theDataMap

Documenting all the places
personal data goes.

healthDataMap




Public Health Agencies receive health information from state discharge data holders, other government agencies, vital statistics offices and providers (hospital, physician). Data they receive is often required by reporting laws. They provide data to the CDC, other government entities, and researchers.

Examples

Arkansas Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Alabama Department of Public Health had a data breach in 2007, in Alabama. The personal information, including the names, ages and Social Security numbers of families enrolled in the state's ALL Kids health care coverage program, was accidentally sent to the wrong families last week. 1,554 affected families were alerted that some of their confidential information might have been released. (1,554 records involved) [source].

  

Delaware Health Statistics Center, Division of Public Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Alaska Department of Health and Social Services (DHSS) had a data breach in 2009, in Alaska. A portable electronic device that may have contained protected health information was stolen from the vehicle of a DHSS employee on or around October 12, 2009. The Health and Human Services (HHS) Office for Civil Rights (OCR) began an investigation after the incident. OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. DHSS was also found to have not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. Alaska DHSS agreed to pay a $1,700,000 settlement. [source].

  

Illinois Department of Public Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

American Cancer Society (ACS) had a data breach in 2006, in Kentucky. An unspecified number of laptop computers were stolen from the Louisville offices of the American Cancer Society. It is not clear what personal information was exposed, if any. [source].

  

Mississippi Dept of Health, Office of Health Informatics collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Baltimore County Department of Health had a data breach in 2007, in Maryland. A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and emergency contact information of patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen. (6000 records involved) [source].

  

Missouri Department of Health and Senior Services collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Cabinet for Health and Family Services had a data breach in 2012, in Kentucky. An employee was the victim of a phishing attack via email sent by a hacker. The employee's account was then compromised. Unauthorized activity was identified on the account within half an hour and the account was immediately disabled. [source].

  

New Hampshire Department of Health & Human Services collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Health Services had a data breach in 2007, in California. Benefit notification letters containing names, addresses, Medicare Part D plan names and premium payment amounts of some individuals enrolled in the California AIDS Drug Assistance Program (ADAP) were erroneously mailed to another enrollee. (54 records involved) [source].

  

New Jersey Department of Health & Senior Services collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Public Health had a data breach in 2010, in California. A magnetic tape was lost during shipping between West Covina and Sacramento on or around September 27. The health care facility staff and residents who were determined to have been affected were notified on November 23. Employee emails, employee background reports, investigative reports, names and diagnosis information on health care facility residents and Social Security numbers for CDPH workers were on the tape. [source].

  

New Mexico Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Public Health (CDPH) had a data breach in 2013, in California. A reel containing images of 2,000 State of California Birth Records from May through September of 1974 was found in a publicly accessible location. Names, Social Security numbers, addresses, and certain types of medical information were in the birth record images. People in Santa Clara, Santa Cruz, Shasta, Siskiyou, Solano, Sonoma, Stanislaus, Sutter, or Tehama counties and who were born or had a child born in 1974 between May and September were affected. (2,000 records involved) [source].

  

New York State Dept of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

California Department of Public Health, Bakersfield Memorial Hospital had a data breach in 2012, in California. The theft of a binder from an employee's car resulted in the exposure of sensitive patient information. The binder was stolen on or around May 7 and had information from a survey conducted at the Bakersfield Memorial Hospital. Patient names, dates of birth, ages, medications, room numbers, and medical record numbers were exposed. [source].

  

North Dakota Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Colorado Health Department had a data breach in 2005, in Colorado. A laptop containing Social Security numbers, medical records, family medical history, and addresses was stolen from an employee's car. The State Health Department is not monitoring the affected group and has only contacted some of the families involved. (1,600 records involved) [source].

  

Oklahoma State Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Medical Assistance Services, Affiliated Computer Services (ACS), Inc. had a data breach in 2012, in Virginia. The unauthorized disclosure of paper records may have resulted in the exposure of the protected health information of people associated with Department of Medical Assistance Services (DMAS). The incident related to DMAS's relationship with Affiliated Computer Services (ACS) and occurred sometime between November 2, 2011 and November 16, 2011. [source].

  

Rhode Island Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Department of Social and Health Services had a data breach in 2013, in Washington. A private contractor working for the Department of Social and Health Services discovered that their laptop had been stolen on February 4. The laptop was recovered in a pawn shop on February 14. It contained the names, ID numbers, psychological evaluations, dates of birth, diagnoses, dates of services, addresses, and last four digits of Social Security numbers of clients. (652 records involved) [source].

  

Office of Health Statistics, Tennessee Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Detroit's Health Department had a data breach in 2009, in Michigan. Police are investigating two incidents in which patients' medical records -- including Social Security numbers -- were stolen from the city's health department. The first theft occurred in late October when a flash drive was stolen from a health department employee's car. It contained files with birth certificate information for babies born in 2008 and the first half of 2009 whose parents reside in the 48202 and 48205 zip codes. Also part of the files was information on the mothers' names and health conditions, the fathers' names, addresses, Medicaid numbers and Social Security numbers. The second incident happened over the Thanksgiving break when five computers were stolen from the immunization program at the department's Herman Kiefer Health Complex. One of the computers contained Medicare and Medicaid seasonal flu billing information for 2008. (5,000 records involved) [source].

  

Texas Health Care Information Collection, Center for Health Statistics, Texas Department of State Health Services collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Florida Department of Children and Families had a data breach in 2008, in Florida. Social Security numbers, birth dates and other information about day-care workers in Orange, Seminole and Osceola counties were among the data on five laptop computers that were stolen from the DCF office near Orlando. (1,200 records involved) [source].

  

Office of Health Care Statistics, Utah Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Florida Department of Health had a data breach in 2013, in Florida. Information on personal drug prescriptions from the Florida Department of Health somehow ended up in the hands of prosecution lawyers. Names, addresses, phone numbers, pharmacies, and drug dosages were obtained by lawyers involved in six prescription-drug fraud cases. The American Civil Liberties Union of Florida began an investigation into how the records were exposed. [source].

  

Washington State Department of Health collects, sells or gives away statewide, person-specific information about hospital discharges [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Georgia Division of Public Health had a data breach in 2007, in Georgia. The GA Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding. (140000 records involved) [source].

  

Alameda County Public Health Department purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Gila County Health and Emergency Services (Payson WIC Office) had a data breach in 2012, in Arizona. A woman found thousands of applications for Women, Infants, and Children (WIC) support in a dumpster. Around 1,000 documents were originally reported in the dumpster. Additional documents were discovered when a local news team joined the woman at the dumpster a few days later. The applications included copies of driver's licenses, Social Security numbers, medical information, and many other types of sensitive information. An employee of the state agency said that the forms would normally be properly shredded, but were thrown out in a hurry without being checked. (1000 records involved) [source].

  

Anne Arundel County Health Department purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Green River District Health Department, Fox Technology Group (now part of Intergranetics) had a data breach in 2011, in Kentucky. The personal information of people who visited Green River District Health Department was accidentally placed online by Fox Technology. A resident notified the Department after discovering personal information online. Many visitor names were given with dates of birth; around half included Social Security information as well. The information was exposed sometime in October of 2010 or before. The problem was fixed soon after the Department was notified. UPDATE (3/16/2011): There were 18,871 visitors who were affected, not 9,986. [source].

  

Austin/Travis County Health and Human Services Department (HHSD) purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Hillsborough Health Department had a data breach in 2012, in Florida. An employee printed and removed sensitive client information for unknown purposes. The employee was dismissed and steps were taken to reduce the risk of similar employee thefts occurring. The employee removed the documents on February 15, 2012 and was not discovered until Hillsborough County Health Department was notified on May 25. Client names, Social Security numbers, dates of birth, phone numbers, patient identification numbers, type of visit, and other protected health information were exposed. (291 records involved) [source].

  

Broward Regional Health Planning Council purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Human Services Agency of San Francisco had a data breach in 2011, in California. A former city employee emailed the information of her caseload to her personal computer, two attorneys and two union representatives. The former employee wanted proof that she was fired for low performance because she had been given an unusually high number of cases. Certain MediCal recipients in San Francisco had their names, Social Security numbers and other personal information exposed. (2400 records involved) [source].

  

Ca Dept Of Public Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Illinois Department of Healthcare and Family Services had a data breach in 2012, in Illinois. The August 31 theft of a briefcase from the home of a contractor resulted in the exposure of nursing home residents. The briefcase contained names, Social Security numbers, Medicaid recipient numbers, and dates of birth. (508 records involved) [source].

  

California Department Of Healthcare Services purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Kanawha-Charleston Health Department had a data breach in 2009, in West Virginia. People who received flu shots from the agency since October are being warned that their personal information may have been stolen by a former department temporary worker. Information included their names, Social Security numbers, addresses and other personal information. (11000 records involved) [source].

  

Cdph Child And Adolescent Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Montana Public Health and Human Services Department had a data breach in 2006, in Montana. A state government computer was stolen from the office of a drug dependency program during a 4th of July break-in. It was not known if sensitive information such as SSNs was compromised. [source].

  

Center For Community Health, Monroe Cnty Doh purchases statewide personal hospital discharge data from at least NY [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

New Hampshire Department of Health and Human Services had a data breach in 2008, in New Hampshire. Health and Human Services mistakenly released the Social Security numbers and other personal information of Medicare Part D recipients. The information was mistakenly attached to an e-mail to health care organizations including nursing homes. (9300 records involved) [source].

  

County Of La- Dept Of Health Services purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

New Jersey Department of Health had a data breach in 2012, in New Jersey. Over 480 registered medical marijuana patients received an email from the New Jersey Department of Health. The email instructed them not to call New Jersey or the dispensary in Montclair to make an appointment. The email did not hide the email addresses of the recipients. [source].

  

County Of San Bernardino Public Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

North Carolina Department of Health and Human Services had a data breach in 2011, in North Carolina. A set of computer disks may have been accidentally discarded during an office renovation. The disks contained data from the Division of Services for the Deaf and Hard of Hearing and would have been taken to a landfill if they were accidentally discarded. Those who applied for services from the Division's Equipment Distribution Service between January of 2005 and December of 2008 may have had their information exposed. [source].

  

Department Of Public Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

North Carolina Dept. of Health and Human Services had a data breach in 2008, in North Carolina. A laptop computer belonging to a Division of Aging and Adult Services employee was stolen. The computer contained information about people receiving home and community services. [source].

  

DHMH purchases statewide personal hospital discharge data from at least MD [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Office of the New York City Public Advocate had a data breach in 2011, in New York. The group Anonymous claimed responsibility for hacking and publishing a database. The database consisted of names, addresses, telephone numbers, email addresses, medical conditions, domestic violence and abuse reports, descriptions of financial hardship, complaints about residential issues, and other very personal details of people who submitted this information via the Public Advocate's website. The submissions for assistance date from April 2010. UPDATE (12/28/2011): The NYC Office of the Public Advocate released a public notice. [source].

  

Department of Health FL purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Palm Beach County Health Department had a data breach in 2013, in Florida. A senior desk clerk was arrested for obtaining and releasing patient information for identity theft purposes. The dishonest employee took home client lists with names, Social Security numbers, and dates of birth. Patients born between 1991 and 1996 may have had their personal information misused. (2800 records involved) [source].

  

Department of Health FL, Bureau Of Environmental Public Health Medicine purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Palm Beach County Health Department had a data breach in 2012, in Florida. An employee was fired in May for creating and attempting to mail a list of names and Social Security numbers for purposes of identity fraud. It is unclear if the dishonest employee disclosed the information of other people before being caught. Some patients had already experienced fraudulent activity. People who may have been a patient in one of the Health Department Health Centers could have been affected. UPDATE (01/09/2013): The employee worked as a records clerk and was arrested on January 5, 2013. She had worked for Palm Beach County Health Department since 2006 and was charged with several counts of fraud. (86 records involved) [source].

  

Department of Health, Children's Medical Services purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Pennsylvania Public Welfare Department had a data breach in 2007, in Pennsylvania. Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen. The computer work stations were taken during an overnight break-in at an office. The mental health information on the computers identified people by codes and not by name. The information also was protected by multiple passwords, but full names and Social Security numbers of nearly 2,000 people were also on the computers. (2,000 records involved) [source].

  

Doh, Office Of Trauma purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Pima County Health Department had a data breach in 2006, in Arizona. Vaccination records on 2,500 clients had been left in the trunk of a car that was stolen Sept. 12. The car and records have since been recovered. Records included names, dates of birth and ZIP codes, but no SSNs or addresses. [source].

  

Dshs-Adult Chronic Disease purchases statewide personal hospital discharge data from at least TX [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Public Health - Seattle and King County had a data breach in 2013, in Washington. A custodian improperly disposed of client medical information on March 7. The records were from the Refugee Screening, WIC, and Needle Exchange programs. Patient names, dates of birth, phone numbers, addresses, medical record numbers, appointment dates, and medical condition or treatment may have been accessed. [source].

  

Florida Department Of Health purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Skagit County Health Department had a data breach in 2011, in Washington. A student ran a Google search on her own name in mid-September and discovered some of her private information online. Skagit County Health Department was notified. People who used services at other county departments also had information exposed. The types of information did not include credit card numbers, Social Security numbers, dates of birth, or addresses, but did include information from receipts for department services. [source].

  

Governor's Office of Health Care Policy and Finance ME purchases statewide personal hospital discharge data from at least ME [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Tennessee Department of Human Services had a data breach in 2009, in Tennessee. Doctors' offices in Tennessee have been accidentally sending patient information, including Social Security numbers and medical histories, to an Indiana businessman's fax machine for the past three years. The sensitive medical information was supposed to be sent to the Tennessee Department of Human Services, but the owner of SunRise Solar Inc. in Indiana says hundreds of confidential medical faxes have been coming to him. [source].

  

Health Planning Council Of Northeast Florida purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Texas Department of Health and Human Services had a data breach in 2008, in Texas. Information, including Social Security numbers that could be used to steal Medicaid clients' identities, may have been stored on two computers stolen during a burglary. Computers could have contained personal information only on e-mails. The e-mails, however, would normally contain only an individual's case number. It is unlikely those e-mails would have listed Social Security numbers. [source].

  

Humboldt County Hhs-Phb purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Texas Health and Human Services had a data breach in 2011, in Texas. The theft of a laptop from a nurse's car may have exposed names, dates of birth, genders, Medicaid client identification numbers, procedure codes, diagnosis codes, and other health information. The theft took place on March 10, 2011, but it was not until August that the risk to patient privacy was discovered. A notice was sent on September 9. [source].

  

Kern County Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Utah Department of Health, Goold Health Systems had a data breach in 2013, in Utah. An employee of Goold Health Systems lost an unencrypted USB memory stick that contained the information of around 6,000 Medicaid recipients in Utah. Goold Health Systems is a contractor for the Utah Department of Health. Medicaid recipient names, Medicaid identification numbers, ages, and recent prescription drug use were on the memory stick. The memory stick was lost during travel between Salt Lake City, Denver, and Washington. The loss was confirmed on Tuesday, January 15. [source].

  

King County Communicable Disease purchases statewide personal hospital discharge data from at least WA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Wellesley Health Department had a data breach in 2008, in Massachusetts. The town's health department mailed an envelope to a Medicare office in Boston; when the envelope arrived, it was open and the contents were missing. The material included Social Security numbers, addresses and dates of birth of seniors who had received flu shots from the town last fall. (480 records involved) [source].

  

La County Department Of Public Health purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Wisconsin Department of Health and Family Services had a data breach in 2008, in Wisconsin. Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million. (260,000 records involved) [source].

  

La County Dept Of Health Svcs purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Yates County Public Health had a data breach in 2006, in New York. A laptop computer used for Child Health Plus, Medicaid and Family Health Plus plans was stolen from a vehicle on October 20. It contained application information which included name, Social Security number, date of birth, driver's license number, bank account and personal checking information and employer information. At least 68 New York residents were affected, but the total number of affected individuals nationwide was not revealed. (68 records involved) [source].

  

Leon County Health & Human Services purchases statewide personal hospital discharge data from at least FL [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Yuba County Health and Human Services had a data breach in 2007, in California. A laptop stolen from a building contained personally identifiable information of individuals whose cases were opened before May 2001. The laptop was being used as a backup system for the county's computer system. The data include Social Security numbers, birth dates, driver's license numbers and other private information. (70,000 records involved) [source].

  
  




Copyright © 2012-2016 President and Fellows Harvard University.