Healthcare Data Breach Report for May 2018

In April 2018, 41 healthcare data breaches were reported to the HHS’ Office for Civil Rights. The 29 breaches reported in May are therefore a considerable improvement. However, while there was a 29.27% month-over-month decrease in healthcare data breaches, the breaches reported in May were more severe than in April. The total number of exposed or stolen healthcare records in May was 838,587 – only 56,287 fewer records than were exposed in April.

The mean breach size in May was 28,917 healthcare records compared to 21,826 in April. The median was 2,793 records in May compared to 2,553 in April. The causes of healthcare data breaches in May were as follows:

  • 15 unauthorized access/disclosure incidents (51.72%)
  • 12 hacking/IT incidents (41.38%)
  • 2 theft incidents (6.9%)

There were no incidents that involved lost unencrypted electronic devices or improper disposal of PHI.

The 12 hacking/IT incidents reported in May saw 738,883 healthcare records compromised, or 88.11% of the total exposed healthcare records in the month. Incidents due to unauthorized access/disclosure affected only 97,439 patients and health plan members, or 11.62% of the total exposed records. Theft incidents led to the unauthorized access/disclosure of the PHI of 2,265 individuals – 0.27% of the total exposed records.

The biggest healthcare data breach submitted to OCR in May 2018 occurred at LifeBridge Health Inc. in Baltimore, MD. That single incident saw 538,127 electronic health records breached. The breach was due to a malware infection in September 2016. Names, contact details, clinical information, treatment data, and medical insurance details were exposed. The Social Security numbers of some patients were also compromised. This breach is considered one of the most serious incidents in 2018 because of its scale and the types of information exposed.

Out of the 29 breaches in May, 11 involved hacking of email accounts or misdirected emails. Seven breaches were due to hacking, malware, and ransomware attacks on network servers, and seven breaches involved paper records. Healthcare providers reported the most breaches in May 2018 – 22 out of 29. Health plans reported two incidents and business associates of HIPAA-covered entities reported five. Four other breaches had some business associate involvement.

In May, California and Ohio each had four breaches. Texas and Oregon each had two breaches. Nevada reported four breaches, but three of them refer to the same incident, reported by three different Dignity Health hospitals. Arizona, Arkansas, Colorado, Georgia, Florida, Indiana, Massachusetts, Kansas, Maryland, Minnesota, Michigan, New York and Nebraska each had one breach.

No financial penalties were issued for HIPAA violations by OCR or state attorneys general in May.