HIPAA Horror Stories

The Leisurely Lapse


One of the largest health care providers in the state of Illinois failed to report a data breach, leading to the compromise of hundreds of patient records and a massive federal penalty.

Giant Health Care Provider Loses Surgical Schedule

On October 22, 2013, Presence Health, which operates about 150 health care facilities including 11 hospitals and 27 long-term-care centers, misplaced a paper operating room schedule. The document included patient names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia scheduled for Presence St. Joseph Hospital in Joliet, Illinois. The schedule contained the Protected Health Information (PHI) of 836 patients.

A Breach And A Slow Response

Allowing unauthorized parties access to PHI is a violation of the Health Insurance Portability and Accountability Act (HIPAA). More egregious was Presence Health’s failure to notify, in a timely manner, the Office for Civil Rights (OCR) or any of the 836 patients of the breach. The federal Breach Notification Rule requires any privacy breach to be reported to the OCR and affected patients within 60 days. For breaches affecting more than 500 people, the HIPAA-covered entity must also notify major media outlets.

Presence Health waited until January 31, 2014, to notify the OCR. The violation was avoidable.

The OCR investigation was the first involving a charge of slow breach notification.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said then-OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

A Costly Failure

As a result of Presence Health’s slow response to the PHI breach, the OCR settled its case with a whopping $475,000 monetary charge. In addition to paying nearly half a million dollars for its failure, Presence Health was forced to adhere to a lengthy Corrective Action Plan.

Is your organization prepared for a breach? Have you performed a HIPAA Risk Analysis? If you’re not 100 percent certain, we can help.




Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
