Report on Healthcare Data Breaches for January 2018

The January 2018 Healthcare Data Breach report is now available. Based on the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights, there were 21 security breaches in January 2018. The number of incidents this January is lesser compared to December 2017 which recorded 39 incidents.

The number of healthcare data breaches in January dropped by 46.15%, but the number of exposed or stolen records increased by 87,022. For the third consecutive time, breached records increased month over month.

The mean breach size was 20,412 records in January. December 2017’s mean breach size is very close to that number at 10,487 records. Nonetheless, the data breaches in January were less severe compared in December. Median breach size was 1,500 records in January and 15,857 records in December.

Only four breaches in January impacted over 10,000 individuals. December 2017 had 9 such incidents. The largest data breaches, 5 of 6 of them, were due to hacking, malware infections and ransomware attacks.

The most number of breaches (11 of 21) in January were because of employee errors and insider wrongdoing. The 4 of 5 theft/loss incidents associated with portable electronic devices could have been easily avoided if the files were encrypted. Seven incidents were because of unauthorized access or disclosure.

Here’s a breakdown of the causes of breaches and the number of exposed records:

  • 7 hacking/IT incidents exposed 394,787 healthcare records
  • 5 loss/theft incidents (both physical and digital records) exposed 13,329 healthcare records
  • 7 unauthorized access or disclosure exposed 13,329 healthcare records

More breaches involving electronic health data were reported in January. Nonetheless, healthcare organizations need to reinforce physical security and access controls to stop theft and unauthorized access of paper records. Staff must be trained to dispose of physical records of PHI properly. Two breach incidents in January were because of improper disposal of physical records.

Exposed healthcare records in January involved 13,514 paper/film records and 310,593 records in network servers. Other exposed PHI was contained in laptop computers, in emails and in EMRs. Of the 21 breaches in January, 19 involved healthcare providers and two involved health plans. There wasn’t any business associate involvement.

The January data breach report listed 15 states where covered entities experienced breaches impacting over 500 persons. The states and respective number of breaches are as follows:

  • California – 5 breaches
  • Tennessee and Wyoming – 2 breaches each
  • Florida, Kentucky, Illinois, Maryland, Massachusetts, Nevada, New Mexico, Oklahoma, Ohio, Pennsylvania, Washington and Utah – 1 each

OCR did not announce any HIPAA fines or settlements in January. But New York Attorney General’s office received $1.15 million from Aetna to resolve HIPAA rules and state laws violations.