August 2021 saw 44% fewer reported healthcare data breaches. Healthcare providers, health plans, and their business associates reported 38 healthcare data breaches involving 500 or more records. Including August's reported data breaches, the total number of healthcare data breaches over the past 12 months is 707. So far in 2021, 440 data breaches have been reported.
Although there was a noticeable drop in the number of reported breaches, the 5,120,289 healthcare records breached in August is higher than the 12-month average of 3.94 million records per month. The high number was mostly due to two large ransomware attacks, on University Medical Center Southern Nevada and St. Joseph's/Candler Health System, which together involved 2.8 million healthcare records.
Biggest Healthcare Data Breaches Reported in August 2021
Ransomware groups continued to target the healthcare sector in August. A number of the attacks documented in August resulted in postponed appointments, and some patients were diverted to other facilities for treatment.
It is now common for attackers to exfiltrate sensitive information before deploying ransomware and then demand a ransom payment both for the keys to decrypt data and to prevent exposure of the stolen data. Although several major ransomware operations, such as DarkSide and Sodinokibi/REvil, appear to have shut down, many other campaigns have taken their place. For example, the Vice Society and Hive ransomware gangs have targeted the healthcare industry, and this September the Health Sector Cybersecurity Coordination Center (HC3) issued a notice to the health and public health sector regarding the growing threat of BlackMatter ransomware attacks. Fortunately, this month victims of the Sodinokibi/REvil ransomware gang were given the chance to recover their encrypted files free of charge: Bitdefender published a free Sodinokibi/REvil decryptor last week.
In August, healthcare providers reported three large ransomware attacks that affected substantial amounts of patient information. DuPage Medical Group experienced a ransomware attack in which the protected health information (PHI) of 655,384 patients was potentially compromised, while the attack on University Medical Center Southern Nevada impacted 1.3 million patients and the St. Joseph's/Candler Health System attack affected the PHI of 1.4 million individuals. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph's/Candler Health System on behalf of patients impacted by the attacks.
The list below includes the 20 data breaches reported in August that impacted the PHI of 10,000 or more individuals. Most of these data breaches involved ransomware or information stored in compromised email accounts.
1. St. Joseph's/Candler Health System, Inc. – 1,400,000 individuals affected by Hacking/IT Incident
2. University Medical Center Southern Nevada – 1,300,000 individuals affected by Hacking/IT Incident
3. DuPage Medical Group, Ltd. – 655,384 individuals affected by Hacking/IT Incident
4. UNM Health – 637,252 individuals affected by Hacking/IT Incident
5. Denton County, Texas – 326,417 individuals affected by Unauthorized Access/Disclosure of COVID-19 vaccination information
6. Metro Infectious Disease Consultants – 171,740 individuals affected by Hacking/IT Incident
7. LifeLong Medical Care – 115,448 individuals affected by Hacking/IT Incident
8. CareATC, Inc. – 98,774 individuals affected by Hacking/IT Incident
9. San Andreas Regional Center – 57,244 individuals affected by Hacking/IT Incident
10. CarePointe ENT – 48,742 individuals affected by Hacking/IT Incident
11. South Florida Community Care Network LLC d/b/a Community Care Plan – 48,344 individuals affected by Unauthorized Access/Disclosure of PHI emailed to a personal email account
12. Electromed – 47,200 individuals affected by Hacking/IT Incident
13. Queen Creek Medical Center d/b/a Desert Wells Family Medicine – 35,000 individuals affected by Hacking/IT Incident
14. The Wedge Medical Center – 29,000 individuals affected by Hacking/IT Incident
15. Gregory P. Vannucci DDS – 26,144 individuals affected by Hacking/IT Incident
16. Texoma Community Center – 24,030 individuals affected by Hacking/IT Incident
17. Family Medical Center of Michigan – 21,988 individuals affected by Hacking/IT Incident
18. Central Utah Clinic, P.C. d/b/a Revere Health – 12,433 individuals affected by Hacking/IT Incident
19. Hospice of the Piedmont – 10,682 individuals affected by Hacking/IT Incident
20. Long Island Jewish Forest Hills Hospital – 10,333 individuals affected by Unauthorized Access/Disclosure
Causes of Healthcare Data Breaches in August 2021
Hacking/IT incidents accounted for 31 data breaches (81.6% of August's data breaches) and 4,727,350 breached healthcare records (92.3% of August's total breached records). The mean and median breach sizes were 152,495 records and 12,433 records, respectively. Most of these incidents involved ransomware, malware, or compromised email accounts.
Seven incidents were classified as unauthorized access/disclosure incidents, involving 392,939 breached healthcare records. The mean and median breach sizes were 56,134 records and 4,117 records, respectively. No breaches involving lost or stolen devices or paper records were reported, and no improper disposal incidents were reported.
Healthcare Data Breaches by State
Entities in 24 U.S. states reported healthcare data breaches. Texas reported 4 data breaches. Arizona and Illinois reported 3 breaches each. California, Georgia, Minnesota, Michigan, New Hampshire, Oklahoma, and Virginia reported 2 each. Alabama, Florida, Delaware, Indiana, Iowa, Massachusetts, Nevada, New York, New Mexico, Pennsylvania, Tennessee, Utah, Wisconsin, and West Virginia reported 1 each.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 30 data breaches, although 4 of those breaches occurred at business associates. Health plans and business associates reported 4 data breaches each.
HIPAA Enforcement Activity in August 2021
The HHS' Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August, and state attorneys general did not announce any HIPAA enforcement actions either. So far in 2021, OCR has issued 8 financial penalties to HIPAA-covered entities and business associates, and state attorneys general have issued one multi-state action.
The source of this information is the U.S. Department of Health and Human Services' Office for Civil Rights, as of September 20, 2021.