The 5 Biggest HIPAA Breaches of 2013

Posted: Jan 23, 2014
Share This:

Last year businesses and organizations across the states encountered a staggering variety of HIPAA breaches, including the 2nd largest breach ever recorded. In data released by the U.S. Department of Health and Human Services (HHS) fines ranging from $150,000 to $1.7 million dollars were administered during 2013 with millions of individuals affected by the violations.

Here we explore the top five HIPAA breaches in terms of individuals affected and look into what led to the exposure of their Protected Health Information (PHI).

1) Advocate Medical Group

Date of breach: 7/15/2103
People affected: 4,029,530

What happened?
An unfortunate turn of events led to the theft of four laptops containing over four million patient records. More than a month after the breach Advocate Medical Group eventually notified patients confirming that social security numbers may have been compromised. Whilst officials reported that the information was password protected there was a resounding feeling of unease as patients faced further risk of identity theft.

Furthermore, this breach is the second largest ever recorded by HHS following an incident in 2011 where over 4.9 million people were put at risk thanks to another theft. It was reported backup tapes were stolen from an employee at Tricare Management Activity, a health insurance carrier for the military.

2) Horizon Blue Cross Blue Shield of New Jersey

Date of breach: 11/01/2013
People affected: 839,711

What happened?
The theft of two laptops from the Newark Headquarters of Horizon Blue Cross Blue Shield last November resulted in the breach of nearly 840,000 individuals’ personal information. Whilst the laptops were reportedly cable-locked the physical security measures taken were not enough, made worse by the fact that Horizon Blue Cross Blue Shield could not guarantee whether information on the laptops was accessible. In this case the configuration of the laptops meant that it could not be confirmed that data was sufficiently encrypted.

3) AHMC Healthcare
Date of breach: 10/12/2013
People affected: 729,000

What happened?
In another case of theft AHMC Healthcare suffered a PHI breach as two password-protected laptops were stolen from their administrative offices in October. Sadly it was too little too late as AHMC was carrying out a security risk assessment at the time of the breach but had not yet enforced an encryption for all company laptops.

In a statement released by the AHMC Healthcare the data contained information from six hospitals/medical centres.

4) Texas Health Harris Methodist Hospital Fort Worth

Date of breach: 5/11/2013
People affected: 277,014

What happened?
Unlike the breaches listed above Texas Health Harris Methodist Hospital Fort Worth fell foul to a breach following the improper disposal of PHI. Document destruction and recycling company, Shred-it International, was contracted to transport and securely destroy microfiche containing individuals’ information from 1980-1990. Instead, records were discovered in various public locations including a Dallas park.

This breach is noteworthy as most modern breaches are a result of the improper protection of electronic information. In this circumstance the typical on-site shredding facilities at Texas Health Harris Methodist Hospital Fort Worth were inadequate for the destruction of the physical microfiche.

5) Indiana Family and Social Services Administration

Date of breach: 4/6/2013 – 5/21/2013
People affected: 187,533

What happened?
A regrettable programming error by a Business Associate (BA) of Indiana Family and Social Services Administration led to the PHI being compromised between April 6 and May 21. The error led to over 187,000 individuals’ being sent other patients information including names, addresses, social security numbers, medical and financial data.

The lesson? Prepare for the unexpected and employ state-of-the-art security measures across all aspects of your business or organization. Across 2013 major health businesses and individuals’ suffered as a result of the inadequate protection of PHI.

Here are some simple ways to prevent breaches, and catastrophic fines, in 2014:

– Encrypt data across all devices including laptops, smartphones and tablets.
– Invest in a risk assessment to safeguard against internal and external disclosure of PHI.
– Thoroughly inspect the security procedures of third party service providers.
– Embrace cloud technology from secure Business Associates who can guarantee HIPAA compliancy.
– Provide comprehensive training for all employees regarding the protection of PHI and privacy procedures.