Top 5 HIPAA Wall of Shame Breaches

Image of content creator smiling for camera
Written by Katherine Zheng, PhD, BSN Content Writer, IntelyCare
Image of content creator for bio page
Reviewed by Aldo Zilli, Esq. Senior Manager, B2B Content, IntelyCare
A healthcare professional looking at medical files.

Breaching patient privacy and confidentiality can have long-lasting consequences. Not only are healthcare facilities subject to legal penalties, but they also risk the infamy of joining the HIPAA wall of shame, which places investigated facilities under public scrutiny.

But, what exactly is the wall of shame and why does it exist? We’ll describe the history of this accountability tool and walk through the top reasons why facilities may find themselves there.

HIPAA Background and Overview

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to help protect the privacy and security of patients. More specifically, it outlines practices that regulate the access, exchange, and use of both paper and electronic protected health information (PHI).

All healthcare organizations that handle PHI are expected to comply with HIPAA regulations. Facilities must implement appropriate measures in order to prevent sensitive information from being used without a patient’s consent or knowledge. If facilities fail to comply with these requirements, they’re at increased risk of facing penalties resulting from HIPAA violations.

What Is the Wall of Shame? HIPAA Summary

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in efforts to improve electronic information exchange across facilities. As part of these regulations, the Department of Health and Human Services was required to create a website listing HIPAA security breaches affecting 500 or more people. The “wall of shame” became an unofficial nickname for this repository, which is more formally known as the Office for Civil Rights (OCR) breach portal.

The public can access information about all filed security breaches directly on the OCR wall of shame for two years, with older cases being archived indefinitely. This information includes:

  • Name of the organization.
  • Type of entity (e.g., insurer, provider, or business associate).
  • State where the incident occurred.
  • Number of affected individuals.
  • Date the breach was reported.
  • Type of breach.
  • Breach format (e.g., database, email, hardcopy).

What’s the Purpose of the HIPAA Wall of Shame?

The OCR portal, or wall of shame website, has been quite controversial since some experts believe that public shaming overshadows the efforts of facilities trying to improve their security practices. However, others believe that publicizing the HIPAA wall of shame cases can increase accountability and incentivize better adherence to regulatory standards.

Top 5 HIPAA Wall of Shame Examples

Security breaches can be attributed to any party that handles PHI in the healthcare industry. Here are the top five reasons why a facility could join the wall of shame, illustrated with HIPAA breach examples.

Infographic showing the top 5 common types of HIPAA Wall of Shame breaches.

1. Hacking/IT Incidents

The most common type of breach that makes it onto the wall of shame involves wide-scale cybersecurity attacks. This happens when hackers infiltrate a facility’s electronic systems to access or steal personal PHI.

Example:

A health insurance entity was the victim of a wide-scale cybersecurity attack where an unauthorized party accessed over 200,000 patient names, addresses, dates of birth, drivers’ license numbers, Social Security numbers, financial information, and medical information.

Key Takeaway:

With the rapid advancement of healthcare technology, it’s important for facilities to implement effective technical safeguards to protect against old and new types of cyber threats.

2. Unauthorized Access/Disclosure

Unauthorized access or disclosure of PHI is another common breach that can occur either intentionally or unintentionally. This involves access or sharing of patient PHI without proper consent.

Example:

An employee at a healthcare company accidentally placed sensitive health information of over 9,000 patients on the outside of mailing envelopes. The PHI included names, addresses, and diagnoses.

Key Takeaway:

Mistakes can happen. While they can’t always be prevented, facilities can take steps to ensure that errors aren’t repeated by implementing protocols for risk assessment, management, and incident reporting.

3. Improper PHI Disposal

HIPAA requires the destruction of PHI that’s expired or no longer necessary for care. Facilities that fail to dispose of PHI in a secure manner can also risk unauthorized use or access.

Example:

A healthcare clinic reported that paper records of over 7,000 patients were not properly shredded and disposed of in secure bins. These records contained names, addresses, dates of birth, Social Security numbers, and other sensitive medical information.

Key Takeaway:

Beyond simply disposing of PHI, employees must understand how to get rid of information safely and securely. Ensure staff are thoroughly trained and educated on best practices for PHI disposal.

4. Theft of PHI

If PHI falls into the wrong hands, this may be posted as a case of theft on the HIPAA wall of shame. Theft is when unauthorized individuals steal hard-copy documents or electronic devices containing patient information.

Example:

An employee working at a health insurance company reported their laptop being stolen from their vehicle. The laptop contained the names, Social Security numbers, and health insurance information of over 4,500 enrollees.

Key Takeaway:

If employees must use portable devices to carry out their job duties, educate them on best security practices. Staff should be trained to never leave devices unattended or unsecured in accessible places.

5. Loss/Misplacement of PHI

One unintentional breach often carried out by healthcare staff is the misplacement of PHI. This is especially common in facilities that use paper-based documentation or portable electronic storage devices.

Example:

A healthcare facility reported misplacing an external USB drive that contained the names, dates of birth, diagnoses, and other treatment information of over 2,000 patients. The USB drive was unable to be recovered.

Key Takeaway:

When possible, PHI should only be stored in systems securely located within your facility. If portable devices are absolutely necessary to conduct work, ensure additional measures are taken to encrypt and secure devices.

Want More Resources to Support HIPAA Compliance?

To avoid joining the HIPAA wall of shame, it’s important to keep up with regulations governing your facility’s security practices. Don’t miss out on other HIPAA compliance tips and guides through IntelyCare’s free newsletter.

Legal Disclaimer: This article contains general legal information, but it is not intended to constitute professional legal advice for any particular situation and should not be relied on as professional legal advice. Any references to the law may not be current, as laws regularly change through updates in legislation, regulation, and case law at the federal and state level. Nothing in this article should be interpreted as creating an attorney-client relationship. If you have legal questions, you should seek the advice of an attorney licensed to practice in your jurisdiction.

Related Articles

Credentialing With Insurance Companies: 5 Mistakes to Avoid
What Is an LTAC vs. SNF? Overview and FAQ
Avoiding a Breach of Duty of Care: 5 Tips for Healthcare Facilities
What Is the No Surprises Act? Facility Guide and FAQ
The SUPPORT Act and Healthcare Facilities: 5 Key Takeaways

Stay in the know

with the latest industry
insights and trends

SIGN UP