Blog Post

HIPAA Breaches in the First Four Months of 2018

Reported HIPAA Data Breaches in April:

Another 120,000 Patients at Risk

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) requires healthcare entities to notify OCR of a breach within 60 days of discovery, if that breach compromises 500 or more patient records. Many of last month’s reported events probably began months earlier, but were only reported after internal investigations. For the first four months of 2018, OCR reported a total of 38 breaches on its website, signifying a risk of compromised protected health information (PHI) for nearly one million patients. The 2018 Health Care Compliance Association (HCCA) Compliance Institute Health Insurance Portability and Accountability Act (HIPAA) Update reported that from September 2009 through December 2017, there were 2,178 breaches filed with OCR that affected 500 or more individuals. Additionally, there were over 300,000 reports of PHI breaches that affected fewer than 500 individuals. With regard to large breaches, a total of nearly 177 million individuals were affected.

Have Compliance Concerns? We Have Solutions.

Contact A Consultant Today

Large breaches can be organized into the following categories:

  • Loss/Theft – This category continues to be the most common type of PHI breach reported, accounting for nearly half of all reported breaches;
  • Laptops/Other Portable Storage Devises – This category represents about one-fourth of all reported large PHI breaches;
  • Hacking/IT – This category accounts for about one-fifth of all reported breaches; and
  • Paper Records – This category accounts for another one-fifth of all reported large breaches.

The following is a list of the 10 largest incidents reported for the first four months of 2018, including the number of patient records affected:

  1. 582,174 – The California Department of Developmental Services reported an unauthorized access/disclosure incident on 4/06/2018;
  2. 279,865 – Oklahoma State University Center for Health Sciences reported a hacking incident on 1/05/2018;
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center reported a hacking incident on 2/28/2018;
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc. reported an unauthorized access/disclosure incident on 2/16/2018;
  5. 63,551 – Middletown Medical P.C. reported an unauthorized access/disclosure incident on 3/29/2018;
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy reported a hacking incident on 1/12/2018;
  7. 36,305 – Triple-S Advantage, Inc. reported an unauthorized access/disclosure incident on 2/02/2018;
  8. 35,136 – ATI Holdings, LLC and its subsidiaries reported a hacking incident on 3/12/2018;
  9. 34,637 – City of Houston Medical Plan reported a laptop theft incident on 3/22/2018; and
  10. 30,799 – The Mississippi State Department of Health reported an unauthorized access/disclosure incident on 3/26/2018.

OCR mandates covered entities and business associates to establish contingency plans to keep patient data secure. In OCR’s March newsletter, officials insisted that healthcare organizations determine which Information Technology (IT) systems are critical, understand how to operate those systems in a disaster, and backup PHI effectively thereby allowing easy retrieval if the original data is lost or offline.

Connect with a HIPAA Compliance Consultant

Strategic Management Services provides a variety of HIPAA compliance services to ensure your organization understands and meets the requirements of the HIPAA Privacy and Security Rules. If you have questions about the security of your program or would like to speak to one of our consultants, contact us online or give us a call at (703) 683-9600.

Subscribe to blog