March 2019 had a rate of about one reported healthcare data breach per day. The HHS' Office for Civil Rights received 30 healthcare data breach reports from HIPAA-covered entities and their business associates. The number of healthcare data breaches in March was 11% higher than the average over the last 60 months.
Month over month, the number of reported breaches dropped by 6.67% and the number of breached healthcare records was 58% lower. The healthcare records of 883,759 people were exposed, stolen or impermissibly disclosed in March because of healthcare data breaches.
Causes of Healthcare Data Breaches in March 2019
The top cause of healthcare data breaches in March was hacking and other IT incidents, such as ransomware and malware. There were 19 hacking/IT incidents reported in March, accounting for 83.69% of exposed records (739,635 records); 8 unauthorized access/impermissible disclosure incidents with 81,904 healthcare records accessed or impermissibly disclosed; and 4 theft incidents with 23,960 records compromised.
Biggest Healthcare Data Breaches Reported in March 2019
Navicent Health reported the biggest data breach, which involved a phishing attack that resulted in the potential access and copying of 278,016 patient records by the attackers. ZOLL Services reported a data breach of about the same size, with 277,319 healthcare records exposed. The breach at ZOLL Services' business associate, an email archiving company, was due to the accidental removal of its network server's protection. It is unknown whether unauthorized persons accessed the records while the data was accessible.
Location of Breached PHI
March 2019 saw 12 healthcare data breaches involving email incidents, mostly due to phishing attacks. There were 7 hacking/IT incidents involving network servers, such as hacks, ransomware attacks, and the accidental deactivation of security solutions.
Healthcare Data Breaches by Covered Entity in March 2019
In March, healthcare providers reported 21 incidents, health plans reported 4 incidents, and HIPAA business associates reported 5 data breaches; three breaches additionally involved business associate agreements.
Healthcare Data Breaches by State
Data breaches at healthcare organizations/business associates were reported in 18 states in March 2019. California, Ohio, and Pennsylvania reported three data breaches each. Arizona, Idaho, Massachusetts, Maryland, Minnesota, Oregon, and South Carolina reported two breaches each. Arizona, Connecticut, Georgia, Florida, Indiana, Mississippi, Oklahoma and New York reported one breach each.
HIPAA Enforcement Activities in March 2019
The HHS' Office for Civil Rights did not issue any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has issued a financial penalty over a data breach that occurred in 2015.
Texas approved a settlement of $1.6 million to cover alleged HIPAA violations found while investigating an 8-year data breach reported in June 2015. The settlement has not yet been publicly confirmed.
State attorneys general also did not agree with the HIPAA-related financial penalties.