Almost 2 Million Records Exposed in May 2019 Healthcare Data Breaches

It has been another bad month for the U.S. healthcare industry. Rather than April’s record number of healthcare data breaches being a blip, breaches continued to be reported at elevated levels in May.

In 2018, on average, 29.5 healthcare data breaches were reported each month. In 2019, an average of 37.2 breaches have been reported each month, with April being the worst ever month for breaches with 47 incidents reported.

In May, 44 data breaches were reported. Those breaches resulted in the theft, impermissible disclosure, or exposure of 1,988,376 healthcare records. That makes May 2019 the second worst month for healthcare data breaches since records of breaches first started to be published in 2009.

The Department of Health and Human Services’ Office for Civil Rights publishes details of data breach reports on its breach portal, often referred to as the ‘HIPAA Wall of Shame’. So far in 2019, 186 healthcare data breaches of more than 500 records have been reported to OCR, which is 52% of last year’s record-breaking total. 2019 looks set to break that record once again.

So far in 2019, 6.2 million healthcare records have been compromised. The 20-million record breach at AMCA that was reported in June will take that total to more than 26 million records. Even if there were to be no more data breaches in 2019, this year would still be the second worst ever year for healthcare data breaches in terms of the number of records exposed.

The largest healthcare data breach in May was reported by Inmediata Health Group, a healthcare clearinghouse. As a result of a misconfigured web page, data meant for internal use became accessible over the internet. More than 1,565,000 healthcare records were exposed.

The majority of breaches in May were hacking incidents (22) and unauthorized access/disclosure incidents (18). There were four breaches reported that involved the loss or theft of physical records or electronic devices containing PHI.

225,671 healthcare records were exposed in hacking incidents, 1,752,188 records were compromised in unauthorized access/disclosure incidents, and 10,517 records were compromised as a result of loss or theft.

Phishing attacks continue to cause major problems for healthcare organizations. 22 of the breaches in May involved PHI in email accounts. Ransomware attacks also increased in May.

In May, breaches were reported by 34 healthcare providers, 5 health plans, 4 business associates, and a healthcare clearinghouse. A further two breaches had some business associate involvement. Breached entities were spread across 17 states, with Texas the worst affected with 7 breaches.

There were three HIPAA enforcement actions in May 2019. OCR agreed to settle two cases with HIPAA-covered entities to resolve HIPAA violations. Touchstone Medical Imaging agreed to a $3 million penalty and Medical Informatics Engineering paid OCR $100,000 to settle its case.

Medical Informatics Engineering also settled a multi-state lawsuit with 16 state attorneys general over its breach and paid an additional $900,000.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/