2020 ended with healthcare data breaches being reported at a rate of two per day, twice the rate seen in January 2020. There was a 31.9% month-over-month increase in healthcare data breaches compared to the 2020 monthly average.
A number of breaches for 2020 may still be posted to the OCR breach portal, but to date, 642 healthcare data breaches involving 500 or more records have been reported for 2020. That is the highest annual total since OCR began publishing data breach summaries on its web portal.
2020 Healthcare Data Breaches
In terms of the number of breached records, December was the second-worst month in 2020. There were 4,241,603 healthcare records compromised, exposed, or impermissibly disclosed. December had a 272.35% increase in breached records compared to November and a 92.25% increase compared to the 2020 monthly average.
Biggest Healthcare Data Breaches in December 2020
1. MEDNAX Services, Inc. – 1,290,670 individuals affected due to Hacking/IT Incident
2. Dental Care Alliance, LLC – 1,004,304 individuals affected due to Hacking/IT Incident
3. Aetna ACE CT – 484,157 individuals affected due to Hacking/IT Incident
4. Allegheny Health Network – 299,507 individuals affected due to Hacking/IT Incident
5. AMITA Health – 261,054 individuals affected due to Hacking/IT Incident
6. Community Eye Care, LLC – 149,804 individuals affected due to Hacking/IT Incident
7. GenRx Pharmacy AZ – 137,110 individuals affected due to Hacking/IT Incident
8. Wilmington Surgical Associates, P.A. NC – 114,834 individuals affected due to Hacking/IT Incident
9. Agency for Community Treatment Services, Inc. – 73,825 individuals affected due to Hacking/IT Incident
10. Sonoma Valley Healthcare District – 69,000 individuals affected due to Hacking/IT Incident
Two healthcare data breaches in December each affected over 1 million people. The biggest breach was a phishing attack on MEDNAX Services, Inc. in Florida. Hackers gained access to the company’s Microsoft Office 365-hosted email system because employees responded to phishing email messages. The compromised email accounts held the protected health information (PHI) of 1,290,670 patients.
The other healthcare data breach was associated with Dental Care Alliance in Sarasota, FL, which had over 320 affiliated dental practices in the U.S. Not much is known about the nature of the breach except that hackers accessed its systems and viewed files with patient data.
Causes of Healthcare Data Breaches in December 2020
Ransomware attacks have increased significantly in recent months. December had 5 big breaches involving ransomware attacks. A number of healthcare providers also reported breaches due to the Blackbaud ransomware attack in May 2020.
There were 13 data breaches that involved unauthorized access to email accounts after a phishing attack. Although the majority of December’s breaches concerned unauthorized access to electronic PHI, about 18% of December’s breaches affected paper records and films.
December had 33 hacking/IT incidents, accounting for 4,173,519 or 98.39% of December’s breached records. The average and median breach sizes were 126,470 and 8,000 records per incident, respectively.
The 21 unauthorized access/disclosure incidents impacted 57,837 records. The average and median breach sizes were 2,754 records and 1,020 records, respectively.
There were 5 theft and 2 loss incidents reported. The average and median breach sizes were 1,392 records and 856 records, respectively. One improper disposal incident that affected 501 records was also reported.
Entities That Reported Data Breaches in December 2020
Healthcare providers reported 39 breaches in December. Health plans reported 17 breaches involving at least 500 records, which is 183% more than in November.
Business associates of HIPAA-covered entities reported 6 data breaches; however, 25 of December’s breaches involved business associates in some way.
December 2020 Healthcare Data Breaches by State
58% of states in the U.S. reported data breaches last December. Florida reported 9 data breaches. Pennsylvania reported 7 breaches. Missouri and Texas reported 4, while Illinois, Tennessee and North Carolina reported 3.
Arizona, Connecticut, California, Georgia, Minnesota, Massachusetts, Ohio, and Wisconsin reported two breaches each. Arkansas, Colorado, California, Delaware, Iowa, Indiana, Louisiana, Kentucky, Mississippi, Maine, Nebraska, Utah, Oregon, Virginia, and West Virginia.
HIPAA Enforcement in December 2020
In 2020, more financial penalties were imposed on HIPAA-covered entities and their business associates for potential HIPAA violations than in any other year since HHS started enforcing HIPAA compliance. There were 19 settlements reached to resolve potential HIPAA Rules violations.
OCR issued one financial penalty in December, the 13th under its HIPAA Right of Access initiative. OCR received $36,000 from Peter Wrobel, M.D., P.C., dba Elite Primary Care, to settle a case involving the failure to give two patients a copy of their medical records promptly.