Healthcare Data Breach Report for April 2020

In April 2020, 37 healthcare data breaches involving at least 500 records were reported. That number is only one more than the number of breaches in March and is still lower than the average number of data breaches per month over the last 12 months, which is 41.9.

Although there was a slight increase in the number of breaches, the number of breached healthcare records in April was significantly lower. There were 442,943 breached healthcare records in April, which is 46.56% lower than the 828,921 breached records in March. This is the second successive month in which the number of exposed records has dropped. Although this is unquestionably good news, it must be mentioned that about 39.92 million healthcare records were breached in the last year.

Biggest Healthcare Data Breaches in April 2020

  1. Beaumont Health – 112,211 individuals affected by Hacking/IT Incident
  2. Meridian Health Services Corp. – 111,372 individuals affected by Hacking/IT Incident
  3. Arizona Endocrinology Center – 74,122 individuals affected by Unauthorized Access/Disclosure
  4. Advocate Aurora Health – 27,137 individuals affected by Hacking/IT Incident
  5. Doctors Community Medical Center – 18,481 individuals affected by Hacking/IT Incident
  6. Andrews Braces – 16,622 individuals affected by Hacking/IT Incident
  7. UPMC Altoona Regional Health Services – 13,911 individuals affected by Hacking/IT Incident
  8. Colorado Department of Human Services, Office of Behavioral Health – 8,132 individuals affected by Unauthorized Access/Disclosure
  9. Agility Center Orthopedics – 7,000 individuals affected by Hacking/IT Incident
  10. Beacon Health Options, Inc. – 6,723 individuals affected by Loss of Portable Electronic Device

Causes of Healthcare Data Breaches in April

Just as in March, hacking and IT incidents were the leading cause of healthcare data breaches. Unauthorized access/disclosure incidents were another common cause of breaches, increasing by 77.77% compared to last month.

The 18 reported hacking/IT incidents compromised 333,838 records, which is 75.37% of all breached records in April. The average and median breach sizes were 18,547 records and 4,631 records, respectively. There were 16 reported breaches due to unauthorized access/disclosure incidents, with an average breach size of 6,171 records and a median breach size of 1,122 records. The total number of breached records from the 16 incidents was 98,737.

In April, two theft incidents involving portable electronic devices were reported. The devices contained the records of 3,645 people. A lost portable electronic device was also reported; it contained the data of 6,723 patients.

Location of Breached Protected Health Information

Email was the most frequent location of breached health data. Of all reported breaches in April, 48.65% involved PHI contained in email messages and attachments. Most breaches were due to phishing attacks. 80% of the healthcare data breaches involved electronic data; 20% involved paper files and charts.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 30 breaches in April. Health plans reported 4 breaches, while business associates of HIPAA-covered entities reported three breaches. However, business associates also had some involvement in 8 breaches.

Healthcare Data Breaches by State

In April, 22 states submitted data breach reports. Florida and Texas each reported 4 breaches. Michigan and Pennsylvania had three data breach reports each. California, Connecticut, Missouri, Minnesota, and Wisconsin each had two breaches reported. Arkansas, Arizona, Delaware, Colorado, Indiana, Maryland, Massachusetts, North Carolina, Nevada, New Mexico, Utah, Tennessee, and Washington reported one breach each.

HIPAA Enforcement Activity in April

Neither the state Attorneys General nor the HHS’ Office for Civil Rights imposed any financial penalties on covered entities or business associates in April.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA