Electronically protected health information (ePHI) has become a target for malicious attack, according to a recent report by Redspin, Inc., a provider of HIPAA risk analysis and IT security assessment services. The report was conducted between August 2009-- when the HITECH breach notification interim final rule (IFR) went into effect---and the end of 2010. The findings were based on 225 security breaches affecting 6,067,751 individuals. Redspin's analysis focuses on single breaches affecting more than 500 people. Such large scale breaches must be reported on a timely basis to individuals, the media and the HHS Secretary according to the HHS Office of Civil Rights' regulations. The regulations also require business associates of covered entities to notify the covered entity of such breaches at or by the business associate.