The feds' dishonor roll of entities that have sustained a HIPAA breach of 500 individuals or more has topped 2,000 for the first time.
If you go directly to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information -- informally known as the Wall of Shame -- you'll find that there are 1,674 resolved reports of HIPAA breaches involving 500 or more individuals, and 357 such breach reports that are currently under investigation, for a grand total of 2,031 since 2009.
Various sources, including HIPAA Journal and the McDonald Hopkins law firm, noted the milestone earlier this month. HIPAA breaches are impermissible uses or disclosures under the HIPAA Privacy Rule that compromise the security or privacy of protected health information (PHI).
This doesn't count the tens of thousands of breaches affecting fewer than 500 individuals, which are also reportable, though these affected entities have up to 60 days after discovery to tell OCR about it, while 500-and-over breaches must be reported to both OCR and the affected individuals immediately -- and are more likely to draw an OCR press release and a huge fine (and a spot on the Wall).
It's worth remembering, though, that you can be fined millions of dollars for small breaches if the breach is egregious enough -- as when a Texas hospital outed an undocumented immigrant's PHI in 2015 and had to pay $2.4 million.