It has been another bad month for the U.S. healthcare industry. Rather than April’s record number of healthcare data breaches being a blip, breaches continued to be reported at elevated levels in May.
In 2018, on average, 29.5 healthcare data breaches were reported each month. In 2019, an average of 37.2 breaches have been reported each month, with April being the worst-ever month for breaches with 47 incidents reported.
In May, 44 data breaches were reported. Those breaches resulted in the theft, impermissible disclosure, or exposure of 1,988,376 healthcare records. That makes May 2019 the second worst month for healthcare data breaches since records of breaches first started to be published in 2009.
The Department of Health and Human Services’ Office for Civil Rights publishes details of data breach reports on its breach portal, often referred to as the ‘HIPAA Wall of Shame’. So far in 2019, 186 healthcare data breaches of more than 500 records have been reported to OCR, which is 52% of last year’s record-breaking total. 2019 looks set to break that record once again.
So far in 2019, 6.2 million healthcare records have been compromised. The 20-million-record breach at AMCA that was reported in June will take that total to more than 26 million records. Even if there were to be no more data breaches in 2019, this year would still be the second-worst year ever for healthcare data breaches in terms of the number of records exposed.
The largest healthcare data breach in May was reported by Inmediata Health Group, a healthcare clearinghouse. As a result of a misconfigured web page, data meant for internal use became accessible over the internet. More than 1,565,000 healthcare records were exposed.
The majority of breaches in May were hacking incidents (22) and unauthorized access/disclosure incidents (18). There were four breaches reported that involved the loss or theft of physical records or electronic devices containing PHI.
225,671 healthcare records were exposed in hacking incidents, 1,752,188 records were compromised in unauthorized access/disclosure incidents, and 10,517 records were compromised as a result of loss or theft.
Phishing attacks continue to cause major problems for healthcare organizations. 22 of the breaches in May involved PHI in email accounts. Ransomware attacks also increased in May.
In May, breaches were reported by 34 healthcare providers, 5 health plans, 4 business associates, and a healthcare clearinghouse. A further two breaches had some business associate involvement. Breached entities were spread across 17 states, with Texas the worst affected with 7 breaches.
There were three HIPAA enforcement actions in May 2019. OCR agreed to settle two cases with HIPAA-covered entities to resolve HIPAA violations. Touchstone Medical Imaging agreed to a $3 million penalty and Medical Informatics Engineering paid OCR $100,000 to settle its case.
Medical Informatics Engineering also settled a multi-state lawsuit with 16 state attorneys general over its breach and paid an additional $900,000.