HHS Finds HIPAA Breaches Cost $6.2 Billion Annually & Hospitals $408 Per Record; Save the Date for Nat'l HIPAA Summit XXIX
  • A Hybrid Conference and Internet Event
  • March 3 - 5, 2020
  • Media Partners: Harvard Health Policy Review and Health Affairs
  • Onsite at the Hyatt Regency Crystal City, Arlington, VA
  • Online in Your Own Office or Home Live via the Internet with 24/7 Access for Six Months
  • www.HIPAASummit.com
Phone: 800-503-7417
Email: registration@hcconferences.com
Website: www.HIPAASummit.com
Speaker/Presentation Proposals for the HIPAA Summit may be submitted through our online form.


The U.S. healthcare system lost $6.2 billion in 2016 due to data breaches, with the average data breach costing healthcare organizations $2.2 million and an average cost to hospitals of $408 per record, according to an HHS report covering data from 2016 to 2018.


Below are the 10 most common HIPAA violations, according to the HIPAA Journal.

  1. Snooping on healthcare records.
  2. Failure to perform an organization-wide risk analysis.
  3. Failure to manage security risks/Lack of a risk management process.
  4. Failure to enter into a HIPAA-compliant business associate agreement.
  5. Insufficient ePHI access controls.
  6. Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices.
  7. Exceeding the 60-day deadline for issuing breach notifications.
  8. Impermissible disclosure of protected health information.
  9. Improper disposal of PHI.
  10. Denying patient access to health records/exceeding timescale for providing access.



  1. Quest Diagnostics notified 11.9 million patients of a data breach that happened at one of its billing collections vendors.
  2. Medical testing company Laboratory Corp. of America learned 7.7 million of its patients may have had their data exposed in the same vendor breach as Quest Diagnostics.
  3. Nine employees within Oregon's Department of Human Services opened a phishing email on Jan. 8 that may have exposed around 645,000 people.
  4. Cancer Treatment Centers of America learned that an email account of an employee at its Atlanta-based Southeastern Regional Medical Center was the target in a phishing attack that may have exposed 16,819 patients.
  5. Forsyth, Ga.-based Monroe County Hospital mailed letters to 10,970 patients to alert them that their personal health information may have been exposed.
  6. Humana has notified 5,569 members of a security incident that may have exposed members' personal information.
  7. UMass Memorial Health Care's behavioral health service in Worcester sent letters to 4,598 patients notifying them of an April 18 data breach.
  8. Crown Point, Ind.-based Franciscan Health sent letters to 2,200 patients that an employee had viewed their records "without a business reason."
  9. Grand Rapids, Mich.-based Mercy Health notified approximately 1,000 patients on May 24 about a data breach that may have exposed patient data.
  10. Vision and dental insurer Dominion National notified an unknown number of members of a data security incident that may have caused personal information to be exposed.
  11. Meditab, an EMR and practice management software provider, has notified two healthcare providers in Maryland that their patients' personal health information may have been exposed.
  12. Both Olean (N.Y.) Medical Group and Seneca Nation Health System in Salamanca, N.Y., lost access to their computer and EHR systems following recent cyberattacks on the organizations.
  13. Lake City, Fla., officials agreed to pay cybercriminals $426,000 on June 24 after a ransomware attack locked them out of systems.
  14. A Boardman, Ohio-based urology program was cyberattacked on June 10, with hackers demanding $75,000 in bitcoin for the encrypted files.
  15. Kingman (Ariz.) Regional Medical Center notified patients of a potential security incident that affected its website.
  16. Opko Health was the third healthcare company to learn its patients were affected in the American Medical Collection Agency data breach.
  17. Some personal information from University of Chicago Medicine patients and donors was mistakenly exposed on June 3.


  1. Inmediata Health Group, a healthcare clearinghouse company, has notified its customers of a data breach that may have exposed the personal information of more than 1.5 million people.
  2. Gulfport (Miss.) Anesthesia Services sent letters to 14,000 patients alerting them that their files had gone missing from the practice's storage facility.
  3. An employee at Independent Health emailed the information of 7,600 members on March 19 to an unauthorized individual.
  4. Centennial, Colo.-based Centura Health began notifying 7,515 patients in May that their information may have been exposed due to a phishing attack.
  5. Cincinnati-based TriHealth has alerted 2,433 patients that their data may have been shared with a student mentee in June 2018.
  6. Seattle-based Bloodworks Northwest is notifying 1,893 patients of a March data breach that may have exposed patients' personal information.
  7. St. Joseph, Mich.-based Spectrum Health Lakeland is notifying 1,100 patients about a data breach at its billing services vendor that may have put patients' personal information at risk.
  8. Philadelphia-based Penn Medicine alerted around 900 patients that their information may have been improperly viewed by a former medical assistant at the hospital.
  9. Houston-based Memorial Hermann Health System is notifying more than 600 patients that their financial information may have been exposed.
  10. An employee at Toledo, Ohio-based ProMedica stole patient data between April 2017 and March 2019, the U.S. Secret Service alleges.
  11. Columbus (Wis.) Community Hospital began notifying patients May 24 that a phishing attack at one of its vendors may have exposed their data.
  12. Microsoft is alerting users of its operating systems that a bug, which it has since released patches for, could be used as a cyber-weapon similar to the WannaCry worm.
  13. Hackers stole more than $40 million worth of bitcoin on May 4 from one of the world's largest cryptocurrency exchanges.
  14. A Paramus, N.J.-based orthopedic surgeon is alerting patients that their personal information may have been exposed due to a ransomware attack in January at his practice.
  15. A phishing attack on an employee's email account at Oregon State Hospital may have exposed patients' protected health information.
  16. The Department of Homeland Security and Philips issued an alert that the information technology vendor's EMR system Tasy has a cross-site scripting vulnerability that could put patient information at risk.
  17. Security researchers uncovered two vulnerabilities in Cisco enterprise routers that could allow hackers to remotely and fully compromise a router's network without alerting the user.


  1. A cyberattack last July on Macon, Ga.-based Navicent Health's employee email account system may have affected 278,016 patients' personal information.
  2. Ontario, Calif.-based Centrelake Medical Group is alerting 197,661 patients that their personal health information may have been exposed because of a computer virus.
  3. Personally identifiable data for approximately 145,000 patients at the Levittown, Pa.-based Steps to Recovery addiction treatment facility and the Ohio Addiction Recovery Center in Columbus was exposed in a searchable online database.
  4. Columbia, S.C.-based Palmetto Health, now known as Prisma Health, was targeted in a phishing attack that may have put the information of 23,000 patients at risk.
  5. Springfield, Mass.-based Baystate Health notified about 12,000 patients of a Feb. 7 phishing attack.
  6. Blue Cross of Idaho is notifying 5,600 members of a March 21 data breach that allowed an unauthorized user to gain access to the organization's online provider portal.
  7. AltaMed Health Services Corp. has sent letters to 5,500 patients about a security breach that may have impacted their personal health information.
  8. The Veterans Health Administration is notifying 4,882 veterans who were treated at the Martinsburg (W.Va.) VA Medical Center that their personal health information may have been mailed out in letters to other patients.
  9. Humana told 522 members that a limited amount of their personal data may have been exposed during a data security incident at the beginning of 2019.

April, continued...

  1. Bangor, Maine-based Northern Light Acadia Hospital mistakenly emailed the names of 300 patients who had prescriptions for Suboxone.
  2. Physician staffing company EmCare is alerting patients, employees and contractors about a Feb. 19 data breach that exposed their personal data.
  3. Microsoft emailed an unknown number of users April 12 across its Outlook, MSN and Hotmail platforms alerting them of a data breach that occurred between Jan. 1 and March 28.
  4. A Cleveland-based University Hospitals Rainbow Babies and Children's Hospital employee emailed a message to a group of patients, inadvertently allowing the recipients to see each other's email addresses.
  5. Anchorage-based University of Alaska is alerting individuals about a computer data breach that may have affected email accounts.


  1. The Oregon Department of Human Services reported an email phishing attack on 2 million agency emails that may have exposed the medical information of more than 350,000 people.
  2. Medical device and software developer Zoll has notified 277,319 patients of a security incident that put their personal and medical information at risk from Nov. 8 to Dec. 28, 2018.
  3. Health Alliance Plan and Blue Cross Blue Shield of Michigan have alerted nearly 270,000 members combined that their personal information may have been compromised after a data breach at the payers' mailing service vendor in September 2018.
  4. Chicago-based Rush University Medical Center sent letters to as many as 45,000 patients notifying them of a potential data security incident in May 2018.
  5. A security breach at the former medical center of Greenville, S.C.-based St. Francis Physician Services may have compromised data from more than 32,000 patients.
  6. Elizabeth City, N.C.-based Pasquotank-Camden Emergency Medical Services posted a notice about a February cybersecurity incident that may have affected 20,420 people.
  7. A ransomware attack on a Grand Haven, Mich.-based North Ottawa Community Health System's vendor may have compromised data from about 15,000 patients.
  8. Concord, Mass.-based Emerson Hospital sent letters to 6,314 patients alerting them of a May 2018 cybersecurity attack that may have affected their information.
  9. Officials within Arizona's Medicaid program reportedly sent personal health information of 3,146 patients to incorrect home addresses.
  10. A fax server error within Meditab, a company that develops software for EHRs, left thousands of physicians’ notes and patient information vulnerable for anyone to access.


  1. Seattle-based UW Medicine sent letters to 974,000 patients notifying them of a Dec. 4, 2018, data error that allowed patient information to come up in internet searches.
  2. Farmington-based University of Connecticut Health sent letters to up to 326,000 patients notifying them of a recent data security incident. UConn Health discovered several employee email accounts were attacked on Dec. 24, 2018.
  3. Springs, Fla.-based AdventHealth notified 42,161 patients about an August 2017 data breach that may have exposed personal information.
  4. Memorial Hospital at Gulfport (Miss.) sent letters to roughly 30,000 patients Feb. 15 notifying them of a data breach. The hospital discovered an employee's email account was victim to a phishing attack Dec. 17, 2018.
  5. Nearly 24,000 patients may have had their protected health information breached in a recent hacking incident at Dr. DeLuca & Dr. Marciano Eye Associates, the Prospect, Conn.-based optometry practice.
  6. Pawnee City, Neb.-based Pawnee Country Memorial Hospital notified 7,175 patients that some of their protected health information may have been exposed when a hospital employee was tricked by a phishing email in November 2018.
  7. Blue Earth, Minn.-based United Hospital District notified 2,143 patients about a June 2018 phishing scheme. A hospital employee's email account was compromised in a phishing attack June 10-27, 2018.
  8. Colorado Springs, Colo.-based Rocky Mountain Health Care Services sent letters to 971 patients alerting them that an employee's laptop was stolen May 15, 2018.
  9. Chicago-based Rush University Medical Center inadvertently exposed the names of 908 patients in a paper mailing announcing the retirement of a certified nurse practitioner at its Epilepsy Center.
  10. Rutland (Vt.) Regional Medical Center said it planned to mail letters to an undisclosed number of affected patients notifying them of a recent data breach. The hospital discovered the breach after an employee noticed an increased number of spam emails being sent from his or her account Dec. 21, 2018.
  11. Box Elder, Mont.-based Rocky Boy Health Center posted a security breach notice on its website, alerting patients of a Jan. 14 incident that may have put medical records at risk.
  12. Roper St. Francis Healthcare in Charleston, S.C., posted a notice to its website Jan. 29, warning patients about a potential compromise of their protected health information that resulted from a November 2018 data breach.
  13. Valley Professionals Community Health Center, a federally qualified health center headquartered in Cayuga, Ind., notified patients of a potential October 2018 data breach involving their protected health information.


  1. Alaskan officials upped their tally of individuals likely affected in a June 2018 data breach at the state's health department from 501 victims to 700,000.
  2. Two separate data breaches disclosed in December 2018 exposed the protected health information of 31,876 plan members of Managed Health Services, which runs Indiana's Hoosier Healthwise and Hoosier Care Connect Medicaid programs.
  3. Critical Care, Pulmonary and Sleep Associates in Lakewood, Colo., notified 23,377 patients about a potential exposure of their protected health information after an unauthorized individual gained access to an employee's email account.
  4. Integrity House, a nonprofit substance use disorder treatment facility in Newark, N.J., notified 7,206 of its patients of a data security incident after a number of business computers and tablets were stolen from its offices in November.
  5. An employee at Lebanon (Pa.) VA Medical Center emailed a veteran's family member a document that contained the protected health information of up to 1,002 elderly patients.
  6. Sacred Heart Rehabilitation Center, a drug and alcohol addiction treatment facility in Richmond, Mich., notified "a limited number of patients" after a phishing scheme compromised an employee's email account in April.
  7. Officials at the Delaware Department of Insurance said five health insurers and about 650 of their members were affected by a data breach at a third-party administrator in October.
  8. Verity Health System, a six-hospital system in Redwood City, Calif., notified an undisclosed number of individuals about a potential exposure of their protected health information stemming from three incidents.

WASHINGTON DC USA -- HEALTHCARE UPDATE NEWS SERVICE™ -- JULY 5, 2019: The Twenty-Ninth National HIPAA Summit, www.HIPAASummit.com, will be held March 3 - 5, 2020 at the Hyatt Regency Crystal City, Arlington, VA. The Summit will be offered both onsite and live and archived for 6 months over the Internet.


Deven McGraw, JD
General Counsel & Chief Regulatory Officer, Ciitizen Corporation, Former Deputy Director, Health Information Privacy, OCR, Former Director, Health Privacy Project, Center for Democracy & Technology, Redwood City, CA

Roger Severino, JD
Director, Office for Civil Rights, US DHHS, Former Director, DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, Heritage Foundation, Former Trial Attorney, Civil Rights Division, US DOJ, Washington, DC

Daniel J. Solove, JD
John Marshall Harlan Research Professor of Law, George Washington University Law School, Founder, TeachPrivacy, Author, Understanding Privacy; Information Privacy Law; The Future of Reputation: Gossip, Rumor, and Privacy on the Internet; and The Digital Person: Technology and Privacy in the Information Age, Washington, DC


Adam Greene, JD, MPH
Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC

Kirk J. Nahra, Esq.
Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Washington, DC

John C. Parmigiani
President, John C. Parmigiani and Associates, LLC, HIPAA Summit Distinguished Service Award Winner, Former Director of Enterprise Standards, HCFA, Ellicott City, MD

Iliana Peters, JD, LLM
Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC

Robert M. Tennant, MA
Director, HIT Policy, Medical Group Management Association, Washington, DC




The HIPAA Summit is now offering a limited number of partial and full Tuition Scholarships to qualifying representatives of local, state and federal government, consumer advocate organizations, safety net providers, academics, students and health services research organizations.




March 3 - 5, 2020

Hyatt Regency Crystal City
Arlington, VA

In your own office or home live via the Internet
with 24/7 access for six months

Simply register, travel to the conference city and attend in person.

Pros: subject matter immersion; professional networking opportunities; faculty interaction


Watch the conference in live streaming video of plenary sessions and listen to audio of preconference and track sessions over the Internet and at your convenience at any time 24/7 for six months following the event.

The archived conference includes speaker Video and Audio and coordinated PowerPoint presentations.

Pros: Live digital feed and 24/7 Internet access for the next six months; accessible in the office, at home or anywhere worldwide with Internet access; avoid travel expense and hassle; no time away from the office.




For Summit registration information, visit www.HIPAASummit.com/registration/, email registration@hcconferences.com, or call 800-503-7417.


For sponsorship and exhibit information, visit www.HIPAASummit.com/promotional-opportunities/, or contact Justin Sorensen, Exhibit Manager, at 206-452-0609 phone, 206-319-5303 fax, or exhibits@hcconferences.com.