February was a particularly bad month for healthcare data breaches, so it is no surprise there was a fall in the number of healthcare records exposed in data breaches in March. However, the number of records exposed was still much higher than average. The health records of 912,992 individuals were exposed in March in 31 reported healthcare data breaches.
Hacking and other IT incidents dominated the breach reports in March. Out of the 31 reported breaches, 19 were due to hacks and other IT incidents such as malware and ransomware infections. There were 8 unauthorized access/disclosure incidents and four cases of theft of physical or electronic protected health information.
807,128 healthcare records were exposed or compromised in hacking incidents, 81,904 records were impermissibly accessed or disclosed, and 23,960 records were stolen.
The largest breach reported in March affected Navicent Health, which saw the health records of 278,016 patients exposed as a result of a phishing attack. Multiple email accounts were compromised that contained ePHI in emails and email attachments.
ZOLL Services also experienced a breach on a similar scale. 277,319 individuals’ PHI was exposed as a result of protections being accidentally removed on a server used by its email archiving company.
Burrell Behavioral Health also saw ePHI exposed by a business associate. An internet-facing portal had protections removed, which allowed electronic images containing patients’ PHI to be exposed online. 67,493 patients were impacted by the attack.
While not one of the largest breaches to be reported in April, a ransomware attack on Brookside ENT and Hearing Center in Battle Creek, MI, proved devastating. The small practice suffered a ransomware attack that saw the PHI of patients first encrypted, and then deleted by the attackers when the company failed to pay the ransom demand. The practice owners decided to take early retirement and close the business as a result of the attack, rather than having to rebuild the business from scratch.
The most common location of breached protected health information in March was email. Email was involved in 12 of the 31 attacks. 8 attacks involved data stored on network servers.
Healthcare providers experienced 22 breaches, four breaches were experienced by health plans, and there were 5 breaches reported by business associates. A further 4 breaches involved business associates to some degree.
There were no breaches reported by healthcare organizations based in Texas in March, which is surprising given the population of the state. California, Ohio, and Pennsylvania were the worst affected states with three breaches apiece. Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina each had 2 reported breaches, and Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, Missouri, New York, and Oklahoma each had one reported breach.
There were no HIPAA fines or settlements announced in March 2019.