (CE) office. 
The ePHI included names, dates of birth, social security numbers, diagnostic reports, and demographic information. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE improved physical security by installing an exit alarm lock and surveillance camera, and implementing a policy and procedure requiring managers to monitor inappropriate use of the facility's rear exit. The CE also inventoried its ePHI systems and adopted and implemented policies and procedures for workstation security, encryption, security awareness and training, electronic devices, and media controls." 2011-06-07 NA 2011 323 "Troy Regional Medical Center" "AL" "" 880 "3/22/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-03-22 NA 2011 324 "Lansing Community College" "MI" "AssureCare Risk Management" 5000 "5/9/2011" "Hacking/IT Incident" "Network Server" 2014-03-24 "" 2011-05-09 NA 2011 325 "Dr Axel Velez" "PR" "" 2800 "6/19/2011" "Theft" "Desktop Computer" 2014-03-13 "" 2011-06-19 NA 2011 326 " DeKalb Medical Center, Inc. d/b/a DeKalb Medical Hillandale" "GA" "" 7500 "7/11/2010" "Theft" "Paper" 2014-01-23 "" 2010-07-11 NA 2010 327 "Beth Israel Deaconess Medical Center" "MA" "" 2021 "4/17/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-04-17 NA 2011 328 "Gypsum Management and Supply, Inc. Medical and Dental Plan" "GA" "Assurecare Risk Management, Inc." 
25330 "5/9/2011" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-05-09 NA 2011 329 "Andersen Air Force Base, Guam" "VA" "" 700 "5/13/2011" "Improper Disposal" "Paper" 2014-01-23 "" 2011-05-13 NA 2011 330 "Molina Medicare" "CA" "RxAmerica, a subsidiary of CVS Caremark" 4573 "1/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-01-01 NA 2011 331 "Windsor Health Plan" "TN" "RxAmerica LLC" 1378 "3/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-03-01 NA 2011 332 "Health Care Service Corporation" "IL" "" 501 "6/28/2011" "Theft" "Paper" 2014-01-23 "" 2011-06-28 NA 2011 333 "University of Kentucky - UK HealthCare" "KY" "" 3604 "6/7/2011" "Theft" "Laptop" 2014-04-23 "" 2011-06-07 NA 2011 334 "Austin Center for Therapy and Assessment, LLC" "TX" "" 1870 "7/8/2011" "Theft" "Laptop" 2014-04-24 "An unencrypted laptop, containing the electronic protected health information (ePHI) of 1,870 individuals, was stolen from the covered entity's (CE) office. The ePHI involved includes clinical evaluation reports, test results, patient names, addresses, phone numbers, and social security numbers. Upon discovery of the breach, the CE notified affected individuals, OCR and the media. Following OCR's investigation, the CE revised its HIPAA policies and procedures, implemented additional physical safeguards in its facility and installed encryption software." 2011-07-08 NA 2011 335 "Treatment Services Northwest" "OR" "" 1200 "7/8/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-07-08 NA 2011 336 "Mills-Peninsula Health Services" "CA" "" 1500 "11/1/2009" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2009-11-01 NA 2009 337 "Brigham and Women's Hospital and Faulkner Hospital " "MA" "" 638 "6/21/2011" "Theft" "Other Portable Electronic Device" 2014-06-30 "A covered entity's (CE) workforce member lost an external hard drive containing the electronic protected health information (ePHI) of 638 individuals while traveling. 
The external hard drive included names, medical record numbers, dates of admission, medications, diagnoses, and treatment information. The CE notified HHS, the media, and all individuals affected regarding the breach and provided individuals with identity protection services. Following the breach, the CE sanctioned the workforce member involved and retrained the workforce member and division staff on safeguards for ePHI. In addition, the CE established a mitigation workgroup to review policies and procedures regarding the protection of ePHI and created a new external hard drive encryption policy. OCR obtained assurances that the CE implemented the corrective action listed above." 2011-06-21 NA 2011 338 "Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan " "IN" "AssureCare Risk Management, Inc." 506 "5/9/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-05-09 NA 2011 339 "Monmouth Medical Center" "NJ" "MedAssets" 6443 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,443 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Monmouth Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. 
In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 NA 2011 340 "Clara Maass Medical Center" "NJ" "Med Assets" 8795 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 8,795 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Clara Maass Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. 
OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 NA 2011 341 "Newark Beth Israel Medical Center" "NJ" "MedAssets" 15015 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 15,015 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Newark Beth Israel Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
" 2011-06-24 NA 2011 342 "Saint Barnabas Medical Center" "NJ" "MedAssets" 6179 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,179 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Saint Barnabas Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 NA 2011 343 "Washington State Department of Social and Health Services" "WA" "" 3950 "7/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-07-01 NA 2011 344 "St. Francis Hospital" "DE" "" 948 "6/1/2011" "Loss" "Other Portable Electronic Device, Other" 2014-06-10 "" 2011-06-01 NA 2011 345 "Reznick Group, P.C." 
"MD" "Assure Care Risk Management" 2459 "5/9/2011" "Hacking/IT Incident" "Network Server" 2014-03-25 "" 2011-05-09 NA 2011 346 "The Neurological Institute of Savannah & Center for Spine" "GA" "" 63425 "7/2/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-07-02 NA 2011 347 "Kimball Medical Center" "NJ" "MedAssets" 6785 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,785 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Kimball Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. 
" 2011-06-24 NA 2011 348 "Community Medical Center" "NJ" "MedAssets" 6950 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-06-19 "An unencrypted hard drive containing the electronic protected health information (ePHI) of 6,950 individuals was stolen from an employee of the covered entity's (CE) business associate (BA), MedAssets. The ePHI included names, dates of birth, social security number, account numbers, medical record numbers, charges incurred, amounts paid, admission and discharge dates, and information regarding health insurance and eligibility for applicable governmental benefit programs. Upon discovery of the breach, the CE, Community Medical Center, filed a police report, provided breach notification to HHS, the media, and affected individuals, and posted substitute notification on its website. As a result of OCR's investigation, the BA retrained the employee, instructed all employees to stop using any type of external storage device that contains ePHI, and recalled and destroyed all unencrypted external hard drives that contained ePHI. In addition, the BA improved technical safeguards by encrypting external hard drives and installing a new software system that monitors, controls and encrypts data leaving the BA's computers. The BA also hired an IT security analyst to supplement its security program. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-06-24 NA 2011 349 "American Health Medicare " "PR" "Accuprint " 5848 "6/1/2011" "Theft" "Other" 2014-06-03 "The covered entity's (CE) business associate (BA) erroneously sent explanation of benefits letters (EOBs) containing the protected health information (PHI) of 5,848 individuals to other individuals. 
The PHI included names, addresses, current procedural terminology codes (CPT), explanations of CPT codes, providers' names, and dates of service. Upon discovery of the breach, the CE provided notice to the individuals affected by the breach but did not notify the media. As a result of OCR's investigation, OCR provided technical assistance regarding the requirements of the Breach Notification Rule to the CE and the CE published a media notice. In addition, the CE developed policies and procedures requiring quality control checks on the BA. In addition, the BA adopted a new software system that validates the contents of the EOBs prior to mailing. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use of PHI and required the BA to safeguard all PHI." 2011-06-01 NA 2011 350 "Texas Health Presbtyerian Hospital Flower Mound" "TX" "Texas Health Partners" 10345 "6/21/2011" "Theft" "Laptop" 2014-01-23 "" 2011-06-21 NA 2011 351 "Capron Rescue Squad District" "IL" "" 815 "2/5/2011" "Unauthorized Access/Disclosure" "Laptop" 2014-01-23 "" 2011-02-05 NA 2011 352 "Cook County Health & Hospitals System" "IL" "MedAssets" 32008 "6/24/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-06-24 NA 2011 353 "Lexington VAMC" "KY" "" 1432 "5/23/2011" "Theft" "Laptop, Other Portable Electronic Device, Paper" 2014-06-03 "The covered entity's (CE) workforce member impermissibly stored the protected health information (PHI) of 1,432 individuals in a personal computer and other portable electronic media in order to conduct research. The PHI included social security numbers, names, initials, ages, and diagnoses. Additional PHI was found in the workforce member's residence. The CE provided breach notification to a total of 1,890 affected individuals and HHS. Following the breach, the responsible workforce member is no longer employed by the CE. 
OCR opened a compliance review of VA Medical Centers and is consolidating the investigation of this incident into the compliance review. " 2011-05-23 NA 2011 354 "Dr. Victoria Falcone, Falcone Cosmetic Services, PC, Falcone Cosmetic Services of NJ, PC" "PA" "SpaMed Solutions, LLC, Edward McMenamin President," 3000 "8/14/2011" "Theft, Unauthorized Access/Disclosure" "Laptop, Desktop Computer, Network Server, E-mail, Other Portable Electronic Device, Other, Electronic Medical Record, Paper" 2014-06-10 "" 2011-08-14 NA 2011 355 "HEALTH RESEARCH INSTITUTE, INC., PFEIFFER TREATMENT CENTER" "IL" "" 2000 "7/1/2011" "Theft" "Desktop Computer, Network Server" 2014-01-23 "" 2011-07-01 NA 2011 356 "Stanford Hospital & Clinics" "CA" "Multi-Speciality Collection Services, LLC" 19651 "9/9/2010" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2010-09-09 NA 2010 357 "Muir Orthopaedic Specialists, A Medical Group Inc." "CA" "" 1800 "7/27/2011" "Theft" "Paper" 2014-01-23 "" 2011-07-27 NA 2011 358 "NEA Baptist Clinic" "AR" "" 3116 "7/12/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-07-12 NA 2011 359 "Jonathan Noel MD" "IN" "" 2059 "7/13/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-07-13 NA 2011 360 "Texas Health and Human Services Commission" "TX" "" 1696 "3/10/2011" "Theft" "Laptop" 2014-01-23 "An unencrypted laptop was stolen from an employee's vehicle. The laptop contained the ePHI of 1,696 patients. The information at issue included patient names, dates of birth, gender, Medicaid identification numbers, procedure codes and diagnosis. Following discovery of the breach, the CE notified affected patients and notified the media. Following the breach, the CE confirmed encryption of laptops per CE's policy and sanctioned three involved employees. 
" 2011-03-10 NA 2011 361 "University of Wisconsin Oshkosh" "WI" "Living Healthy Community Clinic" 3000 "7/18/2011" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2011-07-18 NA 2011 362 "Centro de Ortodoncia Inc." "PR" "" 2000 "5/6/2010" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), Dr. Pedro Valentin, after it reported boxes containing the protected health information (PHI) of 2,000 individuals were moved from the CE's office. The PHI included names, account numbers, responsible party in charge of account, and method of payment. OCR's investigation revealed that the individual who removed the PHI was the CE's wife and business partner. The CE advised OCR that he knew his wife/partner was removing the boxes for the purpose of ascertaining the amount of monies the CE was receiving and that he is in the process of dissolving the partnership. OCR concluded that the actions alleged in the breach report did not amount to a breach." 2010-05-06 NA 2010 363 "John T. Melvin, M.D.& Associates" "TX" "" 2541 "8/9/2011" "Theft" "Paper" 2014-03-13 "" 2011-08-09 NA 2011 364 "Diversified Resources, Inc." "GA" "" 863 "8/11/2011" "Theft" "Laptop" 2014-01-23 "" 2011-08-11 NA 2011 365 "VA Gulf Coast Veterans Health Care System" "MS" "" 1797 "7/21/2011" "Theft" "Paper" 2014-06-20 "The covered entity (CE), U.S. Department of Veterans Affairs (VA), Gulf Coast Veterans Health Care System, Biloxi Veterans Affairs Medical Center (Biloxi VAMC) reported that the office of an employee was vandalized. Paper files were found on the office floor, and the protected health information (PHI) of approximately 1,814 individuals was compromised. The PHI included full names, social security numbers, dates of birth, and medical diagnoses. The CE provided breach notification to HHS, the media and affected individuals. 
Following the breach, VA police at the facility reviewed procedures and continued foot patrols to ensure office doors are locked during non-business hours. The CE provided additional training to workforce members of the affected department on its physical security policies and procedures to improve safeguards for PHI. OCR obtained assurances that the CE implemented the corrective action listed above. " 2011-07-21 NA 2011 366 "Freda J Bowman MD PA" "TX" "" 1300 "9/20/2011" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-09-20 NA 2011 367 "Bonney Lake Medical Center and Mythili R. Ramachandran, MD" "WA" "" 2367 "8/12/2011" "Theft" "Laptop, Desktop Computer" 2014-02-14 "" 2011-08-12 NA 2011 368 "United States Steel Corporation Plan for Active Employee Insurance Benefits and the United States Steel Corporation Plan for Retiree Insurance Benefits" "PA" "Benefits Administration Services, Inc." 4000 "8/15/2011" "Loss" "Other Portable Electronic Device, Other" 2014-03-24 "" 2011-08-15 NA 2011 369 "VA Illiana Health Care System" "IL" "" 518 "7/14/2011" "Loss" "Paper" 2014-01-23 "" 2011-07-14 NA 2011 370 "Health Texas Provider Network" "TX" "" 1259 "7/27/2011" "Theft" "Laptop" 2014-03-13 "" 2011-07-27 NA 2011 371 "Blue Cross of Northeastern Pennsylvania" "PA" "AllOne Health Management Solutions, Inc." 507 "9/9/2011" "Theft, Unauthorized Access/Disclosure" "Laptop, Paper" 2014-03-24 "" 2011-09-09 NA 2011 372 "NYU Hospital for Joint Diseases Inventory Management Department" "NY" "" 2600 "6/23/2011" "Theft" "Paper" 2014-06-20 "A box containing 2,600 paper records of tissue implants used in surgeries was discarded by a waste disposal contractor of the covered entity (CE), NYU Hospital for Joint Diseases Inventory Management Department, when the box was not properly secured.
The box contained the protected health information (PHI) of 2,239 individuals and included names, dates of birth, dates of surgery, surgeon names, procedures, and types and serial numbers of the tissues used in the surgeries. Upon discovery of the breach, the CE contacted the waste disposal contractor and determined that the documents were discarded and buried in a landfill out of state. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. As a result of OCR's investigation, the CE improved safeguards by storing all tissue records in a locked cabinet and requiring management to store the keys. In addition, the CE counseled the employees involved in the incident and retrained all staff on its policies and procedures for safeguarding PHI. The CE also implemented a plan to conduct reviews of HIPAA compliance, including both physical access and physical security risks." 2011-06-23 NA 2011 373 "WAYNE HIGHLANDS SCHOOL DISTRICT" "PA" "FIRST PRIORITY LIFE INSURANCE COMPANY" 579 "9/9/2011" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-06-10 "" 2011-09-09 NA 2011 374 "Summit Medical Group, PLLC" "TN" "" 731 "9/4/2011" "Theft" "Paper" 2014-01-23 "" 2011-09-04 NA 2011 375 "MAPFRE Life" "PR" "" 2209 "8/5/2011" "Theft" "Other" 2014-03-13 "" 2011-08-05 NA 2011 376 "American Continental Insurance Company" "TN" "Futurity First Insurance Group" 690 "7/28/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-07-28 NA 2011 377 "United of Omaha Life Insurance Company" "NE" "Futurity First Insurance Group" 1631 "7/28/2011" "Loss" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-07-28 NA 2011 378 "Mutual of Omaha Insurance Company" "NE" "Futurity First Insurance Group" 705 "7/28/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-07-28 NA 2011 379 "Henry Ford Health System" "MI" "" 520 "8/8/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-08-08 NA 
2011 380 "Indiana University" "IN" "" 3266 "8/16/2011" "Theft" "Laptop" 2014-01-23 "" 2011-08-16 NA 2011 381 "Adult & Pediatric Dermatology, PC" "MA" "" 2200 "9/14/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-09-14 NA 2011 382 "The Nemours Foundation" "FL" "" 1055489 "8/10/2011" "Loss" "Other" 2014-01-23 "" 2011-08-10 NA 2011 383 "California Industrial Medicine, Inc." "CA" "Thomas J O'Laughlin, MD" 700 "9/28/2011" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-02-14 "" 2011-09-28 NA 2011 384 "InStep Foot Clinic, P.A." "MN" "" 2600 "8/28/2011" "Theft" "Laptop, Electronic Medical Record" 2014-01-23 "" 2011-08-28 NA 2011 385 "North Memorial" "MN" "Accretive Health, Inc" 6697 "7/25/2011" "Theft" "Laptop" 2014-01-23 "" 2011-07-25 NA 2011 386 "Lahey Clinic Hospital, Inc." "MA" "" 599 "8/12/2011" "Theft" "Laptop" 2014-03-13 "" 2011-08-12 NA 2011 387 "UnitedHealth Group health plan single affiliated covered entity" "MN" "Futurity First Insurance Group" 3994 "7/28/2011" "Theft" "Other" 2014-01-23 "" 2011-07-28 NA 2011 388 "Good Samaritan Hospital" "MD" "" 1500 "9/9/2011" "Theft" "Paper" 2014-01-23 "" 2011-09-09 NA 2011 389 "Amerigroup Community Care of New Mexico, Inc" "NM" "" 1537 "7/15/2011" "Theft" "Paper" 2014-01-23 "" 2011-07-15 NA 2011 390 "Florida Hospital" "FL" "" 12784 "8/10/2011" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-02-19 "" 2011-08-10 NA 2011 391 "Thomas Jefferson University Hospitals, Inc." "PA" "" 3150 "9/6/2011" "Theft" "Other" 2014-01-23 "" 2011-09-06 NA 2011 392 "Lankenau Medical Center" "PA" "" 500 "9/6/2011" "Theft" "Other" 2014-01-23 "" 2011-09-06 NA 2011 393 "Spectrum Health Ssytems, Inc. " "MA" "" 14750 "8/24/2011" "Theft" "Desktop Computer" 2014-03-13 "" 2011-08-24 NA 2011 394 "Conway Regional Medical Center" "AR" "" 1472 "8/24/2011" "Loss" "Other" 2014-01-23 "" 2011-08-24 NA 2011 395 "Concordia Plan Services" "MO" "HITS Scanning Solutions, Inc." 
7059 "5/10/2011" "Loss" "Other" 2014-01-23 "" 2011-05-10 NA 2011 396 "Stone Oak Urgent Care & Family Practice" "TX" "Stone Oak Urgent Care & Family Practice" 6672 "10/23/2011" "Theft, Loss" "Desktop Computer" 2014-01-23 "" 2011-10-23 NA 2011 397 "Indiana University School of Optometry" "IN" "" 757 "8/12/2011" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-08-12 NA 2011 398 "Brevard Emergency Services, P.A." "FL" "" 2200 "8/26/2011" "Theft" "Paper" 2014-04-23 "" 2011-08-26 NA 2011 399 "Georgetown University Hospital" "DC" "" 1526 "9/9/2011" "Loss" "Other Portable Electronic Device, Other" 2014-03-24 "" 2011-09-09 NA 2011 400 "Morris Heights Health Center" "NY" "" 927 "8/27/2011" "Theft" "Laptop" 2014-06-03 "An unencrypted laptop computer containing the electronic protected health information (ePHI) of 927 individuals was stolen from the covered entity's (CE) school based health center. The ePHI included names, dates of birth, sex, ethnicities, height, weight, body mass index data, complete physical examination information such as asthma and obesity information, health action plans, and enrollment dates. Upon discovery of the breach, the CE filed a police report to recover the stolen laptop. As a result of OCR's investigation, the CE purchased locks to physically secure its school health computers to the desks where the computers are located. In addition, the CE encrypted all portable devices' hard drives and installed software to track portable devices. The CE also retrained all staff on its policies and procedures for using and securing ePHI. " 2011-08-27 NA 2011 401 "network180" "MI" "Thresholds Inc." 1100 "9/16/2011" "Theft" "Paper" 2014-03-24 "" 2011-09-16 NA 2011 402 "Premier Imaging" "NC" "" 551 "9/14/2011" "Unknown" "Paper" 2014-01-23 "A newly hired employee impermissibly took patient registration documents home. The records taken included the protected health information of 551 patients.
The information at issue included names, addresses, birth dates, social security numbers, and driver's license numbers. As a result, the CE terminated the employee, provided notice to the affected individuals, amended registration procedures, implemented additional safeguards for such information, and offered identity theft protection to the affected individuals. " 2011-09-14 NA 2011 403 "The Good Samaritan Hospital of Cincinnati, Ohio" "OH" "Pitney Bowes Management Services, Inc." 1089 "9/3/2011" "Theft" "Desktop Computer" 2014-03-24 "" 2011-09-03 NA 2011 404 "Bethesda Hospital, Inc." "OH" "Pitney Bowes Management Services, Inc." 946 "9/3/2011" "Theft" "Desktop Computer" 2014-03-24 "" 2011-09-03 NA 2011 405 "Julie A. Kennedy, D.M.D., P.A." "FL" "" 2900 "9/30/2011" "Theft" "Network Server" 2014-01-23 "" 2011-09-30 NA 2011 406 "KCI USA, Inc." "TX" "" 567 "9/8/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-09-08 NA 2011 407 "Lebanon Internal Medicine Associates" "PA" "" 55000 "9/10/2011" "Improper Disposal" "Network Server" 2014-01-23 "" 2011-09-10 NA 2011 408 "St. Joseph Medical Center" "MD" "" 5000 "9/11/2011" "Theft" "Other, Paper" 2014-03-24 "" 2011-09-11 NA 2011 409 "TRICARE Management Activity (TMA)" "VA" "Science Applications International Corporation (SA" 4900000 "9/13/2011" "Loss" "Other" 2014-01-23 "" 2011-09-13 NA 2011 410 "UCLA Health System" "CA" "" 2761 "9/6/2011" "Theft" "Other Portable Electronic Device, Other" 2014-01-23 "" 2011-09-06 NA 2011 411 "Logan County Emergeny Ambulance Service Authority" "WV" "" 12563 "10/1/2011" "Theft, Loss" "Laptop" 2014-01-23 "" 2011-10-01 NA 2011 412 "Lawrence Memorial Hospital" "KS" "Mid Continent Credit Services, Inc." 
8275 "09/20/2011 - 10/28/2011" "Unauthorized Access/Disclosure, Other" "Other" 2014-04-23 "" 2011-09-20 2011-10-28 2011 413 "Sutter Medical Foundation" "AL" "" 943434 "10/15/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-10-15 NA 2011 414 "Medcenter One" "ND" "" 650 "10/21/2011" "Theft" "Laptop" 2014-01-23 "" 2011-10-21 NA 2011 415 "Dallas County Hospital District dba Parkland Health & Hospital System" "TX" "" 2464 "9/5/2011" "Unauthorized Access/Disclosure" "Electronic Medical Record, Paper" 2014-01-23 "" 2011-09-05 NA 2011 416 "University of Kentucky UK HealthCare" "KY" "" 878 "9/25/2011" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2011-09-25 NA 2011 417 "State of Tennessee Sponsored Group Health Plan" "TN" "" 1770 "10/6/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "An equipment operator at the state's postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers. As a result, the CE retrained the employee, submitted a breach report to HHS, provided notice to the affected individuals, notified the media, created a toll-free number for information regarding the incident, posted notice on its website, modified policies to remove the SSN on templates for future mailings, and offered identity theft protection to the affected individuals. Following the OCR investigation, the CE provided reviewed its policies and procedures to ensure adequate safeguards are in place. " 2011-10-06 NA 2011 418 "Cleveland Clinic Florida" "FL" "" 772 "10/3/2011" "Loss" "Other" 2014-04-23 "" 2011-10-03 NA 2011 419 "Jay C. 
Platt, DDS" "IN" "" 10705 "10/6/2011" "Theft" "Other" 2014-03-24 "" 2011-10-06 NA 2011 420 "Rite Aid Corporation " "PA" "" 2900 "10/7/2011" "Other" "Paper" 2014-01-23 "" 2011-10-07 NA 2011 421 "Advanced Occupational Medicine Specialists" "IL" "Blue Vantage Group" 7226 "10/12/2011" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-10-12 NA 2011 422 "Open MRI of Chicago" "IL" "Nation Wise Machine Buyers" 2000 "9/6/2011" "Improper Disposal" "Paper" 2014-01-23 "" 2011-09-06 NA 2011 423 "University of Nebraska Medical Center" "NE" "" 611 "11/15/2011" "Theft" "Paper" 2014-04-23 "" 2011-11-15 NA 2011 424 "Roberts S. Smith M.D. Inc." "GA" "" 17000 "10/17/2011" "Theft" "Laptop" 2014-01-23 "" 2011-10-17 NA 2011 425 "Paul C. Brown, MD, PS" "WA" "" 4693 "10/14/2011 - 10/17/2011" "Theft" "Other" 2014-02-14 "" 2011-10-14 2011-10-17 2011 426 "Molina Healthcare of California" "CA" "" 11081 "9/23/2009" "Other" "Paper" 2014-01-23 "" 2009-09-23 NA 2009 427 "Aegis Sciences Corporation" "TN" "" 2185 "11/22/2011" "Theft" "Laptop, Other Portable Electronic Device" 2014-04-23 "OCR opened an investigation of the covered entity (CE), Aegis Science Corp., after the CE reported that a laptop computer and unencrypted external hard drive containing the electronic protected health information (ePHI) of 2,185 individuals were stolen from a workforce member's vehicle. The ePHI included social security numbers, driver's license numbers, and other demographic information, as well as bank account information of fourteen individuals and credit card information of three individuals. Upon discovering the breach, the CE filed a police report and hired a private investigator to recover the stolen items. The CE also initiated plans to encrypt laptops, revise security procedures, retrain employees, and offer credit monitoring to affected individuals. 
As a result of OCR's investigation, the CE completed a security risk analysis and risk management report and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI. The CE also provided media notification in the two localities with greater than 500 individuals affected. Additionally, the CE encrypted all employee computers and removable media containing ePHI and retrained employees on the CE's confidentiality and security policies." 2011-11-22 NA 2011 428 "Soundpath Health, Inc" "WA" "" 7581 "11/22/2011" "Theft" "Laptop" 2014-02-14 "" 2011-11-22 NA 2011 429 "Concentra Health" "TX" "" 870 "11/30/2011" "Theft" "Laptop" 2014-01-23 "" 2011-11-30 NA 2011 430 "Sleep HealthCenters LLC" "MA" "" 2988 "11/23/2011" "Theft" "Laptop" 2014-03-13 "" 2011-11-23 NA 2011 431 "Smile Designs" "FL" "" 1670 "12/1/2011" "Theft" "Desktop Computer, Network Server" 2014-01-23 "" 2011-12-01 NA 2011 432 "PBH" "NC" "Alamance Caswell Local Management Entity" 50000 "11/15/2011" "Unauthorized Access/Disclosure, Other" "Network Server, E-mail" 2014-01-23 "" 2011-11-15 NA 2011 433 "CardioNet, Inc" "PA" "" 1300 "11/10/2011" "Theft" "Laptop" 2014-01-23 "" 2011-11-10 NA 2011 434 "MDwise, Inc." "IN" "RightNow Technologies" 2700 "2/10/2011" "Unauthorized Access/Disclosure" "Other" 2014-03-24 "" 2011-02-10 NA 2011 435 "Ford Motor Company" "MI" "WageWorks, Inc." 1700 "1/3/2012" "Other" "Paper" 2014-03-24 "" 2012-01-03 NA 2012 436 "Foundation Medical Partners" "NH" "" 771 "11/19/2011 - 12/01/2011" "Theft" "Paper" 2014-06-02 "Without permission from the covered entity (CE), an employee provided a list of patient's names to a local counseling center as the employee was leaving the CE to begin employment at the new counseling center in an attempt to coordinate care of the patients she was treating. The list, containing the PHI of approximately 771 individuals, included names, dates of birth, addresses, phone numbers, names of the insurance carriers, and facility codes. 
Following the disclosure, the CE provided breach notification to HHS, the media, and all individuals affected and sanctioned the former employee for violating its policies and procedures. The CE also changed its procedures for list management. The CE sent a reminder to all of its health care providers regarding the handling of PHI and made plans to provide HIPAA compliance information in a quality assurance newsletter." 2011-11-19 2011-12-01 2011 437 "Kansas Department on Aging" "KS" "" 7757 "1/11/2012" "Theft" "Laptop" 2014-01-23 "" 2012-01-11 NA 2012 438 "Delta Dental of California" "CA" "" 11646 "12/22/2011 - 12/23/2011" "Other" "Paper" 2014-01-23 "" 2011-12-22 2011-12-23 2011 439 "Muskogee Regional Medical Center" "OK" "" 844 "12/5/2011" "Loss" "Other" 2014-01-23 "" 2011-12-05 NA 2011 440 "Department of Medical Assistance Services" "VA" "ACS, Affiliated Computer Services, Inc., A Xerox Company" 1444 "11/02/2011 - 11/16/2011" "Unauthorized Access/Disclosure, Other" "Paper" 2014-01-23 "" 2011-11-02 2011-11-16 2011 441 "Oldendorf Medical Services, PLLC" "NY" "" 549 "1/17/2012" "Theft" "Laptop" 2014-06-02 "OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 549 individuals. The ePHI included names, dates of birth, diagnostic test results, and social security numbers. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE installed security cameras and new door locks and changed the codes to the outside entrance keypad lock. The CE also encrypted laptop computers. 
" 2012-01-17 NA 2012 442 "St.Vincent Physician Network" "IN" "" 1423 "12/01/2010-11/21/2011" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-03-24 "" 2010-12-01 2011-11-21 2010 443 "Flex Physical Therapy" "WA" "" 3100 "12/30/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-12-30 NA 2011 444 "Metro Community Provider Network" "CO" "" 3200 "12/5/2011" "Hacking/IT Incident, Other" "E-mail" 2014-01-23 "" 2011-12-05 NA 2011 445 "University of Miami " "FL" "" 1219 "11/24/2011" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2011-11-24 NA 2011 446 "UnitedHealth Group health plan single affiliated covered entity" "MN" "" 6678 "12/15/2011" "Other" "Paper" 2014-03-24 "" 2011-12-15 NA 2011 447 "Triumph, LLC" "NC" "" 2000 "12/13/2011" "Theft" "Laptop" 2014-01-23 "" 2011-12-13 NA 2011 448 "Fairview Health Services" "MN" "Accretive Health" 14000 "7/25/2011" "Theft" "Laptop" 2014-01-23 "" 2011-07-25 NA 2011 449 "Loma Linda University Medical Center (LLUMC)" "CA" "" 1366 "12/19/2011" "Other" "Paper" 2014-01-23 "" 2011-12-19 NA 2011 450 "Ford Motor Company Salaried Health Reimbursement Arrangement (HRA) Plan" "MI" "Affiliated Computer Services, Inc. (ACS, Inc.) A Xerox Company" 1700 "12/29/2011" "Other" "Other" 2014-03-24 "" 2011-12-29 NA 2011 451 "Medco Health Solutions, Inc." "NJ" "" 1287 "11/30/2011" "Theft" "Paper" 2014-06-20 " The covered entity (CE), Medco Health Solutions, mailed letters with incorrect addresses after a programming code in its mailing software caused corruption of its data. The mailing contained the protected health information (PHI) of 4,341 individuals and included names, medication name and prescription number. The CE provided breach notification to HHS, the media, and affected individuals. Upon discovery of the breach, the CE immediately ceased using the update to its mailing software system. 
As a result of OCR's investigation, the CE corrected the update to its mailing software system and established manual and automated quality control processes. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI. " 2011-11-30 NA 2011 452 "Lakeview Medical Center" "WI" "" 698 "1/4/2012" "Theft" "Laptop" 2014-01-23 "" 2012-01-04 NA 2012 453 "Goshen Health System, Inc." "IN" "" 660 "12/22/2011" "Hacking/IT Incident" "Other" 2014-01-23 "" 2011-12-22 NA 2011 454 "Georgetown University Hospital" "DC" "" 1549 "11/1/2011" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-11-01 NA 2011 455 "Motion Picture Industry Health Plans (MPI)" "CA" "" 703 "09/23/2009 - 12/02/2011" "Other" "Other" 2014-02-14 "" 2009-09-23 2011-12-02 2009 456 "Ochsner Health System" "LA" "" 2088 "1/19/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-01-19 NA 2012 457 "Applegate Valley Family Medicine" "OR" "Dr. Trandinh" 2300 "12/01/2011-12/17/2011" "Theft, Unauthorized Access/Disclosure" "Laptop" 2014-01-23 "" 2011-12-01 2011-12-17 2011 458 "CardioNet, Inc." "PA" "" 728 "12/29/2011" "Theft" "Laptop" 2014-01-23 "" 2011-12-29 NA 2011 459 "Presbyterian Healthcare Services" "NM" "Beth Barrett Consulting, LLC" 7000 "12/29/2011" "Theft" "Laptop" 2014-03-13 "" 2011-12-29 NA 2011 460 "Alliant Health Plans, Inc." "GA" "Catalyst Health Solutions, Inc." 632 "1/1/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2012-01-01 NA 2012 461 "FIRST MEDICAL CENTER, INC." "PR" "T&P CONSULTING, INC. D/B/A QUANTUM" 7706 "1/11/2012" "Theft" "Laptop" 2014-06-13 "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 7,706 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). 
The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and all individuals affected by the breach. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurances that the CE implemented the corrective action listed above and required two additional corrective actions. OCR identified the need for the CE to complete a risk assessment and implement certain security policies and procedures." 2012-01-11 NA 2012 462 "Lee Miller Rehabilitation Associates" "MD" "" 10480 "1/15/2012" "Theft" "Network Server" 2014-01-23 "" 2012-01-15 NA 2012 463 "Jeremaih J. Twomey, F.A.C.P., P.A." "TX" "Jeremaih J. Twomey, F.A.C.P., P.A." 2559 "12/31/2011" "Theft" "Other" 2014-01-23 "" 2011-12-31 NA 2011 464 "Anchorage Community Mental Health Services Inc." "AK" "" 2743 "12/20/2011 - 01/04/2012" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2011-12-20 2012-01-04 2011 465 "Robley Rex VA Medical Center " "KY" "" 1182 "1/9/2012" "Other" "Paper" 2014-01-23 "" 2012-01-09 NA 2012 466 "Indiana Internal Medicine Consultants" "IN" "" 20000 "2/11/2012" "Theft" "Laptop" 2014-06-24 "A laptop computer that contained the electronic protected health information (ePHI) of approximately 20,000 individuals was stolen from the covered entity's (CE) laboratory manager's office. The ePHI involved in the breach included patients' names, dates of birth, clinic identification numbers, and laboratory results. 
Following the breach, the CE reported the theft to the building management company. The management company investigated the theft and determined that cleaning personnel had stolen the laptop. The company reported that the patient information was not compromised, as the database could not be accessed without proprietary software and specialized assistance. As a result of OCR's investigation, physical security was improved by housing the replacement laptop in a locked drawer in a locked office with limited staff access. The CE also implemented a new policy prohibiting the storage of PHI on the laptop computer and updated additional policies and procedures to enhance safeguards for systems containing PHI. " 2012-02-11 NA 2012 467 "Policlinica La Familia IPA 343" "PR" "T & P Consulting, Inc. d/b/a Quantum Health Consulting" 5994 "1/11/2012" "Theft" "Laptop" 2014-06-03 "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 5,994 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls.
" 2012-01-11 NA 2012 468 "Servicios Medicos Integrados de Fajardo" "PR" "T & P Consulting, Inc. d/b/a Quantum Health Consulting" 10000 "1/11/2012" "Theft" "Laptop, Other Portable Electronic Device" 2014-04-23 "The covered entity (CE) filed a breach report with OCR after an external hard drive and laptop computer containing electronic protected health information (ePHI) of 39,609 individuals were stolen from the CE's Business Associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and the dates of the service. Immediately following the breach, the CE conducted a risk assessment, filed a breach report and provided OCR a copy of its BA agreement. Additionally, the CE notified all affected individuals of the breach and issued a press release. As a result of OCR's investigation, the CE required the BA to revise its security practices to include laptop encryption and restrictions on the use of portable media devices as outlined in the BA's newly developed security policies and procedures. " 2012-01-11 NA 2012 469 "Proveedores Aliados por tu SAlud" "PR" "Quantum Health Consulting" 4645 "1/12/2012" "Theft" "Laptop" 2014-06-20 "OCR opened an investigation of the covered entity (CE), First Proveedores Aliados Por Tu Salud, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 4,645 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to all individuals affected by the breach, HHS, and the media. 
As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. " 2012-01-12 NA 2012 470 "Centro de Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional" "PR" "T&P Consulting, INC. d/b/a Quantum Health Consulting" 27098 "1/11/2012" "Theft" "Laptop" 2014-06-20 "OCR opened an investigation of the covered entity (CE), Centro De Servicios de Cuidados Dirigidos, Inc. d/b/a Metro Salud grupo Profesional, after it reported an unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 27,098 individuals were stolen from a staff member of the CE's business associate (BA), Quantum Health. The ePHI included names, age, sex, social security numbers, medical services provided, diagnosis codes, and the dates of service. Upon discovery of the breach, the BA filed a police report and provided breach notification to the media, and all affected individuals. The CE provided breach notice to HHS. As a result of OCR's investigation, the CE had its BA conduct a risk analysis and implemented new security policies and procedures to ensure adequate safeguards to protect ePHI and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restricted the use of portable media devices. The CE also terminated its BA agreement with the BA. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 
2012-01-11 NA 2012 471 "Kern Medical Center " "CA" "" 1431 "2/25/2012" "Theft" "Paper" 2014-01-23 "" 2012-02-25 NA 2012 472 "William F. DeLuca Jr., M.D." "NY" "" 577 "1/16/2012" "Theft" "Laptop" 2014-06-02 "OCR opened an investigation of the covered entity (CE) after it reported two unencrypted laptops were stolen that contained the electronic protected health information (ePHI) of 577 individuals. The ePHI included names and pictures. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted its computers, changed the locks to a numbered key system, and installed a lock to secure portable devices in storage. In addition, the CE started using identification numbers instead of names on patients' files. The CE also revised its security policy and trained all staff on its policies." 2012-01-16 NA 2012 473 "Grupo Medico IPA -341" "PR" "Quantum Health Consulting" 7923 "1/11/2012" "Theft" "Laptop" 2014-06-20 "An unencrypted laptop computer and an external hard drive containing the electronic protected health information (ePHI) of 7,923 individuals were stolen from a staff member of the CE's business associate (BA). The ePHI included names, ages, gender, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report to recover the stolen items. The CE also provided breach notification to all affected individuals, HHS, and the media. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. The CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. 
" 2012-01-11 NA 2012 474 "Advanced Clinical Research Institute" "CA" "" 875 "1/26/2012" "Theft" "Paper" 2014-01-23 "" 2012-01-26 NA 2012 475 "Access Medical Group -IPA 344" "PR" "T&P Consulting, INC DBA Quantum HC" 7606 "1/11/2012" "Theft" "Laptop, Other Portable Electronic Device" 2014-06-13 "An unencrypted laptop computer and external hard drive containing the electronic protected health information (ePHI) of 39,609 individuals were stolen from a staff member of the covered entity's (CE) business associate (BA). The ePHI included names, ages, sex, social security numbers, medical services provided, diagnosis codes, and dates of service. Upon discovery of the breach, the CE filed a police report and provided breach notification to HHS, the media and all affected individuals. As a result of OCR's investigation, the CE had its BA conduct a risk analysis, implement new security policies and procedures to ensure adequate safeguards to protect ePHI, and retrain its employees. In addition, the CE also had its BA change its security practices to include encryption on all laptops and restrict the use of portable media devices. OCR obtained assurance that the CE implemented the corrective action listed above and required one additional corrective action. OCR identified the need for the CE to implement certain security policies, procedures and controls." 2012-01-11 NA 2012 476 "Georgia Health Sciences University" "GA" "" 513 "1/18/2012" "Theft" "Laptop" 2014-01-23 "" 2012-01-18 NA 2012 477 "Baylor Heart and Vascular Center, LLP" "TX" "" 1972 "1/26/2012" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2012-01-26 NA 2012 478 "Chicago Musculoskeletal Institute/Metro Orthopedics" "IL" "" 750 "12/31/2011" "Other" "Network Server" 2014-03-24 "" 2011-12-31 NA 2011 479 "Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company" "MA" "Caremark PCS Health, L.L.C. 
(formerly known as Caremark PCS Health, L.P.)" 3482 "01/17/2012-02/02/2012" "Other" "Paper" 2014-01-23 "" 2012-01-17 2012-02-02 2012 480 "Duke University Health System" "NC" "" 1370 "07/01/2008 - 11/30/2011" "Unauthorized Access/Disclosure" "Other" 2014-04-23 "" 2008-07-01 2011-11-30 2008 481 "St. Joseph's Medical Center" "CA" "" 712 "2/2/2012" "Theft" "Paper" 2014-01-23 "" 2012-02-02 NA 2012 482 "UnitedHealth Group health plan single affiliated covered entity" "MN" "" 3537 "6/28/2011" "Unauthorized Access/Disclosure" "Other" 2014-03-24 "" 2011-06-28 NA 2011 483 "CenterLight Healthcare" "NY" "" 642 "1/27/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2012-01-27 NA 2012 484 "Lake Granbury Medical Center" "TX" "" 502 "2/13/2012" "Theft" "Paper" 2014-01-23 "" 2012-02-13 NA 2012 485 "County of Wayne Department of Personnel/Human Resources Benefits Administration Division" "MI" "" 1229 "3/16/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-06-10 "" 2012-03-16 NA 2012 486 "St. Elizabeth's Medical Center" "MA" "" 6831 "2/1/2012" "Loss" "Paper" 2014-01-23 "" 2012-02-01 NA 2012 487 "The Neighborhood Christian Clinic" "AZ" "" 9565 "2/7/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-02-07 NA 2012 488 "AccentCare Home Health of California, Inc. 
Medicare # 057564 CA state License # 080000226" "CA" "" 1000 "04/20/2012 - 04/21/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2012-04-20 2012-04-21 2012 489 "Seton Health Plan" "TX" "HealthLOGIX" 555 "3/9/2012" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2012-03-09 NA 2012 490 "awklein a med corp" "CA" "David Charles Rish" 2000 "2/1/2011" "Theft" "Other" 2014-01-23 "" 2011-02-01 NA 2011 491 "Utah Department of Health" "UT" "Utah Department of Technology Services" 780000 "03/10/2012-04/02/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-03-10 2012-04-02 2012 492 "IU Medical Group" "IN" "" 1000 "4/11/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-04-11 NA 2012 493 "Rhinebeck Health Center/Center for Progressive Medicine" "NY" "" 6745 "11/15/2011-12/14/2011" "Theft" "Desktop Computer, Network Server" 2014-06-03 "The CE's network server and two local computers were hacked and compromised by a computer virus which resulted in the disclosure of electronic protected health information (ePHI) of 6,745 individuals. The ePHI included names, insurance numbers, diagnoses, medical histories, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE shut down all computer and email systems to prevent unauthorized access to its network and core files. In addition, the CE decommissioned the previously used server, deactivated the network router, disabled network access to ePHI, and discontinued the previously utilized backup. As a result of OCR's investigation, the CE deployed a new real-time firewall and intrusion detection system and implemented new measures for software management. In addition, the CE installed a new network server, deployed a new router with security subscription to actively monitor internal network traffic and external threat patterns, and implemented a centralized antivirus software system." 
2011-11-15 2011-12-14 2011 494 "Memorial Healthcare System" "FL" "" 9497 "08/01/2011 - 02/12/2012" "Other" "Other" 2014-01-23 "" 2011-08-01 2012-02-12 2011 495 "Roy E. Gondo, M.D." "WA" "" 2100 "2/21/2012" "Theft" "Desktop Computer, Electronic Medical Record" 2014-01-23 "" 2012-02-21 NA 2012 496 "DRD Management, Inc. D/B/A DRD Knoxville Medical Clinic - Central" "TX" "" 1000 "2/16/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-02-16 NA 2012 497 "Emory Healthcare" "GA" "" 315000 "02/07/2012 - 02/20/2012" "Unknown, Other" "Other" 2014-01-23 "" 2012-02-07 2012-02-20 2012 498 "Rex Smith, DPM -Rex Smith Podiatry " "OR" "" 20915 "2/19/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-02-19 NA 2012 499 "Desert AIDS Project" "CA" "" 4400 "4/12/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-04-12 NA 2012 500 "University of Arkansas for Medical Sciences" "AR" "" 7121 "2/15/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2012-02-15 NA 2012 501 "TLC DENTAL DANIA, LLC" "FL" "" 750 "4/23/2012" "Theft" "Paper" 2014-02-20 "" 2012-04-23 NA 2012 502 "South Carolina Department of Health and Human Services" "SC" "" 228435 "01/31/2012 - 04/02/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2012-01-31 2012-04-02 2012 503 "Oregon Health Authority" "OR" "" 550 "4/13/2012" "Theft" "Paper" 2014-04-23 "" 2012-04-13 NA 2012 504 "SHIELDS For Families " "CA" "" 961 "2/27/2012" "Theft" "Network Server" 2014-01-23 "" 2012-02-27 NA 2012 505 "Safe Ride Services, Inc" "AZ" "" 42000 "8/31/2011" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-08-31 NA 2011 506 "IntraCare North Hospital" "TX" "" 750 "03/15/2011 - 08/18/2011" "Theft" "Paper" 2014-01-23 "" 2011-03-15 2011-08-18 2011 507 "Oakland Vision Services, PC" "MI" "" 3000 "4/9/2012" "Hacking/IT Incident" "Network Server" 2014-03-24 "" 2012-04-09 NA 2012 508 "Stephen Haggard, DPM Podiatry " "WA" "" 1597 "3/4/2012" "Theft" "Network Server" 2014-01-23 "" 2012-03-04 NA 
2012 509 "Baptist Health System" "AL" "" 1655 "3/8/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-03-08 NA 2012 510 "University of Houston for UH College of Optometry" "TX" "" 7000 "02/22/2012-02/23/2012" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-02-22 2012-02-23 2012 511 "Rite Aid Store 1343" "WV" "" 2905 "3/26/2012" "Theft" "Paper" 2014-03-24 "" 2012-03-26 NA 2012 512 "Iowa Department of Human Services" "IA" "" 3000 "02/06/2012 - 03/14/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-02-06 2012-03-14 2012 513 "Hogan Services Inc. Health Care Premium Plan" "MO" "" 1134 "3/30/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2012-03-30 NA 2012 514 "Family HealthServices Minnesota, P.A." "MN" "" 4000 "3/30/2012" "Theft" "Laptop" 2014-06-10 "" 2012-03-30 NA 2012 515 "St. Mary Medical Center" "CA" "" 3900 "5/7/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-05-07 NA 2012 516 "Fairview Health Services" "MN" "Accretive Health" 623 "7/25/2011" "Theft" "Laptop" 2014-03-24 "" 2011-07-25 NA 2011 517 "Our Lady of the Lake Regional Medical Center" "LA" "" 17000 "3/16/2012" "Theft, Loss" "Laptop" 2014-01-23 "" 2012-03-16 NA 2012 518 "UnitedHealth Group health plan single affiliated covered entity" "MN" "" 19100 "06/28/2011 - 12/12/2011" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2011-06-28 2011-12-12 2011 519 "West Dermatology" "CA" "" 1900 "04/21/2012 - 04/22/2012" "Theft" "Other" 2014-01-23 "" 2012-04-21 2012-04-22 2012 520 "Duke University Health System" "NC" "" 591 "04/21/2004-02/16/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2004-04-21 2012-02-16 2004 521 "Luz Colon, DPM Podiatry " "FL" "" 1137 "3/20/2012" "Theft, Loss" "Laptop" 2014-01-23 "" 2012-03-20 NA 2012 522 "Ameritas Life Insurance Corp. 
" "NE" "" 3000 "3/21/2012" "Theft" "Laptop" 2014-01-23 "" 2012-03-21 NA 2012 523 "Children's Hospital Boston" "MA" "" 2159 "3/25/2012" "Theft" "Laptop" 2014-01-23 "" 2012-03-25 NA 2012 524 "Upper Valley Medical Center" "OH" "Data Image, Inc." 15000 "10/01/2010-03/21/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2010-10-01 2012-03-21 2010 525 "Physician's Automated Laboratory" "CA" "" 745 "03/23/2012 - 03/26/2012" "Theft" "Paper" 2014-01-23 "" 2012-03-23 2012-03-26 2012 526 "Phoebe Putney Memorial Hospital, Inc. " "GA" "" 12937 "07/26/2010-03/29/2012" "Theft" "Electronic Medical Record, Paper" 2014-02-20 "" 2010-07-26 2012-03-29 2010 527 "Independence Physical Therapy" "CT" "" 925 "8/1/2011" "Theft" "Desktop Computer" 2014-01-23 "" 2011-08-01 NA 2011 528 "Titus Regional Medical Center" "TX" "" 5700 "3/27/2012" "Loss, Unknown" "Laptop" 2014-01-23 "" 2012-03-27 NA 2012 529 "Titus Regional Medical Center" "TX" "" 500 "3/29/2012" "Theft" "Other" 2014-01-23 "" 2012-03-29 NA 2012 530 "Lutheran Community Services Northwest" "WA" "" 756 "03/29/2012-03/30/2012" "Theft" "Desktop Computer, Other Portable Electronic Device" 2014-01-23 "" 2012-03-29 2012-03-30 2012 531 "Volunteer State Health Plan, Inc. " "TN" "" 1102 "03/16/2012-04/20/2012" "Loss" "Paper" 2014-01-23 "" 2012-03-16 2012-04-20 2012 532 "Charlie Norwood VA Medical Center" "GA" "" 824 "3/30/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-03-30 NA 2012 533 "Mid America Health, Inc." "IN" "PrevMED" 1444 "4/6/2012" "Theft" "Laptop" 2014-01-23 "" 2012-04-06 NA 2012 534 "Metcare of Florida, Inc." 
"FL" "" 2557 "05/01/2012 - 05/02/2012" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2012-05-01 2012-05-02 2012 535 "Robert Witham, MD, FACP" "OR" "" 11136 "4/16/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-04-16 NA 2012 536 "Memorial Sloan-Kettering Cancer Center" "NY" "" 568 "08/13/2009-04/12/2012" "Theft" "E-mail, Other" 2014-06-03 "The covered entity's (CE) staff member disclosed an unencrypted Microsoft Excel graph to a non-covered entity physician who re-disclosed it to a medical education organization to be used in a presentation. In addition, the medical education organization posted the presentation slides on its website. The graph contained the protected health information (PHI) of 569 individuals and included names, telephone numbers, social security numbers, ages, cities and states of residence, medical record numbers, and clinical information. Upon discovery of the breach, the CE ensured that the information was removed from the website and deleted, sanctioned the workforce member responsible, and retrained its workforce on the use of a data loss prevention tool and the risks of embedded PHI. As a result of OCR's investigation, the CE provided OCR with evidence of its technical safeguards and security awareness initiatives and provided assurance that it implemented the corrective action listed above." 2009-08-13 2012-04-12 2009 537 "Gessler Clinic, P.A." "FL" "" 1409 "05/03/2012-05/04/2012" "Theft" "Paper" 2014-01-23 "" 2012-05-03 2012-05-04 2012 538 "University of Kentucky HealthCare" "KY" "" 4490 "5/1/2012" "Theft" "Laptop" 2014-01-23 "" 2012-05-01 NA 2012 539 "Wolf & Yun" "KY" "" 824 "4/24/2012" "Theft" "Laptop" 2014-01-23 "" 2012-04-24 NA 2012 540 "Karen Kietzman" "MT" "" 708 "4/22/2012" "Theft" "Laptop, Other Portable Electronic Device" 2014-03-21 "" 2012-04-22 NA 2012 541 "Bruce G. Peller, DMD, PA" "NC" "" 9953 "4/22/2012" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2012-04-22 NA 2012 542 "Sharon L. 
Rogers, Ph.D., ABPP" "TX" "" 585 "6/16/2012" "Theft" "Laptop" 2014-01-23 "" 2012-06-16 NA 2012 543 "Health Texas Provider Network - Cardiovascular Consultants of North Texas" "TX" "" 2462 "03/16/2012 - 05/11/2012" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2012-03-16 2012-05-11 2012 544 "SwedishAmerican Health System" "IL" "" 1500 "5/31/2012" "Theft" "Paper" 2014-03-24 "" 2012-05-31 NA 2012 545 "River Arch Dental" "CA" "Patterson Dental, Inc." 2533 "5/12/2012" "Loss, Unauthorized Access/Disclosure, Unknown" "Other Portable Electronic Device" 2014-01-23 "" 2012-05-12 NA 2012 546 "Hamner Square Dental " "CA" "Patterson Dental, Inc" 1112 "5/12/2012" "Theft, Loss, Unauthorized Access/Disclosure, Unknown" "Other Portable Electronic Device" 2014-01-23 "" 2012-05-12 NA 2012 547 "Visiting Nurse Services of Iowa" "IA" "" 1298 "5/27/2012" "Theft" "Paper" 2014-01-23 "" 2012-05-27 NA 2012 548 "Molalla Family Dental" "OR" "" 4354 "5/17/2012" "Unauthorized Access/Disclosure, Hacking/IT Incident, Other" "Network Server" 2014-01-23 "" 2012-05-17 NA 2012 549 "Pamlico Medical Equipment LLC" "NC" "" 2917 "5/16/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-05-16 NA 2012 550 "Beth Israel Deaconess Medical Center" "MA" "" 3900 "5/22/2012" "Theft" "Laptop" 2014-01-23 "" 2012-05-22 NA 2012 551 "NYU School of Medicine Faculty Group Practice" "NY" "" 8488 "5/22/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-05-22 NA 2012 552 "Adult & Child Center, Inc." "IN" "Choices, Inc." 550 "5/10/2012" "Hacking/IT Incident" "Other" 2014-01-23 "" 2012-05-10 NA 2012 553 "The Surgeons of Lake County, LLC" "IL" "" 7067 "06/22/2012-06/25/2012" "Other" "Network Server" 2014-01-23 "" 2012-06-22 2012-06-25 2012 554 "Kindred Healthcare Inc d/b/a Kindred Transitional Care and Rehabilitation-Sellersburg" "IN" "" 1504 "06/01/2012-06/04/2012" "Theft" "Other" 2014-01-23 "" 2012-06-01 2012-06-04 2012 555 "Jeffrey Paul Edelstein M.D." 
"AZ" "" 4800 "5/28/2012" "Theft" "Network Server" 2014-01-23 "" 2012-05-28 NA 2012 556 "Northwestern Memorial Hospital" "IL" "" 4211 "6/11/2012" "Theft" "Laptop, Other Portable Electronic Device" 2014-01-23 "" 2012-06-11 NA 2012 557 "Walgreen Co." "IL" "" 1240 "7/5/2012" "Theft" "Paper" 2014-01-23 "" 2012-07-05 NA 2012 558 "VNA HealthCare" "CT" "EMC" 7461 "6/25/2012" "Theft" "Laptop" 2014-02-19 "" 2012-06-25 NA 2012 559 "Hartford Hospital" "CT" "EMC" 2097 "6/25/2012" "Theft" "Laptop" 2014-04-23 "" 2012-06-25 NA 2012 560 "Diversified Support Services" "IN" "Choices, Inc." 505 "5/10/2012" "Hacking/IT Incident" "Other" 2014-01-23 "" 2012-05-10 NA 2012 561 "Oregon Health & Science University" "OR" "" 702 "7/4/2012" "Theft" "Other" 2014-01-23 "" 2012-07-04 NA 2012 562 "Stanford Hospital & Clinics and School of Medicine" "CA" "" 2300 "07/15/2012 - 07/16/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-07-15 2012-07-16 2012 563 "Midtown Mental Health Center" "IN" "CHOICES, Inc" 890 "5/10/2012" "Hacking/IT Incident" "Other" 2014-01-23 "" 2012-05-10 NA 2012 564 "Harris County Hospital District" "TX" "" 2875 "04/14/2008 - 02/28/2011" "Theft" "Electronic Medical Record, Paper" 2014-04-23 "" 2008-04-14 2011-02-28 2008 565 "Howard University Hospital" "DC" "Siemens Medical Solutions, USA" 66601 "1/25/2012" "Theft" "Laptop" 2014-01-23 "" 2012-01-25 NA 2012 566 "TEMPLE COMMUNITY HOSPITAL" "CA" "" 603 "7/3/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-07-03 NA 2012 567 "Memorial Healthcare System" "FL" "" 105646 "01/01/2011 - 07/05/2012" "Theft" "Electronic Medical Record" 2014-01-23 "" 2011-01-01 2012-07-05 2011 568 "Liberty Resources, Inc." "PA" "" 3183 "8/4/2012" "Theft" "Laptop" 2014-06-24 "An employee's personal laptop computer that contained the unencrypted electronic protected health information (ePHI) of 3,183 individuals was stolen from his vehicle. 
The ePHI involved in the breach included consumer names, identification numbers, diagnosis codes, base service unit numbers, service start and end dates, service names, procedure codes, service location identifiers, units authorized, units utilized, units cost, total authorization amounts, total utilized amounts, authorization dates, funding sources, provider names, and master provider index numbers. The CE timely notified all affected individuals, the media, and HHS, and offered assistance to consumers who wished to place fraud alerts on their consumer credit files. Following the breach, the CE created and implemented a new policy and procedure to improve safeguards. This policy prohibits downloading any PHI to a home computer or portable device, prohibits forwarding emails containing PHI to a personal account, cloud service, or unauthorized user, and requires full-disk encryption of agency laptops. OCR obtained assurances that the CE implemented the corrective action listed above. " 2012-08-04 NA 2012 569 "The University of Texas MD Anderson Cancer Center" "TX" "" 2264 "7/13/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-07-13 NA 2012 570 "Central States Southeast and Siouthwest Areas Health & Welfare Fund" "IL" "" 754 "7/31/2012" "Unauthorized Access/Disclosure, Other" "Paper" 2014-01-23 "" 2012-07-31 NA 2012 571 "LANA MEDICAL CARE" "FL" "" 500 "8/18/2012" "Theft" "Laptop" 2014-01-23 "" 2012-08-18 NA 2012 572 "Cancer Care Group, P.C." 
"IN" "" 55000 "7/19/2012" "Theft" "Other Portable Electronic Device" 2014-03-24 "" 2012-07-19 NA 2012 573 "Tricounty Behavioral Health Clinic" "GA" "" 4000 "8/26/2012" "Theft" "Laptop" 2014-01-23 "" 2012-08-26 NA 2012 574 "Sierra Plastic Surgery" "NV" "" 800 "08/19/2011-09/20/2011" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-08-19 2011-09-20 2011 575 "Charlotte Clark-Neitzel, MD" "WA" "" 942 "7/24/2012" "Theft" "Laptop" 2014-01-23 "" 2012-07-24 NA 2012 576 "University of Miami" "FL" "" 64846 "7/18/2012" "Unauthorized Access/Disclosure, Other" "Paper" 2014-01-23 "" 2012-07-18 NA 2012 577 "University of New Mexico Health Sciences Center" "NM" "" 2365 "5/21/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-05-21 NA 2012 578 "Valley Plastic Surgery, P.C." "VA" "" 4873 "7/15/2012" "Theft" "Other Portable Electronic Device" 2014-03-24 "" 2012-07-15 NA 2012 579 "Colon & Digestive Health Specialists" "AR" "Ecco Health, LLC" 5713 "7/16/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-07-16 NA 2012 580 "BHcare, Inc" "CT" "" 5827 "7/19/2012" "Theft" "Laptop, Other Portable Electronic Device" 2014-02-19 "" 2012-07-19 NA 2012 581 "The Feinstein Institute for Medical Research" "NY" "" 13000 "9/2/2012" "Theft" "Laptop" 2014-01-23 "" 2012-09-02 NA 2012 582 "St. Therese Medical Group, Inc" "CA" "" 3031 "7/22/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-07-22 NA 2012 583 "Cabinet for Health and Family Services, Department for Community Based Services (Protection and Permanency)" "KY" "" 2500 "7/20/2012" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2012-07-20 NA 2012 584 "Litton & Giddings Radiological Associates, P.C." "MO" "PST Services, Inc" 13074 "07/31/2012 - 08/02/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-07-31 2012-08-02 2012 585 "Apria Healthcare, Inc." "CA" "" 65700 "6/14/2012" "Theft" "Laptop" 2014-01-23 "" 2012-06-14 NA 2012 586 "Alexander J. Tikhtman, M.D." 
"KY" "" 2376 "8/15/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-08-15 NA 2012 587 "Gulf Coast Health Care Services Inc" "FL" "" 13000 "8/17/2012" "Theft, Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-08-17 NA 2012 588 "Blount Memorial Hospital, Inc" "TN" "" 27799 "8/25/2012" "Theft" "Laptop" 2014-01-23 "" 2012-08-25 NA 2012 589 "Alere Home Monitoring, Inc" "CA" "" 116506 "9/23/2012" "Theft" "Laptop" 2014-01-23 "" 2012-09-23 NA 2012 590 "Coastal home Respiratory, LLP" "GA" "" 3440 "10/4/2012" "Theft" "Other" 2014-01-23 "" 2012-10-04 NA 2012 591 " Philip P Corneliuson, DDS, INC." "CA" "" 980 "9/15/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-09-15 NA 2012 592 "First Step Counseling, Inc." "NJ" "" 638 "05/01/2011 - 08/05/2011" "Theft" "Paper" 2014-06-03 "Two of the covered entity's (CE) employees photocopied documents containing 638 patients' protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCR's investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff. " 2011-05-01 2011-08-05 2011 593 "Logan Community Resources, Inc." "IN" "" 2900 "8/24/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-08-24 NA 2012 594 "David DiGiallorenzo, D.M.D." 
"PA" "" 2600 "9/17/2012" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server, Electronic Medical Record" 2014-01-23 "" 2012-09-17 NA 2012 595 "CVS Caremark" "RI" "" 955 "8/13/2012" "Theft" "Paper" 2014-01-23 "" 2012-08-13 NA 2012 596 "Memorial Hospital" "OH" "" 500 "8/29/2012" "Improper Disposal" "Paper" 2014-03-24 "" 2012-08-29 NA 2012 597 "SURGICAL ASSOCIATES OF UTICA, PC" "NY" "QUANTERION SOLUTIONS INC" 1017 "9/18/2012" "Theft" "Network Server" 2014-06-20 "An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity's (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver's license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR's investigation, the CE executed a BA agreement. " 2012-09-18 NA 2012 598 "Illinois Department of Healthcare and Family Services" "IL" "University of Illinois, College of Nursing" 508 "8/31/2012" "Theft" "Paper" 2014-03-24 "" 2012-08-31 NA 2012 599 "Miami Beach Healthcare Group Ltd. 
dba Aventura Hospital and Medical Center" "FL" "" 2560 "01/01/2012 - 09/12/2012" "Theft" "Electronic Medical Record" 2014-01-23 "" 2012-01-01 2012-09-12 2012 600 "WYATT DENTAL GROUP, LLC" "LA" "" 10271 "11/04/2011 -04/15/2012" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2011-11-04 2012-04-15 2011 601 "Women & Infants Hospital of Rhode Island" "RI" "" 14004 "9/13/2012" "Loss" "Other" 2014-01-23 "" 2012-09-13 NA 2012 602 "Memorial Health System" "CO" "" 6262 "5/1/2012" "Loss" "Paper" 2014-01-23 "" 2012-05-01 NA 2012 603 "CHRISTUS St. John Hospital" "TX" "" 5748 "9/25/2012" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2012-09-25 NA 2012 604 "L.A. Care Health Plan" "CA" "" 18000 "09/17/2012-09/20/2012" "Other" "Other" 2014-01-23 "" 2012-09-17 2012-09-20 2012 605 "Hawaii State Department of Health, Adult Mental Health Division" "HI" "" 674 "9/25/2012" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2012-09-25 NA 2012 606 "Soundental Associates, PC" "CT" "" 14511 "9/24/2012" "Theft" "Other Portable Electronic Device" 2014-02-19 "" 2012-09-24 NA 2012 607 "Original Medicine Acupuncture & Wellness, LLC" "NM" "" 540 "09/07/2012 - 09/09/2012" "Theft" "Laptop" 2014-01-23 "" 2012-09-07 2012-09-09 2012 608 "Brigham and Women's Hospital" "MA" "" 615 "10/16/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-10-16 NA 2012 609 "St. Francis Health Network, aka Franciscan Alliance ACO" "IN" "Advantage Health Solutions, Inc." 2575 "10/19/2012" "Other" "Other" 2014-01-23 "" 2012-10-19 NA 2012 610 "James M. McGee, D.M.D., P.C." "GA" "" 1306 "09/19/2012 - 09/26/2012" "Theft" "Paper" 2014-01-23 "" 2012-09-19 2012-09-26 2012 611 "Robbins Eye Center PC" "CT" "" 1749 "10/7/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-10-07 NA 2012 612 "Advanced Data Processing, Inc." 
"FL" "" 10000 "06/15/2012 -10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 613 "Cuyahoga County Board of Developmental Disabilities" "OH" "" 613 "11/2/2012" "Theft" "Laptop" 2014-03-24 "" 2012-11-02 NA 2012 614 "Okaloosa County Public Safety" "FL" "Advanced Data Processing, Inc." 715 "06/15/2012 - 10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 615 "City of Covington Kentucky Fire Department " "KY" "Advanced Data Processing Inc" 1548 "06/15/2012-10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 616 "Northern Trust" "IL" "Blue Cross Blue Shield" 500 "9/13/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-03-24 "" 2012-09-13 NA 2012 617 "Vidant Pungo Hospital" "NC" "" 1100 "10/4/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-10-04 NA 2012 618 "County of San Bernardino Department of Public Heatlh" "CA" "" 1370 "09/28/2012 - 09/30/2012" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2012-09-28 2012-09-30 2012 619 "City of Overland Park Fire Department" "FL" "Advanced Data Processing, Inc." 911 "06/15/2012 - 10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 620 "Sumner County Emergency Medical Services" "TN" "Advanced Data Processing, Inc" 774 "06/15/2012 - 10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 621 "City of El Centro Fire Department" "CA" "ADPI-West" 1500 "10/1/2012" "Theft, Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2012-10-01 NA 2012 622 "Landmark Medical Center" "RI" "" 683 "10/1/2012" "Theft" "Laptop" 2014-01-23 "" 2012-10-01 NA 2012 623 "City of Atlanta/ Atlanta Fire Rescue Department" "GA" "Advanced Data Processing Inc." 
908 "06/15/2012-10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 624 "University of Virginia Medical Center" "VA" "" 1846 "10/5/2012" "Loss" "Other Portable Electronic Device" 2014-02-14 "" 2012-10-05 NA 2012 625 "Osceola County EMS " "FL" "Advanced Data Processing Inc" 949 "06/15/2012-10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 626 "Carolinas Medical Center - Randolph" "NC" "" 5600 "03/11/2012 - 10/08/2012" "Hacking/IT Incident" "E-mail" 2014-01-23 "" 2012-03-11 2012-10-08 2012 627 "Coastal Behavioral Healthcare, Inc." "FL" "" 4907 "4/11/2011" "Theft" "Paper" 2014-01-23 "" 2011-04-11 NA 2011 628 "CCS Medical, Inc." "TX" "" 6601 "05/01/2012 - 09/21/2012" "Unauthorized Access/Disclosure" "Network Server, Other" 2014-01-23 "" 2012-05-01 2012-09-21 2012 629 "City of Gloucester, Fire Department" "MA" "Advanced Data Processing, Inc." 1286 "06/15/2012-10/01/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-06-15 2012-10-01 2012 630 "Columbia University Medical Center and NewYork-Presbyterian Hospital" "NY" "" 4929 "10/12/2012-10/15/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-10-12 2012-10-15 2012 631 "Baptist Health System" "AR" "Health Advantage" 811 "10/13/2012-10/27/2012" "Other" "Paper" 2014-01-23 "" 2012-10-13 2012-10-27 2012 632 "DFA, Employee Benefits Division" "AR" "Health Advantage" 7039 "10/13/2012 - 10/27/2012" "Other" "Paper" 2014-01-23 "" 2012-10-13 2012-10-27 2012 633 "Health Advantage" "AR" "" 2863 "10/13/2012 - 10/27/2012" "Other" "Paper" 2014-01-23 "" 2012-10-13 2012-10-27 2012 634 "University of Michigan Health System" "MI" "Omnicell, Inc." 3999 "11/14/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-14 NA 2012 635 "Westerville Dental Center" "OH" "" 850 "12/2/2012" "Theft" "Laptop, Network Server" 2014-01-23 "" 2012-12-02 NA 2012 636 "OHP PHSP, Inc." 
"NY" "HealthPlus, Amerigroup" 28187 "08/31/2012 - 09/21/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2012-08-31 2012-09-21 2012 637 "Center for Orthopedic Research and Education, Inc." "AZ" "" 35488 "10/20/2012 - 10/21/2012" "Theft" "Paper" 2014-04-23 "" 2012-10-20 2012-10-21 2012 638 "Calif. Dept. of Health Care Services (DHCS)" "CA" "" 2643 "12/10/2012 - 12/18/2012" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2012-12-10 2012-12-18 2012 639 "Richard Switzer MD PC" "MI" "" 4100 "11/29/2011" "Other" "Laptop" 2014-03-24 "" 2011-11-29 NA 2011 640 "Gibson General Hospital" "IN" "" 28893 "11/27/2012" "Theft" "Laptop" 2014-03-24 "" 2012-11-27 NA 2012 641 "Sovereign Medical Group, LLC" "NJ" "" 27800 "10/10/2012" "Theft, Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-10-10 NA 2012 642 "Cabinet for Health & Family Services, Department of Medicaid Services" "KY" "HP Enterprise Services" 1090 "11/15/2012" "Hacking/IT Incident" "Laptop" 2014-01-23 "" 2012-11-15 NA 2012 643 "Harbor Medical Associates, P.C." "MA" "Clearpoint Design, Inc." 4343 "10/18/2012 - 11/04/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-10-18 2012-11-04 2012 644 "Sentara Healthcare" "VA" "Omnicell, Inc." 56820 "11/14/2012" "Theft" "Laptop" 2014-02-14 "" 2012-11-14 NA 2012 645 "St. Mark's Medical Center" "TX" "" 2988 "5/21/2012" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2012-05-21 NA 2012 646 "Group Health Incorporated" "NY" "" 1771 "11/13/2012" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), Group Health Insurance, after it reported that postcard reminders were sent to 1,771 subscribers. The protected health information (PHI) involved included social security numbers within a series of other numbers inscribed on the outside of the postcard. The CE provided breach notification to HHS, the media, and affected individuals, and posted substitute notice on its website. 
Upon discovery of the breach, the CE suspended its mailing in order to verify subscriber information to ensure pending and completed projects did not contain social security numbers. As a result of OCR's investigation, the CE modified its mailing procedures to prevent similar disclosures from recurring in the future and retrained staff on its modified mailing procedure. The CE provided affected individuals with a free one year subscription for credit monitoring. " 2012-11-13 NA 2012 647 "Calvin Schuster,MD" "CA" "" 532 "11/4/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-11-04 NA 2012 648 "Granite Medical Group, Inc." "MA" "Clearpoint Design, Inc." 4125 "01/02/2010 - 11/15/2012" "Hacking/IT Incident" "Network Server" 2014-02-19 "" 2010-01-02 2012-11-15 2010 649 "University of Nevada School of Medicine" "NV" "" 1483 "10/11/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-10-11 NA 2012 650 "Dimensions Healthcare System" "MD" "WorkflowOne" 635 "11/16/2012" "Unauthorized Access/Disclosure" "Paper" 2014-03-25 "" 2012-11-16 NA 2012 651 "SilverScript Insurance Company" "AZ" "" 852 "10/31/2012" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2012-10-31 NA 2012 652 "South Jersey Hospital Inc." "NJ" "Omnicell Inc." 8555 "11/14/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-14 NA 2012 653 "Child & Family Psychological Services, Inc." "MA" "Clearpoint Design, Inc." 7250 "10/18/2012-10/29/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-10-18 2012-10-29 2012 654 "Pousson Family Dentistry" "LA" "" 1400 "12/3/2012" "Theft" "Laptop" 2014-01-23 "" 2012-12-03 NA 2012 655 "South Shore Medical Center" "MA" "Clearpoint Design, Inc." 4100 "01/01/2007-11/15/2012" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2007-01-01 2012-11-15 2007 656 "Lee D. 
Pollan, DMD, PC" "NY" "" 19178 "11/06/2012-11/15/2012" "Theft" "Laptop" 2014-05-28 "OCR opened an investigation of the covered entity (CE) after it reported an unencrypted laptop was stolen that contained the electronic protected health information (ePHI) of 19,178 individuals. The ePHI included names, addresses, zip codes, dates of birth, social security numbers, claims information, and diagnosis codes. Upon discovery of the breach, the CE filed a police report to recover the stolen items. As a result of OCR's investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices." 2012-11-06 2012-11-15 2012 657 "Washington University School of Medicine" "MO" "" 1105 "11/28/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-28 NA 2012 658 "Riderwood Village" "MD" "" 3230 "11/18/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-18 NA 2012 659 "WAYNE MEMORIAL HOSPITAL" "PA" "" 1184 "12/3/2012" "Loss" "Other" 2014-03-24 "" 2012-12-03 NA 2012 660 "Baptist Health System" "TX" "" 678 "8/14/2011" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-03-13 "" 2011-08-14 NA 2011 661 "Baillie Lumber Co. Group Health Plan" "NY" "BlueCross BlueShield of Western New York" 725 "11/27/2012" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), Baillie Lumber Co. Group Health Plan, after it reported its business associate (BA), Blue Cross Blue Shield, mailed a monthly premium notice with invoices that contained the protected health information (PHI) of 725 individuals which was never received by the CE. The PHI included names, member identification numbers, and social security numbers. The CE provided breach notification to HHS and affected individuals. Upon discovery of the breach, the BA contacted the U.S. Post Office to inquire about the package that contained the invoices that the CE never received. 
As a result of OCR's investigation, the BA revised its invoice process and removed social security numbers and member identification numbers from its invoices. The BA also improved safeguards by changing its mailing procedures to send invoices to the CE via secure email. The breach involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI." 2012-11-27 NA 2012 662 "The University of Texas MD Anderson Cancer Center" "TX" "" 29021 "4/30/2012" "Theft" "Laptop" 2014-01-23 "" 2012-04-30 NA 2012 663 "Western Wisconsin Medical Association, S.C. - River Falls Medical Clinics" "WI" "" 2400 "05/30/2012-08/31/2012" "Theft" "Paper" 2014-03-24 "" 2012-05-30 2012-08-31 2012 664 "Boy Scouts of America Employee Benefit Plan" "TX" "RR Donnelley (a sub-BA for UnitedHealth Group)" 8911 "09/15/2012-11/30/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-09-15 2012-11-30 2012 665 "Kmart Corporation" "IL" "Kmart Pharmacy #7623" 16988 "1/2/2013" "Improper Disposal" "Paper" 2014-02-12 "" 2013-01-02 NA 2013 666 "Community Services NW" "AL" "" 2400 "12/6/2012" "Theft" "Desktop Computer" 2014-04-23 "" 2012-12-06 NA 2012 667 "American HomePatient Inc. " "TN" "LifeGas" 1103 "10/11/2012" "Theft" "Laptop" 2014-01-23 "" 2012-10-11 NA 2012 668 "Yadkinville Chiropractic DCPA" "NC" "Yadkinville Chiropractic DCPA" 1000 "2/1/2013" "Theft" "Desktop Computer" 2014-02-12 "" 2013-02-01 NA 2013 669 "Intervention Services, Inc." 
"FL" "" 1200 "1/19/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-19 NA 2013 670 "West Georgia Ambulance" "GA" "" 500 "12/13/2012" "Loss" "Laptop" 2014-01-23 "" 2012-12-13 NA 2012 671 "Center for Pain Management, LLC" "MD" "" 5822 "1/22/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-22 NA 2013 672 "Multiple Health Plans" "CA" "Coast Healthcare Management, LLC" 1368 "12/7/2013" "Theft, Other" "Paper" 2014-01-23 "" 2013-12-07 NA 2013 673 "Froedtert Health" "WI" "" 43549 "10/27/2012-12/13/2012" "Unauthorized Access/Disclosure" "Other" 2014-03-24 "" 2012-10-27 2012-12-13 2012 674 "Jackson Health System" "FL" "" 566 "05/26/2011 - 02/18/2012" "Other" "Paper" 2014-01-23 "" 2011-05-26 2012-02-18 2011 675 "Riderwood Village" "MD" "" 5270 "11/18/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-18 NA 2012 676 "Kindred Healthcare, Inc. d/b/a Kindred Transitional Care and Rehabilitation - Marl" "MA" "" 716 "12/15/2012-12/17/2012" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2012-12-15 2012-12-17 2012 677 "HomeCare of Mid-Missouri, Inc." "MO" "" 4027 "12/14/2012" "Theft" "Laptop" 2014-01-23 "" 2012-12-14 NA 2012 678 "Heyman HospiceCare at Floyd" "GA" "" 1819 "1/4/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-04 NA 2013 679 "Agency for Health Care Administration" "FL" "DentaQuest of Florida, Inc." 
1892 "11/01/2012 - 12/20/2012" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2012-11-01 2012-12-20 2012 680 "ABQ HealthPartners" "NM" "" 778 "12/20/2012" "Theft" "Laptop" 2014-01-23 "" 2012-12-20 NA 2012 681 "Terrell County Health Department" "GA" "" 18000 "01/09/2012 - 04/17/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2012-01-09 2012-04-17 2012 682 "Florida Healthy Kids Corporation" "FL" "DentaQuest of Florida, LLC" 3667 "11/01/2012-12/20/2012" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2012-11-01 2012-12-20 2012 683 "Stronghold Counseling Services Inc" "SD" "" 8500 "12/24/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-12-24 NA 2012 684 "Arizona Oncology" "AZ" "" 501 "11/21/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-21 NA 2012 685 "Crescent Health Inc. - a Walgreens Company" "CA" "" 109000 "12/28/2012" "Theft" "Desktop Computer" 2014-01-23 "" 2012-12-28 NA 2012 686 "County of San Bernardino, Department of Behavioral Health" "CA" "" 686 "1/12/2013" "Theft" "Paper" 2014-01-23 "" 2013-01-12 NA 2013 687 "WOMENS HEALTH ENTERPRISE, INC." "GA" "" 3000 "1/2/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-02 NA 2013 688 "The Brookdale University Hospital and Medical Center" "NY" "Standard Register" 2261 "8/11/2012" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), The Brookdale University Hospital and Medical Center, after it reported its business associate (BA), Standard Register, inadvertently mailed statements to 2,261 individuals using another affiliated CE's envelopes. The protected health information (PHI) included names, addresses and financial information. OCR provided technical assistance to the CE regarding safeguarding PHI." 
2012-08-11 NA 2012 689 "The Brookdale University Hospital and Medical Center" "NY" "Health Plus Amerigroup" 28187 "9/21/2012" "Theft" "Other Portable Electronic Device" 2014-06-20 "The covered entity's (CE) business associate (BA), Health Plus Amerigroup, mailed an unencrypted compact disk that contained the electronic protected health information (ePHI) of 28,187 individuals to the CE, The Brookdale University Hospital and Medical Center. OCR closed this breach report and consolidated into an existing breach report filed by OHP PHSP, Inc. regarding the same issues." 2012-09-21 NA 2012 690 "Ultra Stores, Inc." "IL" "Plexus Group" 500 "9/13/2012" "Unauthorized Access/Disclosure" "Other" 2014-03-24 "" 2012-09-13 NA 2012 691 "South Miami Hospital" "FL" "" 834 "6/1/2011" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2011-06-01 NA 2011 692 "Lancaster General Medical Group" "PA" "" 527 "2/5/2013" "Theft" "Paper" 2014-01-23 "" 2013-02-05 NA 2013 693 "Maine Medical Center" "ME" "" 1920 "2/27/2013" "Other" "E-mail" 2014-02-12 "" 2013-02-27 NA 2013 694 "State of California, Dept. of Developmental Services" "CA" "North Los Angeles County Regional Center " 18162 "11/10/2012" "Theft" "Laptop" 2014-01-23 "" 2012-11-10 NA 2012 695 "Utah Department of Health " "UT" "Goold Health System (Goold)" 6332 "01/10/2013-01/11/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-01-10 2013-01-11 2013 696 "Sports Rehabilitation Consultants" "OH" "" 1200 "2/1/2013" "Theft" "Desktop Computer" 2014-02-12 "" 2013-02-01 NA 2013 697 "University of Connecticut Health Center" "CT" "" 1382 "06/07/2010 - 12/07/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2010-06-07 2012-12-07 2010 698 "United HomeCare Services, Inc." "FL" "" 12299 "1/8/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-08 NA 2013 699 "United Home Care Services of Southwest Florida< LLC" "FL" "United HomeCare Services, Inc." 
1318 "1/8/2013" "Theft" "Laptop" 2014-01-23 "" 2013-01-08 NA 2013 700 "catoctin Dental/Richard B. Love, DDS, PA" "MD" "Patterson Dental Supply/Patterson Companies" 6400 "1/3/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-01-03 NA 2013 701 "Empire Blue Cross Blue Shield" "IN" "Connextions c/o Empire BCBS" 2608 "11/01/2011-10/01/2012" "Theft, Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-11-01 2012-10-01 2011 702 "Anthem Blue Cross Blue Shield (OH)" "IN" "Connextions c/o Anthem BCBS" 1678 "11/01/2011-10/01/2012" "Theft, Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-11-01 2012-10-01 2011 703 "Anthem Blue Cross Blue Shield (IN)" "IN" "Connextions c/o Anthem BCBS" 528 "11/01/2011-10/01/2012" "Theft, Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2011-11-01 2012-10-01 2011 704 "Mount Sinai Medical Center" "FL" "" 628 "10/01/2012 - 02/18/2013" "Theft" "Desktop Computer, Paper" 2014-01-23 "" 2012-10-01 2013-02-18 2012 705 "Thomas L. Davis, Jr. DDS" "OR" "" 3269 "2/12/2013" "Theft" "Desktop Computer, Electronic Medical Record" 2014-01-23 "" 2013-02-12 NA 2013 706 "HealthCare for Women, Inc." "MA" "" 8727 "01/18/2013-01/23/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-01-18 2013-01-23 2013 707 "University of Mississippi Medical Center" "MS" "" 500 "11/01/2012-01/19/2013" "Loss" "Laptop" 2014-01-23 "" 2012-11-01 2013-01-19 2012 708 "Granger Medical Clinic" "UT" "" 2600 "1/17/2013" "Theft, Loss, Other" "Paper" 2014-02-12 "" 2013-01-17 NA 2013 709 "Texas Tech Unversity Health Sciences Center" "TX" "" 697 "2/18/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-02-18 NA 2013 710 "Rite Aid #10217" "RI" "" 2082 "2/1/2013" "Unknown, Other" "Paper" 2014-02-12 "" 2013-02-01 NA 2013 711 "WA Department of Social and Health Services" "WA" "Sunil Kakar, Psy.D." 
629 "2/4/2013" "Theft" "Laptop" 2014-01-23 "" 2013-02-04 NA 2013 712 "Carpenters Health & Welfare Trust Fund for California" "CA" "QuickRunner, Inc. (dba, RoadRunner Mailing Services)" 2400 "03/11/2013-03/12/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-03-11 2013-03-12 2013 713 "Shands Jacksonville Medical Center, Inc." "FL" "" 1025 "05/02/2012-06/22/2012" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2012-05-02 2012-06-22 2012 714 "University of Florida" "FL" "" 14519 "03/01/2009 - 10/25/2012" "Theft, Unauthorized Access/Disclosure, Other" "Network Server" 2014-01-23 "" 2009-03-01 2012-10-25 2009 715 "Kmart Corporation" "IL" "" 12542 "3/17/2013" "Theft" "Electronic Medical Record" 2014-02-12 "" 2013-03-17 NA 2013 716 "GLENS FALLS HOSPITAL" "NY" "PORTAL HEALTHCARE SOLUTIONS LLC" 2360 "11/02/2012 - 03/14/2013" "Theft" "Network Server" 2014-06-03 "The covered entity's (CE) business associate (BA) operated a server containing the electronic protected health information (ePHI) of 2,360 individuals that was vulnerable to access by unauthorized persons for over four months. The ePHI included transcribed doctors' notes, which may have included medical diagnoses, clinical laboratory results, diagnostic imaging reports, emergency department records, and medication administration. Upon discovery of the breach, the CE engaged a computer forensic expert to investigate the incident and terminated the BA agreement. As a result of OCR's investigation, the CE ensured that its BA secured the server, verified that the server was no longer accessible from the Internet, and required the BA to return or destroy all of the CE's ePHI." 2012-11-02 2013-03-14 2012 717 "Hospice and Palliative Care Center of Alamance Caswell" "NC" "" 5370 "2/24/2013" "Theft, Unauthorized Access/Disclosure" "Laptop, Paper" 2014-01-23 "" 2013-02-24 NA 2013 718 "Texas Health Care, P.L.L.C." 
"TX" "" 554 "3/10/2013" "Theft" "Paper" 2014-01-23 "" 2013-03-10 NA 2013 719 "Network Health Insurance Corporation" "WI" "TMG Health " 3794 "2/27/2012" "Unauthorized Access/Disclosure" "Paper" 2014-03-24 "" 2012-02-27 NA 2012 720 "Wm. Jennings Bryan Dorn VAMC" "SC" "" 7405 "2/11/2013" "Loss" "Laptop" 2014-01-23 "" 2013-02-11 NA 2013 721 "John J. Pershing VA Medical Center" "MO" "" 589 "2/20/2013" "Theft" "Paper" 2014-06-20 "OCR opened an investigation of the covered entity (CE), John J. Pershing VA Medical Center, after the CE reported that its business associate (BA), Stress Laboratory, placed a box of unsecured protected health information (PHI) in an equipment storage room. The PHI included the names, social security numbers, diagnoses, and age of approximately 589 individuals. This breach incident involved a BA, and occurred prior to the September 23, 2013 compliance date. The BA employee involved in this matter separated from employment in 2012, and the BA was reorganized and has been incorporated into the CE. The CE provided breach notification to affected individuals, HHS, and the media. Substitute notification was provided through a posting on the CE's main website with a toll-free information number. The CE also offered one year of identity protection and credit monitoring services to affected individuals. As a result of this incident, the CE adopted a new policy that provides guidance to its staff regarding the handling of PHI. Additionally, the CE trained its employees on this new policy, and re-trained its employees on the Privacy, Security, and Breach Notification Rules. Finally, OCR obtained assurances that the CE implemented the corrective action listed above. 
" 2013-02-20 NA 2013 722 "Oregon Health & Science University" "OR" "" 1076 "2/22/2013" "Theft" "Laptop" 2014-01-23 "" 2013-02-22 NA 2013 723 "Schneck Medical Center" "IN" "" 3131 "3/14/2013" "Unauthorized Access/Disclosure" "Other" 2014-02-12 "" 2013-03-14 NA 2013 724 "The Guidance Center of Westchester" "NY" "" 1416 "2/21/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-02-21 NA 2013 725 "Hope Hospice" "TX" "" 818 "12/27/2012 - 02/22/2013" "Other" "E-mail" 2014-01-23 "" 2012-12-27 2013-02-22 2012 726 "IHC Health Services, Inc. dba Intermountain Life Flight" "UT" "" 857 "3/28/2013" "Unauthorized Access/Disclosure" "Other" 2014-02-12 "" 2013-03-28 NA 2013 727 "Valley Mental Health" "UT" "" 700 "2/27/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-02-27 NA 2013 728 "Delta Dental of Pennsylvania" "PA" "ZDI" 14829 "3/20/2013" "Loss" "Paper" 2014-01-23 "" 2013-03-20 NA 2013 729 "Raleigh Orthopaedic Clinic" "NC" "" 17300 "1/15/2013" "Theft, Improper Disposal, Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-01-15 NA 2013 730 "Laboratory Corporation of America" "NC" "" 1580 "3/15/2013" "Theft" "Desktop Computer" 2014-02-12 "" 2013-03-15 NA 2013 731 "Arizona Counseling & Treatment Services, LLC" "AZ" "" 3800 "03/18/2013-03/25/2013" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2013-03-18 2013-03-25 2013 732 "Wood County Hospital" "OH" "" 2500 "3/19/2013" "Theft" "Other" 2014-01-23 "" 2013-03-19 NA 2013 733 "University of Rochester Medical Center & Affiliates" "NY" "" 537 "2/15/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-02-15 NA 2013 734 "Orthopedics & Adult Reconstructive Surgery" "TX" "AssuranceMD f/k/a Harbor Group" 22000 "03/01/2013 - 03/13/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-03-01 2013-03-13 2013 735 "El Centro Regional Medical Center" "CA" "Digital Archive Management" 189489 "11/7/2012" "Improper Disposal" "Paper" 2014-01-23 "" 2012-11-07 NA 2012 736 "Seattle - King County Department of 
Public Health" "WA" "" 750 "3/7/2013" "Improper Disposal" "Paper" 2014-01-23 "" 2013-03-07 NA 2013 737 "Regional Medical Center" "TN" "" 1180 "2/4/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-02-04 NA 2013 738 "Presbyterian Anesthesia Associates PA" "NC" "E-dreamz, Inc." 9988 "4/1/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-04-01 NA 2013 739 "Integrity Oncology, an office of Baptist Medical Group" "TN" "North Atlantic Telecom, Inc." 539 "3/5/2013" "Other" "Desktop Computer" 2014-01-23 "" 2013-03-05 NA 2013 740 "Piedmont HealthCare, P.A." "NC" "E-dreamz, Inc." 1924 "3/28/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-03-28 NA 2013 741 "Indiana University Health Arnett" "IN" "" 10350 "4/9/2013" "Theft" "Laptop" 2014-01-23 "" 2013-04-09 NA 2013 742 "Dent Neurologic Group, LLP" "NY" "" 10000 "5/13/2013" "Other" "E-mail" 2014-01-23 "" 2013-05-13 NA 2013 743 "City of Norwood" "OH" "" 9577 "04/14/2013 - 04/19/2013" "Loss" "Laptop" 2014-01-23 "" 2013-04-14 2013-04-19 2013 744 "Lutheran Social Services of South Central Pennsylvania" "PA" "" 7803 "06/01/2012 - 03/07/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2012-06-01 2013-03-07 2012 745 "Comfort Dental Marion and Kokomo" "IN" "Just the Connection Inc" 5388 "03/14/2013-03/18/2013" "Improper Disposal" "Other" 2014-01-23 "" 2013-03-14 2013-03-18 2013 746 "Erskine Family Dentistry" "IN" "" 2723 "3/19/2013" "Hacking/IT Incident" "Desktop Computer" 2014-02-12 "" 2013-03-19 NA 2013 747 "Health Resources of Arkansas" "AR" "" 1900 "4/14/2013" "Theft, Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2013-04-14 NA 2013 748 "Various Health Plans" "AL" "SynerMed / Inland Valleys IPA" 3164 "04/14/2013-04/15/2013" "Theft" "Laptop" 2014-01-23 "" 2013-04-14 2013-04-15 2013 749 "Independence Care System" "NY" "" 2434 "5/7/2013" "Theft" "Laptop" 2014-01-23 "" 2013-05-07 NA 2013 750 "Sonoma Valley Hospital" "CA" "" 1386 "2/14/2013" "Other" "Other" 2014-01-23 "" 
2013-02-14 NA 2013 751 "University of Florida" "FL" "" 5875 "02/01/2012- 04/11/2013" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2012-02-01 2013-04-11 2012 752 "Community Support Services, Inc." "OH" "" 1167 "03/20/2013-03/26/2013" "Theft" "E-mail" 2014-02-12 "" 2013-03-20 2013-03-26 2013 753 "UMASSAmherst" "MA" "" 1670 "10/22/2012" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2012-10-22 NA 2012 754 "Palm Beach County Health Department" "FL" "" 877 "1/7/2013" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2013-01-07 NA 2013 755 "Lucile Packard Children's Hospital" "CA" "" 12900 "5/8/2013" "Theft" "Laptop" 2014-01-23 "" 2013-05-08 NA 2013 756 "Fayetteville VAMC" "NC" "" 1093 "4/17/2013" "Improper Disposal" "Paper" 2014-01-23 "" 2013-04-17 NA 2013 757 "Lincoln County Health and Human Services/Lincoln Community Health Center" "OR" "" 959 "4/17/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-04-17 NA 2013 758 "Union Security Insurance Company" "MO" "" 1127 "5/17/2013" "Improper Disposal" "E-mail" 2014-01-23 "" 2013-05-17 NA 2013 759 "Gulf Breeze Family Eyecare, Inc" "FL" "" 9626 "03/08/2013-05/09/2013" "Theft, Unauthorized Access/Disclosure" "Desktop Computer, Network Server, E-mail, Electronic Medical Record, Paper" 2014-01-23 "" 2013-03-08 2013-05-09 2013 760 "Jacksonville Spine Center" "FL" "" 5200 "4/25/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-04-25 NA 2013 761 "Iowa Department of Human Services" "IA" "" 7335 "4/30/2013" "Loss, Unknown" "Other" 2014-01-23 "" 2013-04-30 NA 2013 762 "James A. 
Fosnaugh" "NE" "" 2125 "05/01/2013 - 05/03/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-05-01 2013-05-03 2013 763 "Lone Star Circle of Care" "TX" "" 1955 "05/01/2013-05/02/2013" "Theft" "Laptop" 2014-01-23 "" 2013-05-01 2013-05-02 2013 764 "Aflac" "GA" "Alberto Gerardo Vazquez Rivera" 679 "5/9/2013" "Theft" "Laptop" 2014-01-23 "" 2013-05-09 NA 2013 765 "Indiana Family & Social Services Administration" "IN" "RCR Technology Corporation" 187533 "04/06/2013-05/21/2013" "Other" "Paper" 2014-01-23 "" 2013-04-06 2013-05-21 2013 766 "Northrop Grumman Retiree Health Plan" "VA" "CVS Caremark" 4305 "5/20/2013" "Theft" "Paper" 2014-06-24 "Business associate (BA) employees erroneously sent 4,305 health plan members' protected health information (PHI) to other plan members. The PHI involved in the breach included names and prescribed medication(s). The covered entity, Northrop Grumman Retiree Health Plan, provided breach notification to HHS, and the BA, CVS Caremark, provided breach notification to affected individuals and the media. Following the breach, the BA revised its quality control policies for targeted mailings and retrained employees involved in the breach to prevent similar incidents in the future. OCR obtained assurances that the BA implemented the breach notification and policy revisions listed above." 2013-05-20 NA 2013 767 "Health Net, Inc." "CA" "" 8331 "04/01/2013 - 05/31/2013" "Other" "Paper" 2014-01-23 "" 2013-04-01 2013-05-31 2013 768 "South Florida Neurology Associates, P.A." 
"FL" "" 900 "05/25/2013-05/30/2013" "Theft" "Laptop" 2014-01-23 "" 2013-05-25 2013-05-30 2013 769 "Samaritan Regional Health System" "OH" "" 2203 "5/29/2013" "Other" "Paper" 2014-01-23 "" 2013-05-29 NA 2013 770 "MED-EL Coproration" "NC" "" 609 "6/25/2013" "Other" "E-mail" 2014-01-23 "" 2013-06-25 NA 2013 771 "Sutter Health East Bay Region (Alta Bates Summit Medical Center; Sutter Delta Medical Center; Eden Medical Center)" "CA" "Nelson Family of Companies" 4479 "3/1/2011" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2011-03-01 NA 2011 772 "Illinois Department of Healthcare and Familiy Services" "IL" "Family Health Network" 3133 "5/8/2013" "Other" "Paper" 2014-01-23 "" 2013-05-08 NA 2013 773 "Delta Dental of Pennsylvania" "PA" "ZDI" 4718 "5/13/2013" "Loss" "Paper" 2014-01-23 "" 2013-05-13 NA 2013 774 "Medtronic, Inc." "MN" "" 2764 "03/28/2013-03/29/2013" "Loss" "Paper" 2014-01-23 "" 2013-03-28 2013-03-29 2013 775 "Texas Health Harris Methodist Hospital Fort Worth" "TX" "Shred-it International Inc." 277014 "5/11/2013" "Improper Disposal" "Other" 2014-01-23 "" 2013-05-11 NA 2013 776 "Long Beach Memorial Medical Center" "CA" "" 2864 "09/01/2012-07/01/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2012-09-01 2013-07-01 2012 777 "Hansen & Associates" "WY" "" 2700 "05/21/2013-05/29/2013" "Theft" "Desktop Computer" 2014-06-10 "" 2013-05-21 2013-05-29 2013 778 "Sheet Metal Local 36 Welfare Fund" "MO" "People Resource Corporation" 4560 "08/01/2012-07/08/2013" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2012-08-01 2013-07-08 2012 779 "Harris County" "TX" "" 21000 "08/15/2005 - 06/14/2007" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2005-08-15 2007-06-14 2005 780 "San Jose Medical Supply Co., Inc." 
"CA" "Jesle Kuizon" 800 "10/01/2011-11/31/2011" "Theft, Unauthorized Access/Disclosure, Hacking/IT Incident" "Desktop Computer, Network Server" 2014-01-23 "" 2011-10-01 NA 2011 781 "GEO Care, LLC" "FL" "" 710 "4/16/2013" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2013-04-16 NA 2013 782 "The Brookdale Hospital and Medical Center" "NY" "" 2700 "5/24/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-05-24 NA 2013 783 "Louisiana State University Health Care Services Division" "LA" "" 6994 "12/1/2011" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2011-12-01 NA 2011 784 "Oregon Health & Science University" "OR" "" 1361 "01/01/2011-07/03/2013" "Unauthorized Access/Disclosure" "Other" 2014-01-31 "" 2011-01-01 2013-07-03 2011 785 "Rocky Mountain Spine Clinic, P.C." "CO" "" 532 "6/11/2013" "Theft, Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-06-11 NA 2013 786 "Vitreo-Retinal Medical Group, Inc. " "CA" "" 1837 "6/5/2013" "Theft" "Laptop" 2014-01-23 "" 2013-06-05 NA 2013 787 "Arkansas Department of Human Services" "AR" "Health Resources of Arkansas" 1911 "4/14/2013" "Theft" "Laptop" 2014-02-12 "" 2013-04-14 NA 2013 788 "Baylor All Saints Medical Center at Fort Worth" "TX" "" 940 "05/07/2013-06/06/2013" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" 2014-02-12 "" 2013-05-07 2013-06-06 2013 789 "Cogent Healthcare, Inc." "TN" "M2ComSys Inc." 32151 "05/05/2013-06/24/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-05-05 2013-06-24 2013 790 "Young Family Medicine Inc." 
"OH" "" 2045 "6/12/2013" "Theft" "Laptop" 2014-01-23 "" 2013-06-12 NA 2013 791 "Hancock OB/GYN" "IN" "" 1396 "11/09/2011 - 06/17/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2011-11-09 2013-06-17 2011 792 "Colfax" "IN" "Anthem BCBS of GA" 5497 "4/11/2013" "Other" "Other" 2014-02-12 "" 2013-04-11 NA 2013 793 "Missouri Department of Social Services" "MO" "InfoCrossing, Inc." 1357 "10/16/2011 - 06/07/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2011-10-16 2013-06-07 2011 794 "Foundations Recovery Network" "TN" "" 5690 "6/15/2013" "Theft" "Laptop" 2014-01-23 "" 2013-06-15 NA 2013 795 "California Correctional Health Care Services" "CA" "" 1033 "6/19/2013" "Other" "Paper" 2014-01-23 "" 2013-06-19 NA 2013 796 "North Texas Comprehensive Spine & Pain Center" "TX" "" 3200 "6/16/2013" "Theft, Loss" "Other Portable Electronic Device" 2014-02-12 "" 2013-06-16 NA 2013 797 "Minne-Tohe Health Center/Elbowoods Memorial Health Center" "ND" "" 10000 "10/1/2011" "Improper Disposal, Unauthorized Access/Disclosure" "Desktop Computer, Other" 2014-01-23 "" 2011-10-01 NA 2011 798 "Jackson Health System" "FL" "" 1471 "01/08/2013 - 01/10/2013" "Other" "Paper" 2014-01-23 "" 2013-01-08 2013-01-10 2013 799 "Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group" "IL" "" 4029530 "7/15/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-07-15 NA 2013 800 "Summit Community Care Clinic, Inc." "CO" "" 921 "7/22/2013" "Hacking/IT Incident" "Desktop Computer" 2014-01-23 "" 2013-07-22 NA 2013 801 "UT Physicians" "TX" "" 596 "07/22/2013-08/02/2013" "Theft, Loss" "Laptop" 2014-01-23 "" 2013-07-22 2013-08-02 2013 802 "Parkview Community Hospital Medical Center" "CA" "Cogent Healthcare, Inc." 32000 "05/05/2013 - 06/24/2013" "Other" "Network Server" 2014-01-23 "" 2013-05-05 2013-06-24 2013 803 "Atlanta Center for Reproductive Medicine" "GA" "" 654 "7/12/2013" "Other" "E-mail" 2014-01-23 "" 2013-07-12 NA 2013 804 "St. 
Anthony's Physician Organization" "MO" "" 2600 "7/29/2013" "Theft" "Laptop, Other Portable Electronic Device" 2014-01-23 "" 2013-07-29 NA 2013 805 "Janna Benkelman LPC LLC" "CO" "" 1500 "8/1/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-01 NA 2013 806 "Olson & White Orthodontics" "MO" "" 10000 "7/22/2013" "Theft" "Desktop Computer, Network Server" 2014-01-23 "" 2013-07-22 NA 2013 807 "Kaiser Foundation Health Plan of the Northwest" "OR" "" 647 "3/15/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2013-03-15 NA 2013 808 "Hankyu Chung, M.D." "CA" "" 2182 "6/17/2013" "Theft" "Laptop" 2014-01-23 "" 2013-06-17 NA 2013 809 "ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group" "IL" "ICS Collection Service, Inc." 1290 "7/9/2013" "Hacking/IT Incident" "Other" 2014-01-23 "" 2013-07-09 NA 2013 810 "ACO of Puerto Rico" "PR" "PHMHS" 5000 "03/05/2013 - 07/16/2013" "Theft" "Network Server" 2014-06-20 "Upon request, a subcontractor (PHM Software Solutions) of the covered entity's (CE) business associate (BA), PHM Healthcare Solutions, modified a software application the CE was utilizing which led to the disclosure of electronic protected health information (ePHI) of 5,000 individuals on the Internet. The ePHI included names, gender, member identification numbers, dates of birth, and consent forms. The CE provided breach notification to HHS, the media, and affected individuals and posted substitute notice on its website. Upon discovery of the breach, the BA removed the software application and placed it offline. As a result of OCR's investigation, the CE had its BA to conduct a risk analysis and create a risk management plan to address any vulnerabilities identified in the risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR provided technical assistance to assist the CE understand its obligations under the Privacy and Security Rules regarding BA agreements. 
" 2013-03-05 2013-07-16 2013 811 "NHC HealthCare, Oak Ridge" "TN" "" 4268 "5/10/2013" "Loss" "Other" 2014-03-13 "" 2013-05-10 NA 2013 812 "NHC HealthCare, Mauldin" "SC" "" 4204 "5/15/2013" "Improper Disposal" "Other" 2014-03-13 "" 2013-05-15 NA 2013 813 "Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group " "IL" "Blackhawk Consulting Group" 2029 "06/30/2013 - 08/15/2013" "Hacking/IT Incident" "Network Server" 2014-02-12 "" 2013-06-30 2013-08-15 2013 814 "Dreyer Medical Clinic" "IL" "Blackhawk Consulting Group" 998 "06/30/2013 - 08/15/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-06-30 2013-08-15 2013 815 "South Shore Physicians, PC" "NY" "" 8000 "01/01/2006 - 01/12/2012" "Theft" "Network Server" 2014-01-23 "" 2006-01-01 2012-01-12 2006 816 "Dermatology Associates of Tallahassee" "FL" "" 916 "9/4/2013" "Unknown" "Other" 2014-01-23 "" 2013-09-04 NA 2013 817 "Sierra View District Hospital" "CA" "" 1009 "07/01/2013 - 08/02/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2013-07-01 2013-08-02 2013 818 "Missouri Department of Social Services" "MO" "InfoCrossing, Inc." 25461 "12/21/2009 - 06/07/2013" "Unauthorized Access/Disclosure" "Paper" 2014-02-12 "" 2009-12-21 2013-06-07 2009 819 "Holy Cross Hospital, Inc." "FL" "" 9900 "8/14/2013" "Theft, Unauthorized Access/Disclosure" "Desktop Computer, Network Server" 2014-01-23 "" 2013-08-14 NA 2013 820 "Region Ten Community Services Board" "VA" "" 10228 "7/29/2013" "Hacking/IT Incident" "E-mail" 2014-01-23 "" 2013-07-29 NA 2013 821 "Comprehensive Podiatry LLC" "OH" "" 1360 "8/3/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-03 NA 2013 822 "Santa Clara Valley Medical Center" "CA" "" 579 "09/14/2013 - 09/15/2013" "Theft" "Laptop" 2014-01-23 "" 2013-09-14 2013-09-15 2013 823 "Sarah Benjamin, DPM - Littleton Podiatry " "CO" "Not Applicable " 3512 "8/27/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-27 NA 2013 824 "Carol L. Patrick, Ph.D." 
"OH" "" 517 "08/08/2013-08/09/2013" "Theft" "Network Server" 2014-01-23 "" 2013-08-08 2013-08-09 2013 825 "HOPE Family Health" "TN" "" 6932 "8/4/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-04 NA 2013 826 "Paul G. Klein, DPM" "NJ" "" 2500 "10/1/2013" "Theft" "Laptop" 2014-06-20 " OCR opened an investigation of the covered entity (CE), Paul G. Klein DPM, after it reported an encrypted and password protected laptop was stolen that contained the electronic protected health information (ePHI) of 2,500 individuals. The ePHI included names, addresses, dates of birth, social security numbers, diagnosis conditions, lab test results, medications, medical notes, and treatment plans. Upon discovery of the breach, the CE filed a police report to recover the stolen item. As a result of OCR's investigation, the CE provided confirmation that there was encryption software and multi-layered password protection software installed on the stolen laptop. OCR determined that the impermissible disclosure of ePHI did not constitute a breach under the Privacy Rule's breach notification rule and provided technical assistance to the CE regarding the requirements of the breach notification rule. " 2013-10-01 NA 2013 827 "UnityPoint Health Affiliated Covered Entity (\UnityPoint\)" "IA" "" 1825 "02/01/2013-08/27/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2013-02-01 2013-08-27 2013 828 "TSYS Employee Health Plan" "GA" "Paragon Benefits, Inc." 5232 "9/5/2013" "Theft" "E-mail" 2014-01-23 "" 2013-09-05 NA 2013 829 "University of California, San Francisco" "CA" "" 3553 "9/9/2013" "Theft" "Laptop, Paper" 2014-01-23 "" 2013-09-09 NA 2013 830 "Reconstructive Orthopaedic Associates II, P.C. 
d/b/a Rothman Institute" "PA" "" 2350 "03/18/2013-05/13/2013" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-03-18 2013-05-13 2013 831 "Group Health Cooperative" "WA" "" 1015 "9/16/2013" "Other" "Paper" 2014-01-23 "" 2013-09-16 NA 2013 832 "Schuylkill Health System" "PA" "" 2810 "8/7/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-07 NA 2013 833 "CaroMont Medical Group" "NC" "" 1310 "8/5/2013" "Other" "E-mail" 2014-01-23 "" 2013-08-05 NA 2013 834 "Mount SInai Medical Center" "NY" "" 1586 "8/6/2013" "Improper Disposal" "Paper" 2014-01-23 "" 2013-08-06 NA 2013 835 "Memorial Hospital of Lafayette County" "WI" "Healthcare Management System " 4330 "8/3/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-08-03 NA 2013 836 "Saint Louis University" "MO" "" 3100 "7/25/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-07-25 NA 2013 837 "MUSC Physicians & MUHA" "SC" "BlackHawk" 7120 "6/30/2013" "Hacking/IT Incident" "Network Server" 2014-02-12 "" 2013-06-30 NA 2013 838 "Ferris State University - MI College of Optometry" "MI" "" 3947 "12/1/2011" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2011-12-01 NA 2011 839 "Access Counseling, LLC" "IN" "" 566 "8/23/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-23 NA 2013 840 "Rose Medical Center" "CO" "" 606 "06/28/2013 - 07/16/2013" "Improper Disposal" "Paper" 2014-01-23 "" 2013-06-28 2013-07-16 2013 841 "BriovaRx" "IL" "" 1067 "07/03/2013 - 07/11/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-07-03 2013-07-11 2013 842 "North Country Hospital and Health Center, Inc" "VT" "" 550 "9/18/2013" "Theft" "Laptop" 2014-01-23 "" 2013-09-18 NA 2013 843 "Hope Community Resources, Inc." 
"AK" "" 1556 "8/19/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-08-19 NA 2013 844 "Broward Health Medical Center" "FL" "" 960 "10/01/2012 - 12/31/2012" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2012-10-01 2012-12-31 2012 845 "Sentara Healthcare" "VA" "" 3645 "10/01/2012 - 07/11/2013" "Theft" "Electronic Medical Record, Paper" 2014-01-23 "" 2012-10-01 2013-07-11 2012 846 "Mount Sinai Medical Center" "NY" "" 610 "8/1/2013" "Loss" "Other Portable Electronic Device" 2014-02-12 "" 2013-08-01 NA 2013 847 "Texas Health Presbyterian Dallas Hospital" "TX" "" 949 "8/22/2013" "Theft" "Desktop Computer" 2014-02-12 "" 2013-08-22 NA 2013 848 "Seton Healthcare Family" "TX" "" 5500 "10/4/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-04 NA 2013 849 "BRONX-LEBANON HOSPITAL CENTER" "NY" "PROFESSIONAL TRANSCRIPTION SERVICES" 10930 "9/23/2009" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2009-09-23 NA 2009 850 "Martin Luther King Jr. Health Center, Inc." "NY" "PROFESSIONAL TRANSCRIPTION SERVICES" 37000 "9/23/2009" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2009-09-23 NA 2009 851 "SSM St. Mary's Health Center" "MO" "Saint Louis University" 1300 "7/25/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-07-25 NA 2013 852 "Good Samaritan Hospital" "CA" "" 3833 "7/8/2013" "Theft" "Laptop" 2014-01-23 "" 2013-07-08 NA 2013 853 "SSM Health Care of Wisconsin DBA: St. Mary's Janesville Hospital" "WI" "" 631 "8/27/2013" "Theft" "Laptop" 2014-01-23 "" 2013-08-27 NA 2013 854 "AHMC Healthcare Inc. and affiliated Hospitals" "CA" "" 729000 "10/12/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-12 NA 2013 855 "Greater Dallas Orthopaedics, PLLC" "TX" "" 5840 "8/30/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-08-30 NA 2013 856 "Spirit Home Health Care, Corp" "FL" "Spirit Home Health Care, Corp" 603 "9/19/2013" "Improper Disposal" "Paper" 2014-01-23 "" 2013-09-19 NA 2013 857 "Rotech Healthcare Inc." 
"FL" "" 10680 "11/26/2010 - 10/01/2013" "Unauthorized Access/Disclosure" "Laptop" 2014-02-18 "" 2010-11-26 2013-10-01 2010 858 "Reimbursement Technologies, Inc." "PA" "" 2300 "05/01/2013 - 07/26/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-05-01 2013-07-26 2013 859 "Comprehensive Psychological Services LLC" "SC" "" 3500 "10/28/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-28 NA 2013 860 "Superior HealthPlan, Inc." "TX" "" 6284 "10/4/2013" "Other" "Paper" 2014-01-23 "" 2013-10-04 NA 2013 861 "Genesis Rehabilitation Services" "PA" "" 1167 "8/30/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-08-30 NA 2013 862 "Colorado Health & Wellness, Inc." "CO" "" 651 "9/4/2013" "Theft, Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-01-23 "" 2013-09-04 NA 2013 863 "Barnabas Health Medical Group" "NJ" "" 1100 "9/24/2013" "Theft" "Laptop" 2014-01-23 "" 2013-09-24 NA 2013 864 "DaVita, a division of DaVita HealthCare Partners Inc" "CO" "" 11500 "9/6/2013" "Theft, Other" "Laptop" 2014-01-23 "" 2013-09-06 NA 2013 865 "Blue Cross and Blue Shield of North Carolina" "NC" "" 687 "10/14/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-10-14 NA 2013 866 "North Carolina Department of Health and Human Services - Division of State Operated Health Care Facilities " "NC" "" 1315 "8/13/2013" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2013-08-13 NA 2013 867 "Puerto Rico Health Insurance Administration (PRHIA)" "PR" "Triple S Salud Inc." 
13336 "9/20/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-09-20 NA 2013 868 "Triple-S Salud " "PR" "" 70189 "9/20/2013" "Unauthorized Access/Disclosure" "Paper" 2014-01-23 "" 2013-09-20 NA 2013 869 "Associated Urologists of North Carolina" "NC" "" 7300 "09/17/2012 - 09/17/2013" "Other" "Other" 2014-01-23 "" 2012-09-17 2013-09-17 2012 870 "Kemmet Dental Design " "ND" "" 2000 "11/10/2013" "Theft, Other" "Paper" 2014-01-23 "" 2013-11-10 NA 2013 871 "Hospice of the Chesapeake" "MD" "" 7606 "8/9/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-08-09 NA 2013 872 "Scottsdale Dermatology, LTD" "AZ" "All Source Medical Management" 1456 "01/01/2013 -10/04/2013" "Theft" "Other" 2014-01-23 "" 2013-01-01 2013-10-04 2013 873 "Memorial Sloan-Kettering Cancer Center" "NY" "" 2279 "8/1/2013" "Loss" "Other Portable Electronic Device" 2014-02-18 "" 2013-08-01 NA 2013 874 "Gerdau Ameristeel Health and Welfare Plan" "FL" "Health Fitness Corporation" 3804 "9/27/2013" "Theft" "Laptop" 2014-02-18 "" 2013-09-27 NA 2013 875 "Gerdau Macsteel Health and Welfare Plan" "MI" "Health Fitness Corporation" 4837 "9/27/2013" "Theft" "Laptop" 2014-02-18 "" 2013-09-27 NA 2013 876 "UHS-Pruitt Corporation" "GA" "" 1300 "9/26/2013" "Theft" "Laptop" 2014-01-23 "" 2013-09-26 NA 2013 877 "United Dynacare, LLC dba Dynacare Laboratories" "WI" "" 9328 "10/22/2013" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2013-10-22 NA 2013 878 "Redwood Memorial Hospital" "CA" "" 1039 "11/6/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-11-06 NA 2013 879 "Kaiser Foundation Hospital- Orange County" "CA" "" 49000 "9/25/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-09-25 NA 2013 880 "Jones Chiropractic and Maximum Health" "IN" "" 1500 "10/13/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-10-13 NA 2013 881 "Ronald Schubert MD PLLC" "WA" "" 950 "11/22/2013" "Theft" "Laptop" 2014-01-23 "" 2013-11-22 NA 2013 882 "UPMC" "PA" "" 1279 
"11/05/2012 - 11/06/2013" "Unauthorized Access/Disclosure" "Electronic Medical Record" 2014-02-18 "" 2012-11-05 2013-11-06 2012 883 "UW Medicine" "WA" "" 76183 "10/2/2013" "Hacking/IT Incident" "Desktop Computer" 2014-02-18 "" 2013-10-02 NA 2013 884 "City of Chicago" "IL" "" 2080 "06/18/2013 - 10/07/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-06-18 2013-10-07 2013 885 "CIty of Joliet" "IL" "Quality Health Claims Consultants, LLC" 1573 "10/8/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-01-23 "" 2013-10-08 NA 2013 886 "SIU HealthCare" "IL" "" 1891 "09/13/2013 - 10/15/2013" "Theft, Loss" "Laptop" 2014-01-23 "" 2013-09-13 2013-10-15 2013 887 "The Good Samaritan Health Center" "GA" "" 5000 "11/6/2013" "Other" "Desktop Computer" 2014-01-23 "" 2013-11-06 NA 2013 888 "UniHealth Source" "GA" "" 4500 "10/8/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-08 NA 2013 889 "Walgreen Co." "IL" "" 17350 "09/18/2013 - 10/04/2013" "Other" "Paper" 2014-01-23 "" 2013-09-18 2013-10-04 2013 890 "Methodist Dallas Medical Center" "TX" "" 44000 "09/01/2005 - 08/01/2013" "Unauthorized Access/Disclosure" "Other" 2014-01-23 "" 2005-09-01 2013-08-01 2005 891 "Florida Digestive Health Specialists" "FL" "" 4400 "03/06/2013 -09/09/2013" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-01-23 "" 2013-03-06 2013-09-09 2013 892 "Northside Hospital, Inc." "GA" "" 4879 "10/10/2013" "Loss" "Laptop" 2014-01-23 "" 2013-10-10 NA 2013 893 "Health Help, Inc." "KY" "" 535 "10/15/2013" "Theft" "Other Portable Electronic Device" 2014-01-23 "" 2013-10-15 NA 2013 894 "L.A. 
Gay & Lesbian Center" "CA" "" 59000 "09/17/2013 - 11/08/2013" "Hacking/IT Incident" "Network Server" 2014-01-23 "" 2013-09-17 2013-11-08 2013 895 "Mosaic" "NE" "" 3857 "10/11/2013" "Other" "E-mail" 2014-01-23 "" 2013-10-11 NA 2013 896 "New Jersey Department of Human Services" "NJ" "Island Peer Review Organization" 9642 "10/18/2013" "Loss" "Other Portable Electronic Device" 2014-01-23 "" 2013-10-18 NA 2013 897 "Fairfax County, Virginia" "VA" "Molina Healthcare In" 1499 "09/09/2013 - 10/03/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-09-09 2013-10-03 2013 898 "Wyoming Department of Health" "WY" "" 11935 "10/16/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-01-23 "" 2013-10-16 NA 2013 899 "Shiloh Medical Clinic" "MT" "" 1900 "11/8/2013" "Unauthorized Access/Disclosure" "Desktop Computer, E-mail" 2014-01-23 "" 2013-11-08 NA 2013 900 "South Carolina Health Insurance Pool" "SC" "DeLoach & Williamson" 3432 "10/16/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-16 NA 2013 901 "Tennova Cardiology" "TN" "Colby DeHart" 2777 "10/21/2013" "Theft" "Laptop" 2014-01-23 "" 2013-10-21 NA 2013 902 "Delta Dental of Pennsylvania" "PA" "ZDI" 1674 "10/16/2013" "Loss" "Paper" 2014-03-13 "" 2013-10-16 NA 2013 903 "Molina Healthcare of Texas, Inc." 
"TX" "" 2826 "10/1/2013" "Other" "Paper" 2014-01-23 "" 2013-10-01 NA 2013 904 "Rob Meaglia, DDS" "CA" "" 1400 "12/16/2013" "Theft" "Desktop Computer" 2014-01-23 "" 2013-12-16 NA 2013 905 "Jeff Spiegel" "MA" "" 832 "11/25/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-03-13 "" 2013-11-25 NA 2013 906 "Tranquility Counseling Services" "NC" "" 1683 "11/1/2013" "Other" "Paper" 2014-01-23 "" 2013-11-01 NA 2013 907 "Florida Department of Health" "FL" "" 2354 "10/30/2013" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-03-05 "" 2013-10-30 NA 2013 908 "New Mexico Oncology Hematology Consultants, LTD" "NM" "" 12354 "11/13/2013" "Theft" "Laptop" 2014-01-23 "" 2013-11-13 NA 2013 909 "Department of Health Care Policy & Financing" "CO" "Colorado Community Health Alliance (CCHA)/Physicians Health Partners" 1918 "11/21/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-02-21 "" 2013-11-21 NA 2013 910 "Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates" "NJ" "" 839711 "11/1/2013" "Theft" "Laptop" 2014-02-21 "" 2013-11-01 NA 2013 911 "Phoebe Putney Memorial Hospital" "GA" "" 6989 "11/5/2013" "Loss" "Desktop Computer" 2014-02-11 "" 2013-11-05 NA 2013 912 "Coulee Medical Center" "WA" "" 2500 "01/01/2010-11/30/2013" "Unauthorized Access/Disclosure" "Laptop, Network Server, E-mail" 2014-02-11 "" 2010-01-01 2013-11-30 2010 913 "University of Pennsylvania Health System" "PA" "RevSpring, Inc." 3000 "11/26/2013" "Other" "Paper" 2014-02-11 "" 2013-11-26 NA 2013 914 "North Carolina Department of Health and Human Services " "NC" "" 48752 "12/30/2013" "Unauthorized Access/Disclosure" "Other" 2014-02-11 "" 2013-12-30 NA 2013 915 "101 FAMILY MEDICAL GROUP" "CA" "Phreesia, Inc" 2500 "11/23/2013" "Theft" "Laptop" 2014-02-11 "" 2013-11-23 NA 2013 916 "Tri Lakes Medical Center" "MS" "" 1489 "9/20/2013" "Hacking/IT Incident" "Network Server" 2014-02-11 "" 2013-09-20 NA 2013 917 "VA Dept. 
of Medical Assistance Services" "VA" "Virginia Premier Health Plan (VPHP)" 25513 "11/15/2013" "Unauthorized Access/Disclosure, Other" "Paper" 2014-02-11 "" 2013-11-15 NA 2013 918 "Cook County Health & Hospitals System" "IL" "" 22511 "11/12/2013" "Other" "E-mail" 2014-02-11 "" 2013-11-12 NA 2013 919 "Southwest General Health Center" "OH" "" 953 "04/13/2013 - 10/31/2013" "Unknown" "Other" 2014-05-30 "" 2013-04-13 2013-10-31 2013 920 "Robert B. Neves, M.D., Inc" "CA" "" 611 "5/8/2011" "Theft" "Laptop" 2014-01-24 "" 2011-05-08 NA 2011 921 "Triple-S Salud, Inc." "PR" "Triple-C, Inc." 398000 "9/9/2010" "Theft" "Network Server" 2014-02-18 "" 2010-09-09 NA 2010 922 "Triple-S Salud, Inc." "PR" "Triple-C, Inc." 8000 "10/3/2008" "Theft, Unauthorized Access/Disclosure" "Network Server" 2014-01-24 "" 2008-10-03 NA 2008 923 "Urology Centers of Alabama PC and Urology Health Foundation" "AL" "Birmingham Printing and Publishing, Inc dba Paper Airplane" 1085 "8/22/2013" "Other" "Other" 2014-06-03 "" 2013-08-22 NA 2013 924 "Medical Mutual of Ohio" "OH" "" 1420 "10/16/2013" "Unauthorized Access/Disclosure" "Paper" 2014-06-13 "" 2013-10-16 NA 2013 925 "Unity Health Plans Insurance Corporation" "WI" "University of Wisconsin-Madison School of Pharmacy" 41437 "12/12/2013" "Loss" "Other Portable Electronic Device" 2014-02-21 "" 2013-12-12 NA 2013 926 "The University of Texas MD Anderson Cancer Center" "TX" "" 3598 "12/2/2013" "Loss" "Other Portable Electronic Device" 2014-02-11 "" 2013-12-02 NA 2013 927 "Beebe Medical Center" "DE" "" 1883 "9/2/2013" "Other" "Laptop" 2014-02-21 "" 2013-09-02 NA 2013 928 "St. Joseph Health System " "TX" "" 405000 "12/16/2013" "Hacking/IT Incident" "Network Server" 2014-02-11 "" 2013-12-16 NA 2013 929 "Min Yi, M.D." 
"CA" "" 4676 "5/28/2013" "Theft" "Other Portable Electronic Device" 2014-02-21 "" 2013-05-28 NA 2013 930 "Easter Seal Society of Superior California" "CA" "" 3026 "12/10/2013" "Theft" "Laptop" 2014-02-21 "" 2013-12-10 NA 2013 931 "PruittHealth Pharmacy Services" "GA" "" 841 "12/6/2013" "Theft" "Laptop" 2014-02-25 "" 2013-12-06 NA 2013 932 "RGH Enterprises, Inc." "OH" "" 4230 "03/09/2013-03/11/2013" "Theft" "Network Server" 2014-06-24 "Computer hackers installed malware that intercepted the electronic protected health information (ePHI) of approximately 4,230 individuals using the covered entity's (CE's) website. The ePHI included names, dates of birth, phone numbers, shipping and billing addresses, email addresses, credit card issuers, expiration dates, the last 4 digits of credit card numbers, account numbers, primary physicians, diagnoses, order histories, and health insurers. Following the breach, the CE removed the malware from the affected computer servers, migrated the website to non-compromised " 2013-03-09 2013-03-11 2013 933 "Network Pharmacy Knoxville" "TN" "" 9602 "11/18/2013" "Theft" "Laptop" 2014-02-11 "" 2013-11-18 NA 2013 934 "Saint Francis Hospital and Medical Center" "CT" "" 858 "12/27/2013" "Theft" "Paper" 2014-03-24 "" 2013-12-27 NA 2013 935 "Health Dimensions" "MI" "" 5370 "11/2/2013" "Theft" "Network Server" 2014-02-11 "" 2013-11-02 NA 2013 936 "COMPLETE MEDICAL HOMECARE" "KS" "" 1700 "12/12/2013" "Unauthorized Access/Disclosure" "Other Portable Electronic Device" 2014-02-11 "" 2013-12-12 NA 2013 937 "Hospital for Special Surgery" "NY" "" 937 "3/19/2013" "Theft" "Desktop Computer, Paper" 2014-02-26 "" 2013-03-19 NA 2013 938 "The Brooklyn Hospital Center" "NY" "" 2172 "12/2/2013" "Loss" "Other Portable Electronic Device" 2014-02-24 "" 2013-12-02 NA 2013 939 "Kmart Corporation" "IL" "" 16446 "1/4/2014" "Theft" "Other, Electronic Medical Record" 2014-03-24 "" 2014-01-04 NA 2014 940 "WA State Department of Social & Health Services" "WA" "" 3104 
"8/19/2013" "Unauthorized Access/Disclosure, Other" "Paper" 2014-04-21 "" 2013-08-19 NA 2013 941 "Lewis J. Sims, DPM, PC dba Sims and Associates Podiatry " "NY" "" 6475 "1/10/2014" "Theft, Other" "Laptop" 2014-04-21 "" 2014-01-10 NA 2014 942 "University of Miami" "FL" "" 13074 "6/27/2013" "Loss" "Paper" 2014-04-21 "" 2013-06-27 NA 2013 943 "Supportive Concepts for Families, Inc." "PA" "" 593 "2/6/2013" "Unauthorized Access/Disclosure" "Network Server" 2014-02-24 "" 2013-02-06 NA 2013 944 "Health Care Solutions at Home Inc." "OH" "" 1139 "12/17/2013" "Other" "Other" 2014-03-12 "" 2013-12-17 NA 2013 945 "University of California Davis Medical Center" "CA" "" 2269 "12/13/2013" "Hacking/IT Incident" "E-mail" 2014-04-21 "" 2013-12-13 NA 2013 946 "St. Vincent Hospital and Healthcare, Inc" "IN" "" 1142 "12/23/2013" "Theft" "Laptop" 2014-03-12 "" 2013-12-23 NA 2013 947 "Missouri Consolidated Health Care Plan" "MO" "StayWell Health Management, LLC" 10024 "3/23/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-03-12 "" 2012-03-23 NA 2012 948 "The Clorox Company Group Insurance Plan" "CA" "StayWell Health Management, LLC" 520 "4/16/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-03-12 "" 2012-04-16 NA 2012 949 "Regents of the University of Minnesota" "MN" "StayWell Health Management, LLC" 4786 "3/29/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-03-24 "" 2012-03-29 NA 2012 950 "Inspira Health Network Inc." "NJ" "" 1411 "12/23/2013" "Theft" "Desktop Computer" 2014-03-12 "" 2013-12-23 NA 2013 951 "Nissan North America, Inc." "TN" "StayWell Health Management, LLC" 1511 "5/8/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-03-12 "" 2012-05-08 NA 2012 952 "Care Advantage, Inc." "VA" "" 3458 "1/1/2013" "Theft" "Laptop" 2014-03-24 "" 2013-01-01 NA 2013 953 "HealthSource of Ohio Inc." "OH" "Pair Networks Inc." 
8845 "11/18/2013" "Unauthorized Access/Disclosure, Other" "Other" 2014-03-12 "" 2013-11-18 NA 2013 954 "The Kroger Co., for itself and its affiliates and subsidiaries" "OH" "" 504 "10/30/2013" "Other" "Electronic Medical Record" 2014-04-21 "" 2013-10-30 NA 2013 955 "Cornerstone Health Care, PA" "NC" "" 548 "12/31/2013" "Theft, Loss" "Laptop" 2014-03-12 "" 2013-12-31 NA 2013 956 "Joseph Michael Benson M.D" "TX" "" 7500 "1/5/2014" "Theft" "Desktop Computer" 2014-03-24 "" 2014-01-05 NA 2014 957 "All for Kids Pediatric Clinic" "AR" "Data Media" 600 "12/27/2013" "Other" "Other" 2014-03-24 "" 2013-12-27 NA 2013 958 "Eureka Internal Medicine" "CA" "" 3534 "9/25/2013" "Improper Disposal" "Paper" 2014-03-24 "" 2013-09-25 NA 2013 959 "Brazos Valley Pathology" "TX" "St. Joseph Health System" 3300 "12/16/2013" "Hacking/IT Incident" "Network Server" 2014-06-24 "" 2013-12-16 NA 2013 960 "Banner Health" "AZ" "" 55207 "2/21/2014" "Other" "Other" 2014-03-24 "" 2014-02-21 NA 2014 961 "Monarch Women's Health" "AL" "PracMan, Inc." 1145 "8/22/2013" "Hacking/IT Incident" "Network Server" 2014-06-02 "" 2013-08-22 NA 2013 962 "Punuru J.M. Reddy, MD, Inc." "AL" "PracMan, Inc." 1179 "8/22/2013" "Hacking/IT Incident" "Network Server" 2014-03-25 "" 2013-08-22 NA 2013 963 "Iowa Dept. of Human Services" "IA" "" 2042 "12/1/2008" "Other" "Laptop, E-mail, Other Portable Electronic Device" 2014-04-21 "" 2008-12-01 NA 2008 964 "City of Hope" "CA" "Sutherland Healthcare Solutions, Inc." 5400 "2/5/2014" "Theft" "Desktop Computer, E-mail" 2014-03-25 "" 2014-02-05 NA 2014 965 "Mission City Community Network" "CA" "" 7800 "5/31/2013" "Theft" "E-mail" 2014-04-21 "" 2013-05-31 NA 2013 966 "Partners In Nephrology & Endocrinology, P.C." 
"PA" "" 5000 "11/13/2013" "Other" "Other" 2014-03-24 "" 2013-11-13 NA 2013 967 "University of California, San Francisco" "CA" "" 9861 "1/11/2014" "Theft" "Desktop Computer" 2014-03-31 "" 2014-01-11 NA 2014 968 "Detroit Medical Center - Harper University Hospital" "MI" "" 1087 "9/7/2012" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-05-06 "" 2012-09-07 NA 2012 969 "Todd M. Burton, M.D." "TX" "" 5000 "1/13/2014" "Theft" "Other" 2014-03-24 "" 2014-01-13 NA 2014 970 "Valley View Hospital Association" "CO" "" 5415 "9/11/2013" "Other" "Laptop, Desktop Computer" 2014-04-21 "" 2013-09-11 NA 2013 971 "Hospitalists of Arizona" "AZ" "" 1706 "12/31/2013" "Theft" "Laptop" 2014-03-24 "" 2013-12-31 NA 2013 972 "McBroom Clinic, PA" "TX" "TMA Practice Management Group" 2260 "1/9/2014" "Loss, Improper Disposal" "Other Portable Electronic Device" 2014-04-21 "" 2014-01-09 NA 2014 973 "QBE Holdings, Inc." "NY" "StayWell Health Management, LLC" 1746 "5/9/2012" "Unauthorized Access/Disclosure" "Network Server" 2014-04-21 "" 2012-05-09 NA 2012 974 "Berea College" "KY" "" 1000 "1/24/2012" "Other" "Electronic Medical Record" 2014-04-21 "" 2012-01-24 NA 2012 975 "HealthPartners, Inc." "MN" "" 27839 "1/7/2008" "Loss, Unauthorized Access/Disclosure" "Laptop, Desktop Computer, Other Portable Electronic Device" 2014-06-20 "" 2008-01-07 NA 2008 976 "Group Health Plan, Inc. Medical Benefit Plan" "MN" "HealthPartners Administrators, Inc." 796 "1/7/2008" "Loss, Unauthorized Access/Disclosure" "Laptop, Desktop Computer, Other Portable Electronic Device" 2014-04-21 "" 2008-01-07 NA 2008 977 "State Employee Group Insurance Plan" "MN" "HealthPartners Administrators, Inc." 1699 "1/7/2008" "Loss, Unauthorized Access/Disclosure" "Laptop, Desktop Computer, Other Portable Electronic Device" 2014-04-21 "" 2008-01-07 NA 2008 978 "University of Minnesota Employee Benefits" "MN" "HealthPartners Administrators, Inc." 
715 "1/7/2008" "Loss, Unauthorized Access/Disclosure" "Laptop, Desktop Computer, Other Portable Electronic Device" 2014-04-21 "" 2008-01-07 NA 2008 979 "San Francisco General Hospital & Trauma Center" "CA" "Sutherland Healthcare Solutions" 55900 "2/5/2014" "Theft" "Desktop Computer" 2014-05-30 "" 2014-02-05 NA 2014 980 "University of Kentucky UK HealthCare" "KY" "Talyst" 1079 "2/4/2014" "Theft" "Laptop" 2014-04-21 "" 2014-02-04 NA 2014 981 "Yellowstone Boys and Girls Ranch" "MT" "" 543 "7/11/2013" "Theft" "Paper" 2014-06-24 "" 2013-07-11 NA 2013 982 "Orlando Health, Inc." "FL" "" 586 "1/28/2014" "Loss" "Other Portable Electronic Device" 2014-04-21 "" 2014-01-28 NA 2014 983 "NOVA Chiropractic & Rehab Center" "VA" "" 5534 "1/30/2014" "Loss, Other" "Other Portable Electronic Device" 2014-04-21 "" 2014-01-30 NA 2014 984 "Susquehanna Health" "PA" "" 657 "12/5/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-04-21 "" 2013-12-05 NA 2013 985 "Jewish Hospital" "KY" "" 2992 "1/15/2014" "Other" "E-mail" 2014-04-21 "" 2014-01-15 NA 2014 986 "Franciscan Medical Group" "WA" "" 8300 "1/15/2014" "Other" "E-mail" 2014-04-21 "" 2014-01-15 NA 2014 987 "Palomar Health" "CA" "" 5499 "2/21/2014" "Theft" "Other Portable Electronic Device" 2014-04-21 "" 2014-02-21 NA 2014 988 "Myriad Genetic Laboratories, Inc." "UT" "" 643 "3/6/2013" "Unauthorized Access/Disclosure" "E-mail" 2014-06-03 "" 2013-03-06 NA 2013 989 "Medical Center of Plano" "TX" "RelayHealth, a division of McKesson" 1000 "12/10/2013" "Unauthorized Access/Disclosure" "Other" 2014-06-03 "" 2013-12-10 NA 2013 990 "Florida Healthy Kids Corporation" "FL" "Policy Studies, Inc. / Postal Center International, Inc." 580 "11/13/2013" "Unauthorized Access/Disclosure" "Paper" 2014-04-21 "" 2013-11-13 NA 2013 991 "Midwest Orthopaedics at Rush, LLC" "IL" "" 1256 "2/10/2014" "Hacking/IT Incident" "E-mail" 2014-04-21 "" 2014-02-10 NA 2014 992 "Texas Health and Human Services Commission" "TX" "EveryChild, Inc." 
2934 "2/2/2014" "Theft" "Laptop, Desktop Computer, Other Portable Electronic Device" 2014-04-21 "" 2014-02-02 NA 2014
993 "Kaiser Permanente Northern CA Department of Research" "CA" "" 5178 "10/18/2011" "Hacking/IT Incident" "Network Server" 2014-06-02 "" 2011-10-18 NA 2011
994 "Triple-S Salud " "PR" "" 5795 "1/1/2013" "Theft" "Other" 2014-06-24 "" 2013-01-01 NA 2013
995 "American Health Inc. " "PR" "" 17776 "1/1/2013" "Theft" "Other" 2014-06-27 "" 2013-01-01 NA 2013
996 "State Long Term Care Ombudsman's Office, Michigan Department of Community Health" "MI" "" 2595 "1/30/2014" "Theft" "Other Portable Electronic Device" 2014-04-21 "" 2014-01-30 NA 2014
997 "County of Los Angeles" "CA" "Sutherland Healthcare Solutions, Inc." 338700 "2/5/2014" "Theft" "Desktop Computer, E-mail" 2014-04-21 "" 2014-02-05 NA 2014
998 "Presence St. Joseph's Medical Center" "IL" "" 836 "10/22/2013" "Other" "Paper" 2014-06-03 "" 2013-10-22 NA 2013
999 "Clinical Reference Laboratory, Inc." "KS" "" 979 "2/6/2014" "Loss" "Paper" 2014-04-21 "" 2014-02-06 NA 2014
1000 "Various Health Plans" "CT" "Cigna" 527 "3/5/2014" "Loss" "Paper" 2014-06-27 "" 2014-03-05 NA 2014
1001 "Amerigroup Texas, Inc. " "VA" "Amerigroup Texas, Inc. " 75026 "4/1/2012" "Theft" "Paper" 2014-05-13 "" 2012-04-01 NA 2012
1002 "BLUE CROSS AND BLUE SHIELD OF KANSAS CITY" "MO" "" 2546 "8/16/2013" "Unauthorized Access/Disclosure" "Other" 2014-04-21 "" 2013-08-16 NA 2013
1003 "University Urology, P.C." "TN" "" 1144 "3/7/2013" "Unauthorized Access/Disclosure" "Paper" 2014-05-13 "" 2013-03-07 NA 2013
1004 "Healthy Connections, Inc" "CA" "" 793 "3/25/2014" "Loss" "Other Portable Electronic Device" 2014-06-03 "" 2014-03-25 NA 2014
1005 "Administracion de Seguros de Salud" "PR" "American Health Medicare" 46473 "5/8/2013" "Theft" "Other Portable Electronic Device" 2014-06-03 "" 2013-05-08 NA 2013
1006 "Greenwood Leflore Hospital" "MS" "" 3750 "2/23/2014" "Theft" "Other" 2014-05-09 "" 2014-02-23 NA 2014
1007 "Maryland Developmental Disabilities Administration" "MD" "Service Coordination, Inc." 10766 "11/27/2013" "Unauthorized Access/Disclosure, Hacking/IT Incident" "Network Server" 2014-06-11 "" 2013-11-27 NA 2013
1008 "Los Robles Hospital and Medical Center" "CA" "Courier Express/Atlanta, Courier Express/Charlotte & Courier Express US, Inc." 2523 "2/14/2014" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-05-09 "" 2014-02-14 NA 2014
1009 "Shaker Clinic" "OH" "" 617 "2/18/2014" "Loss" "Paper" 2014-05-27 "" 2014-02-18 NA 2014
1010 "VGM Homelink" "IA" "Tri State Adjustments" 1400 "2/28/2014" "Other" "Other" 2014-05-27 "" 2014-02-28 NA 2014
1011 "Larsen Dental Care LLC" "ID" "" 6900 "3/4/2014" "Theft" "Other Portable Electronic Device" 2014-05-27 "" 2014-03-04 NA 2014
1012 "The Union Labor Life Insurance Company" "MD" "" 46771 "2/17/2014" "Theft" "Laptop" 2014-05-27 "" 2014-02-17 NA 2014
1013 "Coordinated Health" "PA" "" 733 "2/21/2014" "Theft" "Laptop" 2014-05-29 "" 2014-02-21 NA 2014
1014 "CENTURA HEALTH" "CO" "" 12286 "2/11/2014" "Hacking/IT Incident" "E-mail" 2014-05-29 "" 2014-02-11 NA 2014
1015 "Ladies First Choice, Inc." "FL" "" 2365 "1/1/2013" "Theft, Unauthorized Access/Disclosure" "Laptop" 2014-05-29 "" 2013-01-01 NA 2013
1016 "Tufts Associated Health Maintenance Organization, Inc. and Tufts Insurance Company " "MA" "" 8830 "4/10/2014" "Theft" "Other" 2014-05-09 "" 2014-04-10 NA 2014
1017 "Developmental Disabilities Administration" "MD" "Inclusion Research Institute" 2200 "3/3/2014" "Unauthorized Access/Disclosure" "Paper" 2014-05-29 "" 2014-03-03 NA 2014
1018 "Willis North America Inc. Medical Expense Benefit Plan" "NY" "" 4830 "3/19/2014" "Unauthorized Access/Disclosure" "E-mail" 2014-05-29 "" 2014-03-19 NA 2014
1019 "Sorenson Communications/CaptionCall Group Health Plan" "UT" "Sorenson Communications" 9800 "2/20/2014" "Hacking/IT Incident" "Network Server" 2014-05-27 "" 2014-02-20 NA 2014
1020 "Baylor Medical Center at McKinney" "TX" "" 1253 "1/23/2014" "Hacking/IT Incident" "E-mail" 2014-05-09 "" 2014-01-23 NA 2014
1021 "Baylor Medical Center at Irving" "TX" "" 2308 "1/23/2014" "Hacking/IT Incident" "E-mail" 2014-05-09 "" 2014-01-23 NA 2014
1022 "Baylor Regional Medical Center at Plano" "TX" "" 1981 "1/23/2014" "Hacking/IT Incident" "E-mail" 2014-05-07 "" 2014-01-23 NA 2014
1023 "HealthTexas Provider Network" "TX" "" 2742 "1/23/2014" "Hacking/IT Incident" "E-mail" 2014-05-07 "" 2014-01-23 NA 2014
1024 "DeKalb Health" "IN" "Ferguson Advertising, Inc." 1361 "2/9/2014" "Hacking/IT Incident" "Network Server" 2014-05-27 "" 2014-02-09 NA 2014
1025 "Iowa Medicaid Enterprise" "IA" "" 862 "2/26/2014" "Unauthorized Access/Disclosure" "Paper" 2014-05-29 "" 2014-02-26 NA 2014
1026 "Flowers Hospital" "AL" "" 629 "6/3/2013" "Theft" "Paper" 2014-06-20 "" 2013-06-03 NA 2013
1027 "Reading Health System" "PA" "" 1845 "3/2/2012" "Loss" "Paper" 2014-05-27 "" 2012-03-02 NA 2012
1028 "City of Cincinnati" "OH" "OptumRx" 5696 "4/4/2014" "Other" "Paper" 2014-05-07 "" 2014-04-04 NA 2014
1029 "UMass Memorial Medical Center" "MA" "" 2387 "5/6/2002" "Unauthorized Access/Disclosure" "Electronic Medical Record, Paper" 2014-05-27 "" 2002-05-06 NA 2002
1030 "The City of Henderson" "KY" "KEYSTONE INSURERS GROUP" 1008 "6/27/2012" "Other" "E-mail" 2014-05-27 "" 2012-06-27 NA 2012
1031 "Options Counseling Center" "NJ" "" 2828 "5/1/2011" "Theft, Unauthorized Access/Disclosure" "Paper" 2014-06-18 "" 2011-05-01 NA 2011
1032 "Molina Healthcare of California Partner Plan, Inc." "CA" "Creel Printing" 4744 "3/18/2014" "Other" "Paper" 2014-05-27 "" 2014-03-18 NA 2014
1033 "Howard L. Weinstein D.P.M." "TX" "" 1000 "3/13/2014" "Theft" "Laptop" 2014-05-27 "" 2014-03-13 NA 2014
1034 "Bio-Reference Laboratories, Inc." "NJ" " Xand Corporation" 1749 "2/02/2014" "Other" "Network Server" 2014-06-18 "" 2014-02-02 NA 2014
1035 "American Health Inc. " "PR" "" 11531 "9/20/2013" "Unauthorized Access/Disclosure" "Paper" 2014-06-18 "" 2013-09-20 NA 2013
1036 "Central City Concern" "OR" "" 17914 "3/23/2010" "Unauthorized Access/Disclosure" "Other" 2014-06-18 "" 2010-03-23 NA 2010
1037 "Blue Cross Blue Shield of Michigan/Blue Care Network" "MI" "Bloom Health" 502 "2/15/2014" "Unauthorized Access/Disclosure, Hacking/IT Incident" "E-mail" 2014-06-18 "" 2014-02-15 NA 2014
1038 "Elliot Health System" "NH" "" 1208 "3/26/2014" "Theft" "Desktop Computer" 2014-06-18 "" 2014-03-26 NA 2014
1039 "Humana Inc [case #15381]" "KY" "" 2962 "4/2/2014" "Theft" "Other Portable Electronic Device" 2014-06-18 "" 2014-04-02 NA 2014
1040 "Jamaica Hospital Medical Center" "NY" "" 26162 "8/1/2011" "Unauthorized Access/Disclosure" "Desktop Computer" 2014-06-18 "" 2011-08-01 NA 2011
1041 "Bay Park Hospital" "OH" "" 594 "4/1/2013" "Unauthorized Access/Disclosure" "Network Server, Electronic Medical Record" 2014-06-18 "" 2013-04-01 NA 2013
1042 "Triple-S Salud " "PR" "" 56853 "9/20/2013" "Unauthorized Access/Disclosure" "Paper" 2014-06-18 "" 2013-09-20 NA 2013
1043 "Aetna Life Insurance Company" "CT" "NFP Maschino, Hudelson & Associates" 3814 "4/2/2014" "Theft" "Laptop" 2014-06-18 "" 2014-04-02 NA 2014
1044 "Salina Health Education Foundation dba Salina Family Healthcare Center" "KS" "" 9640 "4/8/2014" "Unauthorized Access/Disclosure" "E-mail" 2014-06-20 "" 2014-04-08 NA 2014
1045 "Highmark Inc." "PA" "" 2589 "4/19/2014" "Loss, Unauthorized Access/Disclosure" "Paper" 2014-06-27 "" 2014-04-19 NA 2014
1046 "Mark A. Gillispie" "CA" "" 5845 "11/20/2013" "Theft" "Desktop Computer" 2014-06-27 "" 2013-11-20 NA 2013
1047 "Penn State Milton S Hershey Medical Center" "PA" "" 1801 "9/13/2013" "Other" "E-mail, Other Portable Electronic Device" 2014-06-27 "" 2013-09-13 NA 2013
1048 "Walgreen Co." "IL" "" 540 "3/3/2014" "Theft" "Desktop Computer, Paper" 2014-06-20 "" 2014-03-03 NA 2014
1049 "St. Francis Hospital" "GA" "" 1175 "5/30/2014" "Other" "E-mail" 2014-06-18 "" 2014-05-30 NA 2014
1050 "Puerto Rico Health Insurance " "PR" "American Health Inc" 28413 "9/20/2013" "Theft" "Other" 2014-06-27 "" 2013-09-20 NA 2013
1051 "Hospitalists of Brandon, LLC" "FL" "Doctors First Choice Billings, Inc." 1831 "2/11/2014" "Hacking/IT Incident" "Other" 2014-06-27 "" 2014-02-11 NA 2014
1052 "Santa Rosa Memorial Hospital " "CA" "" 33702 "6/2/2014" "Theft, Loss" "Other Portable Electronic Device" 2014-06-27 "" 2014-06-02 NA 2014
1053 "Group Health Plan of Hurley Medical Center" "MI" "" 2289 "5/13/2014" "Unauthorized Access/Disclosure" "E-mail" 2014-06-27 "" 2014-05-13 NA 2014
1054 "Abrham Tekola, M.D.,INC" "CA" "" 5471 "5/27/2014" "Theft" "Desktop Computer" 2014-06-27 "" 2014-05-27 NA 2014