May 2020 saw a noticeable drop in reported healthcare data breaches, with 28 data breaches involving 500 or more records submitted to the HHS’ Office for Civil Rights. This is the lowest number since December 2018, at a rate of less than one breach reported per day.
A number of cybersecurity firms reported a rise in COVID-19-related cases, such as phishing attacks that use COVID-19-themed baits. Although there is solid proof to suggest that the attacks increased from the onset of the pandemic, it seems that the number of cyberattacks stayed roughly the same or went up slightly. Microsoft’s report shows a small increase in attacks that amounts to a blip, and the number of risks and cyberattacks did not change much during the pandemic.
Threat activity doesn’t seem to have decreased, so the reduced number of reported cyberattacks and data breaches might suggest that threat actors decided not to target healthcare providers helping to fight COVID-19. The Maze ransomware group publicly announced it would not attack healthcare providers throughout the COVID-19 crisis; however, a lot of other ransomware groups did not stop their attacks.
It is also possible that there was no drop in cyberattacks and data breaches, but that covered entities and business associates failed to detect them or reported them late. The explanation for the drop in reported breaches will probably become clearer in a few weeks and months, when the data can show whether it is a new trend or just a blip.
Though the drop in breaches is definitely good news, the number of exposed healthcare records significantly increased. May had 10 fewer data breaches reported than April, but there were 1,064,652 healthcare records breached in May, which is more than double the number of breached records in April.
Biggest Healthcare Data Breaches in May 2020
1. Elkhart Emergency Physicians, Inc., IN – 550,000 individuals affected by improper disposal
2. BJC Health System, MO – 287,876 individuals affected by hacking/IT incident
3. Saint Francis Healthcare Partners, CT – 38,529 individuals affected by hacking/IT incident
4. Everett & Hurite Ophthalmic Association, PA – 34,113 individuals affected by hacking/IT incident
5. Management and Network Services, LLC, OH – 30,132 individuals affected by hacking/IT incident
6. Sanitas Dental Management, FL – 19,000 individuals affected by loss
7. Mediclaim, LLC, MI – 14,931 individuals affected by hacking/IT incident
8. Woodlawn Dental Center, OH – 14,419 individuals affected by hacking/IT incident
9. Mat-Su Surgical Associates, APC, AK – 13,146 individuals affected by hacking/IT incident
10. Mille Lacs Health System, MN – 10,630 individuals affected by hacking/IT incident
Causes of Healthcare Data Breaches in May 2020
The biggest healthcare data breach in May impacted Elkhart Emergency Physicians, Inc. and was due to improper disposal of paper documents by business associate Central Files Inc. The files of 554,876 patients were exposed because of the improper disposal incident. Another improper disposal incident happened in May, making it the number two biggest reason for data breaches in May. Improper disposal incidents were responsible for 52.17% of May’s breached records. The mean and median breach sizes were 69,434 records and 938 records, respectively.
The 8 reported unauthorized access/disclosure incidents accounted for 2.35% of May’s breached records. The mean breach size and median breach size were 3,124 records and 3,220 records, respectively.
Hacking/IT incidents again led the list of causes of healthcare data breaches in May. These incidents accounted for 39.28% of data breaches and 43.69% of breached healthcare records. The mean breach size and median breach size were 42,290 records and 14,419 records, respectively.
One loss incident related to a network server resulted in the exposure of 19,000 patient records.
Location of Breached PHI
For the last few months, breached PHI has often been located in email accounts because of the large number of healthcare phishing attacks. Phishing incidents decreased in May, so there were fewer email-related breaches. There was just one big phishing attack on BJC Health System. The 3 compromised email accounts potentially exposed the PHI of 287,876 patients.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 21 data breaches, health plans reported only one breach, and business associates reported 6 data breaches. There were 8 other breaches reported by the covered entity that had business associate involvement.
Healthcare Data Breaches by State
Covered entities and business associates in 17 different states reported data breaches. Indiana had 7 reported breaches involving 500 or more records. Michigan and Ohio reported 3 data breaches each. Pennsylvania had two breaches reported, while Arizona, Alaska, California, Connecticut, Georgia, Florida, Illinois, Maryland, Missouri, Minnesota, New York, Nebraska, and Texas each had one breach reported.
HIPAA Enforcement Activity in May 2020
Neither the HHS’ Office for Civil Rights nor state attorneys general announced any HIPAA penalties in May 2020.