The number of healthcare data breaches increased month-over-month. In March 2018, HIPAA covered entities reported 29 security breaches, up from 25 breach incidents in February 2018. Although the number of reported breaches rose in March, the number of persons affected fell: 268,210 healthcare records were exposed in March 2018, a 13.13% decrease from the 308,780 records exposed in February.
The Verizon Data Breach Investigations Report for March confirmed that insiders, rather than hackers, cause most data breaches in the healthcare industry. 19 of the 29 breaches in March (65.5%) were attributed to insiders. The March incidents broke down into unauthorized access or disclosures (14 incidents), loss of devices or physical records (9 incidents), hacking or IT incidents (5 incidents), and improper disposal of files containing PHI.
Ten of the healthcare data breaches in March each affected more than 10,000 persons. The largest breach reported in March exposed the PHI of 63,551 persons. That breach occurred and was discovered in December 2016, but it was reported to the HHS Office for Civil Rights only last month. It was caused by unauthorized access or disclosure.
Business associates of HIPAA-covered entities did not report any data breaches in March. However, the largest breach in March, involving Middletown Medical, was caused by a business associate’s subcontractor, as noted in the breach notice published on the provider’s website. Other breaches may also have involved business associates. Unsurprisingly, breaches reported by healthcare providers accounted for the highest number of exposed records, 154,325. Business associates/subcontractors had 63,551 records exposed, while health plans had 50,334 records exposed. Business associates/subcontractors had the highest number of exposed records per incident (mean = 63,551), followed by health plans (mean = 16,778) and healthcare providers (mean = 6,173).
In March, 9 reported breaches involved portable electronic devices such as laptops and storage media. Had those devices been encrypted, the loss of the devices would not have exposed ePHI. The next most common location was email, with 8 reported breaches involving phishing incidents and misdirected emails. Five breaches involved a failure to secure physical records such as paper and films.
Six states reported multiple healthcare data breaches in March 2018, with Massachusetts topping the list at 5 breaches. California had 4 data breaches, New York and Missouri had three each, and Maryland and Texas had two each. States that reported a single breach were Arkansas, the District of Columbia, Colorado, Florida, Iowa, Georgia, Illinois, Mississippi, Minnesota and West Virginia.
For March 2018, the Department of Health and Human Services’ Office for Civil Rights did not issue any civil monetary penalties or settlements for HIPAA violations by covered entities or business associates. However, the New York attorney general’s office reached one settlement, with Virtua Medical Group. The group paid $417,816 to settle a case arising from its business associate’s failure to secure an FTP server.