Healthcare Data Breach Report for September 2018

September 2018 Healthcare Data Breach Report

The number of healthcare data breaches reported to the Department of Health and Human Service’s Office for Civil Rights (OCR) for September 2018 is down to 25-a decrease of 3 from August (28). This is the second consecutive month in 2018 for which there has been a reduction in the number of reported healthcare breaches. Only breaches in which more than 500 records have been exposed are required to be reported to OCR. January saw the lowest number of breaches reported in any given month this year so far, with only 22 reported, whereas April holds the record for the highest number of breaches reported year (41).  

In addition to a decrease in the number of breaches reported to OCR, there has also been a decrease in the overall number of records exposed by the breaches. In fact, September has seen the lowest overall number of records exposed in a given month so far this year, with only 134,000 records exposed. This is only 20% of the number of records breached in August (620,000), a significant reduction. More records were exposed in July than any other month (2.2 million), despite having an average number of breaches (33). 

Causes of Data Breaches 

Unauthorised access/disclosure incidents were the most numerous type of data breach seen in September, accounting for 14 of the 25 breaches reported. There were 9 hacking/IT incidents, and only 2 accounts of theft of data. There were no reports of lost unencrypted electronic devices, nor any improper disposal incidents. 

Although hacking and IT incidents accounted for a lower overall number of breaches, they were responsible for the majority of records stolen. Approximately 70,686 records were stolen due to hacking and IT incidents, 52% of the total. Unauthorised access/disclosure came second, with 59,440 records stolen in incidents of this type (44%), and only 3880 records were breached by theft (2%). 

Ten Largest Healthcare Data Breaches in September 2018

Six of the ten largest healthcare breaches in September 2018 were due to hacking/IT incidents. 

Covered Entity Entity Type Records Exposed Breach Type Location of PHI
WellCare Health Plans, Inc. Health Plan 26942 Unauthorized Access/Disclosure Paper/Films
Reliable Respiratory Healthcare Provider 21311 Hacking/IT Incident Email
Toyota Industries North America, Inc. Health Plan 19320 Hacking/IT Incident Email
Independence Blue Cross, LLC Business Associate 16762 Unauthorized Access/Disclosure Other
Ransom Memorial Hospital Healthcare Provider 14329 Hacking/IT Incident Email
Ohio Living Healthcare Provider 6510 Hacking/IT Incident Email
University of Michigan/Michigan Medicine Healthcare Provider 3624 Unauthorized Access/Disclosure Paper/Films
Reichert Prosthetics & Orthotics, LLC Healthcare Provider 3380 Theft Other Portable Electronic Device
J.A. Stokes Ltd. Healthcare Provider 3200 Hacking/IT Incident Desktop Computer, Electronic Medical Record, Network Server
J&J Medical Service Network Inc. Business Associate 2500 Hacking/IT Incident Network Server

Location of Breached Information 

In September, the most common location of breached PHI was paper/films. This is unusual, as due to the prevalence of hacking and IT incidents, emails tend to be the most prevalent location of breached PHI. In September, there were 10 incidents of breaches involving paper/films, in comparison to only 8 involving email. Network servers came next with 4 breaches, followed by electronic medical records (2), “other” (2), and desktop computers and other portable electronic devices, with one each. 

Breaches by Covered Entity 

Healthcare providers were by far the covered entity most affected by data breaches in September 2018, with 17 of the reported incidents pertaining to organisations in this category. This is a 150% month-on-month rise in comparison to August 2018. However, despite the overwhelming majority of cases involving healthcare providers, only 6 of the top 10 breaches in September involved healthcare providers. Health plans were only involved in 5 breaches in September, but took the top spot as the biggest breach of the month (WellCare Health Plans Inc., 26,942 records exposed). Business associates only reported 3 breaches, but were deemed to be involved in another 4, although these were reported to OCR by other organisations. 

Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.

About Christine Garcia 1309 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at