April was a notably bad month for healthcare data breaches, with 62 breaches involving at least 500 records reported. March 2021 had the same number of healthcare data breaches. April saw more than 2 healthcare data breaches reported per day and exceeded the 12-month average of 51 breaches per month.
Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, this figure is below the 12-month average of 2,867,243 breached records per month. In the past 12 months, 34.4 million healthcare records were breached, 11.2 million of them in 2021.
Biggest Healthcare Data Breaches in April 2021
April had 19 reported data breaches involving over 10,000 records, 7 of which involved over 100,000 breached records. 9 of the top 10 data breaches were caused by hacking incidents.
Ransomware attacks continue at high levels, with many of the reported attacks impacting business associates of HIPAA-covered entities. The attacks on Netgain Technologies, CaptureRX and Accellion have affected the clients of several healthcare providers.
Most ransomware attacks today involve data theft before file encryption, and the stolen information is used as leverage to pressure breach victims into paying the ransom. Large quantities of data are stolen during these attacks. April’s top three data breaches all involved ransomware and together affected 1.3 million healthcare records.
There was some good news this month. After the Colonial Pipeline ransomware attack, several ransomware gangs appear to have ceased operations, with at least two gangs announcing that they would not target healthcare companies. This should of course be treated with caution, as certain ransomware gangs made the same promises at the start of the pandemic and attacks still persisted at high levels.
1. Trinity Health – 586,869 individuals affected by Hacking/IT Incident involving ransomware (Accellion)
2. Bricker & Eckler LLP – 420,532 individuals affected by Hacking/IT Incident involving ransomware
3. Health Center Partners of Southern California – 293,516 individuals affected by Hacking/IT Incident involving ransomware (Netgain Technologies)
4. Total Health Care Inc. – 221,454 individuals affected by Hacking/IT Incident involving phishing
5. Wyoming Department of Health – 164,010 individuals affected by Unauthorized Access/Disclosure exposing PHI online
6. Home Medical Equipment Holdco, LLC – 153,013 individuals affected by Hacking/IT Incident involving phishing
7. Health Aid of Ohio, Inc. – 141,149 individuals affected by Hacking/IT Incident involving unspecified hacking and data exfiltration attack
8. Woodholme Gastroenterology – 50,000 individuals affected by Hacking/IT Incident involving unspecified hacking and data exfiltration attack
9. Neighborhood Healthcare – 45,200 individuals affected by Hacking/IT Incident involving ransomware (Netgain Technologies)
10. Crystal Lake Clinic PC – 37,331 individuals affected by Hacking/IT Incident
11. RiverSpring Health Plans – 31,195 individuals affected by Hacking/IT Incident involving phishing
12. Middletown Medical Imaging – 29,945 individuals affected by Hacking/IT Incident involving exposure of PHI online
13. St. John’s Well Child and Family Center, Inc. – 29,030 individuals affected by Hacking/IT Incident involving unspecified hacking and data exfiltration attack
14. MailMyPrescriptions.com Pharmacy Corporation – 24,037 individuals affected by Hacking/IT Incident involving phishing
15. Squirrel Hill Health Center – 23,869 individuals affected by Hacking/IT Incident involving malware
16. Eastern Shore Rural Health System Inc. – 23,282 individuals affected by Unauthorized Access/Disclosure
17. Faxton St. Luke’s Healthcare – 17,656 individuals affected by Hacking/IT Incident involving ransomware (CaptureRX)
18. Midwest Transplant Network, Inc. – 17,580 individuals affected by Hacking/IT Incident involving ransomware
19. Baptist Health Arkansas – 16,765 individuals affected by Hacking/IT Incident involving hacking of business associate (Foley & Lardner, LLP)
Causes of Healthcare Data Breaches in April 2021
April 2021’s breach reports show that 67.74% of reported breaches (42 incidents) were due to Hacking/IT incidents, including malware and ransomware attacks. 17 incidents were caused by unauthorized access/disclosures and involved 358,870 records. There were only two reports of healthcare breaches caused by theft of devices containing PHI and one due to loss; those 3 breaches resulted in the exposure of 4,500 records.
Most network server incidents involved ransomware or malware, and phishing emails remain a frequent initial entry point for ransomware attacks. 19 reported breaches involving PHI in email accounts were the result of phishing or other forms of credential theft. One of April’s largest reported breaches was caused by phishing: the PHI of 221,454 people was compromised and potentially stolen in that incident.
Location of PHI in April 2021’s Healthcare Data Breaches
According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased by 11% worldwide in 2020 and ransomware attacks by 6%. The report also shows that insider breaches in healthcare continued to decline and are no longer among the top three causes of breaches. 61% of healthcare data breaches in 2020 were attributed to external threat actors and 39% to insiders.
Healthcare Data Breaches by Covered Entity Type in April 2021
Healthcare providers reported 30 data breaches involving 500 or more records, while 13 were reported by vendors. Business associates were involved in 24 data breaches: 10 of these were reported by the covered entity, 9 were reported by health plans, and one breach affecting a health plan was reported by its business associate.
States Affected by Healthcare Data Breaches
In April, 28 states had data breaches reported. California had 7 breaches reported while Michigan and Texas had 5 breaches reported. Florida, Wisconsin and New York each had 4 breaches reported, while Massachusetts and Ohio had 3 reported breaches. Georgia, Illinois, Missouri, Minnesota, New Mexico, Pennsylvania, and Vermont reported 2 breaches each. Arkansas, Alabama, Colorado, Kansas, Montana, Maryland, North Carolina, New Jersey, New Hampshire, Oregon, Tennessee, Wyoming and Virginia reported 1 breach each.
HIPAA Enforcement Activity in April 2021
The HHS’ Office for Civil Rights has already issued 6 financial penalties to resolve HIPAA violations this year. No new settlements or civil monetary penalties were announced in April, and state Attorneys General did not issue any enforcement actions either.