For three successive months, there has been an increase in the number of reported healthcare data breaches involving at least 500 records. In June, 70 data breaches involving at least 500 records were reported to the HHS’ Office for Civil Rights, an 11% increase from the previous month. It is the highest number of breaches in a month since September 2020 and is higher than the average of 56 breaches per month over the past 12 months.
Although the number of reported breaches went up, the total number of breached healthcare records dropped by 80.24% from last month. There were 1,290,991 breached records in June, or over 43,000 breached records per day.
Over 40 million healthcare records were compromised or impermissibly disclosed in the last 12 months due to 674 reported breaches. The average from July 2020 to June 2021 is 3,343,448 breached healthcare records per month.
June 2021 Biggest Healthcare Data Breaches
In June, 19 healthcare data breaches involving at least 10,000 records were reported. Ransomware still presents problems for healthcare companies, as 6 out of the top 10 breaches were ransomware attacks. A number of healthcare companies reported ransomware attacks in June that happened at third-party providers. The number of healthcare companies confirmed as being impacted by the ransomware attacks on companies such as CaptureRx, Elekta, and Netgain Technologies continues to grow.
The biggest healthcare data breach in June’s report was a phishing attack on MultiPlan, a medical payment billing service provider. The attacker obtained access to an email account that contained the protected health information (PHI) of 214,956 people.
The ransomware attack on Elekta Inc., a Swedish radiation therapy and radiosurgery solution provider, affected Renown Health and Northwestern Memorial HealthCare. That attack impacted 42 healthcare companies in the U.S.
1. MultiPlan – 214,956 individuals affected due to phishing attack
2. Northwestern Memorial HealthCare – 201,197 individuals affected due to Elekta ransomware attack
3. Scripps Health – 147,267 individuals affected due to ransomware attack
4. San Juan Regional Medical Center – 68,792 individuals affected due to unspecified hacking and data exfiltration incident
5. Renown Health – 65,181 individuals affected due to Elekta ransomware attack
6. Minnesota Community Care – 64,855 individuals affected due to Netgain ransomware attack
7. Francisco J. Pabalan MD, INC – 50,000 individuals affected due to Hacking/IT Incident (Unknown)
8. Prominence Health Plan – 45,000 individuals affected due to ransomware attack
9. NYC Health + Hospitals – 43,727 individuals affected due to CaptureRx ransomware attack
10. UofL Health, Inc. – 42,465 individuals affected due to misdirected email
11. Peoples Community Health Clinic – 40,084 individuals affected due to phishing attack
12. Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC – 38,000 individuals affected due to ransomware attack
13. Hawaii Independent Physicians Association – 18,770 individuals affected due to phishing attack
14. UW Medicine – 18,389 individuals affected due to Hacking/IT Incident (Unknown)
15. Cancer Care Center – 18,000 individuals affected due to Hacking/IT Incident (Unknown)
16. Temple University Hospital, Inc. – 16,356 individuals affected due to Hacking/IT Incident (Unknown)
17. Walmart Inc. – 14,532 individuals affected due to Loss of paper/films
18. Discovery Practice Management, Inc. – 13,611 individuals affected due to phishing attack
19. Jawonio – 13,313 individuals affected due to phishing attack
Causes of Healthcare Data Breaches in June 2021
The breach reports in June 2021 were mostly hacking/IT incidents, a large percentage of which were ransomware attacks. 58 reports were due to hacking/IT incidents, in which the PHI of 1,190,867 people was exposed, accounting for 92.24% of all breached records in June. The mean and median breach sizes were 20,532 records and 2,938 records, respectively.
9 reports of unauthorized access/disclosure incidents involved the impermissible disclosure of the PHI of 81,764 people. The mean and median breach sizes were 9,085 records and 5,509 records, respectively.
One reported incident involved missing paperwork containing the PHI of 14,532 people, one involved the theft of a portable electronic device and impacted 1,166 patients, and one involved improper disposal affecting 2,662 physical records.
42 hacking incidents involved PHI stored on network servers, the majority of which were data access and exfiltration cases involving ransomware. 19 email security breaches involved PHI stored in email accounts, the majority of which were phishing cases.
Covered Entities Reporting Data Breaches in June 2021
Healthcare providers reported 53 data breaches. Health plans reported 9 breaches, and business associates of HIPAA-covered entities reported 8. HIPAA-covered entities frequently report breaches that occurred at their third-party vendors, which can hide the extent of attacks on business associates. Figures adjusted to take this into account show the extent to which business associates are experiencing data breaches: 36 data breach reports involved business associates.
June 2021 Healthcare Data Breaches by State
HIPAA-covered entities and business associates located in 32 states reported large healthcare data breaches. California had 8 reported breaches, New York had 6. Illinois, Pennsylvania, and Washington reported 4 each. Georgia, New Jersey, Oregon, Ohio, and Texas reported 3 each. Arkansas, Kentucky, Mississippi, Michigan, Nevada, Tennessee, and Wisconsin reported 2 each. The following states reported 1 each: Alaska, Arizona, Connecticut, Colorado, Florida, Hawaii, Iowa, Massachusetts, Maryland, Montana, Minnesota, New Mexico, Oklahoma, Rhode Island, and South Carolina.
HIPAA Enforcement Activity in June 2021
The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was required to pay a $5,000 financial penalty to settle its HIPAA Right of Access case and agreed to undertake a solid corrective action plan to make sure that patients are given prompt access to their health records. There were no HIPAA enforcement actions issued by the state Attorneys General in June.