Health Information Compliance Alert

Cybersecurity:

Take a Look at the Biggest Breaches of 2017

Here is a breakdown of the biggest losses of ePHI.

HIPAA privacy has been at the forefront of healthcare compliance for a long time, and for the most part, data shows that practices understand HIPAA privacy. However, as fears about exposing protected health information (PHI) at the front desk have waned, there's been a marked increase in lost patient information due to the increased use of health IT products.

Over 14.6 million individuals were impacted by HIPAA breaches last year, according to HHS Office for Civil Rights (OCR) breach portal information. Within that total, more than 75 incidents each affected more than 10,000 patients.

Here are the statistics for the five largest losses of electronic protected health information (ePHI) due to HIPAA data breaches:

1. Commonwealth Health Corporation. The multi-hospital group Med Center Health, which is part of Commonwealth Health Corporation, out of Bowling Green, Kentucky, was listed on what many call the OCR's "Wall of Shame" on March 1, 2017. Reports suggest that a former employee stole the billing information of 697,800 individuals for personal use between 2011 and 2014.

Read the Med Center Health release at: www.chc.net/sites/chc_net/Uploads/Public Notification and Open Letter to the Community.pdf.

2. Airway Oxygen, Inc. A malware attack on the Grand Rapids, Michigan home medical equipment provider's systems left the ePHI of "approximately 550,000 current and past customers" exposed, noted the organization's breach notice. The cyber hijack happened on April 18, and the OCR added Airway Oxygen, Inc. to the portal on June 16, 2017.

Read the Airway Oxygen, Inc. cyber attack details at: http://security.airwayoxygeninc.com.

3. Women's Health Care Group of Pennsylvania, LLC. With 45 locations across Pennsylvania, the large healthcare organization discovered it was the victim of a ransomware attack impacting upwards of 300,000 individuals' ePHI at one location after a virus was detected on a computer and server on May 16. The group's information made its way to the OCR portal on July 15, 2017.

Read the Women's Health Care Group of Pennsylvania, LLC release at: www.whcgpa.com/notice-of-security-breach-incident.html.

4. Urology Austin, PLLC. The Texas urology group suffered a ransomware attack that "encrypted the data stored on" its servers - 279,663 patients' ePHI was affected during the Jan. 22, 2017 incident. Its large-scale breach was uploaded by OCR on March 22, 2017.

Read the Urology Austin, PLLC notification at: http://urologyaustin.com/wp-content/uploads/2017/03/DADOCS01-2525884-v1-Urology-Austin-Substitute-Notice-2.pdf.

5. Pacific Alliance Medical Center. The Los Angeles-based facility alerted authorities of a ransomware hack that impacted 266,123 individuals' ePHI in June of 2017.

Resource: To look at the OCR Breach Portal, visit https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.