June is a better month than the last two months in terms of data breaches reported. Compared to the 1.5 healthcare data breaches per day reported in April and May, June only had 30 breaches involving over 500 healthcare records. That is 31.8% less than the reports in May.
Although there is a drop in the number of data breaches reported, June had 73.6% more health records exposed. In the 30 healthcare data breaches, there were 3,452,442 healthcare records exposed.
Largest Healthcare Data Breaches in June 2019
There were more exposed records because of a major breach at Dominion Dental Services (Dominion National Insurance Company), a dental health plan provider. An unauthorized person accessed its systems and patient information for 9 years resulting to the theft of the protected health information (PHI) of 2,964,778 people. This data breach is the largest reported healthcare data breach in 2019 until June only as it was surpassed already by the breach at American Medical Collection Agency.
Here is the list of the top 10 largest healthcare data breaches in Jun 2019. 9 were hacking/IT incidents. Six were network server breaches, three were email security breaches and one was improper disposal of PHI.
1. Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. – 2,964,778 people impacted by hacking/IT Incident of the network server
2. Inform Diagnostics, Inc. -173,617 people impacted by hacking/IT Incident of the network server
3. EyeCare Partners, LLC [on behalf of affiliated covered entitiies) – 141,165 people impacted by hacking/IT incident
4. Network Server TenX Systems, LLC dba ResiDex Software – 90,000 people impacted by hacking/IT Incident of its network server
5. Shingle Springs Health and Wellness Center – 21,513 people impacted by hacking/IT Incident of its network server
6. Desert Healthcare Services, LLC – 8,000 people impacted by hacking/IT Incident of its network server
7. Summa Health – 7,989 people impacted by hacking/IT Incident of its email system
8. Community Physicians Group – 5,400 people impacted by hacking/IT Incident of its email system
9. Community Healthlink – 4,598 people impacted by hacking/IT Incident of its email system
10. Adventist Health Physician Services- 3,797 people impacted by improper disposal of Paper/Films records
2019 seem to be a bad year for healthcare data breaches. After 6 months, reports show that 9,652,575 records of Americans were exposed, stolen or impermissibly disclosed. This figure is about double of what is reported in 2017 and it doesn’t even include yet the reports from the American Medical Collection Agency data breach.
Causes of Healthcare Data Breaches in June 2019
The number of incidents caused by hacking/IT incidents and unauthorized access/disclosure incidents are almost equal, accounting for 83% of all the reported breaches. The 12 unauthorized access/disclosure incidents reported affected 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.
There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean and median breach size were 263,417 records and 7,995 records, respectively.
Three theft incidents affected 3,424 records with a mean breach size of 1,141 records and median breach size of 1,282 records. One report attributed the breach to a loss incident impacting 2,634 patients and one more to improper disposal incident impacting 3,797 patients.
Location of Breached PHI
Phishing attacks and ransomware continue to cause problems in the healthcare industry. Ransomware attacks sharply increased in Q1 and continued to do so in Q2. Cybercriminals may have dropped ransomware attacks in 2018, but they’re back in 2019. Breached PHI usually involve email, but this June, breached PHI involved networks server almost as much as email. The number of ransomware and malware attacks accounted for the number of network server incidents.
Healthcare Data Breaches by Covered Entity Type in June 2019
Healthcare providers reported 24 data breaches, a health plan reported one and a healthcare clearinghouse reporte one. Though only one business associate reported a data breach, business associates were involved in 7 other data breaches.
Healthcare Data Breaches by State in June 2019
Covered entities in 20 states reported healthcare data breaches. Arizona and California had three breach reports each. Florida, Maryland, Massachusetts, Missouri, Minnesota, and Ohio each had two breach reports. Arkansas, Illinois, Iowa, Indiana, Michigan, Kentucky, Nevada, Texas, Pennsylvania, Vermont, Virginia, and Wyoming each had one breach report.
HIPAA Enforcement Actions in June 2019
There was one HIPAA enforcement action concluded in June. Premera Blue Cross settled a multi-state lawsuit involving the breach of 10.4 million records in 2017. The case was headed by Washington State Attorney General Bob Ferguson and got settled for $10,000,000.
No financial penalty over HIPAA violation was issued by the Department of Health and Human Services’ Office for Civil Rights in June.