Medium Severity (Score: 4/10)

Sentara Health Data Breach Exposes 696 Patients' Paper Records

Breach Details

  • Entity: Sentara Health
  • Individuals Affected: 696
  • State: VA
  • Breach Type: Unauthorized Access/Disclosure
  • Location: Paper/Films
  • Date Reported: September 3, 2025
  • Entity Type: Healthcare Provider
  • Business Associate: No

Sentara Health, a major healthcare provider in Virginia, recently reported a data breach affecting 696 patients to the U.S. Department of Health and Human Services (HHS). The incident, reported on September 3, 2025, involved unauthorized access and disclosure of patient information stored in paper documents and films.

What Happened

On September 3, 2025, Sentara Health filed a breach notification with the HHS Office for Civil Rights (OCR), as required under the HIPAA Breach Notification Rule (45 CFR §164.408). The breach involved unauthorized access to and disclosure of protected health information (PHI) contained in physical documents and medical films.

While specific details about how the breach occurred remain limited, the incident's classification as "unauthorized access/disclosure" suggests that patient information was improperly accessed, viewed, or shared without proper authorization. The involvement of paper and film records indicates this was not a typical cyberattack but an incident involving physical documents.

Sentara Health operates multiple hospitals and healthcare facilities across Virginia and northeastern North Carolina, making this breach particularly concerning for patients throughout the region.

Who Is Affected

The breach impacted 696 individuals who received care from Sentara Health. While this number may seem relatively small compared to major cyber breaches affecting millions of patients, any unauthorized disclosure of PHI represents a serious violation of patient privacy rights under HIPAA regulations.

Affected patients likely include individuals who:

  • Received medical care at Sentara Health facilities
  • Had their medical information stored in paper format or on medical films
  • May have had their PHI accessed without proper authorization

Under HIPAA's Breach Notification Rule, Sentara Health is required to notify affected patients within 60 days of discovering the breach, unless law enforcement requests a delay.

Breach Details

Key Facts:

  • Healthcare Provider: Sentara Health
  • Location: Virginia
  • Patients Affected: 696 individuals
  • Breach Type: Unauthorized access/disclosure
  • Medium: Paper documents and films
  • Discovery/Report Date: September 3, 2025
  • Business Associate Involvement: None reported

HIPAA Compliance Context

This breach falls under HIPAA's definition of a breach as outlined in 45 CFR §164.402, which defines a breach as the "acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule."

The involvement of paper records and films highlights an often-overlooked aspect of healthcare data security. While much attention focuses on cybersecurity threats, physical document security remains crucial for HIPAA compliance.

What This Means for Patients

Immediate Concerns

Patients affected by this breach may face several risks:

  1. Privacy Violation: Personal medical information may have been inappropriately accessed or shared
  2. Identity Theft Risk: Depending on the information disclosed, patients could face increased risk of medical identity theft
  3. Medical Record Integrity: Questions about the security of their ongoing medical records

Legal Protections

Under HIPAA's Privacy Rule (45 CFR §164.502), patients have specific rights regarding their PHI, including:

  • The right to know how their information is used and shared
  • The right to request restrictions on PHI use
  • The right to file complaints with the covered entity or HHS OCR

Potential Consequences for Sentara Health

The healthcare provider may face:

  • HIPAA penalties ranging from $100 to $50,000 per violation
  • Mandatory corrective action plans
  • Ongoing OCR monitoring
  • Potential civil lawsuits from affected patients

How to Protect Yourself

If you're a Sentara Health patient or concerned about healthcare data security, consider these steps:

Immediate Actions

  1. Wait for Official Notification: Sentara Health must notify affected patients within 60 days
  2. Review Medical Records: Request copies of your medical records to ensure accuracy
  3. Monitor Medical Benefits: Watch for suspicious activity on insurance statements
  4. Credit Monitoring: Consider enrolling in credit monitoring services if Social Security numbers were involved

Ongoing Protection

  1. Exercise HIPAA Rights: Request an accounting of disclosures from your healthcare providers
  2. Limit PHI Sharing: Ask providers about their information-sharing practices
  3. Secure Communications: Use patient portals instead of unsecured email for medical communications
  4. Regular Reviews: Periodically review your medical records for accuracy

Reporting Concerns

Patients can file HIPAA complaints with:

  • Sentara Health's Privacy Officer directly
  • HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint
  • Virginia Department of Health for state-level concerns

Prevention Lessons for Healthcare Providers

This incident offers several important lessons for healthcare organizations:

Physical Security Measures

  1. Access Controls: Implement strict access controls for areas containing PHI
  2. Document Tracking: Maintain logs of who accesses physical records
  3. Secure Storage: Ensure locked storage for all PHI-containing documents
  4. Disposal Protocols: Establish proper procedures for destroying outdated records

HIPAA Compliance Best Practices

  1. Regular Training: Conduct ongoing HIPAA training for all staff
  2. Risk Assessments: Perform regular security assessments of both digital and physical PHI storage
  3. Incident Response Plans: Develop comprehensive breach response procedures
  4. Vendor Management: Even though no business associate was involved in this breach, proper vendor oversight remains crucial

Administrative Safeguards

Under HIPAA's Security Rule (45 CFR §164.308), covered entities must:

  • Assign security responsibilities to specific individuals
  • Implement workforce training and access management
  • Establish information access management procedures
  • Maintain security incident procedures

The Importance of Documentation

Healthcare providers must maintain detailed documentation of:

  • Security policies and procedures
  • Employee training records
  • Access logs and audit trails
  • Incident response activities

This Sentara Health breach serves as a reminder that HIPAA compliance requires comprehensive attention to both digital and physical security measures. While cyber threats often dominate headlines, protecting paper records and films remains equally important for maintaining patient privacy and avoiding costly penalties.

Healthcare organizations must remain vigilant in implementing proper administrative, physical, and technical safeguards to protect patient information in all formats. Regular risk assessments, employee training, and incident response planning are essential components of effective HIPAA compliance programs.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
