The number of data breaches reported to OCR in October was well above average. With 63 reported breaches involving 500 or more records, the total was 33.68% lower than September's, but it was still 41.82% above the monthly average this year. The higher number of breaches is still partly due to continued reports by healthcare companies that were affected by the Blackbaud ransomware attack.
In the 63 breaches reported, the protected health information (PHI) of over 2.5 million people was compromised. That is 74.08% fewer breached records than in September, but it is still 26.81% above the monthly average this year.
The Top Healthcare Data Breaches in October 2020
1. Luxottica of America Inc. – 829,454 individuals affected due to Hacking/IT Incident – Ransomware Attack
2. AdventHealth Orlando – 315,811 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
3. Presbyterian Healthcare Services – 193,223 individuals affected due to Hacking/IT Incident – Phishing Attack
4. Sisters of Charity of St. Augustine Health System – 118,874 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
5. Timberline Billing Service, LLC – 116,131 individuals affected due to Hacking/IT Incident – Ransomware Attack
6. Greenwich Hospital – 95,000 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
7. OSF HealthCare System – 94,11 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
8. Geisinger – 86,412 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
9. CCPOA Benefit Trust Fund – 80,000 individuals affected due to Hacking/IT Incident – Ransomware Attack
10. Ascend Clinical, LLC – 77,443 individuals affected due to Hacking/IT Incident – Phishing and Ransomware Attack
11. Centerstone of Tennessee, Inc. – 50,965 individuals affected due to Hacking/IT Incident – Phishing Attack
12. Georgia Department of Human Services – 45,732 individuals affected due to Hacking/IT Incident – Phishing Attack
13. Connecticut Department of Social Services – 37,000 individuals affected due to Hacking/IT Incident – Phishing Attack
14. State of North Dakota – 35,416 individuals affected due to Hacking/IT Incident – Phishing Attack
15. AdventHealth Shawnee Mission – 28,766 individuals affected due to Hacking/IT Incident – Blackbaud Ransomware
Causes of Healthcare Data Breaches in October 2020
The healthcare sector in the United States was bombarded with ransomware attacks. 66% of the top 15 data breaches documented in October were caused by ransomware. The FBI, CISA, and the HHS issued a joint advisory in October after discovering that the healthcare sector was being targeted by the Ryuk ransomware gang, though other ransomware groups are also attacking the healthcare industry.
Phishing attacks still cause problems for the healthcare sector. Phishing emails are frequently used to infect systems with Trojans such as Emotet and TrickBot, together with the Bazar Backdoor, which work as ransomware downloaders.
The HHS breach portal categorizes phishing and ransomware attacks as hacking/IT incidents. There were a total of 46 hacking/IT incidents in October, or 73% of all breaches reported that month. These incidents involved 2,450,645 breached records, or 97.39% of all breached records in October. The mean breach size and median breach size were 53,275 records and 13,069 records, respectively.
Of the total breaches, 12 were caused by unauthorized access/disclosure incidents that affected 54,862 healthcare records. The mean breach size and median breach size was 4,572 records, respectively. There were 4 breach reports due to theft of documents or electronic devices containing PHI. The mean breach size and median breach size were 4,290 records and 1,293 records, respectively. One reported breach was due to improper disposal of computer equipment that stored the ePHI of 4,290 people.
Location of PHI in Healthcare Data Breaches in October 2020
The large number of network server incidents indicates the extent to which malware and ransomware are used in attacks. About 33% of the attacks concerned ePHI located in email accounts, the majority of which were phishing attacks. A number of breaches concerned ePHI located in one or more locations.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 54 breaches in October, health plans reported 3 breaches, and a healthcare clearinghouse reported one breach. Although business associates of covered entities reported only 5 data breaches, 23 of the data breaches reported in October involved business associates.
Healthcare Data Breaches by State
The 63 data breaches in October were reported from 27 states. Connecticut reported 7 breaches; California and Texas reported 5 breaches each. Florida, Pennsylvania, Ohio, and Virginia reported 4 each. Iowa and Washington reported 3 each. Arkansas, Michigan, New York, New Mexico, Wisconsin, and Tennessee reported 2 each. The following states reported one breach each: Georgia, Hawaii, Indiana, Illinois, Kansas, Louisiana, Minnesota, Maine, Missouri, New Jersey, North Dakota, and South Carolina.