Summary of Healthcare Data Breach Reports for June 2018

According to the healthcare data breach report for June 2018, the number of healthcare data breaches increased by 13.8% from the previous month. However, the breaches were less severe, with 42.48% fewer healthcare records exposed or stolen than in May 2018. There were 33 healthcare data breaches reported in June to the Department of Health and Human Services’ Office for Civil Rights. The 356,232 healthcare records exposed or stolen this month is the lowest total since March of this year.

The leading cause of healthcare data breaches in June 2018 was unauthorized access/disclosure of data, with 15 incidents. Hacking/IT incidents came next, with 12. Four incidents involved theft of electronic devices, while 2 were paper records incidents.

In terms of the number of healthcare records compromised by breach type, June had 157.5% more records exposed to unauthorized people in theft incidents than May 2018. The number of healthcare records exposed or stolen in hacking/IT incidents fell by 56%. The number exposed or stolen in unauthorized access/disclosure incidents fell by 74%.

The eight biggest healthcare data breaches in June 2018 were caused by hacking and phishing. The largest breach was reported by Med Associates, a claims service provider to healthcare companies. The computer of a Med Associates employee was hacked and accessed remotely, compromising the PHI of 276,057 people. The other healthcare companies that experienced data breaches were InfuSystem Inc., HealthEquity Inc., Arkansas Children’s Hospital, Black River Medical Center, New England Baptist Health and RISE Wisconsin.

Many of the breaches happened via email. Seven of the 9 email-related breaches were due to phishing attacks, in which unauthorized people gained access to healthcare employees’ email accounts after the employees responded to phishing messages. One email-related breach resulted from PHI being sent to the wrong person, while the cause of another has not been confirmed. Phishing attacks on healthcare companies have increased, which underscores the value of employee security training programs. Security awareness training should be continuous rather than a once-a-year exercise. Simulated phishing attacks can help teach personnel what to do in the event of a breach.

Physical controls must likewise be strengthened. Six of the breaches in June were caused by unauthorized use and theft of paper medical records.

Healthcare providers reported twenty-three data breaches. Six cases were submitted by health plans. Business associates reported six breaches, though they were in fact involved in 10 data breaches.

The largest number of reported healthcare data breaches (5) came from California. Four breaches came from Texas. Michigan reported 3 breaches, while Utah, Missouri, Florida and Wisconsin reported 2 each. Iowa, Illinois, Arizona, Arkansas, Minnesota, Montana, Massachusetts, New Jersey, New Mexico, North Carolina, New York, Pennsylvania and Washington reported one data breach each.

One covered entity was fined by OCR in June 2018 for HIPAA violations. The University of Texas MD Anderson Cancer Center had to pay $4,348,000, the fourth-largest HIPAA violation penalty to date. OCR investigated MD Anderson following three healthcare data breaches reported from 2012 to 2013. The incidents resulted in the impermissible exposure of 34,883 healthcare records.