The number of healthcare data breaches reported dropped again last November; however, take note that the number of reported breaches in October 2020 was thrice the average monthly number mostly because of the ransomware attack on Blackbaud.
HIPAA-covered entities and business associates reported 47 data breaches involving 500 or more healthcare records in November. That is 25.39% less than October but still higher than the 12-month average number of breaches, which is 41 per month.
The number of healthcare records breached in data breaches likewise dropped in November. There were 1,139,151 healthcare records exposed, which is 54.73% less than October. It is also less than the 12-month average number of breached healthcare records, which is 1,885,959 records.
Biggest Healthcare Data Breaches in November 2020
1. AspenPointe, Inc. – 295,617 individuals affected due to hacking/IT Incident or ransomware attack.
2. Lawrence General Hospital – 176,587 individuals affected due to unspecified data security incident
3. Alamance Skin Center – 100,000 individuals affected due to loss or ransomware attack
4. Mercy Iowa City – 92,795 individuals affected due to phishing attack
5. Bayhealth Medical Center, Inc. – 78,006 individuals affected due to the Blackbaud ransomware attack
6. Tufts Health Plan – 60,545 individuals affected due to phishing attack on a vendor
7. Bruce L. Boros, M.D., P.A. dba Advanced Urgent Care – 58,823 individuals affected due to unauthorized access/disclosure and ransomware attack
8. Methodist Hospital of Southern California – 39,881 individuals affected due to the Blackbaud ransomware attack
9. One Touch Point – 28,658 individuals affected due to unauthorized access/disclosure
10. People Incorporated – 27,500 individuals affected due to phishing attack
11. Chesapeake Regional Healthcare – 24,000 individuals affected due to Blackbaud ransomware attack
12. Seeley Enterprises Company – 16,196 individuals affected due to ransomware attack
13. Golden Gate Regional Center – 11,315 individuals affected due to ransomware attack
14. Galstan & Ward Family and Cosmetic Dentistry – 10,759 individuals affected due to ransomware attack
15. Kaiser Foundation Health Plan of Georgia, Inc. – 10,205 individuals affected due to Unauthorized Access/Disclosure
Causes of Healthcare Data Breaches in November 2020
Hacking/IT incidents still lead the breach reports in November with 23 hacking/IT incidents (48.94% of all breaches reported) and 867,983 exposed or stolen records (76.2% of all breached records). The average and median breach sizes were 37,738 records and 8,000 records, respectively.
Unauthorized access/disclosure incidents resulted in 19 data breaches (40.43% of breaches reported) and 166,115 healthcare records exposed (14.58% of all breached records). The average and median breach sizes were 8,723 records and 3,557 records, respectively.
Loss/theft incidents resulted in 4 data breaches, 2 of each case (8.51% of all breaches reported) and 103,053 healthcare records exposed or stolen (9.05% of all breached records) in November. The average and median breach sizes were 25,763 records and 1,265 records, respectively. One incident involved improper paper documents disposal that exposed 2,000 records.
Location of Breached Protected Health Information
Entities impacted by the Blackbaud data breach still send breach reports, although not much. Network server incidents are still high because the healthcare industry is still targeted by ransomware groups. Phishing attacks also continue to impact healthcare, as 13 big data breaches involving PHI contained in email accounts were reported.
Healthcare Data Breaches by Covered Entity Type
There were 34 healthcare providers that reported data breaches in November. Health plans reported 6 data breaches. Business associates of HIPAA-covered entities reported 7 data breaches, but there were actually 16 breaches that involved business associates. Covered entities reported the other 9 breaches.
Healthcare Data Breaches by State
HIPAA-covered entities and business associates from 23 states plus the District of Columbia reported data breaches. Ohio reported 5 breaches, Georgia and Maine reported 4 breaches. California, Texas and Florida reported 3 breaches. Arkansas, Delaware, Kentucky, Illinois, Michigan, Maryland, and Virginia each had two healthcare data breaches reported, while Alabama, Colorado, Idaho, Iowa, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia each reported one healthcare data breach.
HIPAA Enforcement Activity in November 2020
The HHS’ Office for Civil Rights announced three HIPAA enforcement actions in November. All cases were connected with the HIPAA Right of Access enforcement initiative. The healthcare providers failed to give the patient a copy of the requested information in the 30 days as required by the HIPAA Privacy Rule.
University of Cincinnati Medical Center paid a $65,000 penalty to OCR. Riverside Psychiatric Medical Group paid $25,000, while Dr. Rajendra Bhayani paid $15,000. So far, OCR has issued 12 financial penalties on covered entities in line with this enforcement initiative. 10 cases were announced in 2020.