82,601 Records Exposed in Third HIPAA Breach at Aventura Hospital

Sep 19, 2014

Aventura Hospital and Medical Center has announced a new security breach, the third suffered in the last two years, which has affected up to 82,601 individuals. The healthcare provider has only recently discovered the breach, although it started just a single day after the last one was corrected.

Between Oct. 1, 2012 and Dec. 31, 2012, the data of 948 patients was released without permission, with a second HIPAA breach being suffered between January 1, 2012 and September 12, 2012, affecting 2,560 patients. The third breach started the very next day, September 13, 2012, with access to the data continuing until June 9, 2014.

The latest HIPAA breach was caused by an employee at one of its business associates, Valesco Ventures. The company was alerted in May about the employee who could have inappropriately accessed patient data, although it was not until early June that it was revealed that the employee in question improperly accessed patient names, dates of birth and Social Security numbers of up to 82,601 people, according to a report on Local10.com.

Terry Meadows, M.D., the manager of Valesco, confirmed that no financial information or medical data was released during the breach and stated that “Valesco Ventures and Aventura Hospital are assisting law enforcement to identify and prosecute all responsible parties.”

Employee snooping and theft of data for personal gain can be hard to identify and stop, although healthcare providers are able to put in place a number of policies and procedures to reduce the opportunity for employees to steal or inappropriately access data. They should also have the systems set up to rapidly identify individuals who do so.

Since the Omnibus Rule came into existence, Business Associates can be held liable for any data breaches which have resulted from HIPAA violations they have given rise to, such as not having the appropriate technical, administrative and physical measures in place to protect HIPAA-covered data. The body employing a Business Associate is also not exempt from financial penalties, should it be found that it too has violated HIPAA rules and has contributed to the cause of the breach.

The Office for Civil Rights has been policing HIPAA more stringently in recent years and it has already issued a number of major penalties for HIPAA violations that resulted in healthcare data, personal identifiers and Social Security numbers of patients being exposed. The OCR has the authority to issue fines of up to 1.5 million per violation type, per year. In this case that could possibly see a fine of up to 3 million dollars applied.

While such a large-scale data exposure is highly concerning, so too is the amount of time taken for Aventura and Valesco Ventures to halt the breach and notify the victims. The company first became aware of a potential HIPAA breach on May 28, 2014, when it was made aware of the fact that an employee “may have improperly accessed the personal identifying information of a number of patients of Aventura Hospital”.

It was not until three months later – Sept 9, 2014 – that the company sent breach notifications to the affected patients. Under HIPAA Breach Notification Rules, covered entities have up to 60 days to report HIPAA breaches to the OCR and notify the people who may have been affected.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
