A Stolen Laptop. A $4.3 Million Penalty. One Unlocked Screen.

In 2018, an HHS administrative law judge upheld a $4.3 million civil monetary penalty against the University of Texas MD Anderson Cancer Center after three separate incidents involving unencrypted ePHI on lost or stolen devices: a laptop taken from a researcher's home and two unencrypted USB thumb drives that went missing. The Office for Civil Rights didn't care about intent; it cared about the outcome. Unencrypted patient data had left the organization's control, and that made each incident a reportable breach. (The Fifth Circuit vacated the penalty in 2021 as arbitrary and capricious, but the incidents remain the standard illustration of why unencrypted devices are the problem.)

If you've ever wondered which example is a breach of ePHI, that case is a textbook answer. But it's far from the only one. Understanding what actually qualifies as a breach — versus what doesn't — is critical for every covered entity, business associate, and workforce member who handles electronic protected health information.

I've spent years reviewing OCR settlements and helping organizations untangle breach scenarios. What I've found is that most people get the definition wrong. Let me walk you through the real examples, straight from enforcement actions, so you can recognize a breach before it costs your organization everything.

What Exactly Qualifies as a Breach of ePHI?

Under the HIPAA Breach Notification Rule, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the information. For ePHI specifically, we're talking about electronic records: EHR data, emails containing patient information, billing databases, even text messages with diagnostic details. Note that the notification obligations attach only to unsecured PHI, which is why encryption keeps coming up in the scenarios below.

There are three exceptions where an impermissible use or disclosure does not count as a breach:

  • An unintentional acquisition or access by a workforce member acting in good faith, within their scope of authority, with no further disclosure.
  • An inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, with no further use or disclosure.
  • The covered entity has a good faith belief that the unauthorized person who received the information could not reasonably retain it.

Everything else? It's presumed to be a breach unless your documented four-factor risk assessment demonstrates a low probability that the PHI was compromised.

Which Example Is a Breach of ePHI? Five Real Scenarios

Let me break this down with concrete examples — some pulled from actual OCR enforcement actions, others from scenarios I've encountered in the field.

1. An Unencrypted Laptop Gets Stolen from an Employee's Car

This is the most common breach scenario I see. A workforce member leaves a laptop with access to ePHI in their vehicle overnight. The car is broken into. The laptop is gone.

If that device wasn't encrypted, you have a reportable breach. Period. If it was encrypted to the standard in HHS guidance (NIST-validated full-disk encryption, with the key not stored on or stolen with the device), the data counts as "secured" and notification is not required, which is why encryption is the single most cost-effective control in this entire area. Concentra Health Services paid $1,725,220 in 2014 after an unencrypted laptop was stolen from one of its facilities. OCR found the organization had identified the encryption gap in its own risk analyses years earlier but never finished remediating it.

This is a breach of ePHI because an unauthorized person now possesses a device containing patient data, and the lack of encryption means the data is readable by anyone who pulls the drive.
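Whether the disk was actually encrypted is the first question an investigator asks after a laptop theft, and "we have a policy" is not evidence. The script below is an added example for this article, not part of any OCR guidance or a vendor tool. It parses the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux) and reports every mounted filesystem that is not stacked on a dm-crypt (LUKS) device, so it can be run across a Linux fleet to produce the artifact you would want on file; the sample block-device tree embedded in it is constructed for illustration, not captured from a real host.

```python
"""Fleet check: is each mounted filesystem backed by a dm-crypt (LUKS) device?

Added example for this article; not part of any OCR guidance or vendor tool.
Parses `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux), whose JSON nests child
devices under their parents, and treats a mountpoint as encrypted when any
ancestor device has TYPE "crypt" (covers plain LUKS and LVM-on-LUKS alike).
"""
import json
import subprocess
from typing import Dict, Iterator, List, Tuple

# Constructed sample output for a laptop with LVM-on-LUKS for "/" but an
# unencrypted scratch partition mounted at /data (not captured from a real host).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-4f2a", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""


def _walk(devices: List[dict], under_crypt: bool = False) -> Iterator[Tuple[str, bool]]:
    """Yield (mountpoint, encrypted) for every mounted device in the tree."""
    for dev in devices:
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def mount_encryption_map(lsblk_json: str) -> Dict[str, bool]:
    """Map each mountpoint to True if it sits on (or under) a dm-crypt device."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return dict(_walk(tree))


def unencrypted_mounts(lsblk_json: str, ignore=("/boot", "/boot/efi")) -> List[str]:
    """Mountpoints that would expose plaintext if the drive were pulled.

    /boot and the EFI partition normally hold no PHI and must be readable by
    the bootloader, so they are excluded by default; everything else that is
    not under a crypt device is reported.
    """
    return sorted(mp for mp, enc in mount_encryption_map(lsblk_json).items()
                  if not enc and mp not in ignore)


def live_report() -> List[str]:
    """Run lsblk on this host (Linux, util-linux with -J support) and report."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("sample host, unencrypted mounts:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
    try:
        print("this host, unencrypted mounts:", live_report())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("lsblk unavailable:", exc)
```

On macOS the equivalent posture check is `fdesetup status`, and on Windows `manage-bde -status`. What none of these tell you is whether the key travels with the device: a laptop stolen while powered on or suspended with the volume unlocked, or one that auto-unlocks from the TPM with no pre-boot PIN, is encrypted on paper and readable in practice. Treat the script's output as one input to the four-factor assessment, not as the answer.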

2. A Staff Member Snoops Through a Celebrity Patient's Records

A front-desk employee at a hospital hears that a local celebrity was admitted. Out of curiosity, they pull up the patient's electronic medical record, read through it, and tell a friend about it over dinner.

This is a breach on two levels. The access itself was impermissible — the employee had no treatment, payment, or operations reason to view that record. The disclosure to a friend compounds it. UCLA Health System paid $865,500 in 2011 after repeated incidents of employees snooping through celebrity medical records.

3. A Phishing Email Gives Hackers Access to an Email Account with ePHI

A billing coordinator clicks a link in a phishing email. Attackers gain access to their inbox, which contains hundreds of emails with patient names, dates of birth, diagnoses, and insurance information.

This is absolutely a breach. The attacker acquired access to ePHI, and it doesn't matter whether they were after medical data or just another mailbox to pivot from; the unauthorized access occurred. Hacking and IT incidents, with phishing as one of the leading entry points, are now the largest category on the HHS breach portal, and a single compromised mailbox routinely exposes thousands of patients because years of unpurged email sit in it.

4. A Provider Sends Patient Lab Results to the Wrong Email Address

A nurse sends a PDF of lab results to a patient's email address but transposes two digits. The email lands in a stranger's inbox. That stranger reads it and replies, "I think you sent this to the wrong person."

This is a breach of ePHI. The information was disclosed to an unauthorized person. Even though it was accidental, the stranger accessed and read the data. You can't rely on the exception that "the unauthorized person could not reasonably retain it" — they clearly could, and they confirmed they saw it.

5. An IT Vendor Disposes of Old Servers Without Wiping Them

A business associate handling IT decommissioning takes old servers from a clinic and resells them without sanitizing the hard drives. Patient records are later found on the equipment by the buyer.

This is a breach. It's also a violation of the HIPAA Security Rule's device and media controls standard (45 CFR 164.310(d)(1)), which requires policies for the final disposition of media and for sanitizing media before re-use. Affinity Health Plan paid $1,215,780 in 2013 after returning leased photocopiers to the leasing company without erasing the ePHI stored on their hard drives. Over 344,000 individuals were affected.

What Doesn't Count as a Breach? The Exceptions Matter

Not every mistake triggers the breach notification process. Here's an example I use in training sessions.

A medical assistant accidentally opens the wrong patient's chart in the EHR, realizes the error immediately, and closes it. They don't read the information, don't share it, and the access was unintentional and within the scope of their job. Under the first exception to the breach definition (unintentional acquisition or access by a workforce member acting in good faith within their scope of authority, with no further use or disclosure), this likely does not qualify as a breach.

But document it anyway. You need a written record showing you applied the exception analysis. OCR will ask for it.

The Four-Factor Risk Assessment You Must Perform

When a potential breach occurs, HIPAA doesn't let you shrug it off. You're required to perform a risk assessment evaluating four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification — Did it include Social Security numbers? Diagnoses? Financial data?
  • Who accessed or received the information — Was it another covered entity, or a completely unauthorized individual?
  • Whether the PHI was actually acquired or viewed — Can you prove it wasn't opened or read?
  • The extent of mitigation — Did you get the data back? Was the recipient cooperative?

If the assessment demonstrates a low probability that the PHI was compromised, you can document the incident as a non-breach. Otherwise you must notify the affected individuals; notify HHS (contemporaneously for breaches affecting 500 or more individuals, otherwise in an annual log); and notify prominent media outlets when more than 500 residents of a single state or jurisdiction are affected. A business associate notifies the covered entity, which owns the downstream notifications.

The HHS Breach Notification Guidance spells this out clearly. Bookmark it.

Why Your Team Gets This Wrong Without Proper Training

Here's what I've seen in dozens of organizations: the workforce doesn't know what a breach looks like. They think breaches only happen when hackers attack. They don't realize that sending ePHI to the wrong fax number, leaving a workstation unlocked in a shared space, or texting a patient's diagnosis to a colleague on an unsecured app all qualify.

That gap in understanding is exactly how organizations end up on the OCR Wall of Shame.

Every workforce member — from front-desk staff to the CEO — needs scenario-based training that walks through real breach examples. Not a 20-slide deck they click through once a year. Actual case studies that force them to identify what went wrong and what they should have done instead.

Our HIPAA training catalog includes courses built around exactly these kinds of real-world ePHI breach scenarios, designed so your staff can recognize a breach the moment it happens — not three weeks later when the damage is done.

The Mistake That Turns a Small Incident into a Six-Figure Penalty

The breach itself is often survivable. What kills organizations is the cover-up — or more commonly, the sheer ignorance that it needed to be reported.

Under the Breach Notification Rule, notification to affected individuals must go out without unreasonable delay and no later than 60 calendar days after discovery. Sixty days is the outer limit, not a target, and the clock starts when any workforce member other than the person who caused the breach knew, or with reasonable diligence should have known, about it. Miss it and you've added a second violation on top of the first. OCR has penalized organizations specifically for late or absent notification, starting with Presence Health's $475,000 settlement in 2017 for notifying months past the deadline.

Your Privacy Officer needs a clear, rehearsed incident response workflow. Your staff needs to know exactly who to call when they suspect ePHI has been compromised. And everyone needs to understand that reporting internally is not optional — it's required.

If your incident response plan is collecting dust in a binder, now is the time to pull it out, update it, and run a tabletop exercise. Our HIPAA workforce training courses can help build that foundation across your entire organization.

Stop Guessing. Start Documenting.

Every time someone in your organization asks "which example is a breach of ePHI," the answer should come from training, not from a Google search after the fact. Build a culture where people can identify a breach, report it immediately, and trust that the organization will respond correctly.

Because OCR doesn't fine you for having an incident. They fine you for not being prepared for one.