Healthcare Data Breach Report for July 2018

July 2018 is by far the worst month in 2018 with respect to healthcare data breaches. There were 33 healthcare data breaches reported in July 2018, and while this was the same number as June, 543.6% more records were exposed in those breaches. In July 2018, 2,292,552 patient healthcare records were exposed, stolen, or impermissibly disclosed. That is 202,859 more records than were exposed in all of April, May, and June combined.

To date, 2018 has already seen 221 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The protected health information (PHI) of 6,112,867 people has been compromised, stolen, or impermissibly disclosed as a result of those breaches. That figure is 974,688 more than the total for all of last year. 2018 is shaping up to be a particularly bad year for healthcare data breaches.

Analysis of July 2018 Healthcare Data Breaches

Unauthorized access to PII/PHI by employees and impermissible disclosure of that information are common in the healthcare industry; however, in July there was a 46.6% reduction in these kinds of breaches. There was likewise a decline in the number of breaches that involved the theft or loss of unencrypted electronic devices and physical data in July, which fell by 50% month over month.

The leading causes of breaches in July were hacking incidents, ransomware attacks, and other IT incidents such as malware and phishing attacks. There was a 66.7% increase in hacking/IT incidents compared to June. Those incidents were responsible for the exposure of more healthcare records than the combined total of exposed records from all other types of breaches.

Seven of the 15 biggest data breaches in July were phishing attacks. Three incidents involved the failure to secure electronic PHI, two were ransomware attacks, and two were due to improper disposal of physical records. The second leading cause of exposed PHI in July was improper disposal of physical PHI, which included the breach at SSM Health involving 301,000 records. The top cause of exposed PHI in July was phishing attacks. Phishing incidents resulted in the exposure and possible theft of over 1.6 million healthcare records.

In July, 12 healthcare data breaches exposed more than 10,000 records, and four healthcare data breaches affected more than 100,000 people. Fourteen breaches had between 1,000 and 9,999 records exposed, and seven breaches had 500 to 999 records exposed. Four of the 10 biggest healthcare data breaches in 2018 were reported to OCR in July.

The biggest healthcare data breach in July and in all of 2018 was a phishing attack on Iowa Health System dba UnityPoint Health. The threat actor spoofed the email account of an executive and sent email messages to UnityPoint Health employees. Some employees were tricked into disclosing their login details, which allowed the attacker to access their email accounts. The PHI of over 1.4 million patients was contained in those email accounts.

Considering the high number of phishing attacks that were reported in July, it is no surprise that the primary location of breached PHI was email. That has been the case every month since March. In July, seven incidents were network server related, which included ransomware incidents, unintentional removal of security defenses, malware attacks, and hacking incidents.

Healthcare providers reported 28 breaches, health plans reported two data breaches, and business associates reported three, though nine reported data breaches involved business associates to some degree.

Healthcare companies located in 22 states reported health data breaches in July. Florida and Massachusetts had the most breaches reported, with three each. Alaska, Missouri, Pennsylvania, New York, Virginia, Texas and Washington experienced two breaches each. Arkansas, Colorado, California, Idaho, Illinois, Indiana, Maryland, Montana, Michigan, Nebraska, New Mexico, New Jersey and Tennessee each had one breach reported.