Summary Report of Healthcare Data Breaches for May 2018

Covered entities reported a total of 41 healthcare data breaches in April and 29 in May. Even though the healthcare data breaches decline by 29.27% month-over-month, the breaches documented last May were equally serious as with April. The sum of compromised or stolen medical records in May was 838,587, which was 56,287 less compared to April.

The mean breach size in May was 28,917 healthcare records in contrast to 21,826 in April. The median was 2,793 healthcare records in May in contrast to 2,553 in April. The reasons for the occurrence of these healthcare data breaches in May are the following: unauthorized access/disclosure  for 15 incidents (51.72%); hacking/IT for 11 incidents (41.38%) and theft for two incidents (6.9%). No incident due to missing unencrypted electronic gadgets or inappropriate PHI disposal was reported.

The twelve hacking/IT events documented in May brought about the exposure of 738,883 healthcare files or 88.11% of the overall exposed healthcare documents for May. Breaches caused by unauthorized access/disclosure just impacted 97,439 patients and health plan members or 11.62% of the overall compromised data. Burglary incidents resulting in the unauthorized PHI access of 2,265 individuals or 0.27% of all the exposed records.

LifeBridge Health Inc. in Baltimore, MD reported the greatest healthcare data breach report to OCR in May 2018 resulted to 538,127 EHRs exposed.  The breach caused by malware infection took place in September 2016 however was reported to OCR only in May.  The exposed information included names, contact details, clinical data, treatment data, and health insurance details. The Social Security numbers of a few patients were also exposed. This breach is identified as one of the most severe breaches in 2018 due to the enormity and the kinds of information compromised.

In May, the majority of the breach incidents happened due to email. Of the 29 breaches, 11 were due to hacked email accounts or misdirected emails. There were 7 incidents resulting from network server hacking, ransomware and malware attack and another 7 breaches involved paper documents. Healthcare providers submitted the highest number of breaches, 22 of 29. Health plans submitted two breaches. Business associates of HIPAA-covered entities submitted five. But four other breaches reported in May had some business associates involved.

The states breach reports show that California and Ohio each submitted four breaches. Texas and Oregon each submitted two breaches.  Nevada submitted four breaches although three breaches were reports of the same incident by three different Dignity Health hospitals. Arizona, Arkansas, Georgia, Colorado, Florida, Indiana,  Kansas, Massachusetts, Maryland, Michigan, Minnesota, New York and Nebraska each submitted one breach report.

Regarding financial fees and penalties for violating HIPAA guidelines, none was issued in May 2018. This doesn’t mean though that the state attorneys general or the OCR didn’t do anything to enforce the HIPAA rules on covered entities and business associates.