Healthcare Data Breaches in February 2020: The Largest Breaches
The largest healthcare data breach was reported by the health plan Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office robbery.
The second largest breach was a ransomware attack on the accounting practice BST & Co. CPAs, which saw client records encrypted, including those of the New York medical group Community Care Physicians. Apart from the network server breach at SOLO Laboratories, the cause of which has not been determined, the other seven breaches in the top 10 were all due to email security incidents.
Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
Health Share of Oregon | Health Plan | 654,362 | Theft | Laptop |
BST & Co. CPAs, LLP | Business Associate | 170,000 | Hacking/IT Incident | Network Server |
Aveanna Healthcare | Healthcare Provider | 166,077 | Hacking/IT Incident | |
Overlake Medical Center & Clinics | Healthcare Provider | 109,000 | Hacking/IT Incident | |
Tennessee Orthopaedic Alliance | Healthcare Provider | 81,146 | Hacking/IT Incident | |
Munson Healthcare | Healthcare Provider | 75,202 | Hacking/IT Incident | |
NCH Healthcare System, Inc. | Healthcare Provider | 63,581 | Hacking/IT Incident | |
SOLO Laboratories, Inc. | Business Associate | 60,000 | Hacking/IT Incident | Network Server |
JDC Healthcare Management | Healthcare Provider | 45,748 | Hacking/IT Incident | |
Ozark Orthopaedics, PA | Healthcare Provider | 15,240 | Hacking/IT Incident | |
Causes of February Healthcare Data Breaches
Hacking/IT incidents were the main cause in the breach reports, making up two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The mean breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts in some way.
There were just six unauthorized access/disclosure incidents: four involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly made available in those incidents. The mean breach size was 3,126 records and the median breach size was 2,548 records.
Although only three theft incidents were reported, they accounted for 42.78% of breached records. The mean breach size was 327,696 records and the median breach size was 530 records.
There were two incidents involving lost paper files containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.
Location of Breached Protected Health Information
As the bar chart below shows, protecting email accounts is the most troubling area for healthcare organizations. All but one of the email incidents were hacking incidents that occurred because employees responded to phishing emails. The high total shows how vital it is to implement a powerful email security solution and to provide ongoing training that teaches employees how to spot phishing emails.
Covered Entity Type & Breaches
26 data breaches were officially reported by HIPAA-covered entities during February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were officially reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.
There were 5 data breaches officially reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The mean breach size was 50,124 records and the median breach size was 15,010 records.