In February 2021, the number of reported data breaches involving 500 or more healthcare records increased by 40.63% month over month. 45 data breaches were reported to the Department of Health and Human Services' Office for Civil Rights (OCR), and most of them were hacking/IT incidents.
In each of the two preceding months, more than 4 million records were breached. In February the number of breached records fell by 72.35%: the 45 breaches involved 1,234,943 records that were exposed, impermissibly disclosed, or stolen.
Biggest Healthcare Data Breaches in February 2021
1. The Kroger Co. – 368,100 individuals affected by Hacking/IT Incident
2. BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) – 100,487 individuals affected by Hacking/IT Incident
3. RF EYE PC dba Cochise Eye and Laser – 100,000 individuals affected by Hacking/IT Incident
4. Gore Medical Management, LLC – 79,100 individuals affected by Hacking/IT Incident
5. Summit Behavioral Healthcare – 70,822 individuals affected by Unauthorized Access/Disclosure
6. Humana Inc – 62,950 individuals affected by Unauthorized Access/Disclosure
7. Nevada Orthopedic & Spine Center – 50,000 individuals affected by Hacking/IT Incident
8. Fisher Titus Health, Inc. – 49,636 individuals affected by Hacking/IT Incident
9. Covenant HealthCare – 47,178 individuals affected by Hacking/IT Incident
10. UPMC – 36,086 individuals affected by Hacking/IT Incident
11. Grand River Medical Group – 34,000 individuals affected by Hacking/IT Incident
12. AllyAlign Health, Inc. – 33,932 individuals affected by Hacking/IT Incident
13. Harvard Eye Associates – 29,982 individuals affected by Hacking/IT Incident
14. Texas Spine Consultants, LLP – 25,728 individuals affected by Unauthorized Access/Disclosure
15. UPMC Health Plan – 19,000 individuals affected by Hacking/IT Incident
Causes of Healthcare Data Breaches in February 2021
Three breaches of more than 100,000 records were reported in February. The largest was reported by Kroger, the supermarket and pharmacy chain, and stemmed from the CLOP ransomware group's attack on Accellion, a third-party file transfer vendor used by Kroger: data stolen from Accellion included the protected health information (PHI) of 368,100 Kroger customers.
Elara Caring, a major provider of home-based health care, reported that unauthorized individuals gained access to several employee email accounts containing PHI after employees responded to phishing emails. Cochise Eye and Laser suffered a ransomware attack in which the PHI of 100,000 individuals was stolen.
Phishing attacks were the most common cause of data breaches in February, followed by network server incidents, which typically involved hacking and the deployment of ransomware or other malware. Hacking/IT incidents made up 71.1% of the month's breaches and accounted for 85.7% of all breached records. The average and median size of a hacking breach were 30,239 records and 8,849 records, respectively.
There were 10 unauthorized access/disclosure incidents reported in February, involving a total of 172,799 records; the average and median breach sizes were 17,280 records and 2,497 records, respectively. Two theft incidents and one loss incident were also reported, together affecting 3,773 paper records.
Entities Reporting Healthcare Data Breaches in February 2021
Healthcare providers reported 35 breaches in February, health plans reported 5, and business associates of HIPAA-covered entities reported 5. A further 5 breaches reported by covered entities involved a business associate in some way.
Healthcare Data Breaches by State
Healthcare data breaches involving 500 or more records were reported by entities in twenty states in February 2021. California and Texas each had six breaches, Pennsylvania had five, and Florida and Michigan each had four. Nevada, North Carolina, Ohio, Virginia, and Tennessee each had two breaches. Arizona, Colorado, Iowa, Georgia, Kentucky, Louisiana, North Dakota, Minnesota, Utah, and Wyoming each had one.
HIPAA Enforcement Activity in February 2021
The HHS' Office for Civil Rights announced two settlements with HIPAA-covered entities in February to resolve potential violations of the HIPAA Rules. Both enforcement actions arose from complaints by patients who had not been given timely access to their healthcare records. Sharp HealthCare paid a $70,000 penalty and Renown Health paid a $75,000 penalty.
OCR launched this enforcement initiative in late 2019 to target healthcare providers that were not complying with the HIPAA Right of Access provisions of the HIPAA Privacy Rule. Three Right of Access enforcement actions have been settled so far in 2021, and the latest settlements bring the total under the initiative to 16.