There were 36 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September. This number represents a 26.53% decrease in breaches from the previous month.
The September breaches compromised a total of 1,957,168 healthcare records, representing a 168.11% increase from August. The high total is down to four reported incidents, each of which involved many thousands of medical records. Three of the incidents were confirmed as ransomware attacks.
Biggest Healthcare Data Breaches in September
The biggest breaches of the month were mostly due to ransomware attacks:
- a ransomware attack on North Florida OB-GYN in Jacksonville, FL resulted in the potential compromise of 528,188 healthcare records
- a ransomware attack on Sarrell Dental resulted in the encryption of the medical records of 391,472 patients of its clinics in Alabama
- a ransomware attack on Premier Family Medical in Utah resulted in the potential compromise of medical records of 320,000 patients
- a network server hacking incident at the University of Puerto Rico involved the possible compromise of 439,753 Intramural Practice Plan members' records
The records compromised in those four breaches account for 85.80% of the total healthcare records compromised in September.
Causes of Healthcare Data Breaches in September 2019
Hacking/IT incidents dominated the breach reports in September, with 24 incidents reported. Nine incidents were caused by unauthorized access/disclosure, and three cases were due to loss/theft of physical and electronic records.
The 24 hacking/IT incidents resulted in the compromise of 1,917,657 healthcare records, which comprise 97.98% of breached healthcare records in September. The mean breach size and the median breach size were 958,829 records and 5,255 records, respectively.
Unauthorized access/disclosure incidents in September resulted in the breach of 19,741 healthcare records, or 1% of the records breached in September. The mean breach size and the median breach size were 2,193 records and 998 records, respectively. Two reported theft incidents compromised 4,770 physical and electronic records, and a single loss case involved 15,000 records kept on a portable electronic device.
Location of Breached Protected Health Information (PHI)
Phishing is still a big issue for the healthcare market. In September, 44.44% of breaches (16 cases) affected PHI stored in email accounts. A large percentage of the 13 network server incidents were due to ransomware attacks.
Healthcare Data Breaches by Covered Entity Type
In September, healthcare providers reported 28 data breaches, health plans/health insurers reported four incidents, and business associates of HIPAA covered entities reported four incidents. However, four of the breaches reported by covered entities had some business associate involvement.
States Affected by Healthcare Data Breaches in September 2019
In September, 23 states and Puerto Rico reported data breaches. California, Maryland, and Washington reported three breaches each. Arizona, Arkansas, Colorado, Georgia, Indiana, and South Carolina reported two breaches each. Alabama, Illinois, Iowa, Florida, Michigan, Maine, Nebraska, New Jersey, Oklahoma, Ohio, Tennessee, Texas, West Virginia, Utah, and Puerto Rico each reported one breach.
HIPAA Enforcement Activity in September 2019
In September 2019, the HHS’ Office for Civil Rights announced the third HIPAA violation penalty of the year. OCR issued an $85,000 financial penalty to Bayfront Health St Petersburg in Florida for failing to provide a patient with a copy of her child’s fetal heart monitor data within an acceptable time period. The patient made several attempts before receiving the records, over a period of 9 months.
State attorneys general did not issue any financial penalties in September over HIPAA violations.