The HIPAA “Wall Of Shame”

If you’re already following HIPAA compliance-related news, you’re probably already familiar with the “Wall of Shame.” If you’re just getting started, read on. The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to report breaches of protected health information (PHI) to the U. S. Department of Health and Human Services (HHS). Breach means the acquisition, access, use or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the protected health information. HHS then investigates the breaches and the outcome can range from minor corrective actions to big monetary fines.

But that’s not all. Under the HITECH Act passed in 2009, the Secretary of HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted online at the HHS’ website for the world to see. This list is known in HIPAA circles as the “Wall of Shame.” The website link — Click Here – allows the download of the list into Microsoft Excel and includes information such as the name of the covered entity responsible for the breach, when it was reported, the number of individuals affected by the breach and brief summaries of the breach cases that OCR has investigated and closed.

Breach reporting began September 23, 2009. As of December 19, 2016, there were 1,775 breaches disclosed on the Wall of Shame, each representing the unauthorized disclosure of the PHI of at least 500 individuals. An example of a breach summary available on the WALL OF SHAME is this record of a breach that was submitted July 11, 2016:

Health Incent, the covered entity (CE), discovered on June 8, 2016 that a patient database containing electronic protected health information (ePHI) was available on the internet through web searches.  The breach affected 1,100 individuals and the types of ePHI involved in the breach included patient names, dates of birth, email addresses, and mailing addresses.  The CE provided timely breach notification to HHS, affected individuals, and the media.  The CE successfully contacted all affected individuals who did not receive the initial notification.  In response to the breach, CE sanctioned those responsible for the breach and created a new process for uploading files to its website.  OCR obtained assurances from CE that it implemented the corrective actions noted above.

A review of the 1,775 records in the WALL OF SHAME yields some interesting facts:

  • Individual’s Impacted To-Date: 169,839,784 individuals
  • Average Size of Breaches: 95,684 individuals affected per breach
  • Top 5 Breaches To-Date:
    • Anthem, Inc. (health plan)—Unauthorized disclosure of the PHI of 78,800,000 individuals in a hacking/IT incident reported March 13, 2015.
    • Premera Blue Cross (health plan)—Unauthorized disclosure of the PHI of 11,000,000 individuals in a hacking/IT incident reported March 17, 2015.
    • Excellus Health Plan, Inc. (health plan)—Unauthorized disclosure of the PHI of 10,000,000 individuals in a hacking/IT incident reported September 9, 2015.
    • Science Applications International Corporation (SAIC) (business associate)—Unauthorized disclosure of the PHI of 4,900,000 individuals in a loss incident reported November 4, 2011.
    • In a tie for 5th place, Community Health Systems Professional Services Corporation (business associate) and University of California, Los Angeles Health (healthcare provider) exposed the PHI of 4,500,000 individuals each in separate incidents—one a theft and the other a hacking/IT incident reported August 20, 2014 and July 11, 2015, respectively.
  • Cause of Breaches: The #1 cause of breaches is the combination of “Theft” (762 occurrences) and “Loss” (148 occurrences) totaling 910 breaches. The top three types of breach include:
    • 910—Theft/Loss (of a device or hardcopy records)
    • 425—Unauthorized Access/Disclosure
    • 250—Hacking/IT

Now you know why it is so important to encrypt the hard drives of laptops, workstations and other devices that contain or may PHI as they are so easily stolen!

In summary, the Wall of Shame is an embarrassing place to be if your organization is listed. But it also serves a useful purpose as a place where covered entities and business associates can learn from the mistakes of others and course-correct before it happens to them.

Related blog post: HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?

Leave a Reply

Your email address will not be published. Required fields are marked *