Healthcare Data Breach Report February 2020

During February, 39 healthcare data breaches of 500 or more records were reported and 1,531,855 records were breached, a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months put together. During February, the mean breach size was 39,278 records and the median breach size was 3,335 records.

Healthcare Data Breaches in February 2020: The Largest Breaches

The largest healthcare data breach was reported by the health plan Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office robbery.

The second largest breach was a ransomware attack on the accounting practice BST & Co. CPAs, which saw client records encrypted, including those of the New York medical group Community Care Physicians. Apart from the network server breach at SOLO Laboratories, the cause of which has not been determined, the other seven breaches in the top 10 were all due to email security incidents.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
|---|---|---|---|---|
| Health Share of Oregon | Health Plan | 654,362 | Theft | Laptop |
| BST & Co. CPAs, LLP | Business Associate | 170,000 | Hacking/IT Incident | Network Server |
| Aveanna Healthcare | Healthcare Provider | 166,077 | Hacking/IT Incident | Email |
| Overlake Medical Center & Clinics | Healthcare Provider | 109,000 | Hacking/IT Incident | Email |
| Tennessee Orthopaedic Alliance | Healthcare Provider | 81,146 | Hacking/IT Incident | Email |
| Munson Healthcare | Healthcare Provider | 75,202 | Hacking/IT Incident | Email |
| NCH Healthcare System, Inc. | Healthcare Provider | 63,581 | Hacking/IT Incident | Email |
| SOLO Laboratories, Inc. | Business Associate | 60,000 | Hacking/IT Incident | Network Server |
| JDC Healthcare Management | Healthcare Provider | 45,748 | Hacking/IT Incident | Email |
| Ozark Orthopaedics, PA | Healthcare Provider | 15,240 | Hacking/IT Incident | Email |

Causes of February Healthcare Data Breaches

Hacking/IT incidents were the main cause of the reported breaches, making up two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The mean breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts in some way.

There were just six unauthorized access/disclosure incidents: four involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly accessed or disclosed in those incidents. The mean breach size was 3,126 records and the median breach size was 2,548 records.

While only three theft incidents were reported, they accounted for 42.78% of breached records. The mean breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paper files containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the most troubling area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that took place because employees responded to phishing emails. The high total shows how vital it is to implement a powerful email security solution and to provide ongoing training that teaches employees how to spot phishing emails.

Covered Entity Type & Breaches

26 data breaches were officially reported by HIPAA-covered entities during February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were officially reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches officially reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The mean breach size was 50,124 records and the median breach size was 15,010 records.