This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening parade of List Breaches.

The first postings on the HHS List occurred on March 4, 2010. Therefore, it took almost exactly two years to reach the 400 level, which means that List Breaches have been posted at an average rate of 200 per year.


A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat entrants into the parade. This blog series has reported on a number of them, such as Henry Ford Health System with 3 List Breaches and University of Rochester Medical Center with 2 List Breaches. (In some cases assumptions had to be made as to repeat entrants because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.) 


Based on the assumptions and the review, there were 28 covered entities with 2 List Breaches, 16 covered entities with 3 List Breaches and 1 covered entity with 4 List Breaches (counting multiple divisions as one covered entity). Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches.


Of the total of 400 List Breaches, 223 attributed the breach, in whole or in part, to “Theft.” As a matter of fact, the 400th List Breach was reported by Triumph, LLC as the theft, on December 13, 2011, of a laptop, affecting 2,000 individuals at several of its North Carolina behavioral and psychiatric facilities.


While the parade of List Breaches continues to grow, many more PHI data breaches involving fewer than 500 individuals are occurring as well. As this blog series has emphasized in the past, it is more a question of when a covered entity will suffer a PHI data breach and how severe the breach will be, rather than if it will suffer a breach.