May 2019 had 46 breaches with over 500 records exposed, making it the worst month since the HHS’ Office for Civil Rights began reporting breach summaries on its web portal in 2009. But that record was broken last July, which had 50 reported healthcare data breaches with over 500 records. July had 13 more breaches than 2019’s monthly average and 20.5 more breaches than 2018’s monthly average.
July 2019 had 25,375,729 records exposed, making it the second-worst month in terms of healthcare records exposed. 2019 still has 5 months to go, yet over 35 million healthcare records have already been exposed, which is more than the combined total for 2016, 2017, and 2018.
Causes of Healthcare Data Breaches in July 2019
The primary reason for the high number of reported data breaches in July is the American Medical Collection Agency (AMCA) data breach. AMCA is a provider of medical billing and collection services for many clients including the biggest medical testing labs in the U.S. AMCA lost those clients because of the breach.
There is no final count yet of the victims or records compromised in this breach. Thus far, the AMCA breach has impacted 22 healthcare organizations and exposed over 24 million records. 8 healthcare organizations have not yet submitted a breach report to OCR.
Here’s the list of healthcare providers affected by the AMCA data breach:
1. Quest Diagnostics/Optum360
3. Clinical Pathology Associates
5. American Esoteric Laboratories
6. Inform Diagnostics
7. Laboratory Medicine Consultants
8. Integrated Regional Laboratories
9. West Hills Hospital and Medical Center / United West Labs
10. Seacoast Pathology, Inc
11. Arizona Dermatopathology
12. Western Pathology Consultants
14. Sunrise Medical Laboratories
15. BioReference Laboratories/Opko Health
16. CBLPath Inc.
17. CompuNet Clinical Laboratories
18. Austin Pathology Associates
19. South Texas Dermatopathology PLLC
20. Pathology Solutions
21. Penobscot Community Health Center
22. Laboratory of Dermatology ADX, LLC
Hacking and IT incidents were the cause of 35 breaches in July, exposing 23,203,853 healthcare records. The average and mean breach sizes were 662,967 records and 4,559 records, respectively. 9 breaches were due to unauthorized access/disclosure, exposing 2,160,699 healthcare records. The average and mean breach sizes were 240,077 records and 3,881 records, respectively. Three incidents involved theft, which exposed 3,584 records. Two were loss incidents exposing 4,593 records, and one was an improper disposal incident exposing 3,000 records.
The Biggest Healthcare Data Breaches in July 2019
1. Optum360, LLC – Hacking/IT incident resulted in 11,500,000 records exposed
2. Laboratory Corporation of America Holdings dba LabCorp – Hacking/IT incident resulted in 10,251,784 records exposed
3. Clinical Pathology Laboratories, Inc. – Unauthorized access/disclosure incident resulted in 1,733,836 records exposed
4. CareCentrix, Inc. – Hacking/IT incident resulted in 467,621 records exposed
5. Bayamon Medical Center Corp. – Hacking/IT incident resulted in 422,496 records exposed
6. Memphis Pathology Laboratory d/b/a American Esoteric Laboratories – Unauthorized access/disclosure incident resulted in 409,789 records exposed
7. Laboratory Medicine Consultants, Ltd. – Hacking/IT incident resulted in 140,590 records exposed
8. Imperial Health, LLP – Hacking/IT incident resulted in 116,262 records exposed
9. Puerto Rico Women And Children’s Hospital, LLC – Hacking/IT incident resulted in 99,943 records exposed
10. Ameritas Life Insurance Corp. Health Plan – Hacking/IT incident resulted in 39,675 records exposed
Location of Breached Protected Health Information (PHI)
Network server incidents increased in July. The increase was due to the AMCA breach and ransomware attacks on healthcare companies. Phishing likewise caused problems for healthcare companies: 21 breaches involved PHI located in email accounts.
Healthcare Data Breaches by Covered Entity Type in July 2019
Healthcare providers reported 39 breaches. Health plans reported three breaches, and business associates of HIPAA covered entities reported 8 breaches. In addition, there was business associate involvement in 18 of the data breaches.
Healthcare Data Breaches by State
26 states and Puerto Rico reported the 50 data breaches in July. Minnesota had the most reported breaches, with 6 incidents. Healthcare organizations in Michigan, Pennsylvania, and Texas reported four breaches each. Nevada and Tennessee reported three breaches; North Carolina, Ohio, Wisconsin, and Puerto Rico reported two breaches each.
The following states reported only one breach: Alabama, Arizona, Arkansas, California, Connecticut, Georgia, Louisiana, Kentucky, Maine, Massachusetts, Maryland, Missouri, Nebraska, New York, New Hampshire, Oregon, and South Carolina.
HIPAA Enforcement Activity in July 2019
Though the HHS’ Office for Civil Rights had two settlements of HIPAA violations in May 2019, there were no other financial penalties issued.
State attorneys general had one settlement in July, involving Premera Blue Cross and 30 state attorneys general. It concerned the 2014 data breach of 10.4 million records.
Premera Blue Cross had to pay a financial penalty of $10,000,000 to resolve the HIPAA violations. Besides the $10 million settlement, Premera Blue Cross resolved a class action lawsuit by paying $74 million: $42 million for enhancing cybersecurity and $32 million for breach victims’ claims.