September 2018 Healthcare Data Breach Report
The number of healthcare data breaches reported to the Department of Health and Human Services' Office for Civil Rights (OCR) for September 2018 is down to 25, a decrease of 3 from August (28). This is the second consecutive month in 2018 for which there has been a reduction in the number of reported healthcare breaches. Only breaches in which more than 500 records have been exposed are required to be reported to OCR. January saw the lowest number of breaches reported in any given month this year so far, with only 22 reported, whereas April holds the record for the highest number of breaches reported this year (41).
In addition to a decrease in the number of breaches reported to OCR, there has also been a decrease in the overall number of records exposed by the breaches. In fact, September has seen the lowest overall number of records exposed in a given month so far this year, with only 134,000 records exposed. This is only 20% of the number of records breached in August (620,000), a significant reduction. More records were exposed in July than in any other month (2.2 million), even though July had an average number of breaches (33).
Causes of Data Breaches
Unauthorised access/disclosure incidents were the most numerous type of data breach seen in September, accounting for 14 of the 25 breaches reported. There were 9 hacking/IT incidents, and only 2 accounts of theft of data. There were no reports of lost unencrypted electronic devices, nor any improper disposal incidents.
Although hacking and IT incidents accounted for a lower overall number of breaches, they were responsible for the majority of records stolen. Approximately 70,686 records were stolen due to hacking and IT incidents, 52% of the total. Unauthorised access/disclosure came second, with 59,440 records stolen in incidents of this type (44%), and only 3880 records were breached by theft (2%).
Ten Largest Healthcare Data Breaches in September 2018
Six of the ten largest healthcare breaches in September 2018 were due to hacking/IT incidents.
| Covered Entity | Entity Type | Records Exposed | Breach Type | Location of PHI |
|---|---|---|---|---|
| WellCare Health Plans, Inc. | Health Plan | 26942 | Unauthorized Access/Disclosure | Paper/Films |
| Reliable Respiratory | Healthcare Provider | 21311 | Hacking/IT Incident | |
| Toyota Industries North America, Inc. | Health Plan | 19320 | Hacking/IT Incident | |
| Independence Blue Cross, LLC | Business Associate | 16762 | Unauthorized Access/Disclosure | Other |
| Ransom Memorial Hospital | Healthcare Provider | 14329 | Hacking/IT Incident | |
| Ohio Living | Healthcare Provider | 6510 | Hacking/IT Incident | |
| University of Michigan/Michigan Medicine | Healthcare Provider | 3624 | Unauthorized Access/Disclosure | Paper/Films |
| Reichert Prosthetics & Orthotics, LLC | Healthcare Provider | 3380 | Theft | Other Portable Electronic Device |
| J.A. Stokes Ltd. | Healthcare Provider | 3200 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| J&J Medical Service Network Inc. | Business Associate | 2500 | Hacking/IT Incident | Network Server |
Location of Breached Information
In September, the most common location of breached PHI was paper/films. This is unusual: because of the prevalence of hacking and IT incidents, email tends to be the most common location of breached PHI. In September, there were 10 breaches involving paper/films, compared with only 8 involving email. Network servers came next with 4 breaches, followed by electronic medical records (2), “other” (2), and desktop computers and other portable electronic devices, with one each.
Breaches by Covered Entity
Healthcare providers were by far the type of covered entity most affected by data breaches in September 2018, with 17 of the reported incidents pertaining to organisations in this category. This is a 150% month-on-month rise in comparison to August 2018. However, despite the overwhelming majority of cases involving healthcare providers, only 6 of the top 10 breaches in September involved healthcare providers. Health plans were involved in only 5 breaches in September, but accounted for the biggest breach of the month (WellCare Health Plans Inc., 26,942 records exposed). Business associates reported only 3 breaches, but were deemed to be involved in another 4 that were reported to OCR by other organisations.
Healthcare Data Breaches by State
Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.