Healthcare data breaches reported in December 2019 rose 8.57% from the previous month: 38 breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019.
While the number of breaches was on the rise, there was a major drop in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019, a decrease of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records.
It has been a very bad year for healthcare data breaches. 2019 was the second worst year on record for healthcare data breaches in terms of the number of patients affected. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That is 195.61% more than in 2018. More healthcare records were breached in 2019 than in the previous three years combined.
The number of reported data breaches also grew 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst year ever in terms of the number of reported healthcare data breaches.
Biggest Healthcare Data Breaches in December 2019
The biggest healthcare data breach reported in December involved Truman Medical Center in Kansas City, MO and impacted the protected health information of 114,466 patients. The records were stored on a company-owned laptop computer that was stolen from an employee’s vehicle. The laptop was password-protected but was not encrypted.
8 of the top 10 breaches reported in December were hacking/IT incidents. The Adventist Health Simi Valley, Healthcare Administrative Partners, Cheyenne Regional Medical Center, SEES Group, and Sinai Health System breaches were the result of phishing attacks. Roosevelt General Hospital identified malware on an imaging server and Children’s Choice Pediatrics suffered a ransomware attack.
The Colorado Department of Human Services breach was due to a coding mistake on a mailing and Texas Family Psychology Associates discovered an unauthorized person had accessed its electronic medical record system.
Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected |
Truman Medical Center, Incorporated | Healthcare Provider | Theft | 114,466 |
Adventist Health Simi Valley | Healthcare Provider | Hacking/IT Incident | 62,000 |
Roosevelt General Hospital | Healthcare Provider | Hacking/IT Incident | 28,847 |
Healthcare Administrative Partners | Business Associate | Hacking/IT Incident | 17,693 |
Cheyenne Regional Medical Center | Healthcare Provider | Hacking/IT Incident | 17,549 |
SEES Group, LLC | Healthcare Provider | Hacking/IT Incident | 13,000 |
PediHealth, PLLC, dba Children’s Choice Pediatrics | Healthcare Provider | Hacking/IT Incident | 12,689 |
Sinai Health System | Healthcare Provider | Hacking/IT Incident | 12,578 |
Colorado Department of Human Services | Healthcare Provider | Hacking/IT Incident | 12,230 |
Texas Family Psychology Associates, P.C. | Healthcare Provider | Unauthorized Access/Disclosure | 12,000 |
Entities Impacted by December 2019 Healthcare Data Breaches
28 healthcare providers reported breaches of 500 or more healthcare records in December. Four health plans were hit by data breaches and 6 business associates of covered entities reported a breach. One other breach had some business associate involvement, but the breach was reported by the covered entity.
Causal Factors of December 2019 Healthcare Data Breaches
There were 21 hacking/IT incidents reported by HIPAA-covered entities and business associates in December. 226,774 healthcare records were exposed or stolen in those incidents. The mean breach size was 10,798 records and the median breach size was 5,991 records. The incidents were mostly caused by phishing attacks, ransomware and malware infections, and coding mistakes.
There were 11 unauthorized access/disclosure incidents involving healthcare data and protected health information, caused by a mix of insider mistakes and malicious actions by employees. These incidents involved 46,364 healthcare records. The mean breach size was 4,214 records and the median breach size was 3,500 records.
There were two theft incidents and three loss incidents involving electronic devices and paperwork containing protected health information. 118,877 records were lost or stolen in those incidents. The mean breach size was 23,775 records and the median breach size was 1,100 records. There was also one improper disposal incident involving documents containing the PHI of 1,174 patients.
Breached Protected Health Information Locations
The chart here clearly shows the difficulty healthcare organizations have securing their email systems against unauthorized access. Most of the email incidents in December 2019 were phishing attacks in which unauthorized individuals obtained the login credentials of staff members and used them to remotely access their email accounts.
Email security solutions can block most phishing and malware-laced emails, but some phishing emails will get through the net. It is therefore important, and a requirement of HIPAA, to provide regular security awareness training to employees to help them recognize malicious emails. Multi-factor authentication should also be implemented. In the event of email credentials being stolen by unauthorized individuals, MFA will in the vast majority of cases stop those credentials from being used to remotely access email accounts.
State by State December 2019 Healthcare Data Breaches
December data breaches were reported to OCR by HIPAA-covered entities and business associates in 22 states and the District of Columbia. Texas was the worst affected state with 4 breaches, 4 breaches were reported by entities located in California and Illinois, Florida suffered 3 breaches, and two breaches were reported by entities based in Colorado, Georgia, and Tennessee.
A single breach was reported by entities located in Alaska, Connecticut, Louisiana, Maryland, Michigan, Missouri, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, North Carolina, South Carolina, Washington, Wyoming, and the District of Columbia.
December 2019 HIPAA Enforcement Activity
The Department of Health and Human Services’ Office for Civil Rights ended December with two more enforcement actions against covered entities that were found to have violated the HIPAA Rules.
The first financial penalty of the month to be announced was a settlement with Korunda Medical LLC. This was the second financial penalty imposed on a HIPAA-covered entity under OCR’s HIPAA Right of Access Initiative. OCR investigated Korunda Medical following receipt of a complaint from a patient who had not been provided with a copy of her medical records. OCR issued technical assistance, but another patient submitted a similar complaint a few days later and a financial penalty was deemed appropriate. Korunda Medical settled the case for $85,000.
The second penalty was imposed on West Georgia Ambulance for a number of violations of HIPAA Rules. OCR launched an investigation following receipt of a breach notification about the loss of an unencrypted laptop computer. OCR found longstanding noncompliance with several elements of the HIPAA Rules. A risk analysis had not been carried out, there was no security awareness training program for staff, and West Georgia Ambulance had failed to put in place HIPAA Security Rule policies and procedures. West Georgia Ambulance settled the case for $65,000.
2019 HIPAA Enforcement Actions
Overall, there were 10 financial penalties imposed on covered entities and business associates in 2019, comprising 2 Civil Monetary Penalties and 8 settlements, totaling $12,274,000.
Entity | Penalty | Penalty Type |
West Georgia Ambulance | $65,000 | Settlement |
Korunda Medical, LLC | $85,000 | Settlement |
Sentara Hospitals | $2,175,000 | Settlement |
Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty |
University of Rochester Medical Center | $3,000,000 | Settlement |
Jackson Health System | $2,154,000 | Civil Monetary Penalty |
Elite Dental Associates | $10,000 | Settlement |
Bayfront Health St Petersburg | $85,000 | Settlement |
Medical Informatics Engineering | $100,000 | Settlement |
Touchstone Medical Imaging | $3,000,000 | Settlement |
Figures for this report were compiled from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report on January 21, 2020.