theDataMap

Documenting all the places
personal data goes.

healthDataMap




Your healthcare provider (e.g., your physician or hospital) provides you with direct medical care, may store records with a health information technology company, and submit bills to your insurance company for payment using coding services and clearing houses.

A Physician may send your bodily samples to a clinical laboratory for assessment, information about your case to a consulting physician, and voice recordings of notes about your case to a transcription service.

Healthcare Providers have to be accredited, and accrediting organizations often require a sample of patient files for review.

Public Health Laws require healthcare providers to report details of some diseases directly to public health.

Healthcare providers are required by law to report births and deaths to vital statistics offices.

Most states have a state law that requires a copy of some information about your visit to a healthcare provider be sent to the State. This state discharge data includes your demographics, diagnoses, procedures, and a summary of payments and charges.

Hospitals may share patient data with suppliers for equipment manufacturers and intensive care unit management, or with other companies for analytics. The data are sometimes provided to de-identification companies for certification of HIPAA compliance.

Researchers may receive some patient data from Healthcare Providers.

Pharmaceutical companies may send salespeople to your provider with information about your prescriptions.

Malpractice lawyers may also demand patient information, even beyond the patient who may be the subject of the lawsuit, from healthcare providers.

See also: dental and vision and consulting physician.

Examples

Bon Secours Health System is a private $3.3 billion not-for-profit Catholic health system based in Marriottsville, Maryland. They purchase statewide personal hospital discharge data from at least 3 states: NJ, NY, PA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

A Honolulu hospital had a data breach in 2009, in Hawaii. In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a computer as a class B felony. The defendant was employed by a hospital and had access to patient medical records. [source].

  

The Hospital Corporation of America, or HCA, is a Nashville, Tennessee-based company that has more than 160 hospitals and 11 surgery centers throughout the U.S. and England. HCA purchases statewide personal hospital discharge data from at least 3 states: CA, FL, WA [source]. The purchased data does not contain the person's name, but it is possible to match some people by name [source].

  

ABQ Health Partners had a data breach in 2012, in New Mexico. A laptop computer was discovered lost or stolen. It contained a spreadsheet of patient names, dates of birth, health plan ID numbers, and diagnosis information. [source].

  

21st Century Oncology purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Affordable Medical and Surgical Services had a data breach in 2012, in Kansas. A woman found over 1,000 detailed abortion records in a dumpster when she went to dump her recycling near a local elementary school. The records included names, Social Security numbers, birth dates, telephone numbers, emergency family contacts, patient health histories, number of children, term of pregnancies, number of previous abortions, reasons for failing to go through with the abortion procedures, and fees paid for the procedures. Many of the records were from 2001 and 2002. The physician who ran the practice admitted to dumping the records without attempting to properly destroy them. His clinic had closed in 2005 after he lost his medical license. The county district attorney commented that he will most likely not pursue a criminal case against the former physician. (1000 records involved) [source].

  

Academic Medical Center Information System purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Akron Children's Hospital had a data breach in 2009, in Ohio. A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at Akron Children's Hospital. He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital. Between March 19 and March 28 the spyware sent more than 1,000 screen captures via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states. [source].

  

Alameda Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Akron Children's Hospital had a data breach in 2006, in Ohio. Overseas hackers broke into two computers at Children's Hospital. One contains private patient data (including Social Security numbers) and the other holds billing and banking information. (235903 records involved) [source].

  

Albany Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Albany Medical Center had a data breach in 2007, in New York. A laptop was stolen from the Employee Health Services center. It contained software used to track information required for N95 fit testing at Albany Med. Staff names and Social Security numbers were also exposed. Anyone who had N95 fit testing at Albany Med between January 2005 and February 2007 may have had their personal information exposed. [source].

  

All Children's Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Albert Einstein Healthcare Network had a data breach in 2010, in Pennsylvania. The October 21 theft of a desktop computer may have exposed the protected health information of patients. [source].

  

Altamed Health Services Corp. purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Allina Hospitals and Clinics had a data breach in 2011, in Connecticut. Twenty-eight employees from Unity Hospital and four from Mercy Hospital were fired for snooping. The employees each accessed patient medical information without authorization. Eleven teens and young adults were taken to the two hospitals on March 17 after overdosing at a party. Allegations that employees were accessing electronic medical records for no legitimate reason first surfaced in April. UPDATE (6/1/2011): It appears that a total of 32 employees, including 15 nurses, were fired in a single day for snooping. [source].

  

Archbold Medical Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Allina Hospitals and Clinics had a data breach in 2006, in Minnesota. A laptop stolen from a nurse's car on October 8 contains the names and SSNs of individuals in approximately 17,000 households participating in the Allina Hospitals and Clinics obstetric home-care program since June 2005. (17000 records involved) [source].

  

Arrowhead Orthopaedics purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Amerigroup Community Care of New Mexico, Inc. had a data breach in 2011, in New Mexico. Papers were discovered stolen on or around July 15, 2011. [source].

  

Ascent Surgical Partners purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ankle and Foot Center of Tampa Bay, Inc. had a data breach in 2011, in Florida. The Center experienced a hacking or IT incident on or around November 10 of 2010. The protected health information of patients was exposed. UPDATE (2/3/2011): Names, Social Security numbers, dates of birth, home addresses, account numbers, and health care services and related diagnostic codes may have also been exposed. (156000 records involved) [source].

  

Atlantic Health System purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Apothecary of Colorado had a data breach in 2010, in Colorado. A man handling recyclables near his home found a conspicuous binder in a dumpster. It turned out that medical marijuana records had been placed there. The names, Social Security numbers, dates of birth, addresses and phone numbers of patients were in the binder. The current owners believe the records are from the previous owner or owners. Dozens of people were affected. [source].

  

Auburn Regional Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Applegate Valley Family Medicine had a data breach in 2012, in Oregon. A stolen laptop contained patient information. The theft occurred sometime between December 1, 2011 and December 17, 2011. [source].

  

Banner Health purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Arista OB-GYN Clinic had a data breach in 2010, in Georgia. Private medical records were dumped outside a closed office. A news team found several hundred documents that appeared to mostly be patient records with names, addresses, sonograms, copies of checks and detailed medical information. The dumpster was confiscated and searched by police. Files were also found under the dumpster. The doctor could face felony charges. [source].

  

Baptist Health purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Arizona Biodyne had a data breach in 2005, in Arizona. A safe with computer backup tapes containing financial, personal and medical records was stolen from Arizona Biodyne. Policyholders' addresses, phone numbers, dates of birth and Social Security numbers were among the personal information lost. Partial treatment histories and doctor information for some patients were also lost. (57000 records involved) [source].

  

Bassett Healthcare purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Arizona Oncology had a data breach in 2012, in Arizona. A dishonest employee obtained and misused the personal information of patients during her employment. She pleaded guilty to one count of aggravated identity theft and will be sentenced in October. She faces between two and 8.75 years in prison for using the credit card information of cancer patients to make fraudulent purchases. (15 records involved) [source].

  

Bay Care Health System purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ashley and Gray DDS had a data breach in 2010, in Missouri. Patients were notified on that a computer or laptop was stolen. The protected health information of patients was on the computer. The location of the theft was not reported. [source].

  

Baylor Health Care System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Athens Regional Health Services had a data breach in 2007, in Georgia. A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400 people, according to Athens Regional Health Services. Workers first noticed on Sept. 24 that the computer was missing. The computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or telephone numbers of 811 people. No credit card or other financial information was stored on the computer, which was a backup server for the Watkinsville clinic. (85 records involved) [source].

  

Bellevue Hospital (NYC) purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Atlanta Perinatal Associates had a data breach in 2011, in Georgia. A former employee hacked into APA's database, copied patient information, and deleted APA's list. It is not clear exactly how the former employee was able to access the database, but the purpose was to benefit the former employee's new employer. Names, telephone numbers, and addresses of APA patients were taken. APA's competitor, SeeBaby, used the information to create a direct-mail marketing list. UPDATE (1/10/2012): The former employee was sentenced to serve 13 months in prison for hacking into the competitor's computer in order to lure away patients. [source].

  

Bert Fish Medical Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Atlanta Veterans Affairs Medical Center had a data breach in 2010, in Georgia. An assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years' worth of patient data and another held 18 years of medical information. The physician assistant's laptop was never connected to the VA network and any data she recorded on her laptop was hand entered. The department has not disclosed the number of patients involved in the incident, what kind of personal data was copied, or whether it plans to notify the veterans whose records were downloaded. [source].

  

Beth Israel Deaconess Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ault Chiropractic Center had a data breach in 2010, in Indiana. The September 15 theft of a computer may have resulted in the exposure of the protected health information of patients. [source].

  

Bethesda Healthcare System purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Aultman Health Foundation had a data breach in 2010, in Ohio. On June 7, a laptop was stolen. Patient information from the Aultman Healthcare in Your Home program may have been exposed. This information included names, insurance identification numbers, health information, telephone numbers, addresses, dates of birth and Social Security numbers. (13,800 records involved) [source].

  

BJC Health System purchases statewide personal hospital discharge data from at least IL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Aurora St. Luke's Medical Center had a data breach in 2009, in Wisconsin. 6,400 people who were in-patients at St. Luke's are being warned that their name, Social Security number and other information may have landed in the hands of thieves, due to a stolen laptop computer. All of the at-risk individuals were cared for there at some point by a hospitalist, a physician other than the patient's primary care doctor, who works for an independent physician group called Cogent Healthcare. The computer was stolen from a locked office in a secure physician office building that is located adjacent to the hospital; the computer belonged to an employee of Cogent Healthcare of Wisconsin. (6,400 records involved) [source].

  

Boca Raton Community Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Avalon Center had a data breach in 2010, in New York. Sensitive medical information was dumped outside of a DMV office. The medical information came from an eating disorder clinic that had recently closed. Patient information such as medical treatment and Social Security number was exposed. It is unknown how the information ended up in the dumpster. [source].

  

Borland-Groover Clinic purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Awklein had a data breach in 2012, in California. Sensitive health information in an unspecified format was stolen or discovered stolen on or around February 1, 2011. The incident was posted on the HHS website on June 8. (Dr. Arnold William Klein http://drarnoldklein.com/) [source].

  

Boston Medical Center purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Back and Joint Institute of Texas had a data breach in 2007, in Texas. Twenty boxes containing Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history of chiropractic patients were found in a dumpster. [source].

  

Bringham Womens Hospital purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baptist Health had a data breach in 2008, in Arkansas. Due to a breach by an unauthorized person in its information systems, there is a possibility that personal information, such as name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was compromised. Apparently, no information in the patients' medical records and no information about the patients' diagnoses or prognoses was accessed. A former employee was arrested for attempting to open a credit account at a retail merchant. (1800 records involved) [source].

  

Bronx-Lebanon Hospital Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baptist Medical Center had a data breach in 2009, in Alabama. Many folders that were found in a landfill dump site were labeled Radiology Department, Baptist Medical Center. Hundreds of medical records were out in the open, all with sensitive information. Sensitive patient information that was thrown out included names, x-rays, ultrasounds, MRIs, and Social Security numbers. Files from at least five other facilities were found at the same site; however, Baptist Medical Center is believed to be the source of the breach. UPDATE (8/5/08): A former employee of Baptist Hospital has been sentenced to two years and one day in federal prison for wire fraud and stealing the identities of patients, according to a Department of Justice press release. Adrienne Denise Stovall, 30, pled guilty in January to one count of wire fraud and one count of aggravated identity theft, which carries a mandatory sentence of two years. Stovall worked at Montgomery's Baptist Hospital from August 2006 to early 2007. Her position gave her access to the hospital's computer system. The system contained confidential information including patient names, dates of birth, and Social Security numbers. Stovall used the information to apply for credit lines and credit cards. http://www.justice.gov/usao/alm/press/currentpress/20100505stovall.pdf [source].

  

Broward Health/North Broward Hosp. Dist. purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baptist Memorial Hospital had a data breach in 2011, in Tennessee. A number of patients were notified after a breach occurred on November 27, 2010. [source].

  

Cary Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baptist Physicians Lexington had a data breach in 2012, in Kentucky. A device with patient information was discovered lost or stolen on August 15. [source].

  

Cascade Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Barnes-Jewish Hospital, The Siteman Cancer Center, Washington University had a data breach in 2011, in Montana. A laptop containing unencrypted patient information was stolen during the weekend of December 4, 2010. It contained the names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, medical records, diagnoses, lab results, insurance information and employment information. The Siteman Cancer Center is a joint venture between Washington University and Barnes-Jewish Hospital. A group of patients is suing all three groups for notifying patients eight weeks after the theft. At least one patient experienced identity theft as a result of the breach. [source].

  

Cascade Valley Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Battleground Urgent Care/Prompt Med had a data breach in 2009, in North Carolina. Medical files were found in a dumpster. It seems a third-party moving company was hired to transfer the boxes from one warehouse to another. It is unknown at this time how the files ended up in the dumpster. The information in the files contained Social Security numbers, driver's license copies, medical histories, and employers. UPDATE (5/24/10): Prompt Med agreed to pay a $50,000 fine to the state of North Carolina. (623 records involved) [source].

  

Catholic Health Services purchases statewide personal hospital discharge data from at least FL, NY, ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bay Pines VA Medical Center had a data breach in 2010, in Florida. Up to 800 police files were left in an area where the general public could easily access them. Some of the files contained Social Security numbers, patient addresses, and treatment information. [source].

  

Cedars-Sinai Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baylor Health Care System Inc. had a data breach in 2008, in Texas. A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car. Included were 7,400 patients whose Social Security numbers were stored on the computer. (100000 records involved) [source].

  

Central & Western Maine Regional PHO purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baylor Health Care Systems, Baylor Heart and Vascular System, Baylor University Medical Center had a data breach in 2011, in Texas. A portable ultrasound machine was stolen from the Baylor Jack and Jane Hamilton Heart and Vascular Hospital in Dallas. The machine was stolen from a patient's room sometime between December 2 and December 3. Patients who were seen at the hospital between December 26 of 2006 and the date of the theft may have had their names, dates of birth, blood pressure, height, weight and ultrasound images of their hearts on the machine. It is believed that only a fraction of the 8,000 patients who are at risk actually had their information on the machine at the time of the theft. [source].

  

Central Maine Health Care Corporation purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baystate Medical Center had a data breach in 2009, in Massachusetts. Several laptops were stolen from Baystate Medical Center's Pediatrics department. Some of those computers had patient information on them. All of the information is password protected and the computers had no financial or Social Security information on them. [source].

  

Central Washington Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Beacon Medical Services had a data breach in 2007, in Colorado. Detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time. The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses, treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000. [source].

  

Children's Hospital & Research Center - Oakland purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Beacon Medical Services had a data breach in 2007, in Colorado. Private medical and financial information, including patient records from at least 10 Colorado clinics and hospitals and one hospital in Peoria, Illinois, that should have been accessible only through VPN access was inadvertently available on the Internet. (5000 records involved) [source].

  

Children's Hospital DC purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bear Valley Community Hospital had a data breach in 2012, in California. An employee was fired after an investigation revealed that patient records were accessed without legitimate cause. The breach was discovered during a routine audit. (102 records involved) [source].

  

Children's Hospital KC purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Beebe Medical Center had a data breach in 2011, in Florida. An employee placed a briefcase with sensitive documents in her car. The briefcase was stolen from the employee's car on January 1. It contained the names and Medicaid numbers of patients seen at the Beebe Medical Center in Lewes, Delaware. Only a small number of people who were seen between 2005 and 2009 were affected. Around 35 of the patients affected by the breach are deceased. (113 records involved) [source].

  

Children's Hospital Of Central California purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Behavioral Health Services of Pickens County had a data breach in 2011, in South Carolina. A man who purchased a used computer hard drive discovered that it had detailed clinical assessments for patients referred to Behavioral Health Services of Pickens County and a monthly monitoring list of patient referrals from the Pickens County Department of Social Services. Information about patient drug and emotional problems and pending litigations was on the hard drive. (200 records involved) [source].

  

Children's Hospital PA purchases statewide personal hospital discharge data from at least MD NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bellin Health had a data breach in 2008, in Wisconsin. Patients received notification that their Social Security numbers may have been exposed. Invoices mailed from Bellin Health's unnamed bill processor had viewable Social Security numbers. (650 records involved) [source].

  

Children's Medical Center TX purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bend Ophthalmology had a data breach in 2011, in Oregon. Five desktop computers were stolen from the Bend office during a robbery sometime between January 26 and 27. The office is located in the Pilot Butte Medical Clinic. How much information and the kinds of information exposed were not reported. [source].

  

Children's Hospital Boston purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Beth Israel Deaconess Medical Center had a data breach in 2011, in Massachusetts. A vendor failed to restore computer security controls following routine maintenance. A virus was later discovered on a computer that contained names, medical record numbers, genders, dates of birth, and the date and name of radiology procedures for patients. The virus transmitted encrypted data files to an unknown location. The computer was cleaned and had its software re-installed to clear the virus. [source].

  

Children's Hospital La purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Beth Israel Deaconess Medical Center, Affiliated Physicians Group (APG) had a data breach in 2007, in Massachusetts. On October 20, a briefcase was stolen from the vehicle of a physician. The briefcase contained patient encounter forms with names, addresses, Social Security numbers, telephone numbers and insurance information. (53 records involved) [source].

  

Chilton Hospital purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Blount Memorial Hospital had a data breach in 2012, in Tennessee. A password-protected laptop was stolen from an employee's home on August 25. It contained two groups of patient data. Patient names, dates of birth, responsible party names, patient addresses, physician names, and billing information for 22,000 patients were on the laptop. An additional 5,000 patients had similar information exposed as well as their Social Security numbers and other non-medical information. (5000 records involved) [source].

  

Choc Children's Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Boca Raton Regional Hospital had a data breach in 2013, in Florida. Eight people were charged for participating in an identity theft ring. One of the members was employed as a scheduler at Boca Raton Regional Hospital. She passed along patient information in exchange for payments. One member allegedly filed 57 fraudulent tax returns with the stolen information in an attempt to get $306,720 in refunds. Another member is accused of filing 75 fraudulent returns for $750,469 in refunds. [source].

  

Cincinnati Children's Hospital Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bon Secours Hampton Roads Health System, Bon Secours Mary Immaculate Hospital had a data breach in 2013, in Virginia. An April 2013 audit revealed that a patient's medical record had been accessed in a way that was inconsistent with hospital policy. A further investigation revealed that two team members of the patient care team had accessed the records of multiple patients in ways that were inconsistent with their job function. The employees were fired. Patient names, dates and times of service, provider and facility names, Social Security numbers, internal hospital medical records and account numbers, dates of birth, diagnosis, medications, vital signs, and other treatment information may have been accessed. (5,000 records involved) [source].

  

Citrus Valley Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Bonney Lake Medical Center had a data breach in 2011, in Washington. An August 12 office burglary resulted in the loss of several computers and a main computer server with patient information. Patient names, Social Security numbers, addresses, insurance information, and medical records may have been exposed. (2,370 records involved) [source].

  

City Of Hope National Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Boston Children's Hospital had a data breach in 2012, in Argentina. A Boston Children's Hospital employee misplaced an unencrypted laptop during a conference in Buenos Aires. It contained the names, dates of birth, diagnoses, and treatment information of patients. [source].

  

Clallam County Hospital District #1 purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Boulder Community Hospital had a data breach in 2011, in Colorado. A contract nurse is accused of accessing patient information without authorization. He faces a 90-count felony indictment. He allegedly used the Social Security numbers and other private information found in patient files to open credit cards in patients' names. The nurse was hired through a staffing agency. He worked at Boulder Community between May 1, 2010 and January 7, 2011. Police later notified Boulder Community on May 11, 2011 that the former employee was suspected of stealing patient demographic information from other hospitals. UPDATE (9/27/2011): The nurse faces five counts of identity theft and 46 counts of theft of medical records in connection to this incident. The former employee worked at a staffing agency and performed work for numerous Centura Health facilities, the Platte Valley Medical Center, and Boulder Community Hospital. UPDATE (12/6/2011): The nurse was sentenced to six years' probation after being charged with multiple felony counts of identity theft and theft of medical records. It was also revealed that the dishonest employee worked at St. Anthony's Hospital in Lakewood, Colorado. (74 records involved) [source].

  

Cleveland Clinic purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Boulder Community Hospital, Family Medical Associates had a data breach in 2010, in Colorado. Anonymous letters were sent to at least 14 patients of the Family Medical Associates clinic in Lafayette. The letters contained Social Security numbers, medical records, dates of birth and names. The sender claimed that the clinic was improperly disposing of patient personal information. (14 records involved) [source].

  

College Hospital Cerritos purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Brandywyne Healthcare Center had a data breach in 2011, in Florida. A nurse was arrested and charged with grand larceny, ID theft, and scheming to defraud several elderly patients. The nurse collected patient information and texted it to a co-conspirator. The co-conspirator then used the information to obtain fraudulent tax returns in the names of the victims. Over 30 of the 83 victim records found at the co-conspirator's home were from the Brandywyne Health Center. (83 records involved) [source].

  

Columbia Valley Community Health purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Brentwood Primary Care Clinic had a data breach in 2013, in Florida. A dishonest intern was caught using a cell phone to illegally photograph patient Social Security numbers and names. The photos were then sent to another person, presumably for fraudulent activity. The office intern was charged with fraudulent use of personal identification information. It is unclear when the breach was discovered since the photos were taken between May 7 and June 19. (261 records involved) [source].

  

Community Hospital Of The Monterey Peninsula purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Brigham and Women's Hospital had a data breach in 2012, in Massachusetts. The October 16 theft of a desktop computer may have resulted in the exposure of patient information. UPDATE (12/28/2012): The computer was stolen from the Brigham and Women's Hospital office. Medical record numbers, age, medications, laboratory values and other clinical information may have been on the computer. Up to 615 people may have been affected by the theft. (615 records involved) [source].

  

Community Oriented Correctional Health Services,In purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Brooke Army Medical Center had a data breach in 2010, in Texas. An Army three-ring binder that may have included detailed information on soldiers and families being treated at Brooke Army Medical Center was stolen on Oct. 16 from a car belonging to a case manager. Names, phone numbers and health information of 1,272 patients being treated at hospitals may have been breached by the car break-in. (1,272 records involved) [source].

  

Community Regional Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Broward County School Board, Private Medical Practices had a data breach in 2011, in Florida. Two former employees from different private medical practice offices were charged with providing confidential patient information to other members of an identity theft and fraud ring. Both of these people participated in the identity theft and fraud ring from early 2009 until February 2, 2011. A former employee who worked for the Broward County School board passed along information from a teacher certification database, which included names, Social Security numbers and dates of birth. The information was used to fraudulently add people as authorized users to the victims' credit card and bank accounts. The bank accounts of victims were depleted and one person discovered fraudulent credit card charges of $128,000. In addition to the three former employees, eight other people and the ringleader were also indicted on March 15, 2011. UPDATE (9/30/2011): The former Broward School District employee was sentenced to just over five years in federal prison for accessing and selling teacher personal information to identity thieves. At least 42 people in Florida had their information stolen; the fraudulent credit card charges that resulted totalled $408,000. The former employee admitted to selling five to 10 Social Security numbers and dates of birth at a time for $100. [source].

  

Community Regional Medical Center-Fresno purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Therapy Solutions had a data breach in 2011, in California. The November 15 theft of a device resulted in the exposure of protected patient health information. [source].

  

Connally Memorial Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cancer Care Group had a data breach in 2012, in Indiana. An employee's computer bag was stolen on July 19. The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses. (55000 records involved) [source].

  

Cook Children's Health Care System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cancer Care Northwest had a data breach in 2011, in Washington. A January mistake in mailing led to brochures being mailed to the wrong current and former patients. Everyone who was meant to receive a brochure did, but patients were able to see the name and address of another patient. The brochure and letter provided information on a breast education and support program. [source].

  

Coral View Surgery Center, Llc purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Capron Rescue Squad District had a data breach in 2011, in Illinois. Unauthorized access or disclosure of patient information resulted after a breach involving a laptop. The breach was discovered on or around February 5, 2011. [source].

  

Coulee Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cardiology Consultant Inc. had a data breach in 2010, in Florida. Cardiology Consultants Inc. today reported that a laptop used to process ultrasound images was stolen from one of its Pensacola offices. The computer did not contain patient financial information or Social Security numbers. The stolen computer did contain the first and last names, dates of birth, medical record numbers, exam dates and in some cases, the reason for the ultrasound. [source].

  

Crozer-Keystone purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Carle Clinic Association had a data breach in 2010, in Illinois. An impostor posing as a representative of the organization's recycling service removed several barrels of purged x-ray films and film jackets. The health information included approximately 1,300 patient names, dates of birth, gender, clinic medical numbers, internal accession numbers, site locations, physician or provider names, and internal provider numbers. [source].

  

Dallas Regional Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Carolinas HealthCare System had a data breach in 2012, in North Carolina. An unauthorized electronic intrusion may have affected up to 6,300 patients from Carolinas Medical Center-Randolph. The intruder accessed a provider's email account and could have obtained patient names, dates and times of service, dates of birth, diagnosis and prognosis information, medications, results, and referrals. The Social Security numbers of five patients who had their Social Security numbers sent through or received by the email account may have also been obtained. The issue was discovered on October 8 and the intruder is believed to have accessed emails from the account between March 11, 2012 and October 8, 2012. (5 records involved) [source].

  

Dartmouth-Hitchcock Medical Center purchases statewide personal hospital discharge data from at least NY ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Carrell Clinic had a data breach in 2009, in Texas. An Arlington security guard was arrested on federal charges for hacking into a hospital's computer system. The defendant allegedly posted video of himself compromising a hospital's computer system on YouTube. The system and computers contained confidential patient information. UPDATE (3/18/2011): Phiprivacy.net reports that the former security guard was sentenced to nine years in prison for installing malware. Jesse William McGraw was employed by the security company United Protection Service while working as a security guard for Carrell Clinic. He was also the leader of a hacker gang. [source].

  

Dayton General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

CBIZ Medical Management Professionals had a data breach in 2009, in Tennessee. The office of CBIZ Medical was broken into on Feb. 23. Among the items stolen was a computer belonging to the hospital with stored radiology reports related to some patients. Patients between December 2007 and Feb. 23, 2009, may have had records saved on the stolen computer. [source].

  

Deaconess Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

CCS Medical had a data breach in 2012, in Georgia. An employee reported that another employee appeared to have been misusing patient information. The dishonest employee may have accessed, recorded, and disclosed Social Security numbers and other personal information for the purpose of obtaining fraudulent tax returns. The employee was reported on September 20 and the possibility that the employee had engaged in dishonest behavior was confirmed on October 17. Patient information that was maintained by CCS Medical between May 1 and September 21, 2012 may have been accessed. Notifications were sent to patients on December 7, 2012. At least 23 New Hampshire residents may have been affected. The total number of affected patients nationwide was not reported. (23 records involved) [source].

  

Doctors Hospital At Renaissance purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cedars-Sinai Medical Center had a data breach in 2008, in California. A former billing department employee is in custody on $895,000 bail for allegedly stealing the personal information of 1,000 hospital patients and using it to bilk insurance companies. (1000 records involved) [source].

  

Driscoll Children's Hospital purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Central Brooklyn Medical Group PC, Preferred Health Partners had a data breach in 2011, in New York. On August 3, 2010 paper records were discovered stolen. It is not clear who the paper records belonged to, where they were stolen from, and what type of information the records contained. [source].

  

East Adams Rural Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Central Florida Regional Hospital had a data breach in 2008, in Florida. The medical records of Central Florida Regional Hospital patients were sold last month at a Salt Lake City surplus store for about $20. The records were sold to a local school teacher looking for scrap paper for her fourth-grade class. The records contained detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information. They were lost en route to a Medicare auditor in Las Vegas, NV. (28 records involved) [source].

  

East Texas Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Central New England HealthAlliance had a data breach in 2008, in Massachusetts. Personal data could be at risk of exposure after a home health nurse reported that her handheld computer was missing. The unencrypted data include names, Social Security numbers, and health insurance records. (384 records involved) [source].

  

Eastern Maine Health Systems purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Centro de Ortodancia had a data breach in 2011, in Puerto Rico. Paper records were found to have been exposed to unauthorized parties on or around May 6, 2010. [source].

  

Eastside Midwives purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Charleston Area Medical Center (CAMC) had a data breach in 2011, in West Virginia. Someone discovered that they could find information about a relative's name, address, patient ID, date of birth, Social Security number and other sensitive information through an online search that brought up WVChamps.com. WVChamps.com is a CAMC website relating to respiratory and pulmonary rehabilitation for seniors. The information was accidentally posted in a report on September 1, 2010 and appears to have been accessed a total of 94 times. The error was discovered on February 8 of 2011. The breach occurred within the CAMC subsidiary CAMC Health Education Research Institute. UPDATE (5/5/2011): Five patients who were affected by the breach filed a lawsuit seeking class action status for all affected patients. The lawsuit alleges four counts against the hospital: breach of the duty of confidentiality, invasion of privacy by intrusion upon the seclusion of the plaintiffs, invasion of privacy by unreasonable publicity into the plaintiffs' private life, and negligence. (3655 records involved) [source].

  

Enumclaw Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Charlie Norwood VA Medical Center had a data breach in 2012, in Georgia. The March 30 theft of a physician's laptop resulted in the exposure of personal information. The physician had violated VA policy by placing the personal information on his own laptop. Veterans may have had the last four digits of their Social Security number, discharge date, and medical provider name exposed. [source].

  

Evergreen Healthcare purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Chattanooga Family Practice Associates had a data breach in 2010, in Tennessee. A missing portable device had the names, dates of birth and purposes of visits for a limited number of patients. [source].

  

Evergreen Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Chesapeake Wound Care Center had a data breach in 2012, in Maryland. A podiatrist licensed in the state of Maryland operated a podiatry practice called Chesapeake Wound Care Center from his home. Between April 1, 2002 and October 11, 2004, he submitted 80 fraudulent claims to Medicare for podiatry services that had not been performed at nursing facilities. The podiatrist signed a Settlement Agreement with the government on October 30, 2007 after being caught, but then fraudulently billed Medicare Advantage plans between October 31, 2007 and July 20, 2010. The podiatrist admitted to submitting false bills for podiatry care by misusing the names and personal information of about 200 nursing home patients. He was subsequently charged with health care fraud and aggravated identity theft. He was sentenced to 54 months in prison, three years of supervised release, and ordered to pay $1,122,992.08 in restitution for the fraudulent billing of Medicare. (200 records involved) [source].

  

Fairchild Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Children's Health Council had a data breach in 2005, in California. A tape containing sensitive information was stolen from a Children's Health Council office. The tape contained names, Social Security numbers, and detailed medical information for around 6,000 current and former clients. Payroll information for 700 current and former employees was also on the tape. The agency alerted those who may be at risk of identity theft. (6,700 records involved) [source].

  

Faith Health Care purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Children's Hospital and Research Center at Oakland had a data breach in 2010, in California. Approximately 1,000 patients received information about themselves and other patients in the mail. According to the Hospital's website, equipment designed to generate, fold and stuff documents for mailing was programmed to fold and stuff two pages rather than one. This programming error caused guarantor billing statements prepared on May 25 and May 26 to be collated and mailed incorrectly. [source].

  

Ferry County Public Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Children's Hospital of Orange County had a data breach in 2010, in California. The Hospital is checking its database for accuracy after discovering that patient files have been faxed to the wrong location at least twice. Patient records were faxed to an auto shop in 2009, and the wrong doctor on a separate occasion. [source].

  

Floria Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Children's Hospital of Philadelphia had a data breach in 2009, in Pennsylvania. A laptop computer containing Social Security Numbers and other personal information was stolen from a car outside an employee's home on Oct. 20. The billing information on the computer was password-protected, but an analysis found it was possible to decode the security controls on the laptop and gain access to the personal information. (942 records involved) [source].

  

Florida Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Christus Health Care had a data breach in 2008, in Texas. Two computer back-up tapes were stolen. Someone broke into a car in a Houston parking lot and took the tapes. The information on the tapes included patient names, Social Security numbers, demographic information, and in some cases, diagnosis codes. [source].

  

Florida Hospital - Heartland Division purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

CHRISTUS St. John Hospital had a data breach in 2012, in Texas. An unencrypted flash drive was discovered lost or stolen on September 25. It contained patient names, Social Security numbers, dates of birth, health insurance information, diagnoses, and progress notes. The information came from patients who participated in the St. John Sports Medicine Program and were treated between January 1, 2011 and July 31, 2012. [source].

  

Florida Hospital Memorial Medical Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Christus St. Joseph's Hospital had a data breach in 2005, in Texas. Two computers used for converting paper medical records into digital files were stolen. One of the computers contained Social Security numbers and medical records for hundreds of patients. Letters were sent to about 16,000 patients. (16,000 records involved) [source].

  

Florida Hospital Waterman, Accounting Dept. purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cincinnati Children's Hospital Medical Center had a data breach in 2010, in Ohio. A laptop containing the names, medical record numbers, and medical services provided of patients was stolen from an employee's car while it was parked at his or her home. As a precaution, no additional laptops will be allowed outside the hospital unless they are encrypted. [source].

  

Forks Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cleveland Clinic had a data breach in 2006, in Florida. A clinic employee stole personal information from electronic files and sold it to her cousin, owner of Advanced Medical Claims, who used it to file fraudulent Medicare claims totaling more than $2.8 million. Information included names, SSNs, birthdates, addresses and other details. Both individuals were indicted. (1100 records involved) [source].

  

Franklin Memorial Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Coliseum Hospital had a data breach in 2010, in Georgia. A former employee was able to enter a secured area and log onto a hospital computer while attending a social event. The former employee's access code had been left active and patient records were viewed during the incident. [source].

  

Garfield County Hospital District purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colorado Mental Health Institute Fort Logan had a data breach in 2006, in Colorado. A briefcase with paper files was taken from an employee's car while it was at a park on April 21. The briefcase contained paper files with the information of 40 employees and 247 patients. Only 29 employees and 40 patients had their Social Security numbers exposed. Other information included names, addresses, gender and birth dates. Those affected were notified in early June. (69 records involved) [source].

  

Good Samaritan purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colorado Springs Hospital - Memorial Health System had a data breach in 2011, in Colorado. A nurse from the occupational health clinic accessed the records of 2,500 Memorial Hospital patients without cause. The nurse had access to patient records through Physician Link, but was not a Memorial employee, and had no medical or work-related reason for accessing the records. She was fired and claims to have used the database to look up contact information for family and friends, as well as for other reasons. The nurse also feels that she was singled out and claims that many other employees in the medical community use databases in this way. [source].

  

Good Shepherd Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Columbia University Medical Center had a data breach in 2010, in New York. Patients treated in the Intensive Care Unit at New York-Presbyterian Hospital and Columbia University Medical Center may have had their information accessed on the Internet during July. The personal information may have included name, age, surgical status, medications and lab results. It appears that a hospital employee's computer files were Internet accessible. (10 records involved) [source].

  

Goodall Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Columbia-St. Mary's Ozaukee Hospital had a data breach in 2011, in Wisconsin. A janitor sold patient records to gang members. The janitor was able to use a master key to access boxes of sensitive information that were due to be shredded. Some of the locks to the restricted boxes were also broken. The scheme went on for up to eight months and investigators were able to seize nearly 30 patient records. [source].

  

Grays Harbor Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Community Health Network, Community Health Medcheck had a data breach in 2013, in Indiana. A dishonest employee of Community Health Medcheck accessed the medical records of up to 180 people between mid-March and mid-April. Social Security numbers, dates of birth, credit card numbers, and other information may have been exposed. (180 records involved) [source].

  

Gritman Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Compass Health had a data breach in 2006, in Washington. Compass Health notified some of its clients that a laptop containing personal information, including SSNs, was stolen June 28. The agency serves people who suffer from mental illness. [source].

  

Group Health Cooperative purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Concentra Medical Center, Concentra Health had a data breach in 2012, in Missouri. An office burglary resulted in the theft of an unencrypted laptop. It contained the names, Social Security numbers, and pre-employment work-fitness tests of Concentra patients from the Springfield area. The Concentra Springfield Medical Center will not encrypt all equipment as a result of this breach. (870 records involved) [source].

  

Hackensack University Medical Center purchases statewide personal hospital discharge data from at least NJ NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Concord Hospital had a data breach in 2011, in New Hampshire. An audit of Concord's system revealed that an employee accessed the records of 40 patients without proper authorization. It appears that the employee was checking the files of friends and family. Concord discovered the breach on May 11. (13 records involved) [source].

  

Halifax Health - Finance Dept. purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Conway Regional Medical Center had a data breach in 2011, in Arizona. CDs with personal information were discovered lost on or around August 24, 2011. Other items with personal information may have been lost as well. [source].

  

Halifax Medical Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cook County Health and Hospital Systems had a data breach in 2010, in Illinois. A desktop computer was found to be missing on or around November 1. It contained the medical record identification numbers, names, dates of birth, clinic names, physician names, and lab results of some patients. [source].

  

Harbor-University Of Californiala Pediatric Cardiology purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cook County Health and Hospital Systems (CCHHS) had a data breach in 2010, in Illinois. On June 1, a laptop with patient information was stolen from a locked office in an administration building. The password-protected computer included names, dates of birth and Social Security numbers. (7,000 records involved) [source].

  

Harborview Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cumberland County Emergency Medical Service had a data breach in 2006, in North Carolina. A portable computer containing personal information of more than 24,000 people was stolen from an ambulance of Cumberland Co. Emergency Medical Services on June 8th. It contained information on people treated by the EMS, including names, addresses, and birthdates, plus SSNs of 84% of those listed. (24,350 records involved) [source].

  

Harris County Hospital Dist purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cumberland Gastroenterology P.S.C. had a data breach in 2010, in Kentucky. Paper records were stolen on September 18. The records contained protected health information. [source].

  

Harrison Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dayton VA Medical Center had a data breach in 2012, in Ohio. Documents with Social Security numbers, dates of birth, and other sensitive information were found in the home of a deceased VA employee in May. The records were found in a box in the attic of the home. It is unclear why the employee took the information home. (16 records involved) [source].

  

Hca Far West Division purchases statewide personal hospital discharge data from at least CA FL WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Deaconess Hospital had a data breach in 2006, in Indiana. A computer missing from the hospital holds personal information, including SSNs, of 128 respiratory therapy patients. (128 records involved) [source].

  

Health Trends purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dean Clinic and St. Mary's Hospital had a data breach in 2010, in Wisconsin. A laptop was stolen during a home invasion on or around November 8. Patient names, dates of birth, medical record numbers, dates and types of procedures, diagnoses, and some pathology data were on the laptop. [source].

  

Helen Ellis Memorial Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

DeKalb Medical - Hillandale had a data breach in 2011, in Georgia. Patient information was stolen from the Hillandale facility and used to file fraudulent tax returns with the Internal Revenue Service. Patients who visited DeKalb's Hillandale facility between July and October 2010 may have had their information exposed. It appears that affected individuals between the ages of 17 and 20 were the group affected by the filing of fraudulent tax returns. The United States Secret Service alerted DeKalb and it is believed that the breach was just one of many similar breaches in Georgia and Alabama. DeKalb did not reveal how the information was taken. (7,500 records involved) [source].

  

Henry Mayo Memorial Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Delta Dental had a data breach in 2012, in California. The unauthorized disclosure of paper records sometime around December 22, 2011 may have resulted in the exposure of protected health information. [source].

  

Hernando Endoscopy & Surgery Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

DENT Neurologic Institute of Amherst had a data breach in 2013, in New York. An administrative error led to the personal information of 10,200 patients being emailed to 200 patients. Names, addresses, date of last appointment, visit type, primary care physician, referring physician, email addresses, and whether or not the patient was actively receiving treatment were in an Excel attachment of an email that was sent to unspecified parties. The recipients were called and instructed to delete the email. [source].

  

Highline Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

DENT Neurological Institute had a data breach in 2013, in New York. DENT Neurological Institute accidentally emailed the private information of more than 10,000 patients. No sensitive medical files or Social Security numbers were involved. [source].

  

Hoag Memorial Hospital Presbyterian purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dentistry at the Crest had a data breach in 2011, in Colorado. Hundreds of sensitive dental patient records were found by a street sweeper. They were scattered near a dumpster behind a shopping center. The records appear to be from a dental practice in Lone Tree, a 20-mile journey. The party responsible for the breach is unknown. Billing records with patient names, Social Security numbers, dates of birth, and addresses were exposed. [source].

  

Holy Family Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Veterans Affairs had a data breach in 2011, in District Of Columbia. The inspector general at the VA found that IT contractors had accessed the VA's electronic health record system without appropriate security clearances. A tipster had left a message about the situation on a departmental hotline in the summer of 2010. Contractor personnel were found to be improperly sharing user accounts when accessing VA networks and the Veterans Health Information System and Technology Architecture systems. Employees of the contracting company were unaware of proper IT security protocol. [source].

  

Homestead Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Veterans Affairs had a data breach in 2011, in North Carolina. A dishonest VA worker used his tax return preparation business to submit fraudulent tax returns. VA patient personal information such as names, Social Security numbers and birth dates were used to create fake dependents on people's tax returns. The VA worker then collected fees from customers in exchange for fraudulently increasing the dollar amount of their tax returns. He was convicted in February and sentenced to 11 years in federal prison. The employee handled information from VA patients in North Carolina and Virginia. [source].

  

Hospital For Joint Diseases purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

DePaul Medical Center, Radiation Therapy Department had a data breach in 2006, in Virginia. Two computers were stolen, one on August 28 and the other Sept. 11. Personal data included names, date of birth, treatment information, and some SSNs. (100 records involved) [source].

  

Inland Counties Regional Perinatal Prgm purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dermatology Clinic had a data breach in 2011, in North Carolina. A log book with patient appointment information was discovered missing. Patients had their names, last four digits of Social Security number, telephone numbers and names of procedures scheduled exposed. Two searches did not lead to the recovery of the log book; there is a possibility that a patient took the book. [source].

  

Inland Northwest Health Services purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Desert AIDS Project (D.A.P.) had a data breach in 2012, in California. An April 12, 2012 office burglary resulted in the theft of a laptop with sensitive information. The computer assigned to the receptionist was stolen and contained a spreadsheet with client name, client status (active, discharged, etc.), internal client identification number, date of birth, and assigned staff person. However, the document was not labeled as a D.A.P. document. If someone saw the spreadsheet by itself they would not know it was linked to D.A.P. UPDATE (05/30/2013): Approximately 4,400 patients were affected. [source].

  

Inland Northwest Health Services & St Lukes Rehab purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Diabetes Direct Inc had a data breach in 2010, in Florida. A former employee is accused of stealing patient information to commit identity theft. The former employee also had multiple driver's licenses and was able to open utility, bank and credit accounts. [source].

  

Inova Health purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Doshi Diagnostic Center had a data breach in 2012, in New York. Sensitive documents were placed in public trash bags. The bags were opened and the documents were found scattered across a sidewalk. Confidential patient records which included names, Social Security numbers, unemployment compensation records, copies of benefits cards, and other patient personal information were exposed. Patients dating back to 2006 were affected. [source].

  

Intuitive Surgical Inc purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dr. Charles Kay of Orchard Family Practice had a data breach in 2006, in Colorado. Sheriff's deputies evicting Dr. Charles Kay put files from his office in a nearby parking lot. In a news report, Dr. Kay said he had removed the patient files but not the business files. (100 records involved) [source].

  

Jackson Health System purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dr. Baceskis office, internal medicine had a data breach in 2007, in Pennsylvania. A hard drive was stolen containing personal information on hundreds of patients. [source].

  

John C. Fremont purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

DRC Physical Therapy Plus had a data breach in 2010, in New York. Officials have seized hundreds, perhaps thousands, of files containing Social Security numbers and other private patient information found dumped outside the shuttered office of DRC Physical Therapy Plus. The manila folders, dating back to at least 1998, include information sheets showing the names, addresses and birth dates of patients and, in some cases, Social Security numbers. Deputies impounded a dump truck loaded with patient files and about a dozen or so boxes stacked inside the bucket of a front-loader. [source].

  

John Muir Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Duke University Health System (DUHS) had a data breach in 2012, in North Carolina. On or around January 25, DUHS received notice that its billing subsidiary staff attached copies of outstanding billing statement(s) for services provided by DUHS facilities and/or DUHS-affiliated physicians to support proofs of claim filed in Chapter 13 bankruptcy actions by patients of DUHS. Patient and patient dependent names, addresses, DUHS medical record number, health insurance carriers, and clinical information were exposed. Some patients and patient dependents had their Social Security numbers and dates of birth exposed as well. Notification letters were mailed on March 23 and again on May 18. [source].

  

Kadlec Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Duke University Medical Center had a data breach in 2005, in North Carolina. A hacker broke into the computer system, stealing thousands of passwords and fragments of Social Security numbers. Fourteen thousand affected people were notified, including 10,000 employees of Duke University Medical Center. [source].

  

Kaiser Permanente purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Dunes Family Health Care P.C. had a data breach in 2011, in California. The March 11 theft of an external hard drive used for backing up the Clinic's electronic files may have exposed patient information. The hard drive was stored in a locked, fire-protected building with very limited access. Many of the files contained patient Social Security numbers in addition to names, dates of birth, addresses and other clinical information. There was a delay in notification due to the fact that there were duplicate files and patient contact information had to be updated. The Clinic has begun to encrypt records and raised the physical security of the files since the incident. [source].

  

Kaweah Delta Healthcare District purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

E-Pro Tax Service, Emory Healthcare had a data breach in 2011, in Illinois. An investigation into a few stolen Social Security checks that had been fraudulently deposited into Duluth banks uncovered three separate identity theft rings. At least six conspirators managed to defraud 5,779 people. A former real estate broker created a tax service company in order to access credit reports from a third-party credit reporting agency. Names, dates of birth and Social Security numbers were exposed. The former real estate agent then made about $2.5 million by stealing Social Security checks, filing 393 fraudulent tax returns and passing counterfeit checks. After police linked her to the stolen Social Security checks, they searched her home and found boxes of financial documents which included old mortgage applications, tax forms and HUD documents. Investigators have not charged any other conspirators and do not believe that the woman was the head of the operations. UPDATE (10/24/2011): More organizations were linked to the breach when investigators searched the dishonest employee's home. The dishonest employee had a connection with someone who used to work as a clerk at the hospital. More than 3,000 patient bills containing names, Social Security numbers, dates of birth, and other confidential information were printed by the inside contact. The hospital bills of at least 32 Emory orthopedic clinic patients were stolen and used to file fraudulent tax returns. Nine patients became identity theft victims. Emory notified 7,300 employees of the breach and had fired the dishonest clerk in July. (13,079 records involved) [source].

  

Kennewick General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Eastmoreland Surgical Clinic and Vein Center had a data breach in 2010, in Oregon. Desktop computers were stolen from the office around July 5. The computers had patient names, addresses, Social Security numbers, phone numbers, reason for visit and insurance carrier information. (4,328 records involved) [source].

  

Kitsap County Health District purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ecco Health, LLC, Colon & Digestive Health Specialists had a data breach in 2012, in Arizona. A vendor working with patient data for digital conversion from Colon & Digestive lost a flash drive on or around July 16. It contained patient names, Social Security numbers, dates of birth, addresses, telephone numbers, account numbers, diagnoses, and other protected health information. [source].

  

Kittitas Valley Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Eisenhower Medical Center (EMC) had a data breach in 2011, in California. The March 11 theft of a desktop resulted in the exposure of patient names, dates of birth, ages, Eisenhower medical record numbers and the last four digits of patient Social Security numbers. A television was also stolen during the burglary. Patient information from as far back as the 1980s may have been exposed. (514,330 records involved) [source].

  

Klickitat Valley Health Service purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

El Centro Regional Medical Center had a data breach in 2012, in California. El Centro Regional Medical Center is claiming that they were defrauded by an unnamed company. The company was responsible for digitizing El Centro Regional's x-rays, but never returned the digitized version. The process should have been completed by the end of July. The original x-rays were most likely taken and destroyed to extract silver. UPDATE (05/18/2013): The information on the records was as recent as February 2011. El Centro Regional Medical Center learned of the issue on March 22, 2013. Patients were notified on May 13. (189,489 records involved) [source].

  

Lake Chelan Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Emory Healthcare had a data breach in 2011, in Georgia. Seventy-seven patients had their Social Security numbers stolen and used for fraudulent tax returns. Patient names and possibly addresses, dates of birth, clinic numbers, limited health information and health insurance companies were exposed. Patients who were seen in orthopaedics between May of 2008 and January of 2009 for something other than physical therapy were affected. (2400 records involved) [source].

  

Laser & Surgery Center Of The Palm Beaches purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Emory Healthcare, Emory University Hospital had a data breach in 2012, in Georgia. Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital. The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012. The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information. Patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and Emory Clinic Ambulatory Surgery Center between September of 1990 and April of 2007 were affected. UPDATE (6/09/2012): A suit seeking class action status was filed on June 4. The suit seeks unspecified damages over the loss of 10 computer disks containing the personal and health information of between 250,000 and 315,000 patients treated between 1999 and 2007. (228,000 records involved) [source].

  

Lawrence Hospital Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Ephrata Community Hospital had a data breach in 2013, in Pennsylvania. An employee inappropriately accessed patient information. The incident or incidents were discovered on April 16. Patient clinical and other medical information may have been exposed. No Social Security numbers were exposed. [source].

  

Legacy Health System purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Erlanger Health System, Erlanger Hospital had a data breach in 2013, in Tennessee. Erlanger Health System sent notes to 87 families and apologized for an incident that left the patient records of children exposed. The records contained names, Social Security numbers, phone numbers, and diagnosis information. Erlanger has not been made aware of the records being used in an unauthorized manner. (87 records involved) [source].

  

Lehigh Valley Health Network purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Excela Health had a data breach in 2011, in Pennsylvania. A computer was stolen from the radiology department of the Jeannette campus of Excela. It contained patient names, dates of birth and types of exam performed. [source].

  

Leiden University Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Fairview and North Memorial Hospitals, Accretive had a data breach in 2011, in Minnesota. The July 25 theft of a laptop resulted in the exposure of patient information. It was stolen from a rental car parked in the parking lot of a Minneapolis restaurant. The laptop was in the possession of an employee of the contractor Accretive. It contained the names, addresses, dates of birth, medical information, and Social Security numbers of patients. A total of 14,000 Fairview patients were affected. Approximately 2,800 North Memorial patients were affected, but did not have their Social Security numbers exposed. UPDATE (1/20/2012): A lawsuit was filed against Accretive Health, Inc. as a result of the breach. Approximately 23,500 patients in Minnesota were affected by the breach. The Minnesota Attorney General claims that Accretive failed to protect patient health care records and failed to disclose its extensive involvement in patient health care. According to the Minnesota Attorney General, Accretive gained access to sensitive patient data through contracts with the two hospitals and numerically scored patients' risk of hospitalization and medical complexity, graded their frailty, compiled per-patient profit and loss reports, and identified patients deemed to be outliers. The physical and mental health information included a checklist of 22 different chronic medical conditions that patients did or did not have. This was without the knowledge or consent of patients and the Attorney General argues that patients had the right to know how their information was being used and to have it kept confidential. Accretive tells investors that its contracts with hospitals include risk scoring patients, reducing avoidable hospital admissions, identifying the sickest and most impact-able patients for proactive management, and identifying real-time interventions with significant revenue or cost impact.
The lawsuit alleges that Accretive violated state and federal health privacy laws, state debt collection laws, and state consumer protection laws. It seeks an order requiring Accretive to fully disclose to patients: 1) what information it has about Minnesota patients; 2) what information it has lost about Minnesota patients; 3) where and to whom it has sent information about Minnesota patients; and 4) the purposes for which it amasses and uses information about Minnesota patients. In addition, the lawsuit asks Accretive to disclose whether it has sent health data about Minnesota patients to an offshore site in New Delhi, India and requests that restrictions be applied to how Accretive treats and uses patient data. The press release from the Office of Minnesota Attorney General Lori Swanson can be found here. UPDATE (08/24/2012): A settlement agreement with Accretive Health was announced at the end of July. The settlement requires Accretive to stop doing business in Minnesota for two years and to pay approximately $2.5 million to the State of Minnesota, a portion of which will be used to compensate patients. (14000 records involved) [source].

  

Lincoln Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Fairview Health Services had a data breach in 2011, in Minnesota. About 1,200 patient records were stored in a box and marked for shipping to a new office location. The box never arrived and was reported missing on February 21, 2011. Patient billing records with names, dates of birth and medical information may have been exposed. The records are used to process insurance claims. Any patient admitted to Fairview Southdale Hospital in Edina between April of 2010 and February of 2011 may have had their information exposed. [source].

  

Loma Linda University Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Family Care Center had a data breach in 2010, in Washington. A thief or thieves entered the physical therapy office on June 12th. Cash, other items, and a laptop containing encrypted patient information such as names and account numbers were stolen. It appears that a door was left unlocked. [source].

  

Long Island Health Network purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Family Chiropractic Center had a data breach in 2012, in Indiana. Between 400 and 450 medical records were stolen from a chiropractic clinic during a January 2 burglary. Files for patients with last names ending in DOD through DRI; ending in ELL through GAT; and ending in GIF through HAL and who had been to the clinic since January 1, 2008 were taken. [source].

  

Long Island Jewish Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Family Health Center had a data breach in 2010, in Virginia. Boxes containing patient information ended up in a dump. The easily accessible information included health history, surgeries performed, test results, pictures, insurance cards, bank account information and addresses. The boxes were traced back to Family Health Center on Town Center Parkway. [source].

  

Los Angeles Brain & Spine Institute purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Family Health Center of Clark County had a data breach in 2006, in Indiana. Two computers stolen from an Indiana state health department contractor, the Family Health Center of Clark County, contained the names, addresses, birth dates, SSNs and medical and billing information for more than 7,500 women. The data were collected as part of the state's Breast and Cervical Cancer Program. (7700 records involved) [source].

  

Lourdes Health Network purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Fayetteville Veterans Affairs Medical Center had a data breach in 2013, in North Carolina. Optical shop consultation reports were placed in a publicly accessible recycling bin over a period of three months rather than properly disposed. The documents contained names, Social Security numbers, addresses, dates of birth, and prescriptions. The issue was discovered on April 17 and most likely started in January of 2013. (1,093 records involved) [source].

  

Lucile Packard Childrens Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Fletcher Allen Health Care had a data breach in 2011, in Vermont. A physician pleaded guilty to unlawfully obtaining the private medical information of another person. The former employee accessed the records of several women who were not his patients. In one case, he was in a sexual relationship with a woman and accessed her information to check if she carried sexually transmitted diseases. The crime occurred in 2008. The physician is scheduled to be sentenced on March 26, 2012 and faces a maximum sentence of one year in prison and a $50,000 fine. [source].

  

Maine Coast Memorial Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Flex Physical Therapy had a data breach in 2012, in Washington. Three computers were stolen on December 30, 2011. One of the computers contained the protected health information of patients. [source].

  

Maine Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Florida Hospital had a data breach in 2011, in Florida. Patients who visited emergency departments of three Central Florida county Florida Hospitals between January 1, 2010 and August 15, 2011 may have had their information improperly accessed by one or more employees. Patient names, Social Security numbers, dates of birth and insurance information were exposed. Several employees were fired for misconduct, but one employee was fired for viewing patient information without authorization for the purpose of identifying motor vehicle accident victims. The hospital launched an investigation after a car-accident victim felt that a soliciting attorney had somehow obtained his medical information. UPDATE (10/19/2011): The FBI is now investigating the disclosure of patient information. It appears that three employees sold accident victim data to an attorney referral service. Former patients have also been contacted by funeral homes and at least one patient became an identity theft victim. UPDATE (08/18/2012): One dishonest employee who worked at Florida Hospital Celebration allegedly viewed the emergency room records of 763,000 patients. A total of 12,000 patients from the group of 763,000 were contacted by the Hospital and notified of the risk of identity theft. UPDATE (10/22/2012): The former employee worked at Florida Hospital from July 2006 until July 2011 and was responsible for registering emergency patients. The scam involved patient phone referrals to a lawyer or chiropractor who knew details about car accidents and hospital treatments. The dishonest employee had illegally gathered the patient information during emergency visits.
He pleaded guilty to conspiracy to obtain health information and wrongful disclosure of health information. UPDATE (01/07/2013): A man associated with Metro Chiropractic and Wellness Center and City Lights Medical Center pleaded guilty to charges related to illegally obtaining patient information from two spouses who worked at Florida Hospital Celebration. He was charged with one count of conspiracy to defraud the United States and four counts of making a payment to a non-licensed physician. UPDATE (04/12/2013): One former patient affected by the breach has brought a lawsuit against Adventist Health System/Sunbelt, Inc. Florida Hospital Celebration and 36 other hospitals compose the Adventist network. The former patient is alleging that their privacy rights as a patient were violated when Adventist Health System/Sunbelt Inc. failed to prevent emergency room workers from selling access to their medical records. (12000 records involved) [source].

  

MaineCoast Memorial Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Florida Hospital Tampa (formerly University Community Hospital Medical Center), Crothall Healthcare, Naval Medical Center (Bob Wilson Naval Hospital) had a data breach in 2012, in Florida. Three people were arrested for their roles in filing 225 fraudulent tax returns. They face charges of conspiracy, theft of government property, and aggravated identity theft. About $555,000 in refund money was obtained. One of the defendants worked at Florida Hospital Tampa through a maintenance and housekeeping company. Information came from a variety of medical centers in California and Florida. There was an incident where the dishonest worker provided her co-conspirators with a list of names and Social Security numbers from patients seen at Florida Hospital Tampa on January 17 of 2012 and another incident where ER patient names, Social Security numbers, and other information was stolen from Crothall Healthcare in January. (45 records involved) [source].

  

MaineGeneral Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Foothills Nephrology Associates had a data breach in 2011, in South Carolina. A company laptop was stolen from a physician's vehicle on the night of April 27. Patient names, dates of birth and clinical information were on the laptop. It did not contain Social Security numbers or financial information. [source].

  

Marin General Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Fort Worth Allergy and Asthma Associates had a data breach in 2010, in Texas. The June 29th theft of four computers resulted in patient records being exposed. The patient records contained addresses, Social Security numbers and dates of birth. (25,000 records involved) [source].

  

Marshall Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Foundation Medical Partners had a data breach in 2012, in New Hampshire. A total of 771 patient records may have been exposed as a result of a breach that occurred on November 19, 2011. No further details were disclosed. [source].

  

Martins Point purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Franciscan Medical Group had a data breach in 2011, in Washington. A computer that contained the protected health information of patients was stolen on or around November 18, 2010. [source].

  

Mason General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Freda J. Bowman MD, PA had a data breach in 2011, in Texas. Protected health information from a network server was breached on or around August 8, 2011. The incident may have been an unintended disclosure which allowed unauthorized users to view information, or it may have been a hacking attack. [source].

  

Mayo Clinic purchases statewide personal hospital discharge data from at least CA, ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Friendship Center Dental Office had a data breach in 2011, in Florida. A laptop that contained the protected health information of patients was stolen on or around December 20, 2010. [source].

  

Mcgee Medical purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Froedtert Health had a data breach in 2013, in Wisconsin. A computer virus was discovered on an employee's work computer account on December 14, 2012. One of the files on the employee's computer contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, names of health insurers, diagnoses, and other clinical information. A limited number of Social Security numbers were also exposed. (800 records involved) [source].

  

Medstar Health purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gail Gillespie and Associates, LLC had a data breach in 2011, in Texas. On or around June 25, 2011, a breach involving a laptop, a computer, and a network server was discovered. Patient information was exposed as a result of the breach. [source].

  

Memorial Hermann purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gastroenterology Consultants had a data breach in 2010, in Nebraska. A local news station responded to a report about patient files being left in a recycling dumpster outside of the clinic. Hundreds of documents with patient names, Social Security numbers, addresses and detailed medical information were found and secured by KMTV Action 3 News. The files appear to be from 2002 and 2003. [source].

  

Memorial Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Geisinger Health System had a data breach in 2010, in Pennsylvania. A former physician emailed patient medical information to his home email account in an unencrypted manner. The information included patient names, medical record numbers, procedures and indications. The physician deleted the information from his computer, home network and servers. The incident occurred on or around November 3. [source].

  

Memorial Sloan-Kettering Cancer Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

General Internal Medicine of Lancaster had a data breach in 2008, in Pennsylvania. A laptop was stolen from a doctor's office containing the Social Security numbers of patients. The clinic is notifying 12,000 potentially affected patients. [source].

  

Mercy Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Georgetown University Hospital had a data breach in 2012, in District Of Columbia. A technician's USB thumb drive with patient information was misplaced at Georgetown University Hospital. People who were associated with the Department of Laboratory Medicine and visited the Hospital between September of 2004 and September of 2009 may have had their names, medical record numbers, dates of birth, blood types, dates of blood tests, blood test results, summary of clinical histories, and clinician names exposed. The thumb drive was last seen on September 9, 2011, and was discovered missing on the morning of September 14, 2011. [source].

  

Meridian Health (Jersey Sh. Umc, Ocean Mc & Riverview Mc) purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Georgia Health Sciences University had a data breach in 2012, in Georgia. A laptop was stolen from the home of a nurse on January 18, 2012. It contained the names, dates of birth, partial diagnosis information, and internal codes associated with patients' laboratory tests. The information is from patients of the Adult Sickle Cell Clinic. [source].

  

Methodist Health System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Georgia Obstetrical and Gynecological Society had a data breach in 2012, in Georgia. Two laptops with member information were stolen during an office burglary. Financial and other administrative information were also on the laptops. The laptops did not contain any patient information. It is unclear if the theft of the equipment was politically motivated. UPDATE (3/26/2012): The breach appears to have been politically motivated. Two other OB-GYNs had laptops stolen from their offices after speaking out against a controversial Georgia bill. [source].

  

Mid Coast Health Services purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gibson General Hospital had a data breach in 2012, in Indiana. The November 27 theft of a laptop may have resulted in the exposure of patient information. Names, Social Security numbers, addresses, and clinical information may have been exposed. Patients who have received services since 2007 may have been affected. (29,000 records involved) [source].

  

Mid Coast Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Good Samaritan Hospital had a data breach in 2011, in Maryland. A man posing as a vendor took two barrels of old X-ray film. The film contained medical data from over five years ago. It had been put aside for destruction or recycling. Authorities believe the thief wanted to extract the silver contained in the films. [source].

  

Mid-Valley Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Grady Memorial Hospital had a data breach in 2008, in Georgia. Hospital records were stolen, although it remains unknown how many patient records were compromised, which patients were affected or how the records were stolen. The records pertained to recorded physician comments that Grady sent to a vendor to transcribe into medical notes. The records were stolen from a subcontractor employed by the vendor. [source].

  

Midland Memorial Hospital purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Granger Medical Clinic had a data breach in 2013, in Utah. A total of 2,600 medical appointment records disappeared before they could be shredded. The records contained patient names, dates of appointments, times of appointments, and reason for appointment. No medical claim information, financial information, or Social Security numbers were exposed. [source].

  

Morton General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Grays Harbor Pediatrics had a data breach in 2011, in Washington. A backup tape was stolen from an employee's car sometime around November 23. The device was used for storing copies of paper records. Patients may have had their names, Social Security numbers, insurance details, driver's license information, immunization records, medical history forms, previous doctor records and patient medical records scanned and placed on the backup tape. (12000 records involved) [source].

  

Mount Desert Island Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Greater Detroit Hospital had a data breach in 2007, in Michigan. It's a repeat of a problem that emerged late last year at the Greater Detroit Hospital where metal thieves stripped everything from copper piping to windows, exposing rows of abandoned patient files. Neighbors said there are hundreds of boxes of patient files and payroll records inside, full of credit card and Social Security numbers. [source].

  

Mount Sinai purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Greensboro Gynecology Associates had a data breach in 2008, in North Carolina. A backup tape of patient information was stolen from an employee who was taking the tape to an off-site storage facility for safekeeping. The stolen information included patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members. (47000 records involved) [source].

  

Mountainside Hospital purchases statewide personal hospital discharge data from at least NJ [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Greenville Hospital System University Medical Center, Allen Bennett Memorial Hospital had a data breach in 2011, in South Carolina. Exposed boxes of patient information were reported to Greenville Hospital System on December 31, 2010 by someone wishing to remain anonymous. The boxes were in a storage structure behind the building of an abandoned hospital. The hospital was Allen Bennett Memorial Hospital; it closed in August of 2008. Greenville Hospital System collected the boxes and notified patients in February. The 22 boxes contained information from Allen Bennett Memorial dating from 1990 to 1999. The information in the boxes included patient names, reasons and dates for visits, amount paid, patient insurance information with diagnosis and treatment, and admission reports with patient dates of birth and some Social Security numbers. An investigation revealed that the information in the boxes was probably not used for criminal purposes and that no one was sure how the boxes had gotten there. [source].

  

Multicare Good Samaritan Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Greil Memorial Psychiatric Hospital had a data breach in 2008, in Alabama. Index cards containing patients' personal information, names, dates of birth, even Social Security numbers are gone. Hundreds of records have simply disappeared. [source].

  

Multicare Health Systems purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gressler Clinic had a data breach in 2012, in Florida. A May 3 office burglary resulted in the theft of sensitive documents. The stolen documents were charge tickets and contained Social Security numbers, addresses, phone numbers, dates of birth, insurance information, and diagnosis and treatment information. (1,400 records involved) [source].

  

Nemours Childrens Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Griffin Hospital had a data breach in 2010, in Connecticut. A former employee appears to have continued accessing patient names, medical information, dates of birth and medical record numbers. Patients received soliciting phone calls from a physician at another hospital. UPDATE(06/212012): The physician and radiologist responsible for the breach has been fined $20,000 for downloading patient information and using it to promote radiology services at Advanced Mobile Imaging Radiology. [source].

  

Nemours Foundation purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Group Health Cooperative Health Care System had a data breach in 2007, in Washington. Two laptops containing names, addresses, Social Security numbers and Group Health ID numbers of local patients and employees have been reported missing. (31000 records involved) [source].

  

New York Presbyterian Hospital purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gulf Coast Health Care Services had a data breach in 2012, in Florida. A network security incident resulted in the exposure of patient information. The breach occurred on August 17. UPDATE(11/26/2012): An employee accessed and downloaded patient information without authorization or a legitimate purpose on five occasions between June 29 and September 20 of 2012. Gulf Coast Health Care Services discovered the issue on September 26. Patients who were seen between 1992 and September 20, 2012 may have had their names, addresses, dates of birth, and phone numbers accessed. It appears that the employee was accessing the data for the purpose of helping outside practitioners recruit patients to their own practices. The incident was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. This entry on the Privacy Rights Clearinghouse Chronology of Data Breaches was previously listed as a hack and was reclassified as an insider breach based on new information. [source].

  

Newport Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gulf Coast Medical Center had a data breach in 2007, in Florida. Patient information including names and Social Security numbers was compromised when a computer went missing in February in Tallahassee, FL. A very similar and previously uncovered breach happened in November of 2006. (8000 records involved) [source].

  

North Bay Healthcare purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gulf Coast Medical Center had a data breach in 2007, in Tennessee. Patient information including names and Social Security numbers was compromised when a computer went missing in November 2006 from Nashville, TN. This breach drew media attention when an additional 8,000 patients' information was compromised during a February 2007 breach in Tallahassee, FL. (1,900 records involved) [source].

  

North Broward Hospital District purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gulf Pines Hospital had a data breach in 2010, in Florida. Former employees are concerned that the hospital was not properly cleared before being sold. People reported abandoned files in the middle of the hospital. An emergency room log, driver's license information, Social Security numbers and other personal files were left in the hospital. Patient medical records were removed. The buyer of the property was contacted, but did not return phone calls. [source].

  

North Florida Surgery Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gundersen Lutheran Medical Center had a data breach in 2006, in Wisconsin. A Medical Center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint. [source].

  

North Valley Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hackensack University Medical Center had a data breach in 2012, in New Jersey. On September 26, 2011, Hackensack University Medical Center became aware that a dishonest employee had accessed patient information prior to September 1, 2011. A former employee working as a clerk took confidential patient files from an outpatient clinic. The files contained names, Social Security numbers, addresses, dates of birth, driver's license numbers, health insurance cards, and other insurance information. No medical records were taken. (445 records involved) [source].

  

Northwest Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Halifax Health had a data breach in 2009, in Florida. A laptop computer, which might have contained password-protected patient information, was stolen from a Halifax Health employee's vehicle in Orange County. (33,000 records involved) [source].

  

Northwestern University Feinberg School Of Medicin purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hanger Prosthetics and Orthotics Group had a data breach in 2010, in Texas. A laptop was stolen from a human resources employee on November 4. The laptop contained employee names, Social Security numbers, health information and addresses. UPDATE(2/15/11): HHS shows that the breach affected 4,486 people. (4486 records involved) [source].

  

Ny Downtown Hospital purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Harris County Hospital had a data breach in 2008, in Texas. A lower-level Harris County Hospital district administrator downloaded medical and financial records for patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen. This may have been a violation of law. The data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses. (1200 records involved) [source].

  

Nyu Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Harris County Hospital District had a data breach in 2012, in Texas. The Harris County Hospital District was alerted to an issue when they received a grand jury subpoena on February 11, 2011. A dishonest employee was immediately fired for viewing and possibly sharing patient names, Social Security and member numbers, medical record numbers, addresses, phone numbers, dates of birth, sexes, emergency contact information, payer information, and other medical care information. The Harris County Hospital District decided to send patients notifications on July 20, 2012 after receiving additional information about the breach. The former employee was indicted and will be tried on criminal charges related to the stolen and misused information on September 24, 2012. [source].

  

OConnor Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hartford Hospital, VNA HealthCare, Greenplum had a data breach in 2012, in California. An employee of Greenplum was robbed of a laptop during a home burglary on or around June 26. Greenplum is a subsidiary of a hospital vendor known as EMC Corp. The laptop contained the information of 7,461 VNA HealthCare patients and 2,097 Hartford Hospital patients. Patients had their names, Social Security numbers, addresses, dates of birth, marital status, Medicaid and Medicare numbers, medical record numbers, and certain diagnosis and treatment information exposed. (9,558 records involved) [source].

  

Ocean Beach Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Harvard University Health Services, Anna Jaques Hospital, Lowell General Hospital, Saints Medical Center had a data breach in 2011, in Massachusetts. Two men were arrested for posing as employees of an X-ray removal company in order to steal old X-ray films. The two men hit multiple locations. It is believed that their primary focus was the silver contained in the films; however, patient medical and personal information was also linked to the X-ray films. Around 1,000 X-rays were stolen from Harvard University Health Services and a barrel of X-rays was taken from Anna Jaques Hospital. The men were charged with conspiracy and larceny from a building. The thefts occurred in August, but it is unclear how many other organizations were affected. The men were also linked to a crime or crimes in New Hampshire. UPDATE(03/05/2012): The men were tied to thefts and theft attempts at Anna Jaques Hospital in Newburyport and Saints Medical Center in Lowell. [source].

  

Olympic Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hazleton Community Ambulance Association had a data breach in 2011, in Pennsylvania. Hundreds of sheets were found inside of folders in improperly discarded boxes. The sheets were easily visible and accessible through sliding doors on either side of the dumpster and a firefighter alerted a local newspaper to the incident. The records contained names, Social Security numbers, payroll information, addresses, phone numbers, insurance information, dates of birth, and medical histories from employees and former patients of the Ambulance Association. It appears that all of the records are from 2003 and 2004. An Ambulance Association officer admitted to placing the boxes in a dumpster rather than following usual procedure and shredding them. [source].

  

Orange Coast Memorial Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

HCA, Inc. Hospital Corporation of America had a data breach in 2006, in Tennessee. 10 computers containing Medicare and Medicaid billing information and records of employees and physicians from 1996-2006 were stolen from one of the company's regional offices. Some patient names and SSNs were exposed, but details are vague. Records for patients in hospitals in the following states were affected: CO, KS, LA, MS, OK, OR, TS, WA. [source].

  

Orlando Health purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Head Injury Association had a data breach in 2012, in New York. A former manager was indicted for stealing the identities of patients. He faces a 48-count indictment alleging grand larceny in the third degree, identity theft in the second degree, offering a false instrument for filing in the first degree, and possession of a forged instrument in the second degree. He allegedly used the names and Social Security numbers of patients to e-file fraudulent tax returns and obtain over $200,000 in federal, New York, and New Jersey tax refunds. The scam occurred in 2006 and 2007. It was not discovered until recently since those who were affected were unable to work with investigators. The manager was convicted for similar crimes in the past. He used the information of a deceased and developmentally disabled individual from a Nassau County group home to obtain a fraudulent debit card and was also arrested for credit card fraud near Atlanta, Georgia. UPDATE(12/19/2012): The former manager pleaded guilty to 20 counts of second-degree identity theft and offering a false instrument for filing, as well as six counts of criminal possession of a forged instrument and additional charges. He will pay $20,000 in restitution. His sentencing is expected to be on January 25, 2013 and he faces up to four years in prison. (56 records involved) [source].

  

Othello Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Healing Hands Chiropractic had a data breach in 2007, in Colorado. Hundreds of medical records containing the personal information of chiropractic patients including Social Security numbers, birth dates, addresses and, in some cases, credit card information were thrown into a dumpster "due to lack of office space." [source].

  

Overlake Hospital Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Health and Sports Rehab, Inc. had a data breach in 2012, in Massachusetts. A dishonest intern stole personal information while working at the clinic. The information was used to create and cash fraudulent checks and the dishonest intern pled guilty. [source].

  

Palo Alto Va Healthcare System purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Health Research Institute, Inc., Pfeiffer Treatment Center had a data breach in 2011, in Illinois. The July 1, 2011 theft of a desktop computer and network server resulted in the exposure of patient information. [source].

  

Paris Regional Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Healthcare Partners had a data breach in 2011, in California. Nineteen computers were stolen during an office burglary on Monday, April 18. Administrative information such as names, addresses, dates of birth, medical record numbers, and health insurance plan ID numbers were exposed. Sensitive medical information such as treating physician names, diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations were also exposed. A safe with 16 patient checks and 60 patient credit card receipts was also stolen. (16 records involved) [source].

  

Parrish Medical Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Henry Ford Health Center had a data breach in 2011, in Michigan. An employee misplaced a flash drive with sensitive patient information. The flash drive was lost on January 31 and investigators began the process of determining what happened and what information was on the flash drive on February 8. Patients tested for urinary tract infections between July and October of 2010 may have had their names, medical record numbers, test information and results exposed. [source].

  

Peacehealth purchases statewide personal hospital discharge data from at least WA, NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Henry Ford Health System had a data breach in 2011, in Michigan. A computer with sensitive patient information was stolen sometime between August 5 and August 7. It held patient names, physician names, medical record numbers, and genotype test results. [source].

  

Penobscot Bay Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Henry Ford Health System had a data breach in 2010, in Michigan. An employee's laptop was stolen on September 24. It contained the information of patients who received prostate services between 1997 and 2008. The laptop was stolen from an unlocked urology medical office. No Social Security numbers, full medical records or health insurance identification numbers were on the stolen laptop. Patient names, medical record numbers, dates of birth and treatment information were on the laptop. UPDATE (11/23/10): The breach affected 3,700 patients. [source].

  

Phoebe Putney Memorial Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Heyman HospiceCare, Floyd Medical Center had a data breach in 2013, in Georgia. The theft of a password-protected laptop from an employee's car may have resulted in the exposure of patient information. The theft occurred on January 4, 2013 and was reported immediately. Patients who were treated between July 1, 2006 and January 3, 2013 may have had their names, Social Security numbers, addresses, phone numbers, dates of birth, insurance policy numbers, diagnoses, visit notes, physician names, caregiver names, and advance directives exposed. [source].

  

Pmmc purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

High Point Regional Health System, Premier Imaging LLC had a data breach in 2011, in North Carolina. A former employee was fired after taking patient files home sometime between September 14 and October 6. The files contained patient names, Social Security numbers, dates of birth, addresses, driver's license numbers and insurance information. A total of 47 patient records were returned, but it is unclear if the employee may still have others. (47 records involved) [source].

  

Pomona Valley Hospital Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Highland Hospital (Rochester, NY) had a data breach in 2007, in New York. Two laptop computers, one containing patient information including Social Security numbers, were stolen from a business office. The computers were sold on eBay, and the one containing personal information was recovered. (13000 records involved) [source].

  

Portsmouth Regional Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Highlandtown Community Health Center, Johns Hopkins Hospital had a data breach in 2012, in Maryland. At least four people were involved in an identity theft ring that affected over 250 people. One member of the ring was employed by Highlandtown Community Health Center and provided personal and financial patient information that he accessed through his position. The information was used by other ring members to create counterfeit checks and fraudulent state identification cards. The fraud occurred between August and October of 2009. Another member of the ring was employed by Johns Hopkins Hospital and provided the information of doctors who applied for fellowships there. Several ring members rented apartments under the identities of doctors. Two of the members pleaded guilty to conspiring to commit wire fraud and aggravated identity theft. The four members of the ring are required to collectively pay restitution for fraudulently obtained cash, merchandise, and services worth over $188,000. (250 records involved) [source].

  

Prosser Memorial Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Holy Cross Hospital, Office of Dr. Elliot Stein had a data breach in 2010, in Florida. A criminal investigation uncovered 38 patient files. The files contained names, addresses, Social Security numbers, dates of birth and descriptions of initial diagnosis from Emergency Room visits. An investigation that began in June showed that an employee was responsible; that employee was fired. The employee may have inappropriately accessed 1,500 patient files between April 2009 and September of 2010. The Hospital now limits the amount of key personal data included in the type of documents involved in the incident. UPDATE(2/17/2011): Five other suspects have been arrested within the past month. Authorities learned of the fraud ring in May of 2010. UPDATE(4/15/2011): A former Holy Cross Hospital employee was sentenced to prison for disclosing patient information. The woman was sentenced to 24 months in prison with 12 months of home confinement, followed by three years of supervised release. After being caught selling patient information from her employer, she pleaded guilty to disclosing individually identifiable health information. UPDATE(6/21/2011): It was revealed that one of the other suspects is being charged with selling information from the office of Dr. Elliot Stein in Aventura. A criminal investigation uncovered lists of patient information from Dr. Stein that included names, Social Security numbers, addresses, dates of birth, and health information. (1500 records involved) [source].

  

Providence Everett Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hospital Auxilio Mutuo had a data breach in 2010, in Puerto Rico. The Hospital experienced a breach of one or more computers on or around November 19. The exact nature of the breach was not reported and could have been theft, unauthorized access, hacking, or an IT incident. [source].

  

Providence Health Services purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Howard University Hospital had a data breach in 2012, in District Of Columbia. A dishonest employee working as a technician in the surgery department at Howard University Health Sciences sold patient information between August 2010 and December of 2011. The employee was charged with one count of wrongful disclosure of individually identifiable health information. Patient names, Medicare numbers, addresses, and dates of birth may have been exposed. UPDATE(09/24/2012): The dishonest employee was sentenced to 100 hours of community service and three years of probation. The probation term includes six months in a halfway house followed by six months of home confinement. She was also fined $2,100. Her illegal activities involved taking the records of hospital patients, selling their names, addresses, dates of birth, and medical numbers to an unauthorized party, and providing blank hospital prescription forms as well. The dishonest employee was paid between $500 and $800 in cash for each transaction. The information was used for fraudulent oxycodone prescriptions. (40 records involved) [source].

  

Providence Hospital purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Howard University Hospital had a data breach in 2012, in District Of Columbia. The January 27 theft of a laptop from a former contractor's vehicle resulted in the loss of patient information. The patient files included Social Security numbers, names, addresses, identification numbers, medical record numbers, dates of birth, admission dates, diagnosis-related information, and discharge dates. The majority of those affected were patients who were treated at the Hospital between December 2010 and October 2011. Some patients who received treatment as far back as 2007 were also affected. The patient files had been downloaded onto the contractor's personal laptop in violation of the Hospital's policy. The contractor stopped working for the hospital in December of 2011. UPDATE(09/21/2012): The number of patients who were notified was revised from 34,503 to 66,601. (66601 records involved) [source].

  

Providence Saint Peter Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Huntsville Hospital had a data breach in 2012, in Alabama. A thief or thieves entered Huntsville Hospital and impersonated a vendor in order to collect old barrels of X-rays. Thieves commonly use this tactic to obtain X-rays. The X-rays are then stripped for silver. The X-rays contained patient names, dates of birth, and medical records. There were over 1,000 X-rays, but only 125 to 175 patients were affected. [source].

  

Providence Sw Washington Service Area purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hurley Medical Center had a data breach in 2011, in Michigan. A laptop was discovered missing in May. It was held in a locked room in Hurley, but it was not encrypted or password protected. The laptop contained the names, heights, weights, dates of birth, medical record numbers and lung function test results of 1,938 patients who visited Hurley between 2007 and May of 2011. A total of 10 out of 150 of Hurley's laptops were not encrypted at the time of the discovery. [source].

  

Puget Sound Health Alliance purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hutcheson Medical Center had a data breach in 2010, in Tennessee. Anyone who peered inside the mixed paper bin at the Dupont Recycling Center in May of 2009 got an eyeful: files, in plain sight, which contained sensitive medical and identity information. Authorities don't know how those thousands of files got there. Some of the records came from Hutcheson and a plastic surgery office in the area. The information inside those files included graphic photos and Social Security numbers. [source].

  

Puget Sound Surgical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Independence Physical Therapy had a data breach in 2012, in Connecticut. A desktop computer was stolen or discovered stolen on August 1, 2011. It contained protected health information. The incident was disclosed on July 3. [source].

  

Pullman Regional Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Indiana Internal Medicine Consultants had a data breach in 2012, in Indiana. The February 11, 2012 theft of a laptop resulted in the exposure of protected health information. [source].

  

Quincy Valley Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Indiana Regional Medical Center had a data breach in 2011, in Pennsylvania. A former employee stole more than 500 patient records for the purpose of using them as evidence in a legal dispute with a physician. The theft occurred in September of 2010 and included the medical information of three or four patients, as well as administrative information related to hundreds of other patients. [source].

  

Redington Fairview General Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Indiana University Health Arnett had a data breach in 2013, in Indiana. The theft of an employee's unencrypted laptop resulted in the exposure of patient information. The laptop was stolen from an employee's car on April 9 and contained email records. Patient names, medical record numbers, dates of birth, physician names, diagnoses, and dates of service may have been exposed. [source].

  

Redwood Regional Medical Group purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Indiana University Medical Group had a data breach in 2012, in Indiana. A concerned citizen found a box of sensitive medical documents in a dumpster and contacted a local news team. The box contained hundreds of documents that included copies of driver's licenses, prescriptions, signatures, and other patient information. The box was removed by Indiana University Medical Group before investigators arrived. Indiana University Medical Group claimed that the information was accidentally discarded rather than shredded. The documents were properly disposed of after being collected. [source].

  

Rhode Island Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Indiana University School of Medicine had a data breach in 2011, in Indiana. A laptop with sensitive information was stolen from a physician's car on Tuesday, August 16 of 2011. It contained patient information such as name, age, sex, diagnosis, medical record number, and in 178 cases, Social Security numbers. Individuals were notified on September 2. (178 records involved) [source].

  

Sacred Heart Health System purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

InStep Foot Clinic had a data breach in 2011, in Minnesota. Electronic medical records may have been exposed as a result of the theft of a laptop on or around August 28, 2011. [source].

  

Sacred Heart Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

IntraCare North Hospital had a data breach in 2012, in Texas. A former employee used patient information to file false income tax returns. The information of 741 patients was accessible in a binder. The employee worked as an intake coordinator at the Hospital from March 15 to August 18 of 2011. The breach was not discovered until April 18 of 2012. [source].

  

Samaritan Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Israel Deaconess Medical Center had a data breach in 2012, in Massachusetts. The May 22 office theft of a physician's laptop resulted in the exposure of patient information. It is unclear what type of information was on the laptop, but the chief information officer said that nothing that would be used from an identity theft perspective was on the laptop. [source].

  

Samaritan Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jackson Health System had a data breach in 2013, in Florida. A box that contained patient medical records was determined to have been missing since January. Patient medical diagnoses, surgical procedures, and other personal health information may have been exposed. The missing records were either on their way to be electronically scanned or returning from being scanned. [source].

  

San Antonio Community Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jackson Memorial Hospital had a data breach in 2009, in Florida. A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims. UPDATE (10/26/10): Ruben E. Rodriquez was sentenced to 11 years in prison for selling patient records to lawyers for injury claims. Rodriquez stole 3,350 patient records in 2008 and 2009. He may have also sold information in 2007. The information included name, contact information and medical diagnoses. [source].

  

Santa Barbara Cottage Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jackson Memorial Hospital, Jackson Health System had a data breach in 2011, in Florida. An unidentified former employee inappropriately accessed the financial information of hospital patients. The employee was fired and the department they worked in was not revealed. (1,800 records involved) [source].

  

Santa Clara Valley Medical purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jackson North Medical Center, Jackson Health System had a data breach in 2012, in Florida. A dishonest volunteer was caught passing patient information to people who used it to file fraudulent tax returns. The volunteer used his smart phone to capture patient records while working in an emergency room. Around 1,200 photos of 566 patient records were found on his phone. The breach was discovered when three men were caught using free wi-fi at McDonald's to file fraudulent tax returns in March. UPDATE (01/11/2013): Jackson Health banned volunteers from using cell phones in patient areas in order to prevent similar events from occurring. (566 records involved) [source].

  

Santa Rosa Memorial Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center, and Gunhill Health Center had a data breach in 2011, in New York. The New York City Health & Hospitals Corporation's North Bronx Healthcare Network experienced a breach. Backup tapes were stolen from an unsecured and unlocked van during transport by GRM Information Management Services. The theft occurred during December of 2010. The information on the tapes was from patients, staff members and associated employees and dated back to 1991. Names, Social Security numbers, addresses, patient health information and other patient and employee information may have been exposed. (1700000 records involved) [source].

  

Sarasota Memorial Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jacobs Neurological Institute had a data breach in 2006, in New York. The laptop of a research doctor was stolen from her locked office at the Institute. It included records of patients and her research data. [source].

  

Scripps Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

James A. Haley VA Hospital had a data breach in 2011, in Florida. A camera from the Plastic Surgery Clinic was discovered missing in November of 2010. It contained Social Security numbers and graphic photos of female patients before and after surgery for breast cancer. The same investigation that uncovered the missing camera also revealed that laptops, televisions, thumb drives, microscopes, a hospital surveillance system, and other equipment had been lost or stolen within the past two years. One missing thumb drive contained additional patient information. [source].

  

Seattle Cancer Care Alliance purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

James A. Haley Veterans Hospital had a data breach in 2011, in Florida. Hundreds of paper patient forms were compromised in May. An off-duty Tampa police officer discovered the records in a Motel 6 in May. The occupants of the motel room were detained on identity theft charges. The forms contained patient names, Social Security numbers, and dates of birth. The papers included Turbo Tax cards, receipts, and medical records from the Veterans Affairs hospital. At least one veteran had a fraudulent debit card charge. [source].

  

Seattle Children's Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jefferson Center for Mental Health had a data breach in 2011, in Colorado. A list with patient information was stolen from an employee's locked car on December 13, 2010. The employee's purse and work bag were also stolen. [source].

  

Sentara purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Jewish Hospital Catheterization Lab had a data breach in 2010, in Kentucky. Two stolen laptops contained personal information on patients who were treated between June 2, 2009 and July 16, 2010: patient names, Social Security numbers, dates of birth, medical record numbers, addresses, phone numbers, patient account numbers, and insurance carriers. (2,089 records involved) [source].

  

Seton Healthcare Family purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

John Muir Physician Network had a data breach in 2010, in California. John Muir Health, the Walnut Creek-based hospital system, has begun notifying 5,450 patients by mail of a potential breach of their personal and health information. Two months ago two laptop computers at the John Muir Physician Network Perinatal office in Walnut Creek were stolen. The laptops were password protected and contained data in a format that would not be readily accessible. External vendors and internal experts discovered that the missing laptops contained personal and health information going back more than three years. (5,450 records involved) [source].

  

Shands Healthcare Planning purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Johns Hopkins Hospital had a data breach in 2009, in Maryland. An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake driver's licenses in Virginia. The employee had access to information such as name, address, telephone number, mother's and father's names, dates of birth and Social Security numbers, but not to any health or medical information. UPDATE (10/1/10 via PHIPrivacy.net): The former employee and four others were indicted for fraud and aggravated identity theft. They are charged with using patient information to create fraudulent credit accounts. The former employee worked at the hospital between August 2007 and March of 2009. It is believed that around 600 patients may have been targets for identity theft, but only 50 incidents were linked to the former employee. (10200 records involved) [source].

  

Shannon Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Johns Hopkins Hospital had a data breach in 2008, in Maryland. On December 21, a briefcase with sensitive documents was stolen from an employee's car. The documents included names, Social Security numbers, addresses, dates of birth, phone numbers, physical and mental health information, medical ID numbers and demographic information. Current and former members of a program called Creative Alternatives were affected. (190 records involved) [source].

  

Sharp Healthcare purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Johns Hopkins Hospital had a data breach in 2007, in Maryland. A desktop computer containing the personal information of 5,783 Johns Hopkins Hospital patients was stolen. The computer included patients' names, Social Security numbers, birth dates and medical histories. (5,783 records involved) [source].

  

Sherman/Grayson Hospital, LLC purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Johns Hopkins Medicine had a data breach in 2009, in Maryland. A woman who worked as a patient services coordinator for Johns Hopkins Medicine has been sentenced to 18 months in prison for stealing patient information. The 31-year-old woman of Baltimore was also ordered to pay more than $200,000 in restitution. According to her plea agreement and court documents, from August 2005 to April 2007, the woman provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. (100 records involved) [source].

  

Shriners Hospital - Spokane purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Johns Hopkins University and Johns Hopkins Hospital had a data breach in 2007, in Maryland. Johns Hopkins reported the disappearance of 9 backup computer tapes containing personal information of employees and patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including SSNs and in some cases bank account numbers. The 9th tape contained less sensitive information about 83,000 hospital patients. (135000 records involved) [source].

  

Shriners Hospital For Children N Ca purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Julie A. Kennedy, D.M.D. had a data breach in 2011, in Florida. A network server was discovered to have been stolen on or around September 30, 2011. It may have contained patient information. [source].

  

Skagit Valley Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kadlec Regional Medical Center had a data breach in 2011, in Washington. A computer server that contained brain scan and other patient studies was hacked sometime around September 15. Patient names, dates of birth, ages, genders, medical record numbers and doctors' names were exposed. The breach was discovered on November 11 during routine monitoring of computer network backups. The server was removed from service and a firm was hired to investigate the issue. [source].

  

South Lake Hospital purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kaiser Medical Center had a data breach in 2007, in California. A doctor's laptop was stolen from the Medical Center containing medical information of 22,000 patients, but only 500 records contained SSNs. (500 records involved) [source].

  

Southeast Georgia Health System purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

KCI USA, Inc. had a data breach in 2012, in Texas. A portable electronic device was discovered to have been stolen on or around September 8, 2011. The device may have contained health and/or other personal information. [source].

  

Southern Maine Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Keck School of Medicine, University of Southern California (USC) had a data breach in 2005, in California. A computer server containing names and Social Security numbers of patients, donors and employees was stolen from a campus computer room. (50,000 records involved) [source].

  

Spine Centers Of America purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Keith & Fisher, DDS, PA had a data breach in 2011, in North Carolina. On February 16, 2011, an IT incident caused patient information to be exposed. It is not known if the breach resulted from a hack or an accidental release of information. The type of patient information exposed was not revealed. [source].

  

St Agnes Medical Center purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kern Medical Center had a data breach in 2012, in California. A resident physician printed out the records of 1,500 patients for research purposes. The paper records were stored in a computer bag and the bag was stolen from the physician's car on February 25. The records contained names, health information, and test results. They may have also contained the insurance information of some patients. UPDATE (4/20/2012): Medical record numbers, dates of treatments, diagnoses sites, cocci clinical numbers, and test results for HIV, AIDS, Hepatitis, and pregnancy may have also been exposed. [source].

  

St David's Healthcare purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kern Medical Center had a data breach in 2010, in California. The California Department of Public Health fined Kern Medical Center in Bakersfield, CA, $250,000 for allegedly keeping patient records in an outside, unlocked locker, allowing for the theft of 596 patient records in 2009. For several months in 2009 a Kern Medical Center employee placed the daily lab reports in the broken locker outside the hospital until they were stolen one night. Six additional health facilities were also fined: Biggs Gridley Memorial Hospital, Gridley, Butte County; Children's Hospital of Orange, Orange, Orange County; Delano Regional Medical Center, Delano, Kern County; Kaweah Manor Convalescent Hospital, Visalia, Tulare County; Oroville Hospital, Oroville, Butte County; Pacific Hospital of Long Beach, Long Beach, Los Angeles County. The total amount of fines for the seven health facilities was $792,000. (596 records involved) [source].

  

St Joseph Hospital purchases statewide personal hospital discharge data from at least WA, CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kern Medical Center had a data breach in 2010, in California. An employee opened an email that subsequently affected the entire hospital system in late July. The Kern Medical Center temporarily removed itself from the county computer network to prevent the spread of the attack. Patient records were eventually secured, but it is unknown if any were affected by the 16-day malware attack. [source].

  

St Jude Medical Center purchases statewide personal hospital discharge data from at least CA, WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation) had a data breach in 2012, in Indiana. An office burglary sometime around June 4 resulted in the theft of a safe. The safe held tapes used for backing up Kindred data related to past, present, and prospective patients. Diagnosis information, Social Security numbers, clinical information, bank account and other financial information, addresses, dates of birth, insurance numbers, dates that services were received from Kindred, discharge locations, daily activities, collections letters, and medications received may have been exposed. People admitted between 2009 and 2012 may have been exposed. (1504 records involved) [source].

  

St Louise Regional Hospital purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kindred Transitional Care and Rehabilitation-Highgate had a data breach in 2012, in Massachusetts. An office burglary resulted in the theft of a safe on January 26. The safe contained unencrypted backup tapes that require specialized software and equipment to read. The tapes contained patient names, dates of birth, genders, diagnoses, and progress notes. [source].

  

St Luke Rehabilitation Institute purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kings County Hospital Center had a data breach in 2010, in New York. The August 22 theft of a desktop computer may have exposed the protected health information of patients. [source].

  

St Luke's Hospital Roosevelt purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kingsbrook Jewish Medical Center had a data breach in 2006, in New York. A personal computer was stolen from the Hospital's outpatient billing office on December 26, 2005. It is likely that the computer contained spreadsheets with patient names and Social Security numbers embedded in insurance numbers. Those affected were notified May 26, 2006. (34863 records involved) [source].

  

St. Joseph Regional Health Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Knox Community Hospital had a data breach in 2011, in Ohio. X-ray records were discovered to have been improperly disposed of on or around October 1, 2011. Patient information may have been exposed. [source].

  

St. Luke's Episcopal Hospital purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Knoxville Medical Clinic, DRD Management had a data breach in 2012, in Tennessee. A former employee took paper documents with patient information without permission. It is unclear if the former employee meant to use the information for fraud purposes. Patient names, dates of clinic visits, dates for scheduled opiate addiction dosages, and the dosage amounts were in the paper documents. The documents were recovered. [source].

  

St. Mary's Health System purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kunz Opera House had a data breach in 2011, in Illinois. A physician kept 14 boxes of medical records from former patients in the front window of his building. A fire that struck the building, the Kunz Opera House, damaged the records and personal property. Some records were found in the street. An unspecified number of the damaged records were then buried in a secure location. (4200 records involved) [source].

  

St. Vincent's Healthcare purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lady of the Lake Regional Medical Center had a data breach in 2012, in Louisiana. A laptop went missing from a physician's office sometime between March 16 and March 20 of 2012. The laptop contained patient outcomes data from patients in the adult ICU from 2000 to 2008. Patient names, race, age, dates of admission and discharge from the Intensive Care Unit, and results of treatment may have been exposed. [source].

  

Stanford Hospital & Clinics purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lahey Clinic had a data breach in 2012, in Massachusetts. The loss of a physician's unencrypted, password-free Blackberry at an airport on July 1 resulted in the exposure of patient names, dates of birth, medical record numbers, diagnosis information, procedure names, and test results. Lahey Clinic was able to remove all data from the device remotely on July 6. Affected patients were notified in late August. [source].

  

Sunnyside Community Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lake Woods Nursing and Rehabilitation Center had a data breach in 2011, in Michigan. The December 28 theft of a computer may have exposed the health information and other types of information of certain individuals. [source].

  

SUNY Downstate Medical Center purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lakeview Medical Center had a data breach in 2012, in Wisconsin. More than 500 patients of Lakeview Medical Center homecare and hospice programs had their personal information exposed by the theft of a laptop. The laptop was stolen from a car belonging to a Lakeview nurse. It contained names, Social Security numbers, dates of birth, home addresses, Medicare ID numbers, and diagnostic information. It is unclear when the laptop was stolen, but the nurse who was involved no longer works for Lakeview. (500 records involved) [source].

  

Swedish Edmonds purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lana Medical Care had a data breach in 2012, in Florida. The August 18th theft of a laptop resulted in the exposure of patient information. [source].

  

Swedish Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Landmark Medical Center had a data breach in 2012, in Rhode Island. The office theft of a laptop resulted in the exposure of patient information. A spreadsheet with sensitive information that could be easily accessed was on the stolen laptop. It is unclear what type of information was exposed, but Social Security numbers, addresses, and medical information were not involved. UPDATE (12/21/2012): A Health and Human Services (HHS) notice reveals that the theft occurred on October 1. A total of 683 patients were affected by the breach. (683 records involved) [source].

  

Tacoma General Allenmore/Mary Bridge purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lebanon Internal Medicine Associates, P.C. had a data breach in 2011, in Pennsylvania. Contractors responsible for cleaning out the medical office after a storm improperly disposed of a computer that contained sensitive patient information. Lebanon Internal Medicine Associates left no specific instructions for the removal of the damaged computer. Patient information dating between November 1999 and August 25, 2011 was exposed and included full names, Social Security numbers, dates of birth, home addresses, account numbers, diagnoses, laboratory test results, and medical insurance information. It is believed that the information was inaccessible due to security measures within the server and flood damage. [source].

  

Texas Health Resources purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lee Miller Rehab Associates had a data breach in 2013, in Maryland. A network server was stolen or discovered stolen on January 15, 2012. The incident appeared on the HHS website in February of 2013. [source].

  

Texoma Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Legacy Health System had a data breach in 2007, in Oregon. A primary care physician practice has discovered the theft of $13,000 in cash and personal data for patients. Patient receipts, credit card transaction slips and checks are also missing, in addition to Social Security numbers and dates of birth for patients. The investigation indicated it was a dishonest insider. (747 records involved) [source].

  

The Methodist Hospital System purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lexington Clinic had a data breach in 2012, in Kentucky. A December 7 overnight office burglary resulted in the theft of a laptop with patient data. It contained names, contact information, and diagnoses of patients receiving services within the neurology department. The locks to the neurology department were changed after the theft was discovered. [source].

  

Titus Regional Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lincoln Medical and Mental Health Center had a data breach in 2010, in New York. Multiple CDs containing patient personal information were lost in transit by FedEx. Information included dates of birth, driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers. Siemens Medical Solutions USA, the Hospital's billing contractor, shipped the CDs around March 16th. They were never received. (130,495 records involved) [source].

  

Tri State Memorial Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Littleton Regional Hospital had a data breach in 2009, in New Hampshire. A patient complaint in March of 2009 resulted in the firing of an employee. An audit revealed that the employee inappropriately accessed patient records for unknown reasons at least three times between 2008 and May of 2009. The records contained names, contact information, dates of birth, insurance information and other health information. UPDATE (8/10/10): Another employee was fired for a similar unauthorized access incident during May of 2010. [source].

  

University Medical Center purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Living Healthy Clinic, University of Wisconsin - Oshkosh College of Nursing had a data breach in 2011, in Wisconsin. A computer security breach that occurred in July may have exposed the information of uninsured Winnebago County residents who sought health services. The information included names, Social Security numbers, addresses, and the health records of a limited number of people. The breach was discovered when University technology staff identified evidence of a computer virus on a desktop computer. There was no indication that unauthorized parties attempted to download information. (3,000 records involved) [source].

  

University Medical Center Of El Paso purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lockerman Family Chiropractic had a data breach in 2011, in Louisiana. Dr. Christopher Lockerman was arrested and charged with eight counts of financial identity fraud and one count of theft by deception. Victims lost over $264,000 due to identity theft. Patients of Lockerman's clinic had fraudulent J.P. Morgan Chase lines of credit established in their names. The period during which this took place was not revealed. [source].

  

University of Connecticut Health Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Logan County Emergency Ambulance Service Authority (LEASA) had a data breach in 2011, in West Virginia. A laptop was discovered missing on October 1, 2011. It was either lost or stolen. It contained names, Social Security numbers, addresses, and health information from patients. The laptop appears to have not been used to connect to the internet since October 1 and LEASA is attempting to block potential use of the device. (12563 records involved) [source].

  

University Of Miami, Sylvester Cancer Center purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Logic World Medical had a data breach in 2010, in Texas. The owner and operator of Logic World Medical used the names, addresses, and account numbers of Medicaid beneficiaries to file false claims for payment of services and goods that he never provided. Approximately $1,101,865.37 was fraudulently claimed between April of 2004 and August of 2006. [source].

  

University Of Washington Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Loma Linda Medical University had a data breach in 2011, in California. An employee was fired after taking sensitive documents home on or around December 19. Medical records and other documents with patient dates of birth, addresses, driver's license numbers, medical record numbers, and in some cases, Social Security numbers were removed from the hospital against hospital policy. The records were recovered. [source].

  

VA Boston Healthcare System purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Loma Linda University Medical Center had a data breach in 2010, in California. A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure. (584 records involved) [source].

  

VA Medical Center purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

LoneStar Audiology Group had a data breach in 2010, in Texas. The August 11 theft of a laptop resulted in the exposure of patient health information. [source].

  

Valley General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Long Chiropractic had a data breach in 2012, in Ohio. A November 26 office burglary may have resulted in the theft of patient records. A safe with computer disks and a laptop computer were stolen. It is unclear if either contained sensitive patient information. The burglars were in the office for 15 minutes and may have taken or viewed sensitive patient information in other areas. [source].

  

Valley Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Louisiana State University (LSU) Hospital System had a data breach in 2012, in Louisiana. A dishonest employee working in the billing department used her position to access account information. She scanned checks and identification information from the LSU hospital system database and passed them on to at least four women. The scheme was discovered when the four women were allegedly caught on camera making purchases with fake checks. Handwritten Social Security numbers, check and ID card printing items, computers, and copies of scanned checks were found when the women's homes were searched. At least seven people face charges that include identity theft, conspiracy to commit identity theft, conspiracy to commit monetary abuse, and possession of fraudulent documents for identification purposes. The dishonest employee was charged with 377 counts of identity theft. UPDATE (01/02/2013): LSU Health notified 416 patients after a hospital employee discovered fraudulent activity on her checking account. (416 records involved) [source].

  

Veterans Hospital/UCLA purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Loyola University Medical Center had a data breach in 2011, in Illinois. A flash drive was stolen from an employee's car. It contained the names, dates of birth, Social Security numbers, addresses and phone numbers of fewer than 100 patients. [source].

  

Virginia Mason Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

LSU Health Shreveport, Siemens Healthcare had a data breach in 2013, in Louisiana. A computer data entry error resulted in a mailing error that exposed patient information. The names and treatment information of certain patients were mistakenly mailed to other patients. No Social Security numbers, dates of birth, or financial account numbers were exposed. [source].

  

Virtua purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lucile Packard Children's Hospital had a data breach in 2013, in California. Between May 2 and May 8, a non-functional laptop computer was stolen from a secured area of the hospital. The laptop was password protected and contained names, ages, medical record numbers, telephone numbers, scheduled surgical procedures, and names of physicians involved in procedures between 2009 and 2012. [source].

  

Walla Walla Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lucile Packard Children's Hospital at Stanford University had a data breach in 2010, in California. A former employee took a hospital desktop computer with patient records home around January 11 of 2010. In February it was determined that the computer could not be recovered and patients were notified of the incident. The hospital was fined $250,000 by the California Department of Public Health for the delay in reporting the incident. As of September 9 2010, the hospital was in the process of appealing the fine. UPDATE (9/10/10): The desktop did contain patient Social Security numbers, medical record numbers, names, insurance information, diagnoses and treatment information. (532 records involved) [source].

  

Wellspan purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Lutheran Community Services Northwest had a data breach in 2012, in Washington. An office burglary that occurred on or around March 30, 2012 resulted in the theft of several computers and electronic devices. The computers and devices may have contained the names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth, driver's license numbers, Washington state ID numbers, income or payment information about services, conditions, treatments, or diagnosis information about clients, volunteers, and staff. (756 records involved) [source].

  

Wenatchee Valley Medical Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Madrona Medical Group had a data breach in 2006, in Washington. On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested. (6,000 records involved) [source].

  

Whidbey General Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Mahaska County Hospital had a data breach in 2010, in Iowa. Two patient-orders coordinators were fired for separate incidents of snooping. One inappropriately accessed at least two patients' data. The other employee inappropriately accessed the data of multiple family members. [source].

  

Willapa Harbor Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Manhattan Veterans Affairs Medical Center, New York Harbor Health Care System had a data breach in 2006, in New York. On Sept. 6, an unencrypted laptop computer containing veterans' names, Social Security numbers, and medical diagnosis was stolen from the Hospital. Veterans who receive pulmonary care were affected. (1600 records involved) [source].

  

Yakima Regional Medical & Cardiac Center purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Mankato Clinic had a data breach in 2010, in Minnesota. A laptop was stolen from the car of a registered nurse sometime between November 1 and 2. It contained a spreadsheet with patient names, dates of birth, medical record numbers, health provider names and diagnosis information. Patients were notified in late December; it took nearly two months to notify them because the Clinic was determining what was on the laptop. [source].

  

Yakima Valley Memorial Hospital purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Manor Care of Indy (South), LLC had a data breach in 2010, in Indiana. The protected health information of 845 individuals may have been viewed or obtained by an unauthorized person or persons. [source].

  

Yale New Haven Health System purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Marian Medical Center had a data breach in 2009, in California. Recent patients of the emergency room and Urgent Care Center have been alerted that a Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. (3200 records involved) [source].

  

York Hospital purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Martin Luther King Jr. Multi-Service Ambulatory Care Center had a data breach in 2010, in California. A janitor removed 14 boxes of patient records and sold them to a recycling center. The records had names, genders, dates of birth, addresses, medical record numbers and financial batch numbers. Patients who received services from the outpatient facility between January and October of 2008 were affected. The files were discovered missing on July 29 of 2010 and the custodial worker admitted to selling them. The custodian is being charged with one count of felony commercial burglary. Those affected will be mailed notifications during the week of September 20 of 2010. [source].

  
  




Copyright © 2012-2016 President and Fellows Harvard University.