January 2020 Healthcare Data Breach Report

Healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day throughout January.

2019 was a very bad year for healthcare data breaches with 510 data breaches made known by HIPAA-covered entities and their business associates. That is the same as a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches when held up against December 2019.

healthcare data breaches February 2019 to January 2020

Healthcare data breaches in January

While the amount of breaches fell, the number of breached records grew to 17.71% month-over-month. 462,856 healthcare records were accessed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below indicates, the extent of data breaches actually grew in recent years.

Biggest Healthcare Data Breaches in January 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
PIH Health CA Healthcare Provider 199,548 Hacking/IT Incident Email
Douglas County Hospital d/b/a Alomere Health MN Healthcare Provider 49,351 Hacking/IT Incident Email
InterMed, PA ME Healthcare Provider 33,000 Hacking/IT Incident Email
Fondren Orthopedic Group L.L.P. TX Healthcare Provider 30,049 Hacking/IT Incident Network Server
Native American Rehabilitation Association of the Northwest, Inc. OR Healthcare Provider 25,187 Hacking/IT Incident Email
Central Kansas Orthopedic Group, LLC KS Healthcare Provider 17,214 Hacking/IT Incident Network Server
Hospital Sisters Health System IL Healthcare Provider 16,167 Hacking/IT Incident Email
Spectrum Healthcare Partners ME Healthcare Provider 11,308 Hacking/IT Incident Email
Original Medicare MD Health Plan 9,965 Unauthorized Access/Disclosure Other
Lawrenceville Internal Medicine Assoc, LLC NJ Healthcare Provider 8,031 Unauthorized Access/Disclosure Email

What Caused January 2020 Healthcare Data Breaches?

2019 saw a huge increase in healthcare data breaches as a result of hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were due to hacking, malware, ransomware, phishing attacks, and different IT security breaches.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents still featured heavily in the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were categorized as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both incorporating physical records, and 2 cases of incorrect disposal of physical records. Ransomware attacks went on impacting the healthcare sector, but phishing attacks are, by a distance, the biggest cause of healthcare data breaches. As the above table suggests, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or illegally taken.

Hacking/IT incidents are typically the most damaging sort of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breaches due to unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were illegally taken in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first making documents unreadable and undecipherable. The average breach size was 1,406 files. 
Location of breached protected health information

Constant security awareness training for employees has been shown to minimize susceptibility to phishing attacks, but threat actors are carrying out increasingly complex attacks. It is often hard to distinguish a phishing email from an authentic message, especially in the case of business email compromise campaigns.

What is required to block these attacks is a defense in depth approach and no single technical solution will be effective at preventing all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised details from being used to access email accounts.

Covered Entity Healthcare Data Breaches

Healthcare providers were the most heavily affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were made known by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were another three data breaches reported by covered entities that had some business associate activity.

January 2020 Healthcare Data Breaches by Covered Entity

January 2020 Healthcare Data Breaches records exposed covered entity

State by State Healthcare Data Breaches

HIPAA covered bodies and business associates in 23 states reported data breaches in January. California and Texas were the worst impacted with three reported breaches in each state. There were two breaches reported in states including Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

January 2020 HIPAA Enforcement

There were no financial penalties sanctioned against HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general throughout January.

There was a clear rise in the number of lawsuits filed against healthcare groups that have suffered data breaches related to phishing and ransomware attacks.

January saw a legal action submitted against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second legal action was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These legal actions come after a legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has persisted in February with several law firms racing to be the first to submit legal actions against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 people.

These legal actions may refer to HIPAA breaches, but since there is no private cause of action under HIPAA, legal action is taken over violations of state legislation.