The number of entities reporting breaches of unsecured PHI affecting at least 500 individuals to the Office for Civil Rights, the enforcer of the HIPAA privacy and security rules, reached 265 as of Friday.
By the middle of March, 249 entities had reported breaches, meaning a spike of 16 in the last 45 days, behind the pace established since OCR began posting the breaches more than a year ago.
OCR, per a provision in the Health Informational Technology for Economic and Clinical Health (HITECH) Act, began posting the entities and information about their large breaches in February 2010. In 15 months, an average of about 18 reports per month – or a little more than one every other day -- has surfaced on the OCR website.
Health insurance giant Health Net, Inc. earned the spot as the largest on the list after it reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in March. On the Health Net report, the "type of breach" is "unknown," and the "location of breached info" is listed as "other."
At No. 2 is a breach in Manhattan that affected 1.7 million patients. On February 9, The New York City Health and Hospitals Corporation (HHC) reported that it began to notify the affected patients, staff, contractors, vendors, and others who were treated by and/or provided services during the past 20 years.
Prior to that, the breach affecting the most individuals for a large chunk of time was AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.