In December 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) received 38 reports of healthcare data breaches involving 500 or more exposed records, which is 8.57% more than the number of healthcare breaches reported in November 2019. A total of 505 data breaches were reported to OCR in 2019, an increase of 36.12% from 371 breaches in 2018.
Although the number of breaches was higher, the number of exposed healthcare records decreased by 35.30% from 607,728 records (November 2019) to 393,189 records (December 2019). The mean breach size and the median breach size for December 2019 were 10,347 records and 3,650 records, respectively.
2019 was a bad year in terms of healthcare data breaches and was the second-worst year ever with regard to the number of patients affected by breaches. The number of healthcare records exposed, impermissibly disclosed or stolen in 2019 was 41,232,527, which is 195.61% higher than in 2018. This figure is higher than the combined number of breached healthcare records in the previous three years.
Biggest Healthcare Data Breaches in December 2019
Truman Medical Center in Kansas City, MO reported the biggest healthcare data breach in December, which affected 114,466 patients. The incident involved the theft of a company-owned laptop computer containing patient data from an employee’s vehicle. Though the laptop was password-protected, it was not encrypted.
Of the top 10 breaches reported in December, 8 involved hacking/IT incidents. In particular, the breaches at Adventist Health Simi Valley, Cheyenne Regional Medical Center, Healthcare Administrative Partners, SEES Group, and Sinai Health System were caused by phishing attacks. The breach at Roosevelt General Hospital involved a malware infection and the breach at Children’s Choice Pediatrics involved a ransomware attack.
The breach at the Colorado Department of Human Services was caused by a coding error on a mailing and the breach at Texas Family Psychology Associates was caused by unauthorized access to its electronic medical record system.
1. Truman Medical Center, Incorporated had 114,466 individuals affected due to theft
2. Adventist Health Simi Valley had 62,000 people affected due to hacking/IT Incident
3. Roosevelt General Hospital had 28,847 people affected due to hacking/IT Incident
4. Healthcare Administrative Partners had 17,693 people affected due to hacking/IT Incident
5. Cheyenne Regional Medical Center had 17,549 people affected due to hacking/IT Incident
6. SEES Group, LLC Healthcare Provider had 13,000 people affected due to hacking/IT Incident
7. PediHealth, PLLC, dba Children’s Choice Pediatrics had 12,689 people affected due to hacking/IT Incident
8. Sinai Health System had 12,578 people affected due to hacking/IT Incident
9. Colorado Department of Human Services had 12,230 people affected due to hacking/IT Incident
10. Texas Family Psychology Associates, P.C. had 12,000 people affected due to unauthorized access/disclosure
Healthcare Data Breaches in December 2019 by Covered Entity
Breaches involving 500 or more healthcare records were reported by 28 healthcare providers, four health plans and 6 business associates of covered entities. One breach reported by a covered entity had some involvement of a business associate.
Causes of Healthcare Data Breaches in December 2019
HIPAA-covered entities and business associates reported 21 hacking/IT incidents, which involved 226,774 healthcare records exposed or stolen. The mean breach size and the median breach size were 10,798 records and 5,991 records, respectively. The hacking/IT incidents comprised phishing attacks, malware and ransomware attacks, and coding errors.
The 11 reported breaches involving unauthorized access to healthcare data and impermissible disclosures of protected health information (PHI) were caused by insider errors or the malicious actions of employees. There were 46,364 healthcare records exposed with a mean breach size of 4,214 records and a median breach size of 3,500 records.
Two theft incidents were reported, and three incidents were reported involving missing electronic devices and paperwork that contained PHI. Those incidents resulted in 118,877 lost or stolen records. The mean breach size and the median breach size were 23,775 records and 1,100 records, respectively. One incident involved improper disposal of paperwork with the PHI of 1,174 individuals.
Location of Breached PHI
Most of the email incidents in December 2019 were due to phishing attacks in which unauthorized persons acquired employees’ login credentials and used them for remote access to their email accounts.
Healthcare Data Breaches by State
HIPAA-covered entities and business associates in 22 states and the District of Columbia reported data breaches. Texas, California and Illinois had 4 breaches each; Florida had 3 breaches, while Colorado, Georgia, and Tennessee had two breaches each.
The following states reported one breach each: Alaska, Connecticut, Louisiana, Michigan, Maryland, Missouri, New York, New Mexico, Oklahoma, Ohio, Pennsylvania, South Carolina, North Carolina, Wyoming, Washington, and the District of Columbia.
The information stated in this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report published on January 21, 2020.