37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.
The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.
Largest Healthcare Data Breaches Reported in August 2020
|Name of Covered Entity||Covered Entity Type||Individuals Affected||Type of Breach||Location of Breached PHI||Incident|
|Northern Light Health||Business Associate||657,392||Hacking/IT Incident||Network Server, Other||Blackbaud ransomware attack|
|Saint Luke’s Foundation||Healthcare Provider||360,212||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|Assured Imaging||Healthcare Provider||244,813||Hacking/IT Incident||Network Server||Ransomware attack|
|MultiCare Health System||Healthcare Provider||179,189||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|Imperium Health LLC||Business Associate||139,114||Hacking/IT Incident||Phishing attack|
|University of Florida Health||Healthcare Provider||135,959||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|Utah Pathology Services, Inc.||Healthcare Provider||112,124||Hacking/IT Incident||Phishing attack|
|Dynasplint Systems, Inc.||Healthcare Provider||102,800||Hacking/IT Incident||Network Server||Ransomware attack|
|Main Line Health||Healthcare Provider||60,595||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|Northwestern Memorial HealthCare||Healthcare Provider||55,983||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|Richard J. Caron Foundation||Healthcare Provider||22,718||Hacking/IT Incident||Network Server||Blackbaud ransomware attack|
|UT Southwestern Medical Center||Healthcare Provider||15,958||Unauthorized Access/Disclosure||Other||Unconfirmed|
|City of Lafayette Fire Department||Healthcare Provider||15,000||Hacking/IT Incident||Network Server||Ransomware attack|
|Hamilton Health Center, Inc.||Healthcare Provider||10,393||Unauthorized Access/Disclosure||Misdirected Email|
Causes of August 2020 Healthcare Data Breaches
Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.
There were 8 unauthorized/access disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.
While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.
Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.
Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now the deadline for reporting the breach is approaching.
There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139, 114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.
States Affected by August 2020 Data Breaches
Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2. One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.
HIPAA Enforcement Activity in August 2020
There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.