Summary of January 2019 Healthcare Data Breaches

After a quiet month in terms of healthcare data breaches, breach reports rose again to more normal levels with more than one healthcare data breach reported every day in January 2019. There were 33 healthcare data breaches of 500 or more records reported in January.

While there was a rise in the number of data breaches, for the second consecutive month there was a drop in the number of people affected by healthcare data breaches. In January, 490,937 healthcare records were exposed, stolen or impermissibly shared.

The 10 Biggest Healthcare Data Breaches in January 2019

  1. Centerstone Insurance and Financial Services (BenefitMall) – 111,589 people impacted by a hacking/IT incident
  2. Las Colinas Orthopedic Surgery & Sports Medicine, PA – 76,000 people impacted by a theft incident
  3. Valley Hope Association – 70,799 people impacted by a hacking/IT incident
  4. Roper St. Francis Healthcare – 35,253 people impacted by a hacking/IT incident
  5. Managed Health Services – 31,300 people impacted by a hacking/IT incident
  6. EyeSouth Partners – 24,113 people impacted by a hacking/IT incident
  7. Dr. DeLuca Dr. Marciano & Associates, P.C. – 23,578 people impacted by a hacking/IT incident
  8. Critical Care, Pulmonary and Sleep Associates, PLLP – 23,377 people impacted by a hacking/IT incident
  9. Valley Professionals Community Health Center – 12,029 people impacted by a hacking/IT incident
  10. Cambridge Healthcare Services, LLC – 10,866 people impacted by a theft incident

Causes of Healthcare Data Breaches in January 2019

The top causes of healthcare data breaches in January 2019 were hacking and IT security incidents such as malware and ransomware attacks. The 17 incidents account for 51.52% of January’s data breaches, including the largest breach reported in January. Hacking/IT incidents accounted for 363,631 breached records or 74.07% of January’s total.

The second main cause of breaches was unauthorized access/impermissible disclosure incidents. The 10 incidents accounted for 30.30% of all breaches in January and involved 19,500 breached records – 3.97% of January’s total.

The 5 theft incidents impacted 106,006 people or 21.59% of all breached records in January. There was one improper disposal incident which involved 1,800 paper records.

Location of Breached PHI

Healthcare companies still have problems stopping phishing attacks and other email breaches. In the last few months, email was the main location of breached PHI. The majority of email breaches in January were due to phishing attacks.

Of all the healthcare data breaches in January 2019, 17 incidents or 51.52% involved PHI in emails and email attachments; 5 incidents or 15.15% involved physical PHI, like paper records, films and charts.

Covered Entities Affected by Healthcare Data Breaches

Healthcare providers reported 20 healthcare data breaches in January 2019. Health plans reported 8 breaches, while business associates of HIPAA-covered entities reported five. There were 6 more data breaches reported by HIPAA-covered entities that involved business associates to some extent.

Healthcare Data Breaches Per State

In January, there were four breaches in Texas, 3 in each of Kentucky, Georgia and Indiana, and 2 in each of California, Connecticut, Florida and Kansas. Colorado, Illinois, Minnesota, Michigan, North Carolina, New Jersey, Nebraska, Pennsylvania, Rhode Island, Tennessee, South Carolina and Washington each saw one breach reported.

Fines for Noncompliance and HIPAA Violations

No financial penalties or settlements were agreed with the HHS’ Office for Civil Rights in January 2019, but OCR announced one more settlement had been agreed in December 2018. It was not included in the December 2018.

Cottage Health agreed to pay OCR $3,000,000 to settle HIPAA violations that contributed to the cause of two breaches in 2013 and 2015. Those breaches saw the PHI of 62,500 patients exposed online.

The California Attorney General closed one HIPAA violation case in January 2019. Health insurer Aetna agreed to pay $935,000 to resolve violations of HIPAA and state laws in relation to the impermissible disclosure of PHI of its plan members. In two 2017 mailings, PHI was visible through the windows of envelopes. 1,991 California residents were affected by the incidents and had details of their HIV medications or information related to an AFib diagnosis impermissibly disclosed.