Reported healthcare data breaches in June 2018 increased by 13.8% month-over-month although there were 42.48% fewer exposed/stolen healthcare records than in May 2018. In June, 33 healthcare data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights. The total number of exposed or stolen healthcare records in June 2018 was 356,232, which is the lowest number since March 2018.
The number one cause of healthcare data breaches reported in June 2018 was unauthorized access/disclosure incidents. The second is hacking/IT incidents. The number of data breaches with corresponding causes are as follows:
- 15 unauthorized access/disclosure breaches
- 12 hacking/IT incidents
- 4 cases of theft of electronic devices
- 2 cases of theft if paper records
As for the number of healthcare records exposed according to breach type, there were 157.5% more records exposed as a result of theft incidents in June compared to May 2018. There was a decrease of 56% in the number of exposed or stolen healthcare records due to hacking/IT incidents. Exposed or stolen healthcare records because of unauthorized access/disclosure incidents decreased by 74%.
Eight of the largest healthcare data breaches in June 2018 were due to hacking and phishing attacks. Med Associates, a claims service provider, reported the largest breach which impacted 276,057 persons. The data were stored on a computer that was hacked and accessed remotely. HealthEquity Inc., Black River Medical Center, InfuSystem Inc., the New England Baptist Health, Arkansas Children’s Hospital and RISE Wisconsin also experienced major breaches and reported the incidents in June.
Most of the breaches occurred because of email. In June, 7 out of 9 email-related breaches were due to phishing attacks. One email-related breach occurred as a result of an employee sending PHI to the wrong recipient while the cause of the other email incident is unknown.
Phishing attacks on healthcare organizations are commonplace and underscore the need for employee security awareness training. Training programs should not just be once a year but should be ongoing. When security awareness training is accompanies by phishing simulations it helps to condition employees how to respond and reinforces training. A failed phishing simulation can be turned into a training opportunity.
Six breaches in June 2018 were due to unauthorized accessing and theft of paper healthcare records showing the importance of physical controls.
Twenty-three healthcare data breaches were reported by healthcare providers. Six incidents were reported by health plans. Another six breaches were reported by business associates, although business associates were actually involved in 10 breaches.
California had the most number of healthcare data breaches reported (5). Texas had 4 breaches reported, Michigan had 3 while Florida, Utah, Missouri and Wisconsin had 2 each. Arizona, Arkansas, Iowa, Illinois, Minnesota, Massachusetts, Montana, New Jersey, North Carolina, New York, New Mexico, Pennsylvania and Washington had reported one breach each.
OCR issued one financial penalty in June 2018 to resolve HIPAA violations discovered during the investigation of three data breaches that were reported to OCR in 2012 and 2013.
The University of Texas MD Anderson Cancer Center was ordered to pay OCR $4,348,000 to resolve the HIPAA violations. The penalty for MD Anderson was the fourth largest HIPAA violation penalty ever issued.