In August, more than 1.5 healthcare data breaches were reported per day. This is the second consecutive month with a high number of reported breaches. Though the number of breaches is not significantly different from last month (49 versus 50), the number of exposed records went down substantially.
There were 729,975 healthcare records breached in August while there were 25,375,729 records breached in July, 3,452,442 in June, and 1,988,376 in May. The remarkably high number of breached records for July was mostly because of the breach at American Medical Collection Agency.
Causes of Healthcare Data Breaches in August 2019
The major cause of breaches in August was hacking/IT incidents, which accounted for 32 reported breaches. Those incidents involved 602,663 healthcare records, or 82.56% of all records breached for the month. The average and median breach sizes were 18,833 records and 5,248 records, respectively.
There were 12 breaches due to unauthorized access/disclosure incidents, impacting 77,316 healthcare records. The average and median breach sizes of those incidents were 6,443 records and 1,281 records, respectively. Three breaches were due to loss incidents, which exposed 32,346 records. Two theft incidents caused the potential exposure of 17,650 records.
Location of Breached PHI
Phishing remains a serious problem for healthcare companies. In 23 of the 49 reported breaches (46.94%), PHI was kept in email accounts. Most of the email account breaches were the result of phishing attacks.
In 9 reported breaches, PHI was kept on network servers, a number of which were attacked by ransomware. Seven breaches involved paper records/films, which shows the need to improve physical security and administrative control measures.
Portable electronic devices like zip drives and laptops were involved in four breaches. Breaches of this sort have gone down considerably recently because of the implementation of encryption on portable electronic devices containing ePHI.
Biggest Healthcare Data Breaches in August 2019
The top ten healthcare data breaches in August 2019 are listed below. The biggest breach involved a phishing attack on Presbyterian Healthcare Services, which impacted 183,370 healthcare records. Companies that encountered phishing attacks resulting in breaches were the Conway Regional Health System, Source 1 Healthcare Solutions and NorthStar Anesthesia.
Companies that were affected by the hacking of the business associate AMCA included the Wisconsin Diagnostic Laboratories, the Mount Sinai Hospital, and the Integrated Regional Laboratories.
A ransomware attack at Grays Harbor Community Hospital and the loss of a portable storage device at Renown Health resulted in data breaches. There is no confirmation regarding the cause of the Timothee T. Wilkin, D.O. breach.
Top Ten Healthcare Data Breaches in August
- Presbyterian Healthcare Services – 183,370 people affected by hacking/IT incident
- Wisconsin Diagnostic Laboratories – 114,985 people affected by hacking/IT incident
- Grays Harbor Community Hospital – 88,399 people affected by hacking/IT incident
- Conway Regional Health System – 37,000 people affected by unauthorized access/disclosure
- Mount Sinai Hospital – 33,730 people affected by hacking/IT incident
- Integrated Regional Laboratories, LLC – 29,644 people affected by hacking/IT incident
- Renown Health – 27,004 people affected by loss
- NorthStar Anesthesia, P.A. – 19,807 people affected by unauthorized access/disclosure
- Source 1 Healthcare Solutions LLC – 15,450 people affected by hacking/IT incident
- Timothee T. Wilkin, D.O. – 15,113 people affected by hacking/IT incident
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 42 of the 49 data breaches. Health plans reported three incidents, while business associates reported 4 breaches. A business associate was involved in 8 other breaches.
Healthcare Data Breaches by State
The healthcare data breaches in August impacted entities located in 26 states. Texas had 5 reported breaches. Washington had 4 reported breaches. Arkansas, New York, and Pennsylvania had three reported breaches each.
States that had 2 reported breaches each included California, Georgia, Illinois, Minnesota, Massachusetts, Missouri, New Mexico, Oregon, Ohio, and Wisconsin. States that had one reported breach each included Connecticut, Iowa, Florida, Kansas, Michigan, New Jersey, Nevada, Oklahoma, Tennessee, Rhode Island, and Virginia.
HIPAA Enforcement Activity in August 2019
August 2019 had no civil monetary penalties or settlements issued by the HHS. The state attorneys general also had no HIPAA-related enforcement activities.
AMCA Data Breach Update
There were 24 healthcare organizations affected by the AMCA data breach. Twenty-three have already sent breach reports to the Department of Health and Human Services' Office for Civil Rights. A total of 26,043,743 records were confirmed to have been breached. A further 16,100 records may be added to the total number.