Healthcare Data Breach Report for April 2018


April was a worse month for the healthcare industry than March, both in the number of data breaches reported and in the number of people affected. The Department of Health and Human Services received 41 reports of healthcare data breaches in April, which together resulted in 894,874 healthcare records being exposed or stolen.

Healthcare data breaches have now increased month over month for four consecutive months. The leading cause of data breaches in April was unauthorized access or disclosure. While cybersecurity defenses have improved, insiders continue to cause accidental breaches, and some healthcare employees are still involved in deliberate misuse of patient data.

A single incident at the California Department of Developmental Services accounts for over half of the healthcare records exposed in April. Thieves broke into a departmental office, stole electronic equipment and set fire to the premises before leaving. Most of the PHI potentially exposed was in paper form, and it appears the thieves did not take any of it. The ePHI stored on the stolen equipment was encrypted and was therefore not exposed; the incident is listed as unauthorized access/disclosure rather than as a hacking/IT incident.

Hacking is usually responsible for the largest number of stolen or exposed healthcare records, but in April unauthorized access/disclosure incidents accounted for the most breached records. There were 11 major breaches in which more than 10,000 records were exposed. Phishing attacks also led to data breaches: nine incidents involved the hacking of email accounts. Healthcare organizations need to improve their email security technology so that malicious messages are blocked before they reach employees' inboxes.

Largest healthcare data breaches reported in April 2018 (10,000 or more records):

Covered Entity                                                           Entity Type          Records Exposed  Breach Type
CA Department of Developmental Services                                  Health Plan                  582,174  Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI)  Healthcare Provider           81,550  Hacking/IT Incident
MedWatch LLC                                                             Business Associate            40,621  Unauthorized Access/Disclosure
Inogen, Inc.                                                             Healthcare Provider           29,528  Hacking/IT Incident
Capital Digestive Care, Inc.                                             Healthcare Provider           17,639  Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health                               Business Associate            16,429  Hacking/IT Incident
Knoxville Heart Group, Inc.                                              Healthcare Provider           15,995  Hacking/IT Incident
Athens Heart Center, P.C.                                                Healthcare Provider           12,158  Hacking/IT Incident
Fondren Orthopedic Group L.L.P.                                          Healthcare Provider           11,552  Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services                      Healthcare Provider           11,000  Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA                                 Healthcare Provider           10,988  Unauthorized Access/Disclosure

Healthcare providers reported the majority of April's breaches. Business associates reported five breaches themselves but were involved in at least 11 others. Illinois reported the most breaches (6), followed by California (5) and Texas (3). Florida, Kansas, Iowa, Louisiana, Minnesota, Maryland, North Carolina, New Jersey, Wisconsin and Virginia each reported 2 breaches, and Georgia, Montana, Kentucky, New York, Nebraska, Pennsylvania and Tennessee each reported one.

The HHS' Office for Civil Rights has issued two financial penalties for HIPAA violations so far in 2018. In April, the New Jersey Attorney General's office settled a state and HIPAA violation case with Virtua Medical Group, which agreed to pay $417,816. The case involved a misconfigured server that exposed the names, prescriptions and diagnosis information of 1,654 New Jersey residents online. Virtua Medical Group was alleged to have failed to conduct a risk analysis and to implement appropriate security measures, failures which resulted in the data breach.