February 2019 saw healthcare data breaches reported at a rate of more than one a day, as was the case in January. There were 32 healthcare data breaches of more than 500 records reported by HIPAA-covered entities in February, one more than in January.
February may have had 3% fewer breaches, but more than 2.11 million healthcare records were compromised in February, 330% more than in January.
Causes of Healthcare Data Breaches in February 2019
Most months see similar numbers of hacking/IT incidents and unauthorized access/disclosure incidents, but in February there were significantly more hacking and IT incidents reported. Ransomware attacks may be declining in general, but that doesn’t seem to be the case in healthcare, which continues to experience more than its fair share of attacks.
24 incidents or 75% of all reported breaches in February were hacking/IT incidents. These incidents resulted in the exposure or theft of 96.25% of all breached records in February. Nine of the top ten healthcare data breaches reported in February were hacking and IT incidents.
Four incidents were unauthorized access/disclosure breaches and four were theft incidents. 3.1% of breached records were due to unauthorized access/disclosure incidents and 0.65% of records were breached in theft incidents.
Biggest Healthcare Data Breaches in February 2019
The biggest healthcare data breach reported in February was due to the accidental removal of security measures on a network server used by UW Medicine. The breach saw the protected health information (PHI) of over 973,000 UW Medicine patients exposed online. Search engines had indexed the files, allowing the information to be found through simple Google searches. The files were accessible online for more than 3 weeks.
The second biggest data breach was a ransomware attack on Columbia Surgical Specialist of Spokane. Although patient data may have been compromised, there was no evidence found to indicate any patient information was stolen in the attack.
UConn Health experienced a phishing attack which saw 326,629 records potentially compromised. The email accounts of multiple employees were breached in the attack. A phishing attack on Rutland Regional Medical Center was also reported. That breach saw the records of 72,000 patients compromised.
- UW Medicine Hacking/IT Incident – 973,024 records
- Columbia Surgical Specialist of Spokane Hacking/IT Incident – 400,000 records
- UConn Health Hacking/IT Incident – 326,629 records
- Rutland Regional Medical Center Hacking/IT Incident – 72,224 records
- Delaware Guidance Services for Children and Youth, Inc. Hacking/IT Incident – 50,000 records
- Rush University Medical Center Unauthorized Access/Disclosure – 44,924 records
- AdventHealth Medical Group Hacking/IT Incident – 42,161 records
- Reproductive Medicine and Infertility Associates, P.A. Hacking/IT Incident – 40,000 records
- Memorial Hospital at Gulfport Hacking/IT Incident – 30,642 records
- Pasquotank-Camden Emergency Medical Service Hacking/IT Incident – 20,420 records
Location of Breached PHI
Email is usually the most common location of breached PHI, but in February it was network servers. Of all reported breaches in February, 46.88% saw ePHI on network servers compromised, 25% saw ePHI in email accounts compromised, and 12.5% saw electronic healthcare records compromised.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 24 data breaches in February, five breaches were reported by health plans, and three breaches were reported by business associates of HIPAA-covered entities. Seven more breaches were linked to business associates in some way.
Healthcare Data Breaches by State
22 states reported healthcare data breaches in February. California and Florida reported three breaches each. Illinois, Kentucky, Minnesota, Maryland, Texas, and Washington reported two breaches each. Arizona, Connecticut, Colorado, Delaware, Georgia, Kansas, Massachusetts, Montana, Mississippi, North Carolina, Virginia, West Virginia and Wisconsin reported one breach each.
February 2019 HIPAA Enforcement Actions
There were no HIPAA enforcement actions by the Department of Health and Human Services’ Office for Civil Rights or state attorneys general in February 2019.