Summary Report of Healthcare Data Breaches in February 2018

Healthcare Data Breaches

February may be the shortest month of the year, but the number of healthcare data breaches reported in February 2018 increased by 19% month on month. A total of 25 breaches were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) by HIPAA covered entities and business associates. Although the number of breaches increased, the number of exposed healthcare records decreased by over 100,000: January had 428,643 exposed healthcare records, while February had 308,780.

The largest healthcare data breach reported to OCR was due to a malware attack at St. Peter’s Surgery and Endoscopy Center. This incident was responsible for 43.6% of the exposed healthcare records in February. The top 5 data breaches were responsible for 85% of the healthcare records exposed during the month.

The top cause of data breaches in February 2018 was unauthorized access or disclosure. It was responsible for 12 data breaches, three of which were serious breaches. The other breaches can be attributed to the following causes: 9 breaches were due to hacking/IT incidents, 3 were due to loss/theft incidents, and 1 was due to improper disposal of ePHI.

Loss or theft incidents accounted for the largest number of exposed healthcare records. More ePHI than physical health records was involved in the breaches, but 6 incidents involved unauthorized access or disclosure of paper/films. This data shows that technological controls are very important for preventing hacks and unauthorized access or disclosures, but physical security should not be neglected, as it still plays an important role in keeping paper records safe from unauthorized access.

Healthcare providers were the worst-hit group in the healthcare industry, accounting for 15 data breaches and 168,732 exposed healthcare records. The mean breach size was 11,248 records and the median was 1,670 records. Next were health plans with 8 data breaches, followed by business associates with 2 data breaches. Though health plans had only a few data breaches, the incidents were more severe, exposing 133,589 health records. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean breach size for business associates was 3,234 records.

There were 18 states affected by data breaches in February 2018. Six states, namely Alabama, Wisconsin, California, Massachusetts, Rhode Island and Mississippi, reported 2 data breaches each. Thirteen states, including Arkansas, Illinois, Connecticut, Maine, Kentucky, Michigan, North Carolina, Missouri, New York, New Jersey, Tennessee and Virginia, reported only one data breach each.

As for financial penalties, the Office for Civil Rights fined Filefax Inc. $100,000 to settle potential HIPAA violations. Filefax failed to dispose of files containing PHI properly. The fact that the HIPAA violation happened after the business closed down reminds covered entities and business associates that HIPAA duties continue even after a business has stopped operations.