theDataMap

Documenting all the places
personal data goes.

healthDataMap




Health payers receive information from you (the patient), statewide discharge data holders, pharmacy benefits managers, employer wellness programs, disease management organizations, de-identification companies, and analytics firms, and they exchange information with researchers.

In general, Health Payers receive detailed medical bills from physicians, hospitals, and clinical laboratories. Bills typically include your name, address, policy number, date of birth, diagnoses, and procedures. Often providers submit bills to insurance companies through clearing houses.

Additionally, a Benefits Manager may play the role of a payer for self-insured employers.

There are many types of insurers:

A common payer is a health insurance company, which offers insurance against the risk of your personally incurring major medical expenses. By estimating the overall risk of health expenses among a targeted group, the insurance company pays your medical bills and you pay monthly premiums. Often your employer contributes significantly to your monthly premiums, and feedback to the employer from the insurance company should be aggregate information that does not include your name. When your employer and your health payer are the same, they are called a Self-Insured Employer.

In comparison, a managed care organization aims to lower healthcare costs by re-organizing and negotiating arrangements directly with physicians. A common variation is the Health Maintenance Organization, which requires members to select a primary physician who acts as a gatekeeper to recommend and approve medical services. Another variation is a Preferred Provider Organization, an organization of physicians, hospitals, and other health care providers who work with an insurer to provide health care at reduced rates.

The largest payer is Medicare, which is a federal program for senior citizens. Medicaid assists at the state level.

Examples

OptumInsight (Ingenix), a division of Minnetonka, Minn.-based UnitedHealth Group Inc., the biggest private U.S. health insurer, owns one of the deepest pools of health data on the planet. Its patient profiles link records from health plans, lab tests, hospital claims, pharmacies and physicians, even demographic information on patients' race, income and net worth. Sales were $2.88 billion last year. OptumInsight purchases statewide personal hospital discharge data from at least 10 states: CA, FL, IL, MD, MA, NJ, NY, PA, TX, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

Aetna of Connecticut had a data breach in 2010, in Connecticut. A number of insured customers were affected by an unauthorized access or accidental disclosure of personal information in September. [source].

  

Ingenix (OptumInsight), a division of Minnetonka, Minn.-based UnitedHealth Group Inc., the biggest private U.S. health insurer, owns one of the deepest pools of health data on the planet. Its patient profiles link records from health plans, lab tests, hospital claims, pharmacies and physicians, even demographic information on patients' race, income and net worth. Sales were $2.88 billion last year. They purchase statewide personal hospital discharge data from at least 10 states: CA, FL, IL, MD, MA, NJ, NY, PA, TX, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

Aetna, Nationwide, WellPoint Group Health Plans, Humana Medicare, Mutual of Omaha Insurance Company, Anthem Blue Cross Blue Shield via Concentra Preferred Systems had a data breach in 2006, in Ohio. A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC. UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc. UPDATE (1/24/07): Personal data of 28,279 of Nationwide's Ohio customers were also compromised. 2/11/10: Total changes to 396,279 to reflect final total of records breached in all of the affected companies. (396279 records involved) [source].

  

Acs Government Healthcare purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Affinity Health Plan had a data breach in 2010, in New York. Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers and employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive. Some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company. Affinity Health Plan says it has not had a chance to review the data found on the copier. The figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage. (409,262 records involved) [source].

  

Aetna purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

American Association of Retired Persons, AARP Insurance had a data breach in 2010, in District Of Columbia. A client received another client's information in an insurance policy letter. He attempted to trace the mistake and notified the organization that underwrites AARP's life insurance program, New York Life Insurance. It is unknown how this error occurred and client names, phone numbers, policy numbers, check account information and dates of birth could have been exposed. [source].

  

AHCA purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

American Fidelity Assurance Company had a data breach in 2010, in Oklahoma. Storage containers with Social Security numbers, names, dates of birth and other information were left on a curb in Edmond, Oklahoma. A couple went to the local news after having stored the hundreds of documents for a few years. The insurance papers are from 2003 and 2004 and have information on employees of multiple companies. [source].

  

America Health Insurance Plans Center For Policy And Research purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

American International Group (AIG), Indiana Office of Medical Excess, LLC had a data breach in 2006, in New York. The computer server was stolen on March 31 containing personal information including names, Social Security numbers, birth dates, and some medical and disability information. UPDATE (1/12/2010): A 28-year-old Indianapolis man was sentenced today to two years in state prison for trying to extort $208,000 from an insurance company after stealing a computer server. In March 2006, the man burglarized the Indianapolis office of AIG Medical Excess, threatening to release clients' personal data on the Internet. The server contained the names of more than 900,000 insured persons, as well as their personal identifying information, and confidential medical information and e-mail communications. At the time of the burglary, the man was an employee of a private security firm that provided security services to the insurance company. On July 23, 2008, Stewart delivered a package to the insurance company. The package included a letter stating that he possessed the stolen server and its confidential data. He asked for $1,000 a week for four years, but the FBI and others intervened. The Indiana State Police, the Indiana Department of Natural Resources, Indianapolis Metropolitan Police Department, and Attorney General also were part of the investigation. (930,000 records involved) [source].

  

Anthem BC/BS of Maine purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ameritas Life Insurance Corp. had a data breach in 2012, in Nebraska. A laptop was stolen or discovered stolen sometime around March 21, 2012. It contained the sensitive health information of 3,000 people. The incident was posted on the HHS website on June 8. UPDATE (08/03/2012): An official notice states that an employee notified Ameritas that their laptop and other items were stolen from their car on March 21. The laptop contained information used to provide group dental and vision quotes, as well as individual member enrollment information for employer-sponsored group health plans. The laptop was password protected but not encrypted. Names, Social Security numbers, addresses, dates of birth, and places of employment may have been exposed. (3,000 records involved) [source].

  

Anthem Blue Cross/ Wellpoint Inc purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Anthem Blue Cross had a data breach in 2011, in California. Letters soliciting dental and vision coverage were mailed to current Anthem customers. A priority code composed of the customer's Social Security number and two extra digits was printed on the outside of each envelope. One customer noticed the error and contacted the media. Anthem admits that an error occurred, but did not reveal the cause. Anthem is working to prevent this type of breach from happening again and was in the process of notifying customers of the error as of May 12. UPDATE (10/01/2012): Anthem experienced the marketing mailer error on April 27, 2011. The State of California settled with Anthem in September of 2012. Anthem agreed to pay $150,000 and to make significant improvements to its data security procedures to prevent future errors of a similar type. (31,125 records involved) [source].

  

Av Med Health Plans purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Anthem Blue Cross, WellPoint had a data breach in 2010, in California. More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross merged with WellPoint in 2004. UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach. The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information. UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information. It is unclear whether these residents are included in the original 470,000 customers. Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint. UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft. An applicant behind the lawsuit is seeking class action status. UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company's delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines. State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers. UPDATE (7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law. Customer data was accessible between October 23, 2009 and March 8, 2010. One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010. WellPoint began notifying consumers on June 18, 2010. (470,000 records involved) [source].

  

Blue Cross & Blue Shield Of Florida purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

AvMed Health Plans had a data breach in 2010, in Florida. AvMed Health Plans announced that personal information of some current and former subscribers may have been compromised by the theft of two company laptops from its corporate offices in Gainesville. The information included names, addresses, phone numbers, Social Security numbers and protected health information. The theft was immediately reported to local authorities but attempts to locate the laptops have been unsuccessful. AvMed determined that the data on one of the laptops may not have been protected properly, and approximately 80,000 of AvMed's current subscribers and their dependents may be affected. An additional approximate 128,000 former subscribers and their dependents, dating back to April 2003, may also have been affected. UPDATE (06/03/2010): The theft of the laptops compromised the identity data of 860,000 more AvMed members than originally thought. The total now nears 1.1 million. UPDATE (11/17/2010): Five AvMed Health Plans customers filed a class-action lawsuit against the health insurer on behalf of the 1.2 million people who were affected by the breach. At least two of them believe that their personal information was misused as a result of this particular breach. UPDATE (09/24/2012): An appeals court ruled that the plaintiffs were explicitly able to prove a link between the breach and ID theft they incurred. The case had been thrown out by a lower court in August 2011, but the appeal ruling may allow victims of identity theft to make it easier to prove that the identity theft was caused by a data breach. (1,220,000 records involved) [source].

  

California Medical Assistance Commission purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ayuda Medical Case Management had a data breach in 2012, in Texas. Thousands of patient records were found in an unsecured trash can. They contained names, Social Security numbers, addresses, phone numbers, medical conditions, and treatment information. The boxes of medical records were traced to Ayuda, whose owner claimed to have been doing little or no business after losing a state contract in September. The boxes were auctioned off after the owner failed to pay the rental fee on a storage unit. (2000 records involved) [source].

  

Capital District Physicians Health Plan purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

BB&T Insurance had a data breach in 2008, in Virginia. A BB&T Insurance laptop containing the personnel information of some Harrisonburg City Schools employees was stolen. The laptop, used by an outside sales representative to develop an insurance proposal for the school system, was stolen from a car. The information contained names, dates of birth, Social Security numbers, and, in some cases, medical history. [source].

  

Capital Health Plan purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Benefits Resources, Inc. had a data breach in 2011, in Ohio. A portable electronic device was lost or stolen on or around November 22, 2010. It contained the PHI of patients. [source].

  

Centene Corporation purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross and Blue Shield of Florida (BCBSF) had a data breach in 2011, in Florida. An April 2011 mailing error caused 3,500 member healthcare statements to be mailed to incorrect addresses. The statements were mailed to the former addresses of members and contained names, insurance numbers, diagnoses codes and descriptions, procedure codes and descriptions, prescription names and provider names. [source].

  

Childrens Healthcare Of Atlanta purchases statewide personal hospital discharge data from at least FL WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross and Blue Shield of Georgia had a data breach in 2008, in Georgia. Benefit letters containing personal and health information were sent to the wrong addresses last week. The letters included the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed. A small percentage of letters also contained the patients' Social Security numbers. (202000 records involved) [source].

  

Coventry Health Care purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross and Blue Shield of North Carolina had a data breach in 2006, in North Carolina. Social Security numbers of members were printed on the mailing labels of envelopes with information about a new insurance plan. Those who were affected were contacted immediately. (629 records involved) [source].

  

Dirigo Health Agency purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross and Blue Shield of Rhode Island (BCBSRI) had a data breach in 2010, in Rhode Island. A filing cabinet containing survey information from approximately 12,000 BlueCHIP for Medicare members was donated to a local nonprofit organization. The surveys were from 2001 to early 2004 and contained information such as names, Social Security numbers, telephone numbers, addresses and Medicare Identification numbers. (12,000 records involved) [source].

  

DMHC purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross Blue Shield Association had a data breach in 2010, in Illinois. An error in the quarterly address update process resulted in the mailing of approximately 15,000 individuals' protected health information to incorrect addresses. The information in the letters included demographic information, explanation of benefits, clinical information, and diagnoses. The returned mail was collected and the organization verified whether or not it had been delivered. [source].

  

Empire Health purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross Blue Shield Florida had a data breach in 2011, in Florida. A system error caused mail to be sent to the wrong addresses. Current and former addresses were mixed up and mail containing an explanation of benefits was sent to incorrect (former) addresses. UPDATE (4/15/2011): The mailing error occurred on October 16, 2010 and was discovered in late January of 2011. [source].

  

Harris County Healthcare Alliance purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross Blue Shield of Alabama had a data breach in 2010, in Alabama. A dishonest employee was charged with identity theft. The employee fraudulently obtained credit by using the health insurance information of at least 15 clients. (15 records involved) [source].

  

Harvard Pilgrim Health Care purchases statewide personal hospital discharge data from at least NY ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross Blue Shield of Massachusetts (BCBS) had a data breach in 2012, in Massachusetts. A BCBS vendor misused BCBS employee information. The misuse appears to have been limited to one instance. Names, Social Security numbers, dates of birth, compensation information, and bank account information may have been exposed. (15000 records involved) [source].

  

Health First, Inc. purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue Cross Blue Shield of Michigan (BCBSM), Tstream Software had a data breach in 2011, in Michigan. A BCBSM website created by Tstream was the source of a breach. A BCBSM found her personal information online when searching her name. People applying for individual health insurance between 2006 and an unclear date had their names, Social Security numbers, addresses and dates of birth exposed. BCBSM was notified of the error on November 17, 2010. The information was accessible for an unspecified amount of time. Though 6,500 BCBSM members were notified, only 2,979 were affected. (2979 records involved) [source].

  

Health Scope Inc purchases statewide personal hospital discharge data from at least CA NJ FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blue-Cross Blue-Shield of Western New York had a data breach in 2008, in New York. A laptop hard-drive containing vital information about members has gone missing. Blue-Cross Blue-Shield of Western New York says it is notifying its members about identity theft concerns after one of its company laptops went missing. (40,000 records involved) [source].

  

HFN, Inc. purchases statewide personal hospital discharge data from at least IL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

BlueCross Blue Shield of North Carolina had a data breach in 2012, in North Carolina. A mailing software error caused the private information of current and former Blue Cross Blue Shield members to be mailed to other members. The error was discovered on April 12. The records were more than 10 years old and included patient names, Social Security numbers, type of medical care received, and other protected health information. (100 records involved) [source].

  

Horizon Healthcare Innovations purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

BlueCross BlueShield (BCBST) had a data breach in 2010, in Tennessee. The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. The hard drives contained 1.3 million audio files and 300,000 video files. The files contained customers' personal data and protected health information that was encoded but not encrypted, including: names and BlueCross ID numbers. In some recordings, but not all, diagnostic information, date of birth, and/or a Social Security number were exposed. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk. UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761, an estimate made in March, to nearly one million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues. UPDATE (11/3/10): According to a letter sent to the New Hampshire Attorney General's Office, the total number of individuals affected was 1,023,209. BCBS used a three-tier system to categorize individuals affected by the breach. The total includes 451,274 clients whose Social Security numbers were involved, 319,325 clients whose personal and diagnostic health information was involved and 239,730 clients who had personally identifiable information that was neither medical nor their Social Security number. BlueCross Blue Shield also reported receiving fewer than 10 requests for credit restoration services from those who had their Social Security numbers exposed. UPDATE (3/14/2012): Blue Cross Blue Shield of Tennessee (BCBST) reached a $1.5 million resolution agreement with the U.S. Department of Health and Human Services. BCBS of Tennessee kept the drives and network data closet in a facility that was secured by a property management company. The closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. BCBST eventually vacated most of the leased office space. Thieves may have taken the opportunity to steal the 57 unencrypted hard drives from the closet while the space was not fully occupied. (451,274 records involved) [source].

  

Jefferson Healthcare purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

BlueCross BlueShield of Western New York, HealthNow New York Inc., Administrative Services of Kansas had a data breach in 2006, in New York. The laptop of an employee of HealthNow's outside claims vendor Administrative Services of Kansas was stolen during the lunch break of a presentation. The laptop had potential member names and Social Security numbers. The theft occurred sometime around June 19 and notification letters were sent on October 16. (96 records involved) [source].

  

Kaiser Foundation Health Plan purchases statewide personal hospital discharge data from at least CA WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Buckeye Community Health Plan had a data breach in 2006, in Ohio. Four laptop computers containing customer names, Social Security numbers, and addresses were stolen from the Medicaid insurance provider. (72,000 records involved) [source].

  

Maine Community Health Options purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cahaba Government Benefit Administrators LLC had a data breach in 2011, in Alabama. On April 11, 2011, someone discovered that sensitive paper records had been disclosed to outside parties or accessed without authorization. Centers for Medicare and Medicaid Services (CMS) uses Cahaba for administration of Medicare fee-for-service programs. [source].

  

Maine Health purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

CalOptima had a data breach in 2009, in California. Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised after several CDs containing the information went missing. The unencrypted data on the CDs includes member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material minus the box of discs. (68,000 records involved) [source].

  

Maine Health Alliance purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Catalyst Health Solutions, Alliant Health Plans, Inc. had a data breach in 2012, in Georgia. An unauthorized disclosure resulted in the exposure of protected health information. The breach occurred on or around January 1, 2012 and was reported on April 17. This incident was reported on the HHS website. [source].

  

Medicaid and CHIP Payment and Access Commission (MACPAC) purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Centers for Medicare & Medicaid Services (CMS) had a data breach in 2012, in Maryland. The CMS experienced 13 breaches between September 23, 2009 and December 31, 2011. The CMS failed to notify beneficiaries of seven of the breaches in a timely manner. The HHS's Office of the Inspector General (OIG) also alleges that the notifications mailed to beneficiaries did not disclose what type of information had been exposed, the date the breach occurred, or how CMS was working to prevent future breaches. [source].

  

Northwest Washington Medical Bureau purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Centra had a data breach in 2010, in Georgia. A laptop was stolen from the trunk of an employee's rental car overnight on November 11. Patient names and billing information were on the laptop. The delay in notification occurred because of the time it took to determine what information was on the stolen laptop. UPDATE (1/14/11): The total number of affected individuals was changed from 13,964 to 11,982. [source].

  

NovaHealth purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Central States Southeast and Southwest Areas Health and Welfare Fund had a data breach in 2012, in Illinois. An incident occurred on July 31 that may have caused sensitive health information to be exposed. The information was in the form of paper records that were exposed in some undisclosed way. [source].

  

Pacific Business Group On Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

City of Virginia Beach, Flexible Benefits Administrators had a data breach in 2007, in Virginia. A former employee allegedly stole Virginia Beach city and school district employees' personal information and used it to commit prescription fraud. Police discovered a list of names and Social Security numbers at the employee's home. (2,000 records involved) [source].

  

Pacificare Health System purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colorado Department of Health Care Policy and Financing had a data breach in 2010, in Colorado. A hard drive containing personal information for clients enrolled in state-provided health insurance was stolen from the Colorado Office of Information Technology. The information included names, state ID number and the name of the client's program. The Agency is certain that contact information, financial information and Social Security numbers were not involved. [source].

  

Pacificare Of Washington purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colorado Department of Health Care Policy and Financing (HCPF) had a data breach in 2011, in Colorado. A disk with the information of medical-aid applicants was lost on its way between HCPF and another agency. It contained applicant names, state identification numbers, and addresses. The disk was discovered missing on May 6. [source].

  

Parkland Health & Hospital System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colt Express Outsourcing Services, CNET Networks had a data breach in 2008, in California. Burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans. The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans. CNET was only one of several clients affected. UPDATE (8/26/08): Among the companies whose staffers have been exposed by the Colt break-in in Walnut Creek, California: Google, Bebe Stores, Alston & Bird, and the California Bankers Assn. (17241 records involved) [source].

  

Premera Blue Cross purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Commerce Banc Insurance Services (CBIS) had a data breach in 2007, in New Jersey. A CBIS vendor had a laptop stolen. CBIS employees may have had their names, Social Security numbers, and possibly health information exposed. (12876 records involved) [source].

  

Regence Blue Shield purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Concordia Plan Services (CPS) had a data breach in 2011, in Missouri. Microfilm that contained the plan enrollment information of benefits members was lost by a delivery service sometime between February and May of 2011. It contained names, addresses, dates of birth and in some cases Social Security numbers and limited medical information from the 1960s and 1970s. A vendor received the microfilm from CPS on February 3rd. The vendor attempted to transfer the microfilm to another company, but learned that the microfilm had been misplaced sometime prior to or during May. CPS's vendor informed them of the situation on August 23. [source].

  

Tricare Interactive purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Connextions, Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, Empire Blue Cross Blue Shield of Indiana had a data breach in 2013, in Florida. A Connextions employee used Social Security numbers from a number of other organizations for criminal activity. At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity. The breach was reported on HHS as affecting 4,814 patients, but more were affected. (6,000 records involved) [source].

  

Scott & White Health System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cover Tennessee had a data breach in 2007, in Tennessee. A computer error at the Cover Tennessee health insurance program caused small business owners who chose not to print out their forms from the Web site to have their personal information, including Social Security numbers, added to the next user's printout request. (279 records involved) [source].

  
  




Copyright © 2012-2016 President and Fellows Harvard University.