According to the Department of Health and Human Services’ Office for Civil Rights breach portal statistics, 2019 saw a 196% increase in healthcare data breaches from 2018. There were 510 healthcare data breaches involving 500 or more records reported last year.
Except for 2015, the number of healthcare data breaches has gone up each year since October 2009, when the HHS’ Office for Civil Rights first began posting breach summaries.
In 2019, breached records increased by 37.47% from 2018. There were 41,335,889 records in 2019 and 13,947,909 records in 2018.
More data breaches were reported in 2019 than in any other year in history, including 2009 to 2014. The year also had the second-highest number of breached records. In 2019, about 12.55% of the U.S. population had their healthcare records exposed, stolen or impermissibly disclosed.
2019’s Biggest Healthcare Data Breaches
The following list shows the top 20 healthcare data breaches of 2019:
1. Optum360, LLC impacted 11,500,000 individuals due to Hacking/IT Incident
2. Laboratory Corporation of America Holdings dba LabCorp impacted 10,251,784 individuals due to Hacking/IT Incident
3. Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. impacted 2,964,778 individuals due to Hacking/IT Incident
4. Clinical Pathology Laboratories, Inc. impacted 1,733,836 individuals due to unauthorized access/disclosure
5. Inmediata Health Group, Corp. impacted 1,565,338 individuals due to unauthorized access/disclosure
6. UW Medicine impacted 973,024 individuals due to Hacking/IT Incident
7. Women’s Care Florida, LLC impacted 528,188 individuals due to Hacking/IT Incident
8. CareCentrix, Inc. impacted 467,621 individuals due to Hacking/IT Incident
9. Intramural Practice Plan – Medical Sciences Campus – the University of Puerto Rico impacted 439,753 individuals due to Hacking/IT Incident
10. BioReference Laboratories Inc. impacted 425,749 individuals due to Hacking/IT Incident
11. Bayamon Medical Center Corp. impacted 422,496 individuals due to Hacking/IT Incident
12. Memphis Pathology Laboratory d/b/a American Esoteric Laboratories impacted 409,789 individuals due to unauthorized access/disclosure
13. Sunrise Medical Laboratories, Inc. impacted 401,901 individuals due to Hacking/IT Incident
14. Columbia Surgical Specialist of Spokane Healthcare Provider impacted 400,000 individuals due to Hacking/IT Incident
15. Sarrell Dental impacted 391,472 individuals due to Hacking/IT Incident
16. UConn Health impacted 326,629 individuals due to Hacking/IT Incident
17. Premier Family Medical impacted 320,000 individuals due to Hacking/IT Incident
18. Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey impacted 305,737 individuals due to Hacking/IT Incident
19. Navicent Health, Inc. impacted 278,016 individuals due to Hacking/IT Incident
20. ZOLL Services LLC impacted 277,319 individuals due to Hacking/IT Incident
If a business associate encounters a data breach, it does not always report the incident. Sometimes a business associate and the covered entities experience the same breach but report it separately, as in the case of American Medical Collection Agency (AMCA).
In 2019, hackers who accessed the AMCA systems stole sensitive client information. At least 24 organizations had information exposed or stolen because of the hack, namely:
1. Quest Diagnostics/Optum360 – 11,500,000 individuals impacted
2. LabCorp – 10,251,784 individuals impacted
3. Clinical Pathology Associates – 1,733,836 individuals impacted
4. Carecentrix – 467,621 individuals impacted
5. BioReference Laboratories/Opko Health – 425,749 individuals impacted
6. American Esoteric Laboratories – 409,789 individuals impacted
7. Sunrise Medical Laboratories – 401,901 individuals impacted
8. Inform Diagnostics – 173,617 individuals impacted
9. CBLPath Inc. – 141,956 individuals impacted
10. Laboratory Medicine Consultants – 140,590 individuals impacted
11. Wisconsin Diagnostic Laboratories – 114,985 individuals impacted
12. CompuNet Clinical Laboratories – 111,555 individuals impacted
13. Austin Pathology Associates – 43,676 individuals impacted
14. Mount Sinai Hospital – 33,730 individuals impacted
15. Integrated Regional Laboratories – 29,644 individuals impacted
16. Penobscot Community Health Center – 13,299 individuals impacted
17. Pathology Solutions – 13,270 individuals impacted
18. West Hills Hospital and Medical Center / United WestLabs – 10,650 individuals impacted
19. Seacoast Pathology, Inc – 8,992 individuals impacted
20. Arizona Dermatopathology – 5,903 individuals impacted
21. Laboratory of Dermatology ADX, LLC – 4,082 individuals impacted
22. Western Pathology Consultants – 4,079 individuals impacted
23. Natera – 3,035 individuals impacted
24. South Texas Dermatopathology LLC – 15,982 individuals impacted
The AMCA breach had a total of 26,059,725 breached records.
Causes of Healthcare Data Breaches in 2019
Healthcare data breaches may fall under one of the following five categories: Hacking/IT incidents, Unauthorized access/disclosures, Theft, Loss and Improper disposal.
Hacking/IT incidents accounted for 59.41% of healthcare data breaches in 2019 and impacted 87.60% of all breached records. Unauthorized access/disclosure incidents accounted for 28.82% of data breaches and impacted 11.27% of all breached records. Loss and theft incidents affecting electronic devices that contain unencrypted electronic protected health information (PHI) or physical records accounted for 10.59% of breaches and impacted 1.07% of breached records. Incidents of improper disposal of physical records and devices with electronic PHI accounted for 1.18% of breaches and impacted 0.06% of breached records.
The biggest problem area in 2019 for healthcare organizations was the security of email systems and the prevention of phishing attacks. Email incidents included misdirected emails, but the largest percentage of email incidents were due to phishing and spear-phishing attacks.
Healthcare Data Breaches by Covered Entity in 2019
Healthcare providers reported 77.65% of data breaches or 369 incidents. Health plans reported 11.57% of breaches or 59 incidents, and healthcare clearinghouses reported 0.39% of data breaches or 2 incidents.
23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents), and 66 data breaches were reported by covered entities that stated there was some business associate involvement.
Healthcare Data Breaches by State in 2019
HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico reported data breaches. Texas reported the most breaches, with 60. Next was California, with 42 data breaches reported. North Dakota and Hawaii were the only states that did not report data breaches involving 500 or more records.