HIPAA Breach News

Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients.

On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined that multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed that they contained protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information.

HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual notifications to patients on September 9, 2021. Patients have been offered complimentary credit monitoring and identity theft protection services for 12 months and coverage under a $1 million identity theft insurance policy.

A lawsuit was filed against San Diego Health on behalf of patient Denise Menezes on September 20 alleging negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of confidence, and violations of the California Consumer Privacy Act, the California Confidentiality of Medical Information Act, and the California Unfair Competition Law.

The lawsuit alleges San Diego Health failed to comply with its obligations to protect patient data as required by the HIPAA Security Rule. It is alleged that appropriate, industry-standard cybersecurity measures, such as spam filtering and email authentication controls including SPF and DMARC, were not implemented to prevent hackers from gaining access to email accounts where patients’ protected health information was stored, and that sufficient security awareness training had not been provided to employees to help them identify and avoid phishing attempts. Additionally, the lawsuit alleges negligence for failing to detect the breach for 4 months and for failing to notify affected individuals within a reasonable amount of time.

A second lawsuit, which also seeks class action status, was filed on behalf of patient Richard Hartley on September 22. The lawsuit also alleges negligence for the same failures, and also states that a potential data breach was detected by San Diego Health on March 12, but it took until April 8 to expel the unauthorized individuals from its email environment.

The lawsuit alleges negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of the California Consumer Privacy Act and California Confidentiality of Medical Information Act.

The plaintiff claims to have suffered actual injury as a result of the breach. Alleged injuries include anxiety caused by the theft of his personal information and paying monies to San Diego Health for goods and services that required a disclosure of PHI, a disclosure he says he would not have made had he been aware that inadequate security measures were in place to protect that information. The plaintiff also alleges damage to and diminution of the value of his sensitive information, loss of privacy, impending and imminent injury due to identity theft, and the time and expense of mitigating the effects of the breach.

The lawsuits seek unspecified damages for the plaintiffs and all other class members whose personal and medical information may have been compromised in the attack, a jury trial, and an injunction compelling San Diego Health to enhance cybersecurity to prevent similar breaches in the future.

The post Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack appeared first on HIPAA Journal.

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack.

Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted.

While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents said their organization had suffered a ransomware attack, and out of those, 67% said they had one while 33% said they had more than one.

The study, which was sponsored by Censinet, involved a survey of 597 healthcare organizations including integrated delivery networks, community hospitals, and regional health systems. The cost of ransomware attacks on the healthcare industry had been determined in a previous Ponemon Institute survey, with the data presented in the IBM Security Cost of a Data Breach Report. In 2021, costs had risen to an average of $9.23 million per incident. The Censinet study sought to determine whether these attacks had a negative impact on patient safety while also seeking to understand how COVID-19 has impacted the ability of healthcare organizations to protect patient care and patient information from ransomware attacks.

COVID-19 introduced many new risk factors, such as an increase in remote working and new IT systems to support those workers. Patient care requirements increased, and COVID-19 caused staff shortages. The survey confirmed that COVID-19 has affected the ability of healthcare organizations to defend against ransomware attacks and other increasingly virulent cyberattacks. Prior to COVID-19, 55% of healthcare organizations said they were not confident they would be able to mitigate the risks of ransomware, whereas now, 61% of healthcare organizations said they are not confident or have no confidence in their ability to mitigate the risks of ransomware.

These attacks were found to be negatively affecting patient safety. 71% of respondents said ransomware attacks resulted in an increased length of stay in hospitals and 70% said delays in testing and medical procedures due to ransomware attacks resulted in poor patient outcomes. Following an attack, 65% of respondents said there was an increase in the number of patients being redirected to alternative facilities, 36% said they had increases in complications from medical procedures, and 22% said they had an increase in mortality rate after an attack.

One of the factors that has contributed to a higher risk of a ransomware attack occurring is the increased reliance on business associates for digitizing and distributing healthcare information and providing medical devices. On average, respondents said they work with 1,950 third parties and that number is expected to increase over the next 12 months by around 30% to an average of 2,541.

Business associates of healthcare organizations are being targeted by ransomware gangs and other cybercriminal organizations. Cybersecurity at business associates is often weaker than their healthcare clients, and one attack on a business associate could provide access to the networks of multiple healthcare clients.

Even though working with third parties increases risk, 40% of respondents said they do not always complete a risk assessment of third parties prior to entering into a contract. Even when risk assessments are conducted, 38% of respondents said those risk assessments were often ignored by leaders. Once contracts have been signed, over half (53%) of respondents said they had no regular schedule of conducting further risk assessments or that they were only conducted on demand.

Censinet recommends creating an inventory of all vendors and protected health information. It is only possible to ensure systems and data are secured if accurate inventories are maintained. Workflow automation tools are useful for establishing a digital inventory of all third parties and PHI records. These tools should also be used for creating an inventory of medical devices. Medical devices can provide an easy entry point into healthcare networks, so it is essential that these devices are secured. Only 36% of respondents said their organization knew where all medical devices were located, and only 35% said they were aware when those devices would reach end-of-life and would no longer be supported.

The report recommends conducting a thorough risk assessment of a vendor prior to entering into a contract, and then conducting periodic risk assessments thereafter and ensuring action is taken to address any issues identified. Further investment in cybersecurity is required specifically to cover re-assessments of high-risk third parties, as currently, only 32% of critical and high-risk third parties are assessed annually, and just 27% are reassessed annually.

The report also strongly recommends assigning risk accountability and ownership to one role, which will help to ensure an effective enterprise-risk management strategy can be adopted and maintained.


Data Breaches Reported by Vista Radiology, Indian Creek Foundation & Mankato Clinic

Vista Radiology Reports Breach of the PHI of up to 3,634 Individuals

Knoxville, TN-based Vista Radiology has notified 3,634 patients about a ransomware attack experienced on July 11, 2021 which took part of its network offline. A leading computer forensics firm was engaged to conduct a full investigation into the attack, and the initial findings suggested the sole purpose of the attack was to encrypt its systems and that data exfiltration was not involved. However, Vista Radiology was informed on July 15 that some evidence had been found that files or folders containing patient data had been accessed and viewed.

The investigation confirmed files were encrypted in the evening of July 10, with a subset of those files accessed prior to encryption. The files that had been viewed contained only a limited amount of patient data, and no significant amount of data was exfiltrated by the attackers. It was not possible to determine whether the PHI of any specific patients had been accessed, so notification letters were sent to all patients potentially affected by the attack. The investigation indicates protected health information was not acquired or misused.

Vista Radiology said the encrypted data had been backed up and could be restored, and that it did not negotiate with the malicious third party. Steps have since been taken to improve the security of its network environment, which involved a complete rebuild and redesign of network security. All affected patients have been notified and offered 12 months of complimentary identity and credit monitoring services.

Indian Creek Foundation Breach Affects 2,405 Patients

Indian Creek Foundation has notified 2,405 patients about a ransomware attack that occurred on February 6, 2021. Steps were immediately taken to contain the attack and third-party computer forensics specialists were engaged to investigate the security breach.

The investigation confirmed certain files and folders may have been exfiltrated from its systems prior to the use of ransomware to encrypt files. On or around April 15, 2021, a programmatic and manual review of all affected files was conducted to determine which patients were affected and what data was involved. It was confirmed on or around July 14 that patient data was included in the compromised files and folders. It took until August 24 to verify contact information for those individuals, and notification letters have now been sent to all affected patients.

The data potentially viewed or exfiltrated by the attackers included names, Social Security numbers, driver’s license numbers, health insurance information, medical treatment/diagnosis information, and financial account information. Complimentary access to credit monitoring and identity restoration services has been offered to those individuals.

Indian Creek Foundation said policies and procedures have been reviewed and updated and additional safeguards have been implemented to reduce the likelihood of similar events in the future.

Mankato Clinic Privacy Breach Affects 535 Patients

Mankato, MN-based Mankato Clinic has discovered a breach of the protected health information of 535 patients. On August 3, 2021, a spreadsheet containing patient data was emailed to an external email account in error by an employee. The error was detected within a few minutes and the recipient was contacted and told to delete the email and spreadsheet.

The recipient confirmed that the email had been deleted and the spreadsheet had not been opened; however, the email was not encrypted, so there is a small probability that it could have been intercepted in transit. The spreadsheet contained the following types of patient information: name, address, phone number, email address, date of birth, sex, medical record number, healthcare provider’s name, diagnosis information, and primary insurance carrier.

The investigation into the incident confirmed the error occurred due to the use of the email auto-complete feature. All employees have been provided with HIPAA training, so the employee in question knew the incident was a HIPAA breach and self-reported the error.


Vice Society Ransomware Gang Attacks United Health Centers of San Joaquin Valley

The Vice Society ransomware gang claims to have conducted a ransomware attack on the California healthcare provider United Health Centers of San Joaquin Valley. United Health Centers operates more than 20 community health centers in Fresno, Kings, and Tulare counties.

The Vice Society ransomware gang emerged in mid-2021 and is believed to be a spin-off of the HelloKitty ransomware operation. The gang is known to use a variety of methods to gain access to victims’ networks, including exploiting vulnerabilities such as the PrintNightmare bugs.

The gang is known for exfiltrating data from victims’ systems prior to the use of ransomware to encrypt files. Data are then published on its data leak site to pressure victims into paying the ransom. This attack appears to be no exception. Bleeping Computer reports it was notified on August 31, 2021 about the ransomware attack on United Health Centers by a trusted member of the cybersecurity community who said the healthcare provider’s entire network was shut down as a result of the attack.

The cyberattack has yet to appear on the HHS’ Office for Civil Rights Breach Portal or the website of the California Attorney General and United Health Centers has not published any notification on its website at the time of writing. Under HIPAA, regulated entities have up to 60 days to issue notifications about a data breach.

Bleeping Computer reports the Vice Society gang has already leaked data allegedly obtained in the attack on its data leak website, some of which contains patients’ protected health information (PHI). Databreaches.net has reviewed some of the dumped files and confirmed they contained PHI such as names, dates of birth, insurance information, dates of service, diagnostic codes, and treatment and service codes, along with a folder containing files of patients who had fallen into arrears on their accounts and were referred to debt collection agencies in 2012. Some of those files included patients’ Social Security numbers, diagnosis information, and other types of PHI.

Bleeping Computer said its source reported that the attack caused major disruption to the healthcare provider’s IT systems, although the healthcare provider had backups that were not impacted in the attack. United Health Centers has reportedly started re-imaging computers and restoring data from backups. That, along with the data dump, suggests the ransom was not paid.

Both Bleeping Computer and Databreaches.net said they reached out to United Health Centers multiple times but have yet to receive a response about the attack.

While several ransomware-as-a-service operations place restrictions on industry sectors that can be attacked and avoid the healthcare industry, Vice Society certainly does not fall into that group. Around a fifth of its attacks are conducted on the healthcare sector.


Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information.

Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse.

Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary credit monitoring services through Kroll.

Mercy Grace Private Practice Notifies 4,450 Patients About Data Breach

On August 30, 2021, Mercy Grace Private Practice in Gilbert, AZ notified 4,450 patients about a business email compromise attack in December 2020 involving a fraudulent wire transfer.

A third-party computer forensics firm was engaged to perform a comprehensive analysis of its entire email environment. That investigation confirmed that two employee email accounts had been compromised.

A review of the two email accounts confirmed they contained patient data such as names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and limited health information. The purpose of the attack appears to have been to defraud the practice rather than to obtain patient data. Mercy Grace Private Practice is unaware of any actual or attempted misuse of patient data as a result of the security breach.

In response to the breach, security protocols have been enhanced and further cybersecurity training has been provided to employees.


K and B Surgical Center & Healthpointe Medical Group Notify Patients About Hacking Incidents

K and B Surgical Center in Beverly Hills, CA has discovered an unauthorized individual gained access to its computer network. The security breach was detected on March 30, 2021, with the third-party forensic investigation confirming its network was compromised between March 25 and March 30.

Upon discovery of the breach, steps were taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The investigation concluded on April 27, 2021 that the attacker gained access to parts of the network that contained the protected health information of patients.

Data mining was performed on the affected servers to determine which types of information had been exposed and which patients had been affected. K and B Surgical Center said in its September 3, 2021 breach notification letters that it took until July 27 to obtain a finalized list of affected patients.

The types of information potentially accessed and/or exfiltrated included the following data elements: names, addresses, phone numbers, driver’s license numbers, diagnoses, treatment and prescription information, provider names, patient IDs, Medicare/Medicaid numbers, lab test results, health insurance information, and treatment cost information. At the time of issuing notification letters, no reports had been received of any cases of actual or attempted misuse of patient data as a result of the security breach.

In total, notification letters have been sent to 14,772 individuals. K and B Surgical Center has offered 12 months of complimentary credit monitoring and identity theft restoration services to affected individuals as a precaution against identity theft and fraud.

Following the security breach, passwords were changed for all user accounts, VPN connections, and email accounts and new anti-virus security systems and threat monitoring programs were installed on all computers. The workforce has been retrained on security, its Security Rule risk analysis has been updated, and periodic security audits will be conducted to identify potential vulnerabilities.

Healthpointe Medical Group Notifies Patients About Hacking Incident

Healthpointe Medical Group in Portland, OR has notified certain patients about a hacking incident and the exposure of their protected health information.

Healthpointe discovered suspicious activity on certain servers on or around June 9, 2021. Steps were promptly taken to secure its IT systems and a leading computer forensics firm was engaged to investigate the nature and scope of the breach. On or around July 7, 2021, the investigation confirmed the attacker had gained access to files or folders that contained patient data. A review of those files and folders was completed on July 27 and confirmed they contained names, addresses, and Social Security numbers. Notification letters started to be sent to affected individuals in late August.

Healthpointe has performed a company-wide password reset, updated its firewalls, expanded the use of multi-factor authentication, and taken other steps to enhance its security protocols. Affected individuals have been told they can take advantage of 12 months of identity theft protection services through IDX at no cost and will be protected by a $1 million identity theft insurance policy.


Ransomware Attacks Reported by Family Medical Center of Michigan & Buddhist Tzu Chi Medical Foundation

Temperance, MI-based Family Medical Center of Michigan (FMC) has notified 21,988 patients about a July 2020 ransomware attack in which their protected health information was compromised.

FMC said the attack appeared to have been conducted by a cybercriminal gang operating out of Ukraine. The attackers encrypted FMC’s financial files which prevented its employees from accessing patients’ financial information. A ransom demand of $30,000 in cryptocurrency was issued for the digital key to unlock the encrypted files.

FMC said it worked with a third-party computer security firm, IDX, to investigate the breach and help secure its digital environment. IDX advised paying the ransom as part of a strategy to determine the scope of the attack. FMC CEO Ed Larkins said the practice complied with the demand and paid the ransom a week after the attack occurred. The attackers took two weeks to send the key to decrypt the files.

The investigation into the attack confirmed only financial information was affected and patient medical records were not compromised in the attack. Patients affected by the attack had received medical services at some point in the past 14 years.

Following the attack, steps were taken to improve security and harden defenses to prevent further attacks. IDX is continuing to manage the response to the incident and has not detected any attempted or actual misuse of patient data since the attack. FMC has offered complimentary credit monitoring services to patients whose financial information was compromised.

Ransomware Attack Reported by Buddhist Tzu Chi Medical Foundation

Buddhist Tzu Chi Medical Foundation in West Sacramento, CA is notifying 18,968 patients that some of their protected health information has potentially been compromised in a recent cyberattack.

The attack was detected on July 15, 2021 when parts of its network became inaccessible. The affected server was immediately taken offline, and emergency protocols were implemented, with the staff switching to pen and paper to record patient data. A forensic investigation was conducted to determine the nature and scope of the breach, which confirmed that parts of the network accessed by the attackers contained patient data.

It was not possible to determine whether any patient data were viewed or exfiltrated by the attackers, only that data access was possible. The files potentially compromised in the attack contained names, dates of birth, and diagnosis information, which included dental x-rays for dental patients. No other patient data was stored on the affected server and computers.

Due to the nature of the data exposed, there is believed to be a very low risk of misuse of the information; however, as a precaution, affected patients have been advised to monitor their explanation of benefits statements and other health information for any suspicious activity.


U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals

The U.S. Vision Inc. subsidiary USV Optical Inc. has announced that unauthorized individuals gained access to certain servers and systems that contained patients’ protected health information. The unauthorized access was detected on May 12, 2021, with the subsequent forensic investigation confirming the hackers had access to its systems for almost a month, from April 20, 2021 to May 17, 2021, when its systems were secured.

Third-party computer forensics specialists are continuing to investigate the breach to determine the full extent and scope of the intrusion but have concluded that unauthorized individuals potentially viewed and exfiltrated patient data in the attack.

It has been confirmed that the following types of employee and patient data have been exposed: names, eyecare insurance information, and eyecare insurance application and/or claims information. A subset of individuals may also have had the following data exposed: address, date of birth, and/or other individual identifiers. No reports have been received to date of any cases of attempted or actual misuse of personal and protected health information as a result of the security breach.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 180,000 individuals. Notifications are being sent to those individuals along with advice on steps that can be taken by breach victims to protect their identities, should they deem those steps to be appropriate.

USV Optical said it worked diligently to investigate and respond to the incident and is currently working to identify and notify potentially impacted individuals. A review is being conducted of policies related to data protection, and these will be enhanced to better protect patient data.

This is the second major data breach to be reported by an eye care provider in the past few days. Simon Eye Management recently reported an email security breach in which the protected health information of 144,000 individuals was exposed.


August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. In August, 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates. August’s reported data breaches take the total number of healthcare data breaches in the past 12 months (September 2020 to August 2021) to 707, with 440 of those data breaches reported in 2021.

[Chart: Healthcare data breaches in the past 12 months]

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

[Chart: Healthcare records breached in the past 12 months]

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment both for the keys to decrypt data and to prevent the stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shut down, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free: Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Cause |
|---|---|---|---|---|
| St. Joseph’s/Candler Health System, Inc. | Healthcare Provider | 1,400,000 | Hacking/IT Incident | Ransomware attack |
| University Medical Center Southern Nevada | Healthcare Provider | 1,300,000 | Hacking/IT Incident | Ransomware attack |
| DuPage Medical Group, Ltd. | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware attack |
| UNM Health | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident |
| Denton County, Texas | Healthcare Provider | 326,417 | Unauthorized Access/Disclosure | Online exposure of COVID-19 vaccination data |
| Metro Infectious Disease Consultants | Healthcare Provider | 171,740 | Hacking/IT Incident | Email accounts compromised |
| LifeLong Medical Care | Healthcare Provider | 115,448 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) |
| CareATC, Inc. | Healthcare Provider | 98,774 | Hacking/IT Incident | Email accounts compromised |
| San Andreas Regional Center | Business Associate | 57,244 | Hacking/IT Incident | Ransomware attack |
| CarePointe ENT | Healthcare Provider | 48,742 | Hacking/IT Incident | Ransomware attack |
| South Florida Community Care Network LLC d/b/a Community Care Plan | Health Plan | 48,344 | Unauthorized Access/Disclosure | PHI emailed to a personal email account |
| Electromed | Healthcare Provider | 47,200 | Hacking/IT Incident | Unspecified hacking incident |
| Queen Creek Medical Center d/b/a Desert Wells Family Medicine | Healthcare Provider | 35,000 | Hacking/IT Incident | Ransomware attack |
| The Wedge Medical Center | Healthcare Provider | 29,000 | Hacking/IT Incident | Unspecified hacking incident |
| Gregory P. Vannucci DDS | Healthcare Provider | 26,144 | Hacking/IT Incident | Unspecified hacking incident |
| Texoma Community Center | Healthcare Provider | 24,030 | Hacking/IT Incident | Email accounts compromised |
| Family Medical Center of Michigan | Healthcare Provider | 21,988 | Hacking/IT Incident | Ransomware attack |
| Central Utah Clinic, P.C. dba Revere Health | Healthcare Provider | 12,433 | Hacking/IT Incident | Email accounts compromised (phishing) |
| Hospice of the Piedmont | Healthcare Provider | 10,682 | Hacking/IT Incident | Email accounts compromised |
| Long Island Jewish Forest Hills Hospital | Healthcare Provider | 10,333 | Unauthorized Access/Disclosure | Unauthorized medical record access by employee |

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

[Chart: Causes of Healthcare Data Breaches Reported in August 2021]

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

[Chart: Location of breached PHI in August 2021 healthcare data breaches]

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

| State | Number of Reported Data Breaches |
|---|---|
| Texas | 4 |
| Arizona, Illinois | 3 |
| California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, Virginia | 2 |
| Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, Wisconsin | 1 |

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. Health plans reported 4 data breaches, and business associates self-reported 4 breaches.

[Chart: August 2021 healthcare data breaches by covered entity type]

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021.


The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.