The clear decline in healthcare data breaches observed in May turned out to be temporary, with June seeing a big increase in data breaches. HIPAA covered entities and business associates submitted 52 breach reports in June, an 85.71% month-over-month increase in reported breaches.
The number of people affected by healthcare data breaches did not change significantly in spite of the big increase in cases. Breached records dropped by 1.65% month-over-month to 1,047,015 records, which is still higher than the monthly average breached records of 896,374 in 2020.
June 2020’s Biggest Healthcare Data Breaches
The biggest healthcare data breach reported in June came from Benefit Recovery Specialists, Inc. (BRS), a billing and collections agency in Texas. Malware was detected on its systems that may have allowed unauthorized individuals to access the protected health information (PHI) of over 250,000 people.
There was a bigger data breach in June that impacted over 365,000 persons, but each entity impacted by the breach submitted individual reports. Magellan Health experienced a ransomware attack that also impacted around 9 healthcare companies, health plans, and business associates, particularly Merit Health Insurance Company, National Imaging Associates, the University of Florida Health Jacksonville, Magellan Complete Care of Florida, Magellan Rx Pharmacy, Magellan Complete Care of Virginia, Magellan Healthcare in Maryland, UF Health Shands, and UF Health. The ransomware attack is the third biggest healthcare data breach to date in 2020.
1. Benefit Recovery Specialists, Inc. – Hacking/IT incident had 274,837 individuals affected
2. Merit Health Insurance Company – Hacking/IT incident had 102,748 individuals affected
3. Magellan Complete Care of Florida – Hacking/IT incident had 76,236 individuals affected
4. Healthcare Fiscal Management Inc. – Hacking/IT incident had 58,000 individuals affected
5. UF Health Jacksonville – Hacking/IT incident had 54,002 individuals affected
6. Magellan Healthcare – Hacking/IT incident had 50,410 individuals affected
7. Providence Health Plan – Unauthorized Access/Disclosure had 49,511 individuals affected
8. American Medical Technologies – Hacking/IT incident had 47,767 individuals affected
9. Oral and Maxillofacial Surgery Associates, P.A. – Hacking/IT Incident had 35,498 individuals affected
10. City of Philadelphia – Hacking/IT Incident had 33,376 individuals affected
11. Magellan Rx Pharmacy – Hacking/IT incident had 33,040 individuals affected
12. Cano Health – Hacking/IT incident had 28,268 individuals affected
13. National Imaging Associates – Hacking/IT incident had 22,560 individuals affected
14. Legacy Community Health Services – Hacking/IT incident had 19,000 individuals affected
15. Human Affairs International of California – Hacking/IT Incident had 15,843 individuals affected
16. UF Health Shands – Hacking/IT incident had 13,146 individuals affected
17. North Shore Pain Management – Hacking/IT incident had 12,472 individuals affected
18. Choice Health Management Services, LLC – Hacking/IT incident had 11,650 individuals affected
19. Iowa Total Care, Inc. – Unauthorized Access/Disclosure had 11,581 individuals affected
20. The Kroger Co. – Hacking/IT Incident had 10,974 individuals affected
Causes of Healthcare Data Breaches in June 2020
37 hacking/IT incidents were reported in June, which made up 71.15% of the breaches in June. Those breaches had 957,082 exposed or stolen records making up 91.14% of breached records in June. The average and median breach sizes were 25,867 records and 9,271 records, respectively.
June had 11 unauthorized access/disclosure incident reports which affected 85,580 people. The average and median breach sizes were 7,780 records and 1,650 records, respectively. There were 4,353 people affected by 4 loss/theft incident reports. The average and median breach sizes were 1,088 records and 910 records, respectively.
Email was the most frequent location of breached PHI. About 63.46% of the breaches had ePHI located in emails and email attachments, while 36.53% of breaches had ePHI located in network servers. Most of the email breaches were caused by phishing attacks, whereas network servers were infected with malware and ransomware.
Healthcare Data Breaches by State
HIPAA-covered entities and business associates from 21 states reported data breaches involving 500 or more records. California reported 9 breaches, Florida reported 7, Texas reported 5, Maryland and New York each reported 4, and Illinois reported 3.
The following states each reported two breaches: Arkansas, North Carolina, Oregon, Ohio, and Pennsylvania. The following reported one breach each: Connecticut, Colorado, Iowa, Kentucky, Michigan, Massachusetts, Missouri, Tennessee, South Carolina, and Utah.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 33 data breaches in June. Health plans reported 9 data breaches, and business associates reported 10 breaches. However, there were 7 other breaches reported by covered entities that had business associate involvement.
June 2020 HIPAA Enforcement
Neither state attorneys general nor the HHS’ Office for Civil Rights announced any HIPAA enforcement action in June 2020. The HHS has mentioned that it is ready to be flexible with HIPAA investigations during the outbreak. Hence, the absence of enforcement action in 2020 may just mean that the imposition of penalties is delayed until the COVID-19 pandemic is controlled.
The Secretary of the Department of Health and Human Services, Alex Azar, announced on July 23, 2020, the extension of the public health emergency for another 90 days. Therefore, OCR’s Notices of Enforcement Discretion that cover good faith uses and disclosures of PHI in connection with telehealth and the operations of COVID-19 testing centers, and the waivers under Section 1135(b)(7) of the Social Security Act, are still in place.