Skip to main content

Reported data breaches - 2016, HHS

In 2016, the Office of Civil Rights at Health and Human Services is expected to conduct HIPAA Phase 2 audits at about 350 Covered Entities. They will check to see that a robust security policy is in place. For more details, see our post about these audits.

The U.S. Department of Health and Human Services, Office for Civil Rights, maintains a database of data breaches of protected health information affecting 500 or more individuals. The table we provided on this page is a summary of a search of the database for breach records pulled for 2015 as of January 14, 2017. It is often the case that HHS will post additional breach reports for previous years as the information comes available, so the number of breaches and affected individuals may rise.

Type of Reported Breach
Jan 1, 2016 - Dec 31, 2016, reported as of 1/14/17
Individuals Affected Covered Entities Impacted
Hacking/IT Incident 12,521,559 90
Improper Disposal 2,000 1
Loss 63,471 10
Theft 823,551 39
Unauthorized Access/Disclosure 1,057,414 47
Grand Total 14,467,995 187

You can search the database yourself at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. The organizations that make up the 11 "losses" or "improper disposal" that caused potential data breaches are listed here:

Name of Covered Entity State
Linda J White, DDS, PC VA
Aetna Inc. CT
OptumHealth New Mexico MN
Briar Hill Management MS
MGA Home Healthcare Colorado, Inc. AZ
The Outer Banks Hospital NC
Edwin Shaw Rehabilitation OH
W. Christopher Bryant DDS PC MI
Karmanos Cancer Center MI
Grx Holdings, LLC dba Medicap Pharmacy IA
New West Health Services d/b/a New West Medicare MT


Cascade also maintains a list of data breaches related to poorly managed IT Asset Disposition programs. If you want justification for managing a comprehensive and effective data destruction program, use this information to support your position.