HIPAA News

Names of Entities Reporting Health Data Breaches Released by HHS

(March 2, 2010) - Large breaches of patients' health information have been reported by more than 30 HIPAA covered entities since September 2009 when the new federal breach notification requirement took effect, according to the U.S. Department of Health and Human Services (HHS).

The most significant breach, affecting 500,000 individuals, was reported by Blue Cross Blue Shield of Tennessee and attributed to stolen hard drives. More than half of the 36 reported large breaches involved theft, loss or unauthorized access of computers or laptops. Several others occurred in portable electronic devices. Only a few of the reported breaches involved paper records.

The breach notification requirement, enacted in the American Recovery and Reinvestment Act of 2009, requires Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities to notify individuals whose protected health information may have been improperly accessed, used or disclosed. If the incident affects 500 or more patients, the covered entities also are required to notify HHS and the media. HHS must post the names of entities that report large breaches on its Web site.

According to the list posted on the HHS Web site Feb. 22, the causes of the 36 breaches were:
• theft (22);
• theft and unauthorized access (five);
• loss (three);
• incorrect mailing/e-mail (two);
• unauthorized access (two);
• hacking (one); and
• phishing scam (one).
HHS said it also has received approximately 300 reports of smaller breach incidents, typically involving paper records.

Share or bookmarklet this web page at: