Healthcare Data Breach Report December 2019

There were an increase of 8.57%, from the previous month, of healthcare data breaches reported during December. 38 breaches of 500 or greater records were made known to the Department of Health and Human Services’ Office for Civil Rights in December 2019.

While the number of breaches was one the rise, there was a major drop in the amount of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the average breach size was 3,650 records.

It has been a very bad year for healthcare data breaches. 2019 was the second worst year on record for healthcare data breaches in terms of the number of patients affected by breaches. 41,232,527 healthcare records were infiltrated, stolen, or impermissibly shared in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years overall.

healthcare records exposed by year

The amount of reported data breaches also grew 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That means 2019 is the worst every year as regards the number of reported healthcare data breaches.

Healthcare data breaches in 2019

Biggest Healthcare Data Breaches in December 2019

The biggest healthcare data breach reported in December involved Truman Medical Center in Kansas City, MO and impacted the protected health information of 114,466 patients. The records were held on a company-owned laptop computer that was illegally taken from the vehicle of an employee. The laptop was password secured but was not encrypted.

8 of the top 10 breaches registered in December were hacking/IT incidents. The Adventist Health Simi Valley, Healthcare Administrative Partners, Cheyenne Regional Medical Center, SEES Group, and Sinai Health System breaches happened because of phishing attacks. Roosevelt General Hospital identified malware on an imaging server and Children’s Choice Pediatrics suffered a ransomware attack.

The Colorado Department of Human Services breach was due to a coding mistake on a mailing and Texas Family Psychology Associates discovered an unauthorized person had accessed its electronic medical record system.

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected
Truman Medical Center, Incorporated Healthcare Provider Theft 114,466
Adventist Health Simi Valley Healthcare Provider Hacking/IT Incident 62,000
Roosevelt General Hospital Healthcare Provider Hacking/IT Incident 28,847
Healthcare Administrative Partners Business Associate Hacking/IT Incident 17,693
Cheyenne Regional Medical Center Healthcare Provider Hacking/IT Incident 17,549
SEES Group, LLC Healthcare Provider Hacking/IT Incident 13,000
PediHEalth, PLLC, dba Children’s Choice Pediatrics Healthcare Provider Hacking/IT Incident 12,689
Sinai Health System Healthcare Provider Hacking/IT Incident 12,578
Colorado Department of Human Services Healthcare Provider Hacking/IT Incident 12,230
Texas Family Psychology Associates, P.C. Healthcare Provider Unauthorized Access/Disclosure 12,000

 

Entities Impacted by December 2019 Healthcare Data Breaches

28 healthcare suppliers submitted breaches of 500 or more healthcare records in December. Four health plans were hit by data breaches and 6 business associates of covered entities reported a breach. One other breach had some business associate involvement, but the breach was made known by the covered entity.

December 2019 Healthcare Data Breaches by Covered Entity

Causal Factors of December 2019 Healthcare Data Breaches

There were 21 hacking/IT incidents reported by HIPAA-covered groups and business associates in December. 226,774 healthcare records were exposed or illegally taken in those incidents. The average breach size was 10,798 records and the median breach size was 5,991 records. The incidents mostly were caused by phishing attacks, ransomware and malware infections, and coding mistakes.

There were 11 instances of unauthorized accessing of healthcare data and impermissible sharing of protected health information due to a mix of insider mistakes and malicious actions by employees. These incidents included 46,364 healthcare records. The mean breach size was 4,214 records and the median breach size was 3,500 records.

There were two stealing incidents reported and three incidents where electronic devices were lost and paperwork including protected health information. 118,877 records were lost or stolen in those incidents. The mean breach size was 23,775 records and the median breach size was 1,100 records. There was also one instance of incorrect disposal of paperwork involving documents including the PHI of 1,174 patients.

Causes of December 2019 healthcare data breaches

Breached Protected Health Information Locations

The chart here clearly shows the difficulty healthcare groups have securing their email systems and securing them against unauthorized access. Most of the email incidents in December 2019 were phishing attacks in which unauthorized people obtained the login details of staff members and used them to remotely access their email accounts.

Email security solutions can prevent most phishing and malware-laced emails, but some phishing emails will get through the net. It is therefore important – and a requirement of HIPAA – to supply regular security awareness training to employees to help them spot malicious emails. Multi-factor authentication should also be put in place. In the event to email credentials being stolen by unauthorized individuals, in the vast majority of cases, MFA will stop those details from being used to remotely access email accounts.

Location of Breached PHI - December 2019

State by State December 2019 Healthcare Data Breaches

December data breaches were submitted to the OCR by HIPAA-covered entities and business associates in 22 states and the District of Columbia. Texas suffered worst with 4 breaches, 4 breaches were reported by entities located in California and Illinois, Florida suffered 3 breaches, and two breaches were reported by entities based in Colorado, Georgia, and Tennessee.

A single breach was reported by entities located in Alaska, Connecticut, Louisiana, Maryland, Michigan, Missouri, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, North Carolina, South Carolina, Washington, Wyoming, and District of Columbia.

December 2019 HIPAA Enforcement Activity

The Department of Health and Human Services’ Office for Civil Right ended December with two more enforcement actions against covered entities that were found to have violated the HIPAA Rules.

The first financial penalty of the month to be revealed was a settlement with Korunda Medical LLC. This was the second financial penalty sanctioned on a HIPAA-covered entity under OCR’s HIPAA Right of Access Initiative. OCR examined Korunda Medical following receipt of a complaint from a patient who had not been supplied with a copy of her medical records. OCR issued technical assistance, but an additional patient submitted a similar complaint a few days later and a financial penalty was found to be appropriate. Korunda Medical settled the case for $85,000.

The second penalty was imposed on West Georgia Ambulance for a number of violations of HIPAA Rules. OCR launched an investigation following receipt of a breach notification about the loss of an unencrypted laptop computer. OCR found longstanding noncompliance with several elements of the HIPAA Rules. A risk analysis had not been carried out, there was no security awareness training program for staff, and West Georgia Ambulance had failed to put in place HIPAA Security Rule policies and procedures. West Georgia Ambulance settled the case for $65,000.

2019 HIPAA Enforcement Actions

Overall, there were 10 financial penalties sanctions on covered entities and business associates in 2019, comprising 2 Civil Monetary Penalties and 8 settlements totaling $12,274,000.

Entity Penalty Penalty Type
West Georgia Ambulance $65,000 Settlement
Korunda Medical, LLC $85,000 Settlement
Sentara Hospitals $2,175,000 Settlement
Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
University of Rochester Medical Center $3,000,000 Settlement
Jackson Health System $2,154,000 Civil Monetary Penalty
Elite Dental Associates $10,000 Settlement
Bayfront Health St Petersburg $85,000 Settlement
Medical Informatics Engineering $100,000 Settlement
Touchstone Medical imaging $3,000,000 Settlement

Figures for this report were estimated from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report on January 21, 2020.