April was a bad month for the healthcare industry: both the number of data breaches and the number of people affected were higher than in March. The Department of Health and Human Services received 41 reports of healthcare data breaches, which together resulted in 894,874 healthcare records being exposed or stolen.
Healthcare data breaches have increased month over month for the past four months. The top cause of data breaches in April was unauthorized access or disclosure. Although cybersecurity defenses have clearly improved, insiders still cause accidental data breaches, and healthcare employees are still involved in malicious acts.
The security incident at the California Department of Developmental Services accounts for over half of the healthcare records exposed in April. Thieves reportedly stole electronic equipment from a California Department of Developmental Services office and set the premises on fire after the break-in. Most of the PHI potentially exposed was in physical form, but it appears the burglars did not take any of it. The ePHI stored on the stolen equipment was encrypted and was not exposed.
Hacking usually accounts for the highest number of stolen or exposed healthcare records, but in April, unauthorized access/disclosure incidents caused the largest number of breached records. Eleven major breaches exposed more than 10,000 records each. Phishing attacks also resulted in data breaches: nine incidents were due to the hacking of email accounts. Healthcare organizations need to improve their technology to prevent malicious emails from reaching employees’ inboxes.
| Covered Entity | Entity Type | Records Exposed | Breach Type |
|---|---|---|---|
| CA Department of Developmental Services | Health Plan | 582,174 | Unauthorized Access/Disclosure |
| Center for Orthopaedic Specialists – Providence Medical Institute (PMI) | Healthcare Provider | 81,550 | Hacking/IT Incident |
| MedWatch LLC | Business Associate | 40,621 | Unauthorized Access/Disclosure |
| Inogen, Inc. | Healthcare Provider | 29,528 | Hacking/IT Incident |
| Capital Digestive Care, Inc. | Healthcare Provider | 17,639 | Unauthorized Access/Disclosure |
| Iowa Health System d/b/a UnityPoint Health | Business Associate | 16,429 | Hacking/IT Incident |
| Knoxville Heart Group, Inc. | Healthcare Provider | 15,995 | Hacking/IT Incident |
| Athens Heart Center, P.C. | Healthcare Provider | 12,158 | Hacking/IT Incident |
| Fondren Orthopedic Group L.L.P. | Healthcare Provider | 11,552 | Unauthorized Access/Disclosure |
| Kansas Department for Aging and Disability Services | Healthcare Provider | 11,000 | Unauthorized Access/Disclosure |
| Carolina Digestive Health Associates, PA | Healthcare Provider | 10,988 | Unauthorized Access/Disclosure |
Healthcare providers reported the majority of the breaches in April. Business associates reported five breaches, but they were involved in at least 11 other breach incidents. Illinois reported 6 breaches, followed by California with 5. Texas had 3 breaches, while Florida, Kansas, Iowa, Louisiana, Minnesota, Maryland, North Carolina, New Jersey, Wisconsin and Virginia each had 2. Georgia, Montana, Kentucky, New York, Nebraska, Pennsylvania and Tennessee each reported one breach.
Regarding financial penalties for HIPAA violations, the HHS’ Office for Civil Rights has already issued two in 2018. In April, the New Jersey attorney general’s office resolved a state law and HIPAA violation case against Virtua Medical Group, which agreed to pay $417,816. The case involved the online exposure of the names, prescription information and diagnoses of 1,654 New Jersey residents because of a misconfigured server. Virtua Medical Group was alleged to have failed to conduct a risk analysis and to implement appropriate security measures, which resulted in the data breach.