Healthcare Data Breach Report in November 2018


In November, 34 healthcare data breaches were reported to OCR, which makes it the second worst month of 2018 for healthcare data breaches, behind June when 41 breaches were reported.

In terms of the number of records exposed, November was by far the worst month of the year to date. 3,230,063 health records were exposed, impermissibly disclosed or stolen in data breaches reported to the HHS’ Office for Civil Rights (OCR) in November. That figure is more than the combined number of exposed records from the 180 data breaches reported to the OCR in the first 6 months of 2018.

AccuDoc Solutions reported the biggest healthcare data breach of 2018 in November. That breach caused over 2.65 million medical records to be exposed. Hackers accessed AccuDoc Solutions’ databases for one week in September 2018. While patients’ PHI could have been viewed, AccuDoc said it was not possible for the databases to be downloaded.

As was the case in October, hacking/IT incidents were the biggest cause of healthcare data breaches in November and those incidents also resulted in the highest number of exposed healthcare records. Covered entities and business associates reported 18 hacking/IT incidents, which impacted 3,138,657 people.

In November, 11 breaches were categorized as unauthorized access/disclosure incidents. Those incidents impacted 65,143 people. Four breaches were categorized as loss (2) or theft (2) incidents and involved 22,333 medical records. One breach was categorized as an improper disposal incident and involved 3,930 medical records.

Email-related breaches are still a big problem in the healthcare industry. These breaches include phishing attacks, misdirected emails and unauthorized email account access. November saw 11 email-related breaches of PHI.

In November 2018, healthcare providers were the worst affected by data breaches, with 29 incidents reported. Business associates of HIPAA-covered entities had 5 breaches, though five more breaches reported by healthcare providers involved business associates to some degree. It was a good month for health plans, with no breaches reported.

Texas was the worst affected state with 8 reported healthcare data breaches. New York reported three healthcare data breaches while Georgia, Illinois, Iowa, Missouri, North Carolina, Virginia and Utah reported two breaches each. Arizona, California, District of Columbia, Maryland, Massachusetts, Nebraska, New Jersey, Washington and Pennsylvania reported one breach each.

In November, the Department of Health and Human Services’ Office for Civil Rights issued one financial penalty to resolve HIPAA violations. Allergy Associates of Hartford paid OCR a $125,000 HIPAA violation fine due to a doctor’s impermissible PHI disclosure to a TV reporter. The disclosure happened after the Allergy Associates of Hartford Privacy Officer instructed the doctor not to respond to the request for information concerning a patient, or to just say ‘no comment’. Allergy Associates of Hartford also did not take any action over the HIPAA violation committed by the doctor.

New Jersey likewise issued a financial penalty in November. Best Transcription Medical paid £200,000 to resolve a HIPAA violation case stemming from an online breach of the ePHI of 1,650 New Jersey residents.