Security Breach Notification

SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.
Continue Reading Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

A thoughtful reader commented on a recent blog post in this series by highlighting the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach.
Continue Reading A Reader’s Comment about a Third Potential Posting on the HHS Breach Parade for Massachusetts Eye and Ear Infirmary

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.
Continue Reading As the Breach Parade Passes 500 Marchers: Should There be a Posting on the HHS List for a Third Massachusetts Eye and Ear Infirmary Breach?

The recent paucity of postings of summaries on the Department of Health and Human Services list of large HIPAA privacy breaches by the federal Office of Civil Rights dampens the educational value that can be derived therefrom by covered entities and business associates.
Continue Reading As the Parade of Major PHI Breaches Marches Ever Onward, Where Have All the OCR Summaries Gone?

Within the last week, The Boston Globe has reported that venerable Boston Children’s Hospital, the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach that occurred in Buenos Aires, Argentina.
Continue Reading Boston Children’s Hospital: Reported Large PHI Security Breach in Argentina Gives the Parade a New International Flavor

On March 30, 2012, a large data security breach, which has not yet been posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI, was experienced by the Utah Department of Technology Services on a computer server that stores Medicaid and Children’s Health Insurance Program claims data.
Continue Reading Utah Department of Health: A Bold Repeat Marcher in the Parade of Major PHI Security Breaches

On February 24, 2012, HHS posted number 400 on its ever-lengthening list of breaches of unsecured PHI affecting 500 or more individuals. Theft of laptops is a recurrent source of such breaches, and the 400th breach was such an incident affecting Triumph, LLC in North Carolina.
Continue Reading The Parade of Major Reported PHI Breaches Hits 400 – A Closer Look at Victim 400 and its Actions in Response to the Breach – Part 2