Healthcare Data Breach Report for October 2018

HIPAA Journal’s healthcare data breach report for October 2018 shows an increase in healthcare data breaches month-over-month. HIPAA-covered entities and business associates reported 31 healthcare data breaches in October, which is 6 breaches more than September.

October was a particularly bad month in terms of the number of records exposed. 2,109,730 healthcare records were stolen, exposed or impermissibly disclosed in October, which is 1,474% more than September. In October, the average breach size was 68,055 records and the median breach size was 4,058 records.

Largest Healthcare Data Breaches in October 2018

Eleven healthcare data breaches of more than 10,000 records were reported in October, compared to five such breaches in September. The biggest healthcare data breach in October saw 1.24 million records exposed. It occurred at Employees Retirement System of Texas and involved the disclosure of PHI via its ERS Online portal. Members were able to view the records of other members.

Banker’s Life, a division of CNO Financial Group Inc, also experienced a massive data breach. This was also an unauthorized access/disclosure incident. Stolen employee credentials were used to access company websites. The PHI of 566,217 individuals was potentially accessed.

Breakdown of Healthcare Data Breaches in October 2018

Unauthorized access/disclosure incidents exposed the most records, although there were more hacking/IT incidents in October. October saw 16 hacking/IT incidents, 11 unauthorized access/disclosure incidents and four theft incidents reported. No breaches involving loss of devices or PHI were reported and there were no improper disposal incidents.

In October, there were 9 healthcare breaches involving PHI exposure through email and 9 network server-related breaches.

Healthcare providers had the most data breaches reported in October (20 incidents), followed by health plans/health insurers (7 incidents) and HIPAA business associates (4 incidents). However, three of the business associate breaches were reported by the same business associate, Health Fitness. One further breach also involved a business associate.

1,848,235 healthcare records were exposed in health plan breaches, healthcare provider breaches saw 221,994 healthcare records exposed, and 39,501 healthcare records were exposed in business associate data breaches.

Five data breaches were reported by entities in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches, and Florida, Iowa, Indiana, and Pennsylvania had two breaches each. Minnesota, Missouri, New Mexico, North Carolina, Oregon and Oklahoma each had one breach.

HIPAA Violation Penalties in October

The Department of Health and Human Services’ Office for Civil Rights agreed a settlement with Anthem Inc., in October. Anthem was fined $16,000,000 over its 78.8 million record breach in 2015. This was the largest HIPAA penalty ever issued.

In October, the health insurer Aetna was penalized over the impermissible disclosure of the HIV/AIDS statuses of 13,160 plan members. A total of $640,170 was paid to Connecticut, the District of Columbia and New Jersey. Washington, was also involved in the multi-state action but its settlement amount is yet to be decided.