In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, which represents a 17.86% month-over-month decline in data breaches. The number of stolen or exposed healthcare records also declined from 2,292,522 in July to 623,688 healthcare records in August – a fall of 267.56%.
Hacking incidents were the top cause of healthcare data breaches in August, accounting for 53.57% of all data breaches reported to OCR. Those incidents involved 95.73% of all exposed or compromised health records in the month. Out of the top ten largest breaches, eight were caused by hacks, ransomware or malware attacks.
There were nine insider breaches in August, which account for 32.14% of all healthcare data breaches for the month. 18,488 healthcare records were compromised as a result of these insider breaches – 2.96% of all exposed health records in the month.
Two breaches involved the loss of PHI – one involved physical records while the other one involved electronic protected health information. Two cases of theft of paper records were also reported in August.
The largest healthcare data breaches reported in August 2018 are as follows:
- A hacking/IT Incident at AU Medical Center, Inc impacted 417,000 persons
- A hacking/IT Incident at Fetal Diagnostic Institute of the Pacific impacted 40,800 persons
- A hacking/IT Incident at Legacy Health impacted 38,000 persons
- A hacking/IT Incident at Acadiana Computer Systems, Inc. impacted 31,151 persons
- A hacking/IT Incident at Carpenters Benefit Funds of Philadelphia impacted 20,015 persons
- A hacking/IT Incident at University Medical Center Physicians impacted 18,500 persons
- A hacking/IT Incident at Simon Orthodontics impacted 15,129 persons
- An unauthorized Access/Disclosure incident at Wells Pharmacy Network impacted 10,000 persons
- A loss of PHI incident at St. Joseph’s Medical Center impacted 4,984 persons
- A hacking/IT Incident at Central Colorado Dermatology PC impacted 4,065 persons
There were 14 email-related data breaches in August. Many of these data breaches were due to phishing attacks that resulted in unauthorized individuals accessing healthcare employees’ email accounts. There were six breaches that involved PHI kept on network servers. Five breaches involved PHI in paper records.
Twenty-one breaches in August were reported by healthcare providers, two breaches were reported by health plans, and 5 breaches were reported by business associates of HIPAA-covered entities. One other breach also involved a business associate but was reported by the healthcare provider.
The healthcare data breaches reported in August affected organizations in 19 states. Oregon suffered four breaches, California and Florida suffered three breaches each, Colorado and Texas each experienced two breaches, and one breach was reported in each of Arizona, Georgia, Hawaii, Indiana, Illinois, Louisiana, Michigan, Maryland, New York, Nevada, Ohio, Pennsylvania, Virginia and Tennessee.
There were no settlements agreed with the HHS’ Office for Civil Rights in August, nor were any civil monetary penalties issued. One HIPAA-covered entity settled HIPAA violations with the New York attorney general in August – The Arc of Erie County – and paid a financial penalty of $200,000.