In February, 39 healthcare data breaches of 500 or more records were reported, a 21.9% increase from January. The 1,531,855 healthcare records breached represent a 231% increase from January, and more records were breached in February than in the previous three months combined. The mean breach size in February was 39,278 records and the median breach size was 3,335 records.
February 2020’s Biggest Healthcare Data Breaches
The biggest healthcare data breach of the month was reported by the Health Share of Oregon health plan. An unencrypted laptop computer containing the records of 654,362 plan members was stolen.
The second-biggest breach was a ransomware attack on the accounting firm BST & Co. CPAs, which encrypted records of the firm's clients, including Community Care Physicians in New York. The cause of the third-biggest breach, which involved a network server at SOLO Laboratories, had not been determined. The remaining seven of the ten biggest breaches all involved compromised email accounts.
1. Health Share of Oregon – 654,362 individuals affected by laptop theft
2. BST & Co. CPAs, LLP – 170,000 individuals affected by network server hacking/IT incident
3. Aveanna Healthcare – 166,077 individuals affected by email hacking/IT Incident
4. Overlake Medical Center & Clinics – 109,000 individuals affected by email hacking/IT incident
5. Tennessee Orthopaedic Alliance – 81,146 individuals affected by email hacking/IT incident
6. Munson Healthcare – 75,202 individuals affected by email hacking/IT incident
7. NCH Healthcare System, Inc. – 63,581 individuals affected by email hacking/IT incident
8. SOLO Laboratories, Inc. – 60,000 individuals affected by network server hacking/IT incident
9. JDC Healthcare Management – 45,748 individuals affected by email hacking/IT incident
10. Ozark Orthopaedics, PA – 15,240 individuals affected by email hacking/IT incident
Causes of Healthcare Data Breaches in February
Two thirds (66.67%) of the breaches reported were hacking/IT incidents. These accounted for 839,226 breached records, or 54.78% of all records breached in February. The mean breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of these hacking incidents involved compromised email accounts.
There were 6 unauthorized access/disclosure incidents: four involved paper/films, one involved a portable electronic device, and one involved email. These incidents resulted in the impermissible disclosure of 15,826 records, with a mean breach size of 3,126 records and a median breach size of 2,548 records.
Only three incidents involved theft, but they accounted for 42.78% of all breached records. The mean breach size for these incidents was 327,696 records and the median breach size was 530 records.
Two incidents involved lost paperwork containing the PHI of 5,904 patients, and two involved the improper disposal of paper files containing the PHI of 15,507 patients.
Location of Breached Healthcare Records
The biggest challenge for healthcare organizations remains securing email accounts. All but one of the email incidents were hacking incidents in which employees responded to phishing emails. The high number of these incidents shows how important it is to deploy an effective email security solution and to provide employees with regular HIPAA security awareness training on recognizing phishing emails.
Breaches by Covered Entity Type in February
Healthcare providers reported 26 data breaches, with a mean breach size of 23,589 records and a median breach size of 3,229 records. Health plans reported 8 data breaches, with a mean breach size of 83,490 records and a median breach size of 2,468 records.
Business associates reported 5 data breaches, and a further five breaches reported by covered entities involved a business associate to some degree. The mean breach size of these incidents was 50,124 records and the median breach size was 15,010 records.
Healthcare Data Breaches by State
Data breaches were reported by HIPAA-covered entities and business associates in 24 states in February. Texas had 4 breach reports, and Arkansas, California, and Florida each had three. Two breaches were reported in each of Georgia, Indiana, North Carolina, Michigan, Washington, and Virginia. One breach was reported in each of Arizona, Hawaii, Iowa, Illinois, Maine, Minnesota, Massachusetts, Missouri, New York, New Mexico, Oregon, Pennsylvania, Wisconsin, and Tennessee.
HIPAA Enforcement Activity in February 2020
Only one HIPAA enforcement action was announced in February. Steven A. Porter, M.D., agreed to pay OCR a $100,000 financial penalty to settle a HIPAA violation case. The case stemmed from a complaint that Dr. Porter's medical records company was impermissibly using patient health records by blocking the practice's access to them until Dr. Porter paid $50,000.
OCR's investigation found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, had not reduced risks and vulnerabilities to a reasonable and appropriate level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.