New Wall of Shame Format: HIPAA & HITECH Act Blog by Jonathan P. Tomes


Before discussing the new format, note that almost 800 covered entities are now memorialized, so to speak, on the Big Breacher website (my name for what most HIPAA consultants call the Wall of Shame).

Section 13402(e)(4) of the HITECH Act requires the Department of Health and Human Services (“DHHS”) to post a list of breaches of unsecured (readable) protected health information (“PHI”) affecting 500 or more individuals. According to the DHHS discussion of the new format, the website now posts these breaches in a new format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that the Office for Civil Rights (“OCR”) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured PHI to the Secretary of Health and Human Services. The following breaches have been reported to the Secretary:

Breach type:

  • Hacking/IT incident.
  • Improper disposal.
  • Loss.
  • Theft.
  • Unauthorized access/disclosure.
  • Unknown.
  • Other.


Location of breached information:

  • Desktop computer.
  • Email.
  • Electronic medical record.
  • Laptop.
  • Network server.
  • Other portable electronic device.
  • Paper.
  • Other.

Covered entity types:

  • Health plan.
  • Health care clearinghouse.
  • Health care provider.
  • Business associate.

To avoid ending up on the Big Breacher website, with the possibility of civil money penalties, such as the $1.5 million settlement by Blue Cross Blue Shield of Tennessee after it had reported itself to DHHS, consider investing in and using our HIPAA compliance products, training materials, and consulting services, available on our website at

