May 2019 Healthcare Data Breach Report

April had more healthcare data breaches reported when compared with any other month so far. May continued to have a high number of data breaches, with 44 breaches reported. The number of exposed records in May, which is 1,988,376 healthcare records, increased by 186% compared to April.

The average number of healthcare data breaches reported to the HHS’ Office for Civil Rights per month in 2018 was 29.5, which is about one data breach a day. In 2019, the average breaches reported per month from January to May is 37.2. Until May 31, 2019, there were 186 healthcare data breaches already reported to OCR and over 6 million healthcare records exposed. Both figures are more than 50% of the number reported in 2018. Is this increased number of data breaches temporary or is this the new norm? That remains to be seen.

May should have the same number of records exposed as April if not for a massive 1,565,338-records data breach at Inmediata Health Group, which is the largest to date this year.

Top 10 Healthcare Data Breaches in May 2019

1. Inmediata Health Group, Corp. with 1,565,338 healthcare records exposed
2. Talley Medical Surgical Eyecare Associates, PC with 106,000 healthcare records exposed
3. The Union Labor Life Insurance Company with 87,400 healthcare records exposed
4. Encompass Family and internal medicine group with 26,000 healthcare records exposed
5. The Southeastern Council on Alcoholism and Drug Dependence with 25,148 healthcare records exposed
6. Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center with 16,819 healthcare records exposed
7. Takai, Hoover, and Hsu, P.A. with 16,542 healthcare records exposed
8. Hematology Oncology Associates, PC with 16,073 healthcare records exposed
9. Acadia Montana Treatment Center with 14,794 healthcare records exposed
10. American Baptist Homes of the Midwest with 10,993 healthcare records exposed

Causes of Healthcare Data Breaches in May 2019

The number one cause of healthcare data breaches in May was hacking/IT incidents, with 22 incidents reported and 225,671 records compromised. The average and median breach size were 10,258 and 4,375 records, respectively.

The number two cause of healthcare data breaches was unauthorized access/disclosure incidents, with 18 incidents reported and 1,752,188 healthcare records exposed. The average and median breach size were 97,344 and 2,418 records, respectively.

The number three cause of healthcare data breaches with three reported incidents was theft incidents. There were 8,624 records stolen and the average breach size was 2,875 records with median size of 3,578 records. One loss incident was also reported with 1,893 records exposed.

Location of Breached PHI

Email was the most common location of breached PHI, accounting for 50% of May’s breaches. Most incidents involved phishing attacks.

The second most common location of breached PHI were network servers. The 11 breaches involved hacks, malware and ransomware attacks. There were 7 breaches involving electronic medical records and unauthorized access/disclosure.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 34 breaches while health plans reported 5 breaches. Business associates of HIPAA-covered entities reported 4 breaches and had some involvement in two other breaches. One healthcare clearinghouse also reported a breach.

Healthcare Data Breaches by State

In May, 17 states had entities that reported healthcare data breaches. Texas had 7 reported breaches, California had 4 while Indiana and New York had 3 each. Connecticut, Florida, Georgia, Minnesota, Maryland, North Carolina, Oregon, Ohio, Washington, and Puerto Rico had 2 breaches reported. Colorado, Kentucky, Illinois, Michigan, Montana, Missouri and Pennsylvania had reported one breach each.

May 2019 HIPAA Enforcement Actions

In May, OCR issued fines worth $3,100,000 to two HIPAA covered entities, Touchstone Medical Imaging ($3,000,000) and Medical Informatics Engineering ($100,000), to settle their HIPAA violations. MIE also agreed to pay $900,000 to resolve a multi-state lawsuit that 16 state attorneys general filed against it.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.