This is a list of 28 data breaches at healthcare organizations that occurred in the past six months, beginning with the most recent.
1. A staff member at the Lexington (Ky.) VA Medical Center took home patient files, slides, images and data on his laptop without authorization. The data held approximately 1,900 veterans' personal information, including names, the last four digits of Social Security numbers, dates of birth and medical diagnoses.
2. Southern California Medical-Legal Consultants, which represents physicians and hospitals seeking payment from patients receiving workers' compensation, unknowingly had medical files for nearly 300,000 Californians unsecured on the Internet. The records included insurance forms, Social Security number and physicians' notes.
3. St. Francis Hospital in Wilmington, Del., recovered a thumb drive that was misplaced last week, causing the hospital to alert 500 patients to a possible data breach. The information on the drive included the patients' names but not Social Security numbers, addresses, telephone numbers, health insurance or billing information.
4. A Health Net data breach in January may have affected more people than initially thought: Health Net originally said the data breach affected 2 million nationwide, including 124,000 in Oregon. Now, however, Health Net has found that 6,300 more people in Oregon were affected.
5. A data breach at Boston-based Brigham and Women's Hospital and Faulkner Hospital in Jamaica Plain, Mass., may have involved 638 patients' medical records. The physician notified the hospital and said patient information had been downloaded to the drive and then deleted.
6. A mailroom employee at Mills-Peninsula Medical Center in Burlingame, Calif., stole medical records of roughly 1,500 patients. Most of the records contained patient names and diagnostic test results. Fifteen stolen records included patient addresses and either insurance identification of Social Security numbers.
7. One of Boston-based Beth Israel Deaconess Medical Center's computer service vendors failed to restore security settings on a computer, which later was found to have a virus and transmitted data files of 2,021 patients to an unknown location. The computer contained names, genders, birthdates, medical record numbers and names and dates of radiology procedures, but it did not include financial data or Social Security numbers.
8. Winston-Salem, N.C.-based Wake Forest Baptist Medical Center had a data breach of medical records and documents that affected 357 people. Linda Bowden Turner, an employee fired on June 1, had taken pages from 136 patient medical records and 221 employee documents, which included Social Security numbers of past and current employees.
9. A city employee who was working as a nurse at Memorial Hospital in Colorado Spring, Colo., was accused of improperly accessing 2,500 patient medical records. Investigators reported the nurse was most likely not using the information for identity theft but did not disclose any other reason for why she accessed the records.
10. A laptop that contained the names and birth dates of roughly 2,000 patients at Hurley Medical Center in Flint, Mich., went missing. The laptop did not include Social Security numbers or addresses.
11. Approximately 880 patients at Troy (Ala.) Regional Medical Center had some of their personal information improperly accesses and removed from the hospital. Patient data that was taken included name, address, date of birth, Social Security number and medical record number, the release said.
12. The Colorado Department of Health Care Policy and Financing lost personal data on 3,590 medical-aid applicants. While data such as date of birth and Social Security number were not on the lost computer disk, health data protected under HIPAA as well as addresses and state identification numbers for the applicants were.
13. A data breach at the California Department of Public Health affected the personal and workers' compensation information of nearly 9,000 current and former employees. Stolen information included names, addresses, Social Security numbers, birth dates and other personal records.
14. A Colorado nurse who worked occasionally at Boulder (Colo.) Community Hospital improperly accessed information of 74 patients. Cannon Tubb, who has already been indicted on 90 charges of attempted theft, identity theft and theft of medical records at two other Colorado hospitals, is now under investigation for looking up demographic information of BCH patients, although hospital officials were uncertain what specific information had been taken.
15. An employee of Miami-based Jackson Health System accessed confidential patient information of 1,800 people. The employee no longer works for the system and all affected patients were alerted of the situation and offered free fraud protection.
16. A woman stole medical records of approximately 4,500 patients at Trinity Medical Center in Birmingham, Ala. The medical records included names, birth dates and Social Security numbers.
17. Spartanburg (S.C.) Regional Hospital notified thousands of patients of a possible data breach of their personal and medical information after a hospital laptop was stolen from a hospital employee's car. The laptop contained sensitive information including but not limited to addresses and Social Security numbers. The report did not include how many patients were affected.
18. A data breach at Reedsport, Ore.-based Dunes Family Health Care may have affected an undisclosed number of current and former patients of the family health clinic. Many of the stolen files contained patients' Social Security numbers and other personal information. Other files did not include SSNs but may have included a name, date of birth, address or clinical information.
19. A laptop containing protected health information for approximately 6,000 patients was stolen from Speare Memorial Hospital in Plymouth, N.H. Personal health information on the laptop included patient names, address, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes and diagnosis codes.
20. The medical and billing records of approximately 1,200 patients at Minneapolis-based Fairview Health Services went missing during a move to a new office. The medical and billing records included patients' names, birth dates and medical diagnoses.
21. Personal pay stub data of some UMass Memorial Healthcare employees was exposed to unauthorized access for five months during a computer access breach. The potentially exposed personal information included names, bank names, bank transit numbers and bank account numbers but not Social Security numbers or medical records.
22. MidState Medical Center in Meriden, Conn., announced an employee of Hartford Hospital has been dismissed following an investigation into the employee's improper transfer of 93,500 MidState patients' information to a personal hard drive. The hard drive contained patients' names, addresses, birth dates, Social Security numbers and medical record numbers.
23. A hospital computer and television were stolen from Eisenhower Medical Center in Rancho Mirage, Calif. The computer was password protected but not encrypted. It contained an electronic index with limited patient information, including patient names, ages, dates of birth, the last four digits of Social Security numbers and the hospital's medical record number.
24. Portland (Ore.) Veterans Affairs Medical Center may have lost a bundle of patient identification cards that went missing after they were mailed back to the facility. The identification cards have veterans' names, photographs and special eligibility indicators printed on them.
25. Saint Francis Hospital at Broken Arrow (Okla.) experienced a burglary and theft of a computer from a secured information systems room that contained personal information on 84,000 patients. The data contained the names, the Social Security numbers, addresses and diagnostic information on patients who were treated prior to 2004.
26. The private information of 3,655 patients at Charleston (W.V.) Area Medical Center was affected by a data breach. Patients' names, addresses, birth dates, Social Security numbers, patient IDs and other sensitive data were easily accessible on WVChamps.com, a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.
27. The University of Massachusetts Amherst notified University Health Services patients that their protected health information was possibly breached after a workstation was inadvertently infected with a malware program. The data contained 942 patients' names, health insurance company names, medical record numbers and information on prescriptions dispensed between Jan. 2, 2009-Nov. 17, 2009, including the medication, dispensing pharmacist, quantity, length of prescription and physician's name.
28. Three employees at University of Iowa Hospitals and Clinics were fired after a hospital investigation found they inappropriately breached electronic medical records of 13 Iowa football players.
1. A staff member at the Lexington (Ky.) VA Medical Center took home patient files, slides, images and data on his laptop without authorization. The data held approximately 1,900 veterans' personal information, including names, the last four digits of Social Security numbers, dates of birth and medical diagnoses.
2. Southern California Medical-Legal Consultants, which represents physicians and hospitals seeking payment from patients receiving workers' compensation, unknowingly had medical files for nearly 300,000 Californians unsecured on the Internet. The records included insurance forms, Social Security number and physicians' notes.
3. St. Francis Hospital in Wilmington, Del., recovered a thumb drive that was misplaced last week, causing the hospital to alert 500 patients to a possible data breach. The information on the drive included the patients' names but not Social Security numbers, addresses, telephone numbers, health insurance or billing information.
4. A Health Net data breach in January may have affected more people than initially thought: Health Net originally said the data breach affected 2 million nationwide, including 124,000 in Oregon. Now, however, Health Net has found that 6,300 more people in Oregon were affected.
5. A data breach at Boston-based Brigham and Women's Hospital and Faulkner Hospital in Jamaica Plain, Mass., may have involved 638 patients' medical records. The physician notified the hospital and said patient information had been downloaded to the drive and then deleted.
6. A mailroom employee at Mills-Peninsula Medical Center in Burlingame, Calif., stole medical records of roughly 1,500 patients. Most of the records contained patient names and diagnostic test results. Fifteen stolen records included patient addresses and either insurance identification of Social Security numbers.
7. One of Boston-based Beth Israel Deaconess Medical Center's computer service vendors failed to restore security settings on a computer, which later was found to have a virus and transmitted data files of 2,021 patients to an unknown location. The computer contained names, genders, birthdates, medical record numbers and names and dates of radiology procedures, but it did not include financial data or Social Security numbers.
8. Winston-Salem, N.C.-based Wake Forest Baptist Medical Center had a data breach of medical records and documents that affected 357 people. Linda Bowden Turner, an employee fired on June 1, had taken pages from 136 patient medical records and 221 employee documents, which included Social Security numbers of past and current employees.
9. A city employee who was working as a nurse at Memorial Hospital in Colorado Spring, Colo., was accused of improperly accessing 2,500 patient medical records. Investigators reported the nurse was most likely not using the information for identity theft but did not disclose any other reason for why she accessed the records.
10. A laptop that contained the names and birth dates of roughly 2,000 patients at Hurley Medical Center in Flint, Mich., went missing. The laptop did not include Social Security numbers or addresses.
11. Approximately 880 patients at Troy (Ala.) Regional Medical Center had some of their personal information improperly accesses and removed from the hospital. Patient data that was taken included name, address, date of birth, Social Security number and medical record number, the release said.
12. The Colorado Department of Health Care Policy and Financing lost personal data on 3,590 medical-aid applicants. While data such as date of birth and Social Security number were not on the lost computer disk, health data protected under HIPAA as well as addresses and state identification numbers for the applicants were.
13. A data breach at the California Department of Public Health affected the personal and workers' compensation information of nearly 9,000 current and former employees. Stolen information included names, addresses, Social Security numbers, birth dates and other personal records.
14. A Colorado nurse who worked occasionally at Boulder (Colo.) Community Hospital improperly accessed information of 74 patients. Cannon Tubb, who has already been indicted on 90 charges of attempted theft, identity theft and theft of medical records at two other Colorado hospitals, is now under investigation for looking up demographic information of BCH patients, although hospital officials were uncertain what specific information had been taken.
15. An employee of Miami-based Jackson Health System accessed confidential patient information of 1,800 people. The employee no longer works for the system and all affected patients were alerted of the situation and offered free fraud protection.
16. A woman stole medical records of approximately 4,500 patients at Trinity Medical Center in Birmingham, Ala. The medical records included names, birth dates and Social Security numbers.
17. Spartanburg (S.C.) Regional Hospital notified thousands of patients of a possible data breach of their personal and medical information after a hospital laptop was stolen from a hospital employee's car. The laptop contained sensitive information including but not limited to addresses and Social Security numbers. The report did not include how many patients were affected.
18. A data breach at Reedsport, Ore.-based Dunes Family Health Care may have affected an undisclosed number of current and former patients of the family health clinic. Many of the stolen files contained patients' Social Security numbers and other personal information. Other files did not include SSNs but may have included a name, date of birth, address or clinical information.
19. A laptop containing protected health information for approximately 6,000 patients was stolen from Speare Memorial Hospital in Plymouth, N.H. Personal health information on the laptop included patient names, address, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes and diagnosis codes.
20. The medical and billing records of approximately 1,200 patients at Minneapolis-based Fairview Health Services went missing during a move to a new office. The medical and billing records included patients' names, birth dates and medical diagnoses.
21. Personal pay stub data of some UMass Memorial Healthcare employees was exposed to unauthorized access for five months during a computer access breach. The potentially exposed personal information included names, bank names, bank transit numbers and bank account numbers but not Social Security numbers or medical records.
22. MidState Medical Center in Meriden, Conn., announced an employee of Hartford Hospital has been dismissed following an investigation into the employee's improper transfer of 93,500 MidState patients' information to a personal hard drive. The hard drive contained patients' names, addresses, birth dates, Social Security numbers and medical record numbers.
23. A hospital computer and television were stolen from Eisenhower Medical Center in Rancho Mirage, Calif. The computer was password protected but not encrypted. It contained an electronic index with limited patient information, including patient names, ages, dates of birth, the last four digits of Social Security numbers and the hospital's medical record number.
24. Portland (Ore.) Veterans Affairs Medical Center may have lost a bundle of patient identification cards that went missing after they were mailed back to the facility. The identification cards have veterans' names, photographs and special eligibility indicators printed on them.
25. Saint Francis Hospital at Broken Arrow (Okla.) experienced a burglary and theft of a computer from a secured information systems room that contained personal information on 84,000 patients. The data contained the names, the Social Security numbers, addresses and diagnostic information on patients who were treated prior to 2004.
26. The private information of 3,655 patients at Charleston (W.V.) Area Medical Center was affected by a data breach. Patients' names, addresses, birth dates, Social Security numbers, patient IDs and other sensitive data were easily accessible on WVChamps.com, a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.
27. The University of Massachusetts Amherst notified University Health Services patients that their protected health information was possibly breached after a workstation was inadvertently infected with a malware program. The data contained 942 patients' names, health insurance company names, medical record numbers and information on prescriptions dispensed between Jan. 2, 2009-Nov. 17, 2009, including the medication, dispensing pharmacist, quantity, length of prescription and physician's name.
28. Three employees at University of Iowa Hospitals and Clinics were fired after a hospital investigation found they inappropriately breached electronic medical records of 13 Iowa football players.