Healthcare data breach reports rose 23.7% month-over-month in September. The Department of Health and Human Services’ Office for Civil Rights received 47 reports of data breaches involving 500 or more records. Although that is more than 1.5 breaches per day, it is below the average of 55.5 breaches per month over the past 12 months.
While the number of breaches increased, the number of breached healthcare records fell. Only 1,253,258 records were breached across the 47 reported incidents, the third-lowest monthly total in the past 12 months.
Biggest Healthcare Data Breaches in September 2021
September 2021 had 16 healthcare data breach reports involving the compromise, theft, or impermissible disclosure of over 10,000 healthcare data records.
The State of Alaska Department of Health & Social Services reported the largest breach in September. It was initially believed that the personal data and protected health information (PHI) of all state residents had been stolen; the report filed with HHS lists 500,000 affected individuals. The cyberattack is believed to have been carried out by a nation-state hacking group.
Two eye care companies reported large breaches. A hacking incident at U.S. Vision Optical compromised the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management compromised the PHI of 144,373 people.
Ransomware is still widely used in attacks on the healthcare sector. Six of September’s breaches involved ransomware and likely also involved PHI theft. Several ransomware groups, FIN12 among them, have targeted the healthcare industry; Mandiant’s recent analysis of FIN12 activity found that 20% of the group’s attacks were on healthcare organizations.
Breaches are also caused by insiders with privileged access to PHI. Premier Management Company reported an insider breach in which a former employee accessed data after his employment ended. The incident shows why access to PHI (and to IT systems generally) must be revoked immediately when a worker is dismissed, leaves the organization, or moves to a role that does not require PHI access.
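The two controls that would have caught the Premier Management Company type of incident are a reconciliation of the HR separation roster against the identity directory (is the account still enabled?) and a sweep of EHR audit logs for activity by separated users. The following is an added example written for this article, not code from the report or from any of the organizations named in it. The HR roster, the directory snapshot and the audit log lines are all constructed for illustration, and the pipe-delimited log layout (timestamp|user|action|record_id) is an assumption; a real deployment would read these from the HR system, the directory and the EHR audit export.

```python
"""Detect PHI access by workers whose access should already have been revoked.

Added example for the insider-breach discussion; not code from the original
report. The HR roster, directory snapshot and audit log are constructed, and
the log field layout (timestamp|user|action|record_id) is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed HR roster: username -> separation time (UTC). In practice this
# is fed from the HR system of record, which is the authority on who has left.
TERMINATED = {
    "jdoe": datetime(2021, 9, 3, 17, 0, tzinfo=timezone.utc),
    "msmith": datetime(2021, 9, 10, 12, 0, tzinfo=timezone.utc),
}

# Constructed identity-directory snapshot: username -> account enabled?
# msmith was deprovisioned correctly; jdoe was not.
DIRECTORY_ENABLED = {"jdoe": True, "msmith": False, "rlee": True}

# Constructed EHR audit log. jdoe's 16:45 view on 3 Sept is legitimate
# (before separation); everything after 17:00 that day is not.
AUDIT_LOG = """\
2021-09-03T16:45:00Z|jdoe|VIEW|MRN00012
2021-09-04T09:12:31Z|jdoe|VIEW|MRN00018
2021-09-04T09:13:05Z|jdoe|EXPORT|MRN00018
2021-09-08T11:00:00Z|rlee|VIEW|MRN00020
2021-09-11T08:30:00Z|msmith|VIEW|MRN00031
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    action: str
    record_id: str
    hours_after_separation: float


def parse_line(line: str):
    """Split one audit line into (timestamp, user, action, record_id)."""
    ts, user, action, record_id = line.strip().split("|")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, action, record_id


def post_separation_access(log_text: str, terminated: dict, grace_hours: float = 0.0):
    """Return every audit event by a separated user that occurred after the
    separation time, ignoring events inside an optional grace window
    (useful for clock skew or a same-day handover)."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, action, record_id = parse_line(raw)
        cutoff = terminated.get(user)
        if cutoff is None:
            continue  # still employed, out of scope for this check
        hours = (when - cutoff).total_seconds() / 3600.0
        if hours > grace_hours:
            findings.append(Finding(user, when, action, record_id, hours))
    return findings


def stale_accounts(directory_enabled: dict, terminated: dict):
    """Accounts HR lists as separated that the directory still has enabled.
    These deprovisioning failures are what make post-separation access
    possible in the first place, so they are worth alerting on by themselves."""
    return sorted(u for u in terminated if directory_enabled.get(u, False))


def summarize(findings):
    """Per-user rollup: event count, export count and first post-separation event.
    Exports are called out because they are the likeliest route to bulk PHI theft."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.user, {"events": 0, "exports": 0, "first": f.when})
        entry["events"] += 1
        if f.action == "EXPORT":
            entry["exports"] += 1
        if f.when < entry["first"]:
            entry["first"] = f.when
    return summary


if __name__ == "__main__":
    for user in stale_accounts(DIRECTORY_ENABLED, TERMINATED):
        print(f"STALE ACCOUNT: {user} is separated but still enabled")
    for user, info in summarize(post_separation_access(AUDIT_LOG, TERMINATED)).items():
        print(f"{user}: {info['events']} post-separation event(s), "
              f"{info['exports']} export(s), first at {info['first'].isoformat()}")
```

On the constructed data the directory check flags jdoe as still enabled, and the log sweep finds two events by jdoe (one of them an export) and one by msmith, whose account was disabled but whose EHR session or cached credential evidently outlived the directory change. That second case is why the audit-log sweep is needed in addition to the directory reconciliation: disabling the directory account is necessary but not sufficient if the EHR or a VPN keeps its own sessions alive.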
1. State of Alaska Department of Health & Social Services – 500,000 individuals affected by nation-state hacking Incident
2. U.S. Vision Optical – 180,000 individuals affected by an unspecified hacking incident
3. Simon Eye Management – 144,373 individuals affected by email account breach (phishing)
4. Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan – 49,000 individuals affected by a ransomware attack
5. Talbert House – 45,000 individuals affected by an unspecified hacking incident (data exfiltration)
6. Premier Management Company – 37,636 individuals affected by insider breach
7. Central Texas Medical Specialists, PLLC dba Austin Cancer Centers – 36,503 individuals affected by malware
8. Orlick & Kasper, M.D. – 30,000 individuals affected by the theft of electronic devices that contain PHI
9. McAllen Surgical Specialty Center, Ltd. – 29,227 individuals affected by a ransomware attack
10. Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans – 28,000 individuals affected by a ransomware attack
11. Horizon House, Inc. – 27,823 individuals affected by a ransomware attack
12. Rehabilitation Support Services, Inc. – 23,907 individuals affected by an unspecified hacking incident (data exfiltration)
13. Samaritan Center of Puget Sound – 20,866 individuals affected by the theft of electronic devices containing PHI
14. Directions for Living – 19,494 individuals affected by a ransomware attack
15. Buddhist Tzu Chi Medical Foundation – 18,968 individuals affected by a ransomware attack
16. Eastern Los Angeles Regional Center – 12,921 individuals affected by email account breach (phishing)
Causes of Healthcare Data Breaches in September 2021
Hacking and other IT incidents still dominate the breach reports. They accounted for 34 of the 47 September breaches (72.3%) and for 91.6% of the breached records, with 1,147,383 healthcare records exposed or stolen. The mean and median breach sizes were 33,747 and 2,453 records, respectively.
The number of reported thefts of physical records and electronic devices containing PHI rose month-over-month. There were 6 theft incidents in September involving 60,236 records; the mean and median breach sizes were 10,039 and 3,918 records, respectively. Four of the thefts involved electronic devices. Had those devices been encrypted, the data on them would not have counted as unsecured PHI under the HIPAA Breach Notification Rule and the incidents would not have been reportable.
There were 7 breaches attributed to insiders, involving 45,639 records; a single incident accounted for 37,636 of those. The mean and median breach sizes were 6,520 and 1,738 records, respectively.
Location of PHI in Healthcare Data Breaches
Network servers were the most common location of breached PHI, largely because of ransomware attacks, followed by email accounts compromised through phishing; 13 incidents involved PHI stored in email accounts. The number of stolen devices containing PHI underscores the importance of encrypting data at rest.
Healthcare providers reported 30 breaches, health plans 10, and business associates 6; a healthcare clearinghouse reported one. A further 5 breaches were reported by a HIPAA-covered entity but occurred at a business associate.
Healthcare Data Breaches by State
Breaches were reported by entities in 25 states. Texas had 6 breaches involving 500 or more records, California 5, and Connecticut 4. Florida and Washington each had 3; Arizona, Georgia, New York, Illinois, Ohio, and Pennsylvania each had 2. Alaska, Indiana, Delaware, Kentucky, Minnesota, Maryland, Missouri, New Mexico, New Jersey, Rhode Island, Oregon, Tennessee, Wisconsin and Virginia
Enforcement Activity in September 2021
The Department of Health and Human Services’ Office for Civil Rights has a new director. It is not yet clear what direction the office will take on HIPAA enforcement.
OCR imposed a financial penalty on Children’s Hospital & Medical Center in Omaha, NE for failing to provide individuals with timely access to their health records; it is the 20th penalty under OCR’s HIPAA Right of Access Initiative. The medical center paid $80,000 to settle the case. It is the ninth financial penalty OCR has issued for HIPAA non-compliance so far in 2021. State attorneys general announced no HIPAA enforcement actions in September.