The number of reported healthcare data breaches decreased in March 2020 by 7.69%. The number of breached records also decreased by 45.88%.
In March, there were 36 healthcare data breaches involving 500 or more records reported to the HHS’ Office for Civil Rights (OCR). That figure is about 16% lower than the 12-month average number of monthly breaches. March had 828,921 healthcare records breached. That figure is 194% more than the monthly average number of breached healthcare records.
Biggest Healthcare Data Breaches for March 2020
The genetic testing firm Ambry Genetics Corporation reported the biggest healthcare data breach this March. An unauthorized person accessed an employee’s email account which held the information of 232,772 patients.
The medical device maker Tandem Diabetes Care reported a big phishing attack. The compromise of the email accounts of a number of employees resulted in the exposure of the protected health information (PHI) of 140,781 patients.
Brandywine Urology Consultants reported the third biggest data breach for March. A ransomware attack resulted in the potential compromise of 131,825 patients’ data. The Randleman Eye Center and Affordacare Urgent Care Clinics also experienced ransomware attacks.
Golden Valley Health Centers, Washington University School of Medicine, and the Otis R. Bowen Center for Human Services also reported data breaches due to phishing attacks. Stephan C Dean reported a breach due to email hacking not related to a phishing attack. OneDigital Health and Benefits also reported a breach involving laptop computer theft.
1. Ambry Genetics Corporation – 232,772 individuals affected due to hacking/IT incident
2. Tandem Diabetes Care, Inc. – 140,781 individuals affected due to hacking/IT incident
3. Brandywine Urology Consultants, PA – 131,825 individuals affected due to hacking/IT incident
4. Stephan C Dean – 70,000 individuals affected due to hacking/IT incident
5. Affordacare Urgent Care Clinics – 57,411 individuals affected due to hacking/IT incident
6. Golden Valley Health Centers – 39,700 individuals affected due to hacking/IT incident
7. Otis R. Bowen Center for Human Services – 35,804 individuals affected due to hacking/IT incident
8. OneDigital Health and Benefits – 22,894 individuals affected due to theft
9. Randleman Eye Center – 19,556 individuals affected due to hacking/IT incident
10. Washington University School of Medicine – 14,795 individuals affected due to hacking/IT incident
Causes of Healthcare Data Breaches
The number one cause of breaches is hacking/IT incidents, with 19 incidents accounting for 52.78% of the total breaches this month. There were 782,407 records breached, accounting for 94.38% of all breached records in March. The average and median breach sizes were 41,179 records and 10,700 records, respectively.
The 9 incidents of unauthorized access/disclosure accounted for 25% of the total breaches this month. The 15,071 breached records made up 1.81% of all breached records this month. The average and median breach sizes were 1,674 records and 910 records, respectively.
The 6 incidents of theft of paperwork/electronic devices accounted for 16.66% of the month’s breaches. There were 30,107 stolen patient records, which accounted for 3.63% of all of March’s breached records. The average and median breach sizes were 5,017 records and 1,595 records, respectively. Two incidents of loss were reported, affecting 1,336 records.
The location of 50% of breached PHI was email accounts, mostly because of phishing emails. Protecting email accounts and stopping phishing attacks is the biggest concern.
Data Breaches by Covered Entity Type
Healthcare providers reported 26 breaches. Health plans reported 3 breaches, and a healthcare clearinghouse reported a rare breach.
Business associates of HIPAA covered entities reported 6 breaches. Two other breaches were reported by covered entities but had some involvement of a business associate.
Data Breaches by State
22 states reported the 36 data breaches in March. California reported 7 breaches. Georgia and Minnesota reported three breaches each. Hawaii, North Carolina, Texas and Pennsylvania reported two breaches each. Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia reported one breach each.
HIPAA Enforcement in March 2020
Neither the HHS’ Office for Civil Rights nor state attorneys general issued any enforcement actions in March 2020. However, there was some news reported on the HIPAA enforcement front.
Due to the SARS-CoV-2 Novel Coronavirus crisis, OCR announced that it would exercise enforcement discretion. No financial penalties will be imposed on covered entities and business associates for noncompliance with specific facets of HIPAA Rules.
OCR announced three Notices of Enforcement Discretion in March associated with:
- the good faith provision of telehealth services
- good faith engagement in the functions of COVID-19 testing facilities
- the PHI uses and disclosures by business associates to public health professionals