April was a particularly bad month for healthcare data breaches, with both the number of breaches and the number of individuals impacted by those breaches substantially higher than in March.
There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.
Healthcare Data Breach Trends
For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.
For the third consecutive month, the number of records exposed in healthcare data breaches has increased.
Causes of Healthcare Data Breaches in April 2018
The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defenses have improved, making it harder for hackers to gain access to healthcare data, healthcare organizations still have a major problem preventing accidental data breaches by insiders and malicious acts by their own employees.
Largest Healthcare Data Breaches in April 2018
More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.
While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected were unauthorized access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.
| Covered Entity | Entity Type | Records Exposed | Breach Type |
|---|---|---|---|
| CA Department of Developmental Services | Health Plan | 582,174 | Unauthorized Access/Disclosure |
| Center for Orthopaedic Specialists – Providence Medical Institute (PMI) | Healthcare Provider | 81,550 | Hacking/IT Incident |
| MedWatch LLC | Business Associate | 40,621 | Unauthorized Access/Disclosure |
| Inogen, Inc. | Healthcare Provider | 29,528 | Hacking/IT Incident |
| Capital Digestive Care, Inc. | Healthcare Provider | 17,639 | Unauthorized Access/Disclosure |
| Iowa Health System d/b/a UnityPoint Health | Business Associate | 16,429 | Hacking/IT Incident |
| Knoxville Heart Group, Inc. | Healthcare Provider | 15,995 | Hacking/IT Incident |
| Athens Heart Center, P.C. | Healthcare Provider | 12,158 | Hacking/IT Incident |
| Fondren Orthopedic Group L.L.P. | Healthcare Provider | 11,552 | Unauthorized Access/Disclosure |
| Kansas Department for Aging and Disability Services | Healthcare Provider | 11,000 | Unauthorized Access/Disclosure |
| Carolina Digestive Health Associates, PA | Healthcare Provider | 10,988 | Unauthorized Access/Disclosure |
Location of Breached PHI
One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.
Data Breaches by Covered Entity
The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.
Healthcare Data Breaches by State
California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.
Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each had two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.
Financial Penalties for HIPAA Covered Entities
The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.
There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.
The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.
A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.