April 2019 Was the Worst Ever Month for Healthcare Data Breaches

April was a record-breaking month for healthcare data breaches. More data breaches were reported by healthcare organizations in the United States than in any other month since the HHS’ Office for Civil Rights started listing data breaches on its website in 2009. There were 46 breaches reported in April and 694,710 healthcare records were exposed.

10 of the 46 breaches resulted in the exposure of more than 10,000 healthcare records, with two of those breaches involving more than 100,000 records. The largest breach of the month was a ransomware attack on Doctor’s Management Services (DMS) which saw 206,695 healthcare records potentially exposed.

While ransomware attacks are often solely concerned with encrypting files to obtain a ransom payment, this breach saw the attacker gain access to DMS systems 7 months prior to ransomware being deployed. What the attacker did over those 7 months is unknown, although PHI access is a strong possibility.

The second largest breach was reported by Centrelake Medical Group, which also involved ransomware. That breach potentially exposed the records of 197,661 individuals.

Ransomware attacks, malware infections, and hacks – grouped together as hacking/IT incidents by OCR – dominated the breach reports in April 2019. 28 of the 46 reported data breaches were in this category and these incidents accounted for 55% of all exposed records in April (384,219 records).

There were 14 unauthorized access/disclosure incidents reported, which accounted for 38% of the healthcare records exposed in April (264,016 records). There were two theft incidents, one reported loss of PHI, and one improper disposal incident.

As has been the case in most months over the past year, the most common location of breached PHI was email. 22 of the 46 breaches involved PHI stored in email accounts. Most of the email breaches in April were due to phishing attacks. Network servers were involved in 11 incidents and there were 6 breaches involving paper records. The remaining breaches involved desktop computers (3), EMRs (2), laptop computers (1), and other portable electronic devices (1).

Healthcare providers reported 38 incidents, 6 were reported by health plans, and there were two incidents reported by business associates. The breaches were spread across 21 states, with California and Texas topping the list with 5 breaches each.

2019 has so far been a quiet year for HIPAA enforcement. Up until April, OCR had not issued any financial penalties to resolve HIPAA violations. The first financial penalty was issued in May: a $3 million settlement was reached with Touchstone Medical Imaging to resolve multiple HIPAA violations, mostly concerning a delayed breach response.