Summary of July 2019 Healthcare Data Breaches

It has been another terrible month for healthcare data breaches – The worst of the year to date in terms of the number of breaches and the number of records exposed.

In July, 50 healthcare data breaches of more than 500 records were reported to the HHS’ Office for Civil Rights, making July the worst ever month for healthcare data breaches. The previous record was 46 breaches, which was set in May 2019.

July was also the second worst ever month in terms of the number of healthcare records exposed.  25,375,729 healthcare records were exposed in July.

This month’s breaches bring the total for the year up to 266 data breaches – 53 more than the corresponding period last year. So far in 2019, 35,028,304 healthcare records have been exposed or compromised. That is more records than were exposed in all of 2016, 2017, and 2018 combined.

The increase in data breaches is partly due to the data breach at American Medical Collection Agency (AMCA). AMCA provides billing and collection services to healthcare providers, and as such, requires access to protected health information. Some of that information was accessible through a web payment portal, which was subjected to unauthorized access for a period of around 8 months.

The AMCA data breach has affected at least 22 healthcare organizations and exposed more than 24 million healthcare records. The breaches have been reported individually by each covered entity, 13 of which are included in this month’s breach total.

There were 35 hacking and IT incidents reported in July, 9 unauthorized access/disclosure incidents, 5 loss/theft incidents and once improper disposal incident.

Network server incidents increased considerably in July thanks to the AMCA breach. There were 19 reported network server incidents in July, but the most common location of breached PHI was email. 21 of the 50 breaches (42%) involved PHI stored in email accounts. Most of these email breaches were phishing attacks. There were 5 incidents involving paper copies of PHI, 2 laptop incidents, and 1 breach involving a desktop computer.

39 data breaches were reported by healthcare providers and 3 breaches were reported by health plans. Business associates reported 8 breaches, but business associates were involved in a further 18 breaches.

Covered entities in 26 states and Puerto Rico reported data breaches in July. The worst affected state was Minnesota with 6 breaches.

There was no HIPAA enforcement activity from OCR in July, but state attorneys general have been active. 30 state AGs were involved in a multi-state action against Premera Blue Cross over its 2014 data breach of more than 10.4 million records. The case was settled for $10 million.