April 2019 was a bad month for healthcare data breaches. More data breaches were reported in April than in any other month since October 2009, when the Department of Health and Human Services’ Office for Civil Rights began publishing reports of healthcare data breaches. There were 46 healthcare data breaches reported, a 48% increase from March and 67% higher than the average monthly number of breaches over the last 6 years.
Though the number of healthcare data breaches increased in April 2019, the number of healthcare records exposed decreased. There were 694,710 healthcare records exposed, which is 23.9% lower than in March.
April 2019 Biggest Healthcare Data Breaches
April had two data breaches of more than 100,000 records reported. The business associate Doctors Management Services reported the largest breach of the month, a ransomware attack that exposed 206,695 patient records. The attacker first accessed the systems via Remote Desktop Protocol (RDP) 7 months before deploying the ransomware.
Centrelake Medical Group reported the second largest data breach, also a ransomware attack, which resulted in the exposure of 197,661 patients’ PHI. There was a 6-week gap between the first access to the servers and the deployment of the ransomware. The breach at ActivYouth Orthopaedics was also the result of a ransomware attack.
April 2019 Causes of Healthcare Data Breaches
The causes of the data breaches involving at least 500 records were as follows: 28 breaches due to hacking/IT incidents, 14 breaches due to unauthorized access/disclosure incidents, two breaches due to theft, one breach due to loss of paperwork, and one breach due to improper disposal of PHI.
Ransomware attacks decreased across all industries in 2018, but this year they have increased again, with the healthcare industry hit hardest. Attackers used Remote Desktop Protocol to access servers and workstations and then deploy ransomware.
In May, Forescout revealed in a study that the use of vulnerable protocols is prevalent in the healthcare industry. Disabling these protocols reduces the risk. If it is necessary to use RDP, use it only over a VPN.
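Both ransomware attacks above began with RDP access that went unnoticed for weeks or months. The script below is an added example (not from the original report or the organizations it names) of one detection a defender can run over Windows security events: flag successful RDP logons (event 4624, logon type 10) whose source address is outside the internal ranges. The event records are constructed samples in a simplified JSON shape, and the list of internal networks is an assumption that would be set per site.

```python
"""Flag RDP logons from outside the internal address ranges.

Added example: the events below are constructed sample records using a few
fields of Windows Security event 4624, not real logs from any organization.
"""
import ipaddress
import json

# Constructed sample events (simplified subset of event 4624/4625 fields).
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.12"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}',
    '{"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "198.51.100.9"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "rdp_user", "IpAddress": "192.168.1.4"}',
]

# Assumption: these are the site's internal ranges (RFC 1918 plus loopback).
# A VPN-only RDP policy means every legitimate RDP logon should come from here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive logon over RDP

def is_external(ip_text: str) -> bool:
    """True if the address is not inside any internal range ('-' or junk counts as not external)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def external_rdp_logons(lines):
    """Return (user, ip) for every successful RDP logon from a non-internal address."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        # Only successful logons (4624) of the RDP logon type are of interest here;
        # failed attempts (4625) would feed a separate brute-force rule.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if is_external(ev.get("IpAddress", "-")):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for user, ip in external_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: RDP logon for {user!r} from non-internal address {ip}")
```

On the sample data only the administrator logon from 203.0.113.45 is flagged; the internal RDP logons and the non-RDP network logon are ignored.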
In April, there was also an increase in phishing attacks. The following security controls can reduce the risk of attacks:
- Using advanced anti-phishing and anti-spam solutions to block malicious emails from being delivered to inboxes
- Giving employees regular security awareness training
- Using multi-factor authentication to minimize the use of stolen credentials to access PHI
In April 2019, Hacking/IT incidents caused the compromise of 384,219 records, which is 55% of April’s total compromised records. The mean and median breach sizes were 13,722 records and 4,008 records, respectively.
Unauthorized access/disclosure incidents caused the exposure of 264,016 records, which is 38% of April’s total. The mean breach size of these incidents was larger, at 18,858 records; the median was 3,193 records.
PHI loss or theft caused 31,810 records to be exposed, 4.6% of April’s total. The mean and median breach sizes were 10,603 records and 4,000 records, respectively.
Location of Breached Protected Health Information
In April, the most common breach location was email, involved in 22 data breaches, which is 47.8% of April’s breaches. A few of these involved misdirected emails, but most were email account breaches caused by phishing attacks.
There were 11 breaches involving network servers, which is 23.9% of the total breaches. The breaches were due to malware and ransomware attacks.
Only 6 breaches involved physical records such as paperwork, charts, and films, which is 13% of the total breaches.
Breaches by Covered Entity Type
In April, business associates of covered entities reported only two breaches, and one further breach had some business associate involvement. Even so, the largest breach of the month was reported by a business associate. Health plans reported 6 breaches and healthcare providers reported the remaining 38 breaches.
Healthcare Data Breaches by State
In April, 21 states reported data breaches. California and Texas each had 5 breaches reported. Florida, Ohio and Minnesota each had 4 breaches reported, and Illinois had 3 breaches reported. The states with 2 breaches were Idaho, Massachusetts, Oregon, New York, Tennessee, and Washington. The states with 1 breach reported were Alabama, Delaware, Louisiana, New Jersey, North Carolina, Pennsylvania, South Dakota, West Virginia and Utah.
HIPAA Enforcement Activity in April 2019
Neither the HHS’ Office for Civil Rights nor state attorneys general issued a financial penalty in April 2019. The first OCR financial penalty, $3,000,000, was issued in May 2019 to Touchstone Medical Imaging for delaying its response to a data breach affecting 307,839 patients’ records.
Besides the delayed response, Touchstone also failed to issue breach notifications promptly and to notify the media about the breach, had two business associate agreement (BAA) failures, lacked access rights controls, and had not conducted a risk analysis.