Data Breaches

Date Made Public:
June 15, 2018
Company: New Jersey Department of Human Services
Location: New Jersey
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,263

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
November 22, 2013
Company: New Jersey Department of Human Services
Location: New Jersey
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
9,825

An employee of the covered entity's (CE) business associate (BA), Island Peer Review Organization, lost an unencrypted and not password-protected portable computer drive (a "USB" drive) that contained 9,825 patients’ names, addresses, dates of birth, social security numbers, clinical information, diagnoses, conditions, and identification numbers (including member identification, Medicaid identification, subscriber identification, patient account number and patient control number). The CE, New Jersey Department of Human Services, provided breach notification to HHS, and the BA notified affected individuals and the media. Following the breach, the BA recovered all of the USB drives used by employees and retrained these employees on the BA’s security policies and the appropriate use of encryption on portable electronic media. As a result of OCR’s investigation and technical assistance, the BA retrained certain staff and implemented a policy requiring staff to use only portable media purchased by the BA's Information Systems Department. The BA installed technical safeguards on all computers so only approved portable devices are allowed access while any other types can be rendered as “read only” or unusable. Further, the CE indicated that the BA's device access will be monitored and logged to guard against employees who attempt to copy data to unauthorized devices. OCR advised the CE of the requirements to perform a thorough and accurate risk analysis and establish a risk management plan.

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services