10 of the Worst Hospital Data Breaches Since 2012

Numerous health care organizations have been cited for HIPAA violations pertaining to the security of patients’ digital health records. Many of them have been required to pay large fines by the Department of Health and Human Services Office of Civil Rights.

The OCR categorizes violations into four fine brackets [1]:

Fine per violation: $100 – $50,000
Violation: The organization unknowingly allowed the breach and exercised reasonable diligence.

Fine per violation: $1,000 – $50,000
Violation: The breach occurred due to a “reasonable cause.”

Fine per violation: $10,000 – $50,000
Violation: The breach resulted from willful neglect that was corrected in a timely manner.

Fine per violation: $50,000
Violation: The breach resulted from willful neglect that was not corrected in a timely manner.

This timeline lists 10 of the worst violations of the last five years.

2012
Organization: Alaska Department of Health and Human Services [2]
Individuals Affected: 501
Fine: $1.6 million
Theft of USB drive possibly containing electronic protected health information (ePHI).

2013
Organization: Wellpoint [3]
Individuals Affected: 612,402
Fine: $1.7 million
Inadequate policies and procedures for authorizing access to ePHI were discovered.

Organization: Anthem Inc. [4]
Individuals Affected: 78 million
Fine: Pending
ePHI was leaked.

2014
Organization: Concentra Health Services [5]
Individuals Affected: 870
Fine: $1.73 million
Theft of unencrypted laptop.

Organization: Stanford Hospital & Clinics [6]
Individuals Affected: >1 million
Fine: $3 million
Unencrypted laptops were stolen.

2015
Organization: Premera Blue Cross [7]
Individuals Affected: 1 million
Fine: Pending
Claims data hacked.

2016
Organization: St. Joseph Health [8]
Individuals Affected: 31,800
Fine: $2.4 million
Protected health information (PHI) was accessible through internet search engines.

Organization: New York Presbyterian Hospital [9]
Individuals Affected: 2
Fine: $2.2 million
Patients’ protected information was disclosed to news media.

Organization: Oregon Health & Science University [10]
Individuals Affected: 3,000
Fine: $2.7 million
ePHI was breached.

Organization: University of Mississippi [11]
Individuals Affected: 10,000
Fine: $2.75 million
A password-protected laptop went missing.

1 “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” January 25, 2013. Federal Register. Retrieved from: www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95

2 “Alaska DHSS settles HIPAA security case for $1,700,000,” June 26, 2012. Retrieved from: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/alaska-DHSS/index.html

3 “WellPoint pays HHS $1.7 million for leaving information accessible over Internet,” July 11, 2013. Retrieved from: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/wellpoint/index.html

4 Snell, Elizabeth. “Anthem Health Data Breach Could Compromise PII of 80M.” Health IT Security, February 5, 2015. Retrieved from: healthitsecurity.com/news/anthem-health-data-breach-could-compromise-pii-of-80m

5 U.S. Department of Health and Human Services (HHS), April 22, 2014. Retrieved from: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/concentra-health-services/index.html

6 “A Few Million Reasons to Minimize Security Risks to your Medical Data Storage Devices,” Accessed March 23, 2017. Retrieved from: www.qualityip.com/a-few-million-reasons-to-minimize-security-risks-to-your-medical-data-storage-devices

7 “Premera Blue Cross Says Data Breach Exposed Medical Data,” The New York Times. March 17, 2015. Retrieved from: www.nytimes.com/2015/03/18/business/premera-blue-cross-says-data-breach-exposed-medical-data.html

8 “$2.14 million HIPAA settlement underscores importance of managing security risk,” October 17, 2016. Retrieved from: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh

9 “Unauthorized Filming for ‘NY Med’ Results in $2.2 Million Settlement with New York Presbyterian Hospital,” April 21, 2016. Retrieved from: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-york-presbyterian-hospital/index.html

10 “Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University,” July 18, 2016. Retrieved from: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html

11 “Multiple HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC),” Accessed March 23, 2017. Retrieved from: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/UMMC/index.html