For the fourth consecutive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches involving 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). That figure is 6.52% lower than in February and below the 12-month average of 57.75 breaches per month.
Nevertheless, the number of breached records increased by 36.94% from February. Across the 43 reported breaches, 3,083,988 healthcare records were compromised, impermissibly disclosed, or stolen, slightly below the average of 3,424,818 breached records per month over the past year.
Biggest Healthcare Data Breaches in March 2022
In March 2022, 25 data breaches affecting 10,000 or more individuals were reported to OCR, all but one of which were due to hacking. The largest breach of the month affected more than 500,000 patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered that unauthorized individuals had accessed an employee email account and used it in a business email compromise (BEC) attack in an attempt to redirect a payment to a different vendor. BEC attacks account for a relatively small share of healthcare data breaches; however, according to FBI statistics, they are the leading cause of losses due to cybercrime.
SuperCare Health reported a major data breach that occurred in July 2021, in which threat actors gained access to its network and likely stole patient information. About two weeks after the breach was announced, SuperCare Health was hit with its first lawsuit. Lawsuits are commonly filed soon after healthcare data breaches, and it is now typical for multiple lawsuits to be filed.
CSI Laboratories reported a cyberattack that was detected in February. Although the nature of the incident was not disclosed, the Conti ransomware group claimed responsibility and posted some of the stolen data on its data leak site to pressure the laboratory into paying the ransom. Double extortion tactics are now the norm in ransomware attacks: payment is demanded both for the file decryption keys and to prevent the publication of the stolen data.
1. Christie Business Holdings Company, P.C. – 502,869 individuals affected by a hacked email account
2. Super Care, Inc. dba SuperCare Health (CA) – 318,379 individuals affected by an unspecified hacking incident
3. Cytometry Specialists, Inc., d/b/a CSI Laboratories (GA) – 312,000 individuals affected by a ransomware attack (Conti)
4. South Denver Cardiology Associates, PC – 287,652 individuals affected by an unspecified hacking incident
5. Clinic of North Texas, LLP – 244,174 individuals affected by an unspecified hacking incident
6. Taylor Regional Hospital – 190,209 individuals affected by an unspecified hacking incident
7. Chelan Douglas Health District – 188,236 individuals affected by an unspecified hacking and data theft incident
8. Urgent Team Holdings – 166,601 individuals affected by an unspecified hacking incident
9. New Jersey Brain and Spine – 92,453 individuals affected by an unspecified hacking incident
10. Duncan Regional Hospital, Incorporated – 86,379 individuals affected by an unspecified hacking incident
11. Labette Health (KS) – 85,635 individuals affected by an unspecified hacking incident
12. Law Enforcement Health Benefits, Inc. – 85,282 individuals affected by a ransomware attack
13. Central Indiana Orthopedics – 83,705 individuals affected by an unspecified hacking incident
14. Highmark Inc – 67,147 individuals affected by a hacking incident at a mailing vendor
15. Advanced Medical Practice Management – 56,427 individuals affected by an unspecified hacking and data theft incident
16. Charleston Area Medical Center, Inc. – 54,000 individuals affected by hacked email accounts (phishing)
17. Resources for Human Development – 46,673 individuals affected by the theft of an unencrypted hard drive
18. Cancer and Hematology Centers of Western Michigan – 43,071 individuals affected by a ransomware attack
19. Horizon Actuarial Services, LLC – 38,418 individuals affected by an unspecified hacking and data theft incident
20. Central Minnesota Mental Health Center – 28,725 individuals affected by hacked email accounts
21. Capital Region Medical Center – 17,578 individuals affected by an unspecified hacking incident
22. Dialyze Direct, LLC – 14,203 individuals affected by a hacked email account
23. Major League Baseball Players Benefit Plan – 13,156 individuals affected by an unspecified hacking and data theft incident at a business associate
24. Colorado Physician Partners, PLLC – 12,877 individuals affected by a hacked email account
25. Crossroads Health – 10,324 individuals affected by an unspecified hacking and data theft incident
Causes of Healthcare Data Breaches in March 2022
The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all reported breaches and 98.3% of the breached healthcare records. Those hacking incidents affected 3,083,988 individuals. The average breach size was 77,766 records and the median breach size was 17,758 records.
Causes of March 2022 healthcare data breaches
Although the “hacking/IT incidents” category covers a wide range of causes, 31 of the breaches involved threat actors gaining access to network servers storing patient information, and in 10 incidents unauthorized individuals gained access to employees’ email accounts.
Only 3 breaches were reported as unauthorized access/disclosure incidents, affecting 4,447 records in total; the average and median breach sizes were 1,482 and 1,682 records, respectively. Just one theft incident was reported, involving a hard drive containing the data of 46,673 individuals.
Location of breached PHI
In March 2022, HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches. The worst affected states were New Jersey, Pennsylvania, and Texas, each with 4 reported breaches. Colorado, Georgia, Kansas, Indiana, Minnesota, Michigan, Washington, West Virginia, and Puerto Rico reported 2 breaches each. California, Kentucky, Illinois, Maryland, Missouri, Massachusetts, New York, Oklahoma, Ohio, Tennessee, and Utah reported one breach each.
HIPAA Enforcement Activity in March 2022
Neither the HHS’ Office for Civil Rights nor any state attorney general announced a HIPAA enforcement action in March 2022.