The Office for Civil Rights in the Department of Health and Human Services has added five more organizations to a Web page listing covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR launched the page in February with the listings of 47 organizations.
The posting is mandated under the HHS breach notification rule that was authorized under the HITECH Act. Under the rule, a breach affecting more than 500 individuals must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.
The five new listings are:
- Montefiore Medical Center, New York, 625 affected individuals, theft of a laptop;
- Private Practice, San Antonio, 21,000 affected individuals, theft of a portable device;
- Thrivent Financial for Lutherans, Wisconsin, 9,500 affected individuals, theft of a laptop;
- Wyoming Department of Health, 9,023 affected individuals, unauthorized access of a network server; and
- Aspen Dental Care P.C., Colorado, 2,500 affected individuals, theft of an undisclosed nature.
Private practices are not individually identified in the listing, in compliance with the federal Privacy Act. HHS is working to permit the naming of private practices. The full list of large breaches, which the OCR will regularly update, is available at hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
This article can also be found at HealthDataManagement.com.