Health Care’s Biggest Breach Offenders

Health Care’s Biggest Breach Offenders Health Care’s Biggest Breach Offenders

Since the HIPAA breach notification rule became effective in September 2009, the HHS Office for Civil Rights has collected and publicly posted reports on more than 500 major breaches of protected health information, each affecting at least 500 individuals. Combined with 55,000+ reports of smaller breaches, more than 21 million individuals have been affected in little more than three years. Here are the most egregious violators of patient privacy; the top breaches affecting from 514,330 to 4.9 million individuals.

Eisenhower Medical Center, Rancho Mirage, Calif. Eisenhower Medical Center, Rancho Mirage, Calif.

A hospital computer stolen in a burglary on March 11, 2011, contained names, birth dates, medical records numbers and the last four digits of Social Security numbers on 514,330 patients. The computer had data relating only to the hospital and not for other providers on the campus.

Florida Celebration Hospital near Orlando Florida Celebration Hospital near Orlando

The FBI in August 2012 arrested an emergency department registration clerk and charged him with accessing 760,000 ED records over two years and selling thousands of them. The records were for patients in an automobile accident and the buyer was a referral service for chiropractors and attorneys. The hospital offered credit and identity protection services. The clerk later pleaded guilty and faces up to 15 years; sentencing is scheduled for this month.

Utah Medicaid Utah Medicaid

The Utah Department of Technology Services on March 30 discovered what was believed to be a hacker ring in Europe had gained access to data on 780,000 Medicaid and CHIP beneficiaries, including 280,000 Social Security numbers. The director of the technology department lost his job and the governor apologized to the state’s residents for not adequately protecting their information. Those with compromised SSNs received credit monitoring services.

South Shore Hospital, Weymouth, Mass. South Shore Hospital, Weymouth, Mass.

The hospital in February 2010 lost two boxes of back-up tapes sent for destruction. Information on about 800,000 patients, including an undisclosed number of Social Security and financial information, were among the compromised data. Still, the hospital declined to notify patients individually, saying state law permitted alternative, cheaper ways. The hospital later agreed to a $750,000 settlement with the states attorney general.

Blue Cross and Blue Shield of Tennessee Blue Cross and Blue Shield of Tennessee

The Blues plan lost 57 hard drives to theft in October 2009. The investigation took many months and eventually determined about 1.5 million individuals were affected. High-risk members received credit and identity protection services. The plan was unusually upfront with regular updates and treated the breach as a teachable moment for itself and the industry. Still, it got socked with a $1.5 million fine from the HHS Office for Civil Rights.

AvMed Health Plans, Orlando AvMed Health Plans, Orlando

Two laptops with PHI including SSNs on 1.2 million current and former members of Florida health insurer AvMed were stolen in December 2009. The company offered identity protection services. Some affected members later reported identity theft and filed a class action lawsuit. Recently, the U.S. Eleventh Circuit Court of Appeals reversed a lower court ruling and permitted the case to proceed. The ruling is important because it outlined minimum requirements to establish causation in a breach/identity theft case before the Eleventh Circuit, says law firm InfoLawGroup.

Nemours Nemours

Children’s health system Nemours discovered in September 2011 that a locked storage cabinet containing backup tapes was missing after a remodeling project. The tape had demographic, diagnosis and SSN information for patients and parents/guardians between 1994 and 2004, and financial information on some employees including bank account numbers. Nemours began encrypting tapes and sending them to secure off-site storage following the breach that affected 1,055,489 individuals. It offered credit monitoring and identity theft protection services.

New York City Health and Hospitals Corp. New York City Health and Hospitals Corp.

The organization notified 1.7 million patients, staff, employees and vendors after backup tapes covering two hospitals and two clinics over 20 years were stolen from a contractor’s truck in December 2010. Social Security numbers were among the compromised information for an undisclosed number of those affected. The hospital offered credit monitoring and fraud resolution services to all affected individuals.

Health Net Health Net

Insurer Health Net initially was slow to give details on a breach after several server drives went missing in January 2011, but the California Department of Managed Healthcare in March told HealthcareInfoSecurity that it affected 1.9 million individuals nationwide. Health Net eventually offered comprehensive protection services, but was slow to even acknowledge the breach, doing so only when pressed by the Connecticut Office of Attorney General. The AG reminded Health Net of an obligation for quick notification of breaches following an earlier major breach that affected 1.5 million in 2009 before the breach notification rule went into effect.

Sutter Health Sutter Health

The theft of a computer at Sutter Health in California in October 2011 affected 4.2 million patients and resulted in 11 class action lawsuits that have been consolidated into one case. Information for 3.3 million patients included name, address, date of birth, phone number and e-mail address if provided. Information on 943,000 other patients also included dates of service and a description of diagnoses and services, and this is the number that HHS/OCR posted on its public Web site.


Contractor SAIC in September 2011 reported the loss of backup tapes covering 4.9 million patients covered under TRICARE, the insurer for the military health system. Compromised information included SSNs, but TRICARE initially declined to offer protection services, saying the risk was low and more investigation was needed. Five weeks later, TRICARE announced that SAIC would pay for credit and fraud protection.

Already a subscriber? Log in here
Please note you must now log in with your email address and password.