December was the second-best month of 2018 for healthcare data breaches with only 23 healthcare data breaches reported. November was the second worst month with 34 breaches and was the worst month in terms of the number of exposed healthcare records (3,230,063).
In December 2018, 516,370 healthcare records were exposed, impermissibly shared, or stolen as a result of data breaches. If the Adams County breach report had not been issued later than the 60 day HIPAA deadline, December would have been the best month of 2018 in terms of the number of breaches and the number of records exposed. The Adams County breach happened in March 2018, was verified on June 29, but only reported to OCR on December 11.
The Top 10 Biggest Healthcare Data Breaches of December 2018
- Adams County – unauthorized access/disclosure impacting 258,120 people
- JAND Inc. d/b/a Warby Parker – hacking/IT incident impacting 177,890 people
- University of Vermont Health Network – Elizabethtown Community Hospital – hacking/IT incident impacting 32,470 people
- The Podiatric Offices of Bobby Yee – hacking/IT incident impacting 24,000 people
- Choice Rehabilitation – hacking/IT incident impacting 4,309 people
- Virtual Radiologic Professionals, LLC – hacking/IT incident impacting 2,568 people
- Kent County Community Mental Health Authority – hacking/IT incident impacting 2,284 people
- Butler County Board of County Commissioners – unauthorized access/disclosure impacting 1,912 people
- Barnes-Jewish Hospital – hacking/IT incident impacting 1,643 people
- Tift Regional Medical Center – hacking/IT incident impacting 1,045 people
Causes of Healthcare Data Breaches in December 2018
The healthcare industry experiences more insider breaches than other industries, and insider breaches often outnumber external attacks. In December, however, there were more hacking/IT incidents than unauthorized access/disclosure incidents. Of the top 10 data breaches listed above, eight were due to ransomware attacks, hacks, or other IT incidents.
Though unauthorized access/disclosure incidents typically affect fewer people than hacking breaches, that was not the case in December. The biggest breach in December involved an ex-employee of Adams County, WI, who accessed a network server without authorization.
A total of 264,049 healthcare records were compromised as a result of the 7 unauthorized access/disclosure incidents in December. The mean breach size and median breach size were 37,721 records and 911 records, respectively.
A total of 250,404 healthcare records were compromised as a result of the 13 hacking/IT incidents. The mean breach size and median breach size were 19,261 records and 1,643 records, respectively.
Two theft incidents were reported in December and one incident involved the improper disposal of paper documents.
Location of Breached Protected Health Information (PHI)
Phishing attacks continued to cause problems for healthcare organizations. In December, the biggest phishing incident, at Elizabethtown Community Hospital, affected 32,470 patients. The PHI was stored in a single email account.
In the Kent County Community Mental Health Authority phishing incident, three email accounts were compromised, though only 2,200 individuals’ PHI was compromised.
Email was the most common location of breached PHI in December, but network server breaches were more damaging. Two of the biggest December 2018 healthcare data breaches involved network servers and impacted 436,010 people; those two incidents account for 84.43% of December's total number of breached records.
Types of Covered Entity Affected by Data Breaches
Six data breaches involved health plans in December, but they were all relatively small. Only the Butler County Board of County Commissioners breach incident impacted over 1,000 plan members (1,912).
One business associate of a HIPAA-covered entity reported a data breach, and three other breaches had some business associate involvement. Healthcare providers reported 16 breaches.
Healthcare Data Breaches by State
In December 2018, 13 states were affected by healthcare data breaches. Minnesota had four data breaches, Arizona had three, two breaches were reported by healthcare organizations from California, New York, Missouri, Ohio, and Wisconsin, and the states of Georgia, Illinois, Kentucky, Michigan, Massachusetts and Pennsylvania had one data breach each.
HIPAA Fines and Settlements
In December 2018, the Department of Health and Human Services' Office for Civil Rights (OCR) reached settlements with two HIPAA-covered entities to resolve HIPAA violations. That brought the total number of HIPAA fines and settlements in 2018 to 10. The two December settlements were:
- Advanced Care Hospitalists: $500,000
- Pagosa Springs Medical Center: $111,400
State Attorneys General issued two financial penalties in December to resolve HIPAA violations.
- McLean Hospital was fined $75,000 by Massachusetts
- EmblemHealth was fined $575,000 by New Jersey