September 2020 Healthcare Data Breach Report

September was awful in terms of data breaches. HIPAA-covered entities and business associates reported 95 data breaches involving at least 500 records, a 156.75% increase compared to August 2020.

September saw not only a huge increase in the number of data breaches but also a significant increase in the number of exposed records. There were 9,710,520 healthcare records exposed, a 348.07% increase compared to August. Eighteen entities had breaches involving over 100,000 records. The mean and median breach sizes were 102,216 records and 16,038 records, respectively.

Causes of Healthcare Data Breaches in September 2020

The number of reported data breaches increased because of the ransomware attack on Blackbaud. In May 2020, this cloud software company suffered a ransomware attack, and hackers were able to access its servers containing its clients’ fundraising databases. Blackbaud’s clients include many third-sector and higher education organizations as well as many healthcare providers.

Blackbaud managed to limit the breach, but the attackers downloaded certain customer information before deploying the ransomware. It was initially thought that the breach only included minimal data related to donors and potential donors; however, deeper investigations showed the attackers also exfiltrated financial data and Social Security numbers.

Blackbaud paid a ransom to stop the attackers from publishing or selling the stolen data. Blackbaud said that all stolen information was deleted by the attackers. Blackbaud hired an agency to monitor dark web sites. To date, no data seems to have been made available for sale.

Blackbaud reported the ransomware attack in July 2020 and informed all affected clients. HIPAA-covered entities began reporting that they were affected by the breach in August and continued through September.

The number of U.S. health organizations affected by the attack is uncertain at this time. According to Databreaches.net, about 80 healthcare organizations and more than 10 million patient records are confirmed to have been affected by the Blackbaud breach.

It is not surprising that hacking/IT incidents dominated the breach reports in September. A total of 83 breaches were ascribed to hacking/IT incidents, with 9,662,820 breached records, which is 99.5% of all reported breached records in September. The mean and median breach sizes were 116,420 records and 27,410 records, respectively.

There were 7 reported breaches due to unauthorized access/disclosure, involving a total of 34,995 breached records. The mean and median breach sizes were 4,942 and 1,818 records, respectively. Entities reported 4 loss/theft incidents with 12,029 breached records. The mean and median breach sizes were 3,007 and 2,978 records, respectively. One report involved improper disposal impacting 1,076 records.

The majority of the breached records were located on network servers, though a good number of breaches also involved PHI stored in email accounts.

Biggest Healthcare Data Breaches Reported in September

1. Trinity Health – 3,320,726 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
2. Inova Health System – 1,045,270 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
3. NorthShore University HealthSystem – 348,746 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
4. SCL Health – Colorado (affiliated covered entity) – 343,493 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
5. Nuvance Health (on behalf of its covered entities) – 314,829 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
6. The Baton Rouge Clinic, A Medical Corporation – 308,169 individuals affected by Hacking/IT Incident due to Ransomware Attack
7. Virginia Mason Medical Center – 244,761 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
8. University of Tennessee Medical Center – 234,954 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
9. Legacy Community Health Services, Inc. – 228,009 individuals affected by Hacking/IT Incident due to Phishing Attack
10. Allina Health – 199,389 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
11. University of Missouri Health Care – 189,736 individuals affected by Hacking/IT Incident due to Phishing Attack
12. The Christ Hospital Health Network – 183,265 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
13. Stony Brook University Hospital – 175,803 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
14. Atrium Health – 165,000 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
15. University of Kentucky HealthCare – 163,774 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
16. Children’s Minnesota – 160,268 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
17. Roswell Park Comprehensive Cancer Center – 141,669 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
18. Piedmont Healthcare, Inc. – 111,588 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
19. SCL Health – Montana (affiliated covered entity) – 93,642 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack
20. Roper St. Francis Healthcare – 92,963 individuals affected by Hacking/IT Incident due to Blackbaud Ransomware Attack

September Data Breaches by Covered Entity Type

Healthcare providers reported 88 data breaches with at least 500 records exposed in September. Health plans reported 2 breaches. Business associates of HIPAA-covered entities reported 5 breaches, but there were 53 other breaches that were reported by the covered entity and involved a business associate. Almost all of those 53 breaches were because of the Blackbaud ransomware attack.

September 2020 Data Breaches by State

Covered entities and business associates from 30 states as well as the District of Columbia submitted reports of data breaches in which 500 or more records were breached.

New York reported 10 breaches. California, Pennsylvania, and Minnesota each reported 6 breaches. Colorado, Texas, and South Carolina each reported 5 breaches. Florida, Massachusetts, Georgia, Ohio, and Virginia each reported 4. Kentucky, Iowa, Louisiana, and Michigan each reported 3. Connecticut, North Carolina, Maryland, Tennessee, and Wisconsin each reported 2.

Alabama, Delaware, Indiana, Illinois, Missouri, New Jersey, New Hampshire, Washington, Oklahoma, and the District of Columbia reported one breach each.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA