Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: MED
Year(s) of Breach: 2016
Company or Organization: all
Date Made Public:
January 23, 2018
Company: Union Hospital
Location: Terre Haute, Indiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1

Union Hospital suffered an inadvertent disclosure on approximately 1/18/16 that resulted in 1 record being exposed, which included social security numbers. 

Information Source:
Security Breach Letter
Date Made Public:
January 27, 2017
Company: Synergy Specialists Medical Group
Location: San Diego, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

"On December 9, 2016, we became aware that some patients had received an email from our office earlier that morning that we did not send. Specifically, it appeared to be an email alerting you that our office had a “Docusign” document waiting for you to review. Upon discovery of this fraudulent activity, we immediately sent an email alerting you not to open the email. We also immediately took action to secure our Gmail account and promptly hired forensic IT specialists to determine exactly what happened and whether any of our other systems were affected. Fortunately, the fraudulent activity was determined to be limited to our Gmail account only.

What Information Was Involved? Any information you sent to or received from our office on drjsbdpm@gmail.com. This could include completed patient registration forms if you emailed them to us, prescription or lab requests, and the content of voicemail messages you have left for our office as they would be email transcribed to us for quicker response. We do not send patient records electronically unless specifically requested by a patient so the information is limited to your requests. Further, our office email recipient list, which potentially included your first and last name, and email address may have been exposed."

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-66062

Information Source:
California Attorney General
Date Made Public:
December 30, 2016
Company: Horizon Healthcare Services Inc. doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates
Location: , New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
55,700

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 30, 2016
Company: State of New Hampshire, Department of Health and Human Services
Location: , New Hampshire
Type of breach:
HACK
Type of organization:
MED
Records Breached:
15,000

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 30, 2016
Company: Bryan Myers, MD PC, Ashley DeWitt, DO PC, Michael Nobles, MD PC
Location: , Tennessee
Type of breach:
HACK
Type of organization:
MED
Records Breached:
13,150

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 29, 2016
Company: New Hampshire Department of Health and Human Services
Location: Concord, New Hampshire
Type of breach:
INSD
Type of organization:
MED
Records Breached:
15,000

"State officials are working to strengthen the security of the state’s computer network, after a data breach last year leaked the confidential information of thousands of New Hampshire Department of Health and Human Services clients.

A former patient at New Hampshire’s state psychiatric hospital used a computer in the hospital library to access information of about 15,000 individuals who received department services, according to a DHHS statement.

While on the state’s network, the patient accessed confidential information including names, addresses, Social Security numbers and Medicaid ID numbers and posted the information on social media sites."

More information: http://www.concordmonitor.com/NH-state-officials-working-to-make-network...

 

Information Source:
Date Made Public:
December 29, 2016
Company: PathGroup
Location: Brentwood, Tennessee
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,443

As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 29, 2016
Company: PrimeWest Health
Location: Alexandria, Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,441

As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 29, 2016
Company: PrimeWest Health
Location: , Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,441

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 29, 2016
Company: PathGroup
Location: , Tennessee
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,443

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 28, 2016
Company: Maryland Medical Center/Dr. Morrill
Location: , Maryland
Type of breach:
HACK
Type of organization:
MED
Records Breached:
10,000

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 27, 2016
Company: Susan M. Hughes Center
Location: Cherry Hill, New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,400

As reported by Health and Human Services hacking/IT incident. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 27, 2016
Company: Susan M Hughes Center
Location: , New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,400

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 23, 2016
Company: Waiting Room Solutions Limited Liability Limited Partnership
Location: Goshen, New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
700

As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 23, 2016
Company: Waiting Room Solutions Limited Liability Limited Partnership
Location: , New York
Type of breach:
DISC
Type of organization:
MED
Records Breached:
700

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
December 23, 2016
Company: Brandywine Pediatrics, P.A.
Location: , Delaware
Type of breach:
HACK
Type of organization:
MED
Records Breached:
26,873

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 22, 2016
Company: ADVANTAGE Health Solutions
Location: , Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
2,387

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 22, 2016
Company: Stephen J. Helvie, M.D.
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,013

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 21, 2016
Company: Henry County Health Department
Location: Napoleon, Ohio
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
574

As reported by Health and Human Services as theft. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 21, 2016
Company: Henry County Health Department
Location: , Ohio
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
574

Location of breached information: Electronic Medical Record, Email, Laptop, Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 21, 2016
Company: Community Health Plan of Washington
Location: , Washington
Type of breach:
HACK
Type of organization:
MED
Records Breached:
381,504

Location of breached information: Network Server, Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 20, 2016
Company: Kaiser Foundation Hospital
Location: Oakland, California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
0

"You visited kp.org between November 16 and 28, 2016, and used our online Estimates tool. Due to a system error, there is a small chance that your name, age, address, and some information on how much you’ve spent on health care this year may have been seen by another kp.org user.
 
An update to the Estimates tool was made on November 16, 2016.  After the update, there was a small chance that a subsequent user of the tool may have viewed a previous user’s information.  We discovered the problem on November 28, and immediately rolled back the update to keep similar errors from happening again. 
 
What information was involved?
 
We’ve confirmed that no Social Security numbers or banking or claims information was seen by others. However, the following information may have been mistakenly seen by a kp.org visitor who used the tool after you: 
First and last name, age (not date of birth), address, copay information for your plan, deductible payments(dollars spent toward your deductible) so far in 2016,  out-of-pocket expenses (dollars spent) so far in 2016"

More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65536

Information Source:
California Attorney General
Date Made Public:
December 20, 2016
Company: Alliant Health Plans, Inc.
Location: , Georgia
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,042

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 20, 2016
Company: Desert Care Family and Sports Medicine
Location: , Arizona
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 19, 2016
Company: Humana Inc. [case #HU16004F3]
Location: , Kentucky
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,674

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 19, 2016
Company: Brodhead Dental Center
Location: , Pennsylvania
Type of breach:
HACK
Type of organization:
MED
Records Breached:
5,872

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 16, 2016
Company: Fairbanks Hospital
Location: , Indiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
12,994

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 16, 2016
Company: Southcentral Foundation
Location: , Alaska
Type of breach:
HACK
Type of organization:
MED
Records Breached:
14,719

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 16, 2016
Company: County of Los Angeles Departments of Health and Mental Health
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
749,017

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 15, 2016
Company: East Valley Community Health Center, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
65,000

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 14, 2016
Company: Oak Cliff Orthopaedic Associates
Location: , Texas
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,057

On October 17, 2016, the covered entity (CE), Oak Cliff Orthopaedic Associates, received a call from the local police stating that two boxes with protected health information (PHI) pertaining to its patients were recovered from a hotel located in Texas. The boxes contained patients’ demographic, financial, and clinical information. The CE filed a police report and retrieved the boxes from the police department the next day. On Dec. 9, 2016, the CE contracted with a third-party vendor to mail breach notification to the affected individuals. The CE completed media notification and offered the affected individuals one (1) year of free identity theft protection services. In addition, it set up a call center to assists individuals with questions. The CE also improved physical security. OCR provided technical assistance regarding business associates and obtained documented assurances that the CE implemented the corrective actions noted above.

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 12, 2016
Company: Quest Diagnostics
Location: Madison, New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
34,000

"Quest Diagnostics regrets to notify you of a breach of your Protected Health Information (PHI) which we became aware of on November 28, 2016. 

Here are the details of the breach:
On November 26th an unauthorized third party accessed the MyQuest by Care360® internet application and obtained PHI of approximately 34,000 patients.  The data included name, date of birth, lab results, and, in some instances, telephone numbers.

The affected information did not include Social Security numbers, credit card information, insurance or other financial information."


More information: https://oag.ca.gov/ecrime/databreach/reports/sb24-65390

Information Source:
California Attorney General
Date Made Public:
December 12, 2016
Company: Quest Diagnostics
Location: , New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
34,055

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 11, 2016
Company: Charles Stamitoles
Location: , Florida
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
5,600

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 10, 2016
Company: Appalachian Gastroenterology, P.A.
Location: , North Carolina
Type of breach:
HACK
Type of organization:
MED
Records Breached:
11,000

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 8, 2016
Company: Black Hawk College
Location: , Illinois
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,000

A computer server for the covered entity’s (CE) reinsurer was infected with ransomware from March 12 to August 8, 2016, making protected health information (PHI) accessible. The PHI included the names, addresses, dates of birth, Social Security numbers, and clinical data pertaining to approximately 1,000 individuals. The CE submitted a breach report to HHS out of caution even though the reinsurer was not a business associate (BA). The CE provided evidence that a BA was not necessary and the disclosures were permitted under HIPAA for health care operations purposes. The reinsurer provided breach notification to the affected individuals and the CE sent notice to the media and posted a substitute notice on its website. The CE also retrained staff and reviewed its BA agreements and its HIPAA policies and procedures. OCR obtained documentation that the CE implemented the actions listed above.

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 7, 2016
Company: Preventice Services, LLC
Location: Houston, Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
6,800

As reported by Health and Human Services unauthorized access/disclosure. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
Date Made Public:
December 7, 2016
Company: Preventice Services, LLC
Location: , Texas
Type of breach:
DISC
Type of organization:
MED
Records Breached:
6,800

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 6, 2016
Company: East Valley Community Health Center, Inc.
Location: West Covina, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

"We are sending this letter to you as part of East Valley Community Health Center’s (EVCHC) commitment to patient privacy. We take patient privacy very seriously, and it is important to us that you are made fully aware of a potential privacy issue. We learned that your personal information, including name, date of birth, address, medical record number, health diagnosis codes and insurance account number may have been compromised. However, information such as social security number and/or CA identification/driver license number was not included. On October 18th, an unknown individual logged into an EVCHC server without authorization and installed Troldesh/Shade, encrypting (locking) the files that were stored on the server, this is also known as a ransomware attack. One of the files that was encrypted had patient health information on it, which came from claims that were submitted to health plans. However, to date, there is no indication that the information has been accessed or used by the unauthorized individual."

Information Source:
California Attorney General
Date Made Public:
December 5, 2016
Company: Dr. Melissa D. Selke
Location: Hillsborough Township, New Jersey
Type of breach:
HACK
Type of organization:
MED
Records Breached:
4,277

As reported by Health and Human Services hacking/IT Incident. No specific information as to what information was compromised as provided by health and human services.

More Information: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=9BF4AF...

Information Source:
Government Agency
CSV