Twenty-one reports of healthcare data breaches with over 500 affected individuals were submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in November 2017. Of the 21 breach reports, seven impacted over 5,000 persons. The number of reported breaches decreased this month, but the number of impacted individuals increased from 71,377 to 107,143.
What were the main causes of healthcare data breaches? Six breaches each were reported for hacking/IT incidents, unauthorized disclosures, and loss or theft of PHI/ePHI. Three breaches involved improper disposal of PHI/ePHI. The two largest data breaches reported in November were hacking/IT cases. The breach at Pulmonary Specialists of Louisville, impacting 32,000 individuals, involved unauthorized access to electronic medical records. The breach at Hackensack Sleep and Pulmonary Center, which impacted 16,474 individuals, involved a ransomware attack.
The November breach reports show how important proper physical safeguards are to keeping paper records confidential. Seven of the data breaches in November involved paper records. After paper records, email was the second most common vector, with four breaches.
Nineteen of the reported data breaches in November came from healthcare providers, while two came from health plans. Business associates of covered entities were not involved in any of the breach incidents. The data breaches happened in 15 states. Kentucky and Massachusetts had three breach cases each. New Jersey and Colorado had two each, while Alabama, Connecticut, California, Florida, Indiana, Pennsylvania, New York, Texas, Virginia, Wisconsin and Washington had one each.
The largest healthcare data breaches reported in November 2017 are listed below.
- Pulmonary Specialists of Louisville, PSC — Hacking/IT Incident — 32,000 Impacted
- Hackensack Sleep and Pulmonary Center — Hacking/IT Incident — 16,474 Impacted
- Shop-Rite Supermarkets, Incorporated — Improper Disposal — 12,172 Impacted
- The Medical College of Wisconsin, Inc. — Hacking/IT Incident — 9,500 Impacted
- Valley Family Medicine — Unauthorized Access/Disclosure — 8,450 Impacted
- Sports Medicine & Rehabilitation Therapy, Inc. — Hacking/IT Incident — 7,000 Impacted
- Humana Inc — Unauthorized Access/Disclosure — 5,764 Impacted
- Alere Toxicology — Unauthorized Access/Disclosure — 2,146 Impacted
- Family & Cosmetic Dentistry of the Rockies — Improper Disposal — 1,850 Impacted
- Aetna Inc. — Unauthorized Access/Disclosure — 1,600 Impacted