Healthcare Data Breach Report for September 2018

September saw 25 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, the lowest monthly total since February. ‘Only’ 134,000 healthcare records were exposed or stolen in those breaches, which represents a 78.5% reduction in breached records compared to August and is the lowest number of exposed healthcare records of any month this year.

Causes of September 2018 Healthcare Data Breaches

The leading cause of healthcare breaches in September was unauthorized access/disclosure incidents, which were 55.55% more numerous in September. Most of those incidents involved paper records rather than ePHI. Although there were fewer hacking/IT incidents, they were more severe and resulted in the exposure/theft of more records. Out of the top ten healthcare data breaches reported in September, six were hacking/IT incidents.

Largest Healthcare Data Breaches Reported in September

1. WellCare Health Plans, Inc. – 26,942 records exposed – Unauthorized Access/Disclosure
2. Reliable Respiratory – 21,311 records exposed – Hacking/IT Incident
3. Toyota Industries North America, Inc. – 19,320 records exposed – Hacking/IT Incident
4. Independence Blue Cross, LLC – 16,762 records exposed – Unauthorized Access/Disclosure
5. Ransom Memorial Hospital – 14,329 records exposed – Hacking/IT Incident
6. Ohio Living – 6,510 records exposed – Hacking/IT Incident
7. University of Michigan/Michigan Medicine – 3,624 records exposed – Unauthorized Access/Disclosure
8. Reichert Prosthetics & Orthotics, LLC – 3,380 records exposed – Theft
9. J.A. Stokes Ltd. – 3,200 records exposed – Hacking/IT Incident
10. J&J Medical Service Network Inc. – 2,500 records exposed – Hacking/IT Incident

Location of Breached Protected Health Information

Many PHI breaches over the past few months have involved email. A large percentage of September breaches were email-related incidents, but the highest number of breaches – 10/25 – involved paper records. Nine of those breaches involved unauthorized access/disclosure of paper records and there was once case of stolen paperwork.

Data Breaches by Covered Entity Type

Health plan data breaches in September increased 150% month-over-month (5 breaches), but healthcare providers still topped the list with 17 breaches in September. Business associates of HIPAA-covered entities reported just 3 data breaches but there were four breaches reported with some business associates involvement.

Healthcare Data Breaches by State

The healthcare data breaches in September were reported in 18 states. Texas had 4 healthcare data breaches reported in September. Massachusetts had three breaches, and California and Kansas had two breaches. The following states reported one breach each: Arizona, Colorado, Indiana, Florida, Michigan, New Jersey, Nebraska, New York, Nevada, Ohio, Oregon, Rhode Island, Pennsylvania and Wisconsin.

HIPAA Enforcement Actions in September

In September, OCR agreed settlements with three hospitals to resolve potential HIPAA violations. All were the result of HIPAA Privacy Rule violations during the filming of footage for the ABCTV show “Boston Med.” OCR determined that there had been a failure to secure PHI and that patients had been filmed with consent only being obtained after the event. Massachusetts General Hospital paid OCR $515,000, Brigham and Women’s Hospital paid $384,000, and Boston Medical Center paid $100,000 to resolve the HIPAA violations.

The Massachusetts state attorney general agreed one settlement in September. UMass Memorial Health Care paid $230,000 to resolve HIPAA violations and violations of state laws after the PHI of 15,000 state residents was accessed and stolen by employees in two separate breaches.