Healthcare Data Breach Report for Q3, 2017

In the third quarter of 2017, Q3, 2017, HIPPA covered entities reported 99 breaches of healthcare data, each involving more than 500 records, reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches affected 1,767,717 patients, who had their PHI exposed or stolen. That makes the total number of Americans affected by healthcare data breaches 4,601,097.

Q3 Data Breaches by Covered Entity

Healthcare providers were the HIPAA covered entity that was the worst hit by data breaches in Q3, as they reported a total of 76 PHI breaches. Next came health plans, who reported 17 breaches, and finally there were the business associates of covered entities, who reported 6 data breaches.

September was the worst month for data breaches in the quarter, totalling 39. July had the next most breaches, with 31, and August had a total of 29. Although August had the fewest number of breaches, it saw the most records exposed – 695,228. September had the least, with nearly 400,000. July had approximately 500,000 stolen.

Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents; 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

  • Women’s Health Care Group of PA, LLC (Healthcare Provider), 300,000, Hacking/IT Incident
  • Pacific Alliance Medical Center (Healthcare Provider), 266,123, Hacking/IT Incident
  • Peachtree Neurological Clinic, P.C. (Healthcare Provider), 176,295, Hacking/IT Incident
  • Arkansas Oral & Facial Surgery Center (Healthcare Provider), 128,000, Hacking/IT Incident
  • McLaren Medical Group, Mid-Michigan Physicians Imaging Center (Healthcare Provider), 106,008, Hacking/IT Incident
  • Salina Family Healthcare Center (Healthcare Provider), 77,337, Hacking/IT Incident
  • Morehead Memorial Hospital (Healthcare Provider), 66,000, Hacking/IT Incident
  • Network Health (Health Plan), 51,232, Hacking/IT Incident
  • St. Mark’s Surgical Center, LLC (Healthcare Provider), 33,877, Hacking/IT Incident
  • Sport and Spine Rehab (Healthcare Provider), 31,120, Hacking/IT Incident

Cause of Healthcare Data Breaches in Q3, 2017

In Q3, 2017, hacking was the biggest cause of healthcare data breaches. This is different to the rest of 2017, when the main cause of healthcare data breaches was unauthorized disclosures by insiders. The incidents involving hacking often took the form of phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

Hackers are extraordinarily proficient at finding vulnerabilities in systems. It is therefore essential for HIPAA covered entities and their business associates conduct regular risk assessments to determine whether any vulnerabilities exist. It is recommended that weekly checks should also be conducted by CEs and BAs to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email hacking or misuse. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, most those breaches saw login details disclosed or ransomware/malware installed because of employees responding to phishing emails.  The high number of phishing attacks reported in Q3 shows highlights the importance of training employees to recognize phishing emails, and setting up an efficient system for reporting suspicious messages. Training should be an ongoing process, involving classroom-based training, CBT sessions, and phishing simulations, with email updates sent to alert employees to specific threats.