May was 2021’s worst month thus far in terms of healthcare data breaches. The Department of Health and Human Services’ Office for Civil Rights recorded 63 breaches involving 500 or more records in May. Over the past quarter, more than 2 breaches were reported per day, and the average number of breaches per month is now 54.67.
May was also the worst month in terms of the severity of breaches. A total of 6,535,130 healthcare records were breached across the 63 incidents, and the average number of breached healthcare records per month is now 3,323,116. So far in 2021, 17,733,372 healthcare records have been exposed or impermissibly disclosed, and nearly 40 million records (39.87M) have been breached in the last 12 months.
Biggest Healthcare Data Breach Reports in April 2021
19 healthcare data breaches involved 10,000 or more records; 7 out of the 19 involved 100,000 or more records. 18 breaches were due to a hacking incident or concerned the compromise of IT systems by other means.
The biggest healthcare data breach of the month involved 20/20 Eye Care Network, a vision and hearing benefits administrator. Records of more than 3.25 million individuals were stored in an AWS S3 bucket that an unauthorized person accessed; the attacker downloaded the data and then deleted it. SEIU 775 Benefits Group, another benefits administrator, experienced a breach that likewise involved the deletion of sensitive data; that breach affected the PHI of 140,000 people.
In the last two months, about 26 healthcare providers have reported the exposure of PHI due to a ransomware attack on CaptureRx, a third-party administration service provider. This month, CaptureRx sent its own breach notification to the HHS confirming that the breach affected 1,656,569 persons. A number of healthcare companies also reported this month that they were affected by the Netgain Technologies ransomware attack. The following table shows the magnitude of ransomware attacks on the healthcare sector.
1. 20/20 Eye Care Network, Inc – 3,253,822 individuals affected by Hacking/IT Incident
2. NEC Networks, LLC d/b/a CaptureRx – 1,656,569 individuals affected by Hacking/IT Incident
3. Orthopedic Associates of Dutchess County – 331,376 individuals affected by Hacking/IT Incident
4. Rehoboth McKinley Christian Health Care Services – 207,195 individuals affected by Hacking/IT Incident
5. Five Rivers Health Centers – 155,748 individuals affected by Hacking/IT Incident
6. SEIU 775 Benefits Group – 140,000 individuals affected by Hacking/IT Incident
7. San Diego Family Care – 125,500 individuals affected by Hacking/IT Incident
8. Hoboken Radiology LLC – 80,000 individuals affected by Hacking/IT Incident
9. CareSouth Carolina, Inc. – 76,035 individuals affected by Hacking/IT Incident
10. Arizona Asthma and Allergy Institute – 70,372 individuals affected by Hacking/IT Incident
11. New England Dermatology, P.C. – 58,106 individuals affected by Improper Disposal
12. Sturdy Memorial Hospital – 57,379 individuals affected by Hacking/IT Incident
13. LogicGate – 47,035 individuals affected by Hacking/IT Incident due to unsecured AWS S3 Bucket
14. Lafourche Medical Group – 34,862 individuals affected by Hacking/IT Incident
15. Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group – 34,203 individuals affected by Hacking/IT Incident
16. SAC Health Systems – 28,128 individuals affected by Hacking/IT Incident
17. Monadnock Community Hospital – 14,340 individuals affected by Hacking/IT Incident
18. Community Access Unlimited – 13,813 individuals affected by Hacking/IT Incident
19. Westwood Obstetrics and Gynecology – 12,931 individuals affected by Hacking/IT Incident
Causes of Healthcare Data Breaches in May 2021
Hacking/IT incidents topped the breach reports in May 2021. Of the 63 breach reports, 47 or 74.60% were hacking/IT incidents, which led to the compromise or theft of 6,432,367 records. The average and median breach sizes were 131,273 and 4,250 records, respectively.
Nine reported breaches involved unauthorized access/disclosure incidents, which affected 17,834 records. The average and median breach sizes were 1,982 and 1,562 records, respectively. The 3 loss/theft incidents affected 20,325 records and the two improper disposal incidents involved the PHI of 64,604 persons.
Although the healthcare industry has been overwhelmed by phishing attacks over the last few years, network server incidents currently lead the breach reports. There were 41 breaches involving compromised network servers this month, and only 9 incidents involved email.
Healthcare Data Breaches by Covered Entity Type
There were 47 healthcare providers that submitted data breach reports in May 2021, but 27 of those incidents were the result of breaches at a business associate that affected the healthcare provider. Business associates of HIPAA-covered entities reported 7 data breaches themselves, although a total of 31 breaches involved business associates. Health plans reported 8 breaches, 4 of which involved a business associate. A healthcare clearinghouse reported one breach.
States Impacted by Healthcare Data Breaches
HIPAA-covered entities and business associates located in 32 U.S. states reported healthcare data breaches. The breakdown is as follows:
Texas – 6
Ohio and New York – 5
Illinois, California, West Virginia – 4
Missouri and Mississippi – 3
Florida, Massachusetts, Maryland, New Jersey, and Oklahoma – 2
Arkansas, Arizona, Connecticut, Delaware, Georgia, Indiana, Louisiana, Minnesota, Maine, North Carolina, Nevada, New Mexico, New Hampshire, Pennsylvania, Rhode Island, South Carolina, Tennessee, Wisconsin and Washington – 1
HIPAA Enforcement in May 2021
The HHS’ Office for Civil Rights announced one HIPAA enforcement action in May, bringing the total for 2021 to 8. The settlement announced in May resolved multiple HIPAA Security Rule violations.
OCR opened a compliance investigation after the Department of Veterans Affairs reported a data breach involving its business associate, Authentidate Holding Corporation (AHC).
That investigation was closed without a financial penalty, but OCR then learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).
OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and uncovered multiple HIPAA Security Rule violations. OCR identified potential violations relating to risk audits, risk management, audit controls, and insufficient documentation of HIPAA Security Rule policies and guidelines. The case was settled for $25,000.