After four consecutive months of declining numbers, reported data breaches increased by 30.2%. In April 2022, the Department of Health and Human Services’ Office for Civil Rights (OCR) received 56 reports of data breaches involving 500 or more records.
Although the number of reported breaches rose month-over-month, the number of exposed or impermissibly disclosed healthcare records fell by 30% to 2,160,194, the smallest monthly total since October 2021. The average and median breach sizes in April 2022 were 38,575 records and 6,546 records, respectively.
April 2022 Biggest Healthcare Data Breaches
In April 2022, 22 reported healthcare data breaches each impacted 10,000 or more individuals. The most serious breach was a hacking incident at Adaptive Health Integrations, a company offering software and billing/revenue services to doctors' offices, laboratories and other healthcare organizations. Over 500,000 patients were impacted. The Arkansas healthcare company ARcare experienced a malware attack that disrupted its systems and possibly enabled hackers to access the data of 345,353 persons. Refuah Health Center submitted a hacking and data theft report in April for an incident that had happened about one year earlier, in May 2021, and impacted around 260,740 individuals.
Illinois Gastroenterology Group, PLLC submitted a hacking incident report in which the threat actors accessed the data of 227,943 persons, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were impacted by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which compromised the data of 194,035 persons. In the ECL cyberattack, the attackers erased databases and system configuration files of one cloud service. A dozen eye care providers had been affected by the cyberattack and over 342,000 records had been exposed.
1. Adaptive Health Integrations – 510,574 individuals affected by hacking incident with possible information theft
2. ARcare – 345,353 individuals affected by malware infection
3. Refuah Health Center – 260,740 individuals affected by the hacking incident and information theft
4. Illinois Gastroenterology Group, PLLC – 227,943 individuals affected by a hacking incident along with possible data theft
5. Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown – 194,035 individuals affected by hacking incident at EHR provider
6. Healthplex, Inc. – 89,955 individuals affected by email account breach
7. Optima Dermatology Holdings, LLC – 59,872 individuals affected by unspecified email incident
8. SUMMIT EYE ASSOCIATES P.C. – 53,818 individuals affected by hacking incident at EHR company
9. Newman Regional Health – 52,224 individuals affected by email account breach
10. WellStar Health System, Inc. – 30,417 individuals affected by WellStar Health System
11. Central Vermont Eye Care – 30,000 individuals were affected by an unspecified hacking incident
12. Frank Eye Center – 26,333 individuals affected by the hacking incident at EHR provider
13. New Creation Counseling Center – 24,029 individuals were affected by a ransomware attack
14. Georgia Pines CSB – 24,000 individuals affected by the theft of laptop computers
15. The Guidance Center, Inc. – 23,104 individuals affected by email account breach
16. Allied Eye Physicians and Surgeons, Inc. – 20,651 individuals affected by the hacking incident at EHR company
17. King County Public Hospital District No. 2 also known as EvergreenHealth – 20,533 individuals affected by hacking incident at EHR company
18. Onehome Health Solutions – 15,401 individuals affected by the theft of laptop computers
19. Southern Ohio Medical Center – 15,136 individuals affected by the hacking incident with possible information theft
20. Arkfeld, Parson, and Goldstein, P.C. also known as ilumin – 14,984 individuals affected by hacking incident at EHR company
21. Pediatric Associates, P.C. – 13,000 individuals affected by hacking incident at EHR company
22. County Implants and Periodontics, LLC – 10,502 individuals affected by email account breach
Causes of April 2022 Healthcare Data Breaches
73.2% of the reported healthcare data breaches and 97.1% of the breached healthcare records in April 2022 were due to hacking and IT incidents. 2,098,390 people had been impacted by those hacking incidents and possibly had their protected health information (PHI) stolen. The average and median breach sizes were 51,180 records and 9,969 records, respectively. 16 hacking incidents concerned unauthorized persons getting access to the email accounts of employees, and 7 hacking incidents involved the EHR at Eye Care Leaders.
Breaches reported due to unauthorized access/disclosure incidents impacted 20,391 records. The average and median breach sizes were 1,854 records and 820 records, respectively. Two theft incidents involved laptops and one loss incident involved a mobile electronic device. Across the three loss/theft cases, 40,298 individual records were possibly exposed. These three breaches might have been avoided if the information had been encrypted. One improper disposal incident affected 1,115 paper records.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 39 breaches in April. Health plans reported 7 data breaches, and business associates reported 10 data breaches. However, 17 data breaches occurred at business associates, although the respective covered entity reported them.
Healthcare Data Breaches by State
HIPAA-regulated entities located in 26 states submitted breach reports in April 2022. New York had 7 data breaches reported while Ohio had 6. California had 4 breaches reported while Arizona, Kansas, Georgia, Michigan, Virginia and Tennessee reported 3 each. Florida, North Carolina, New Hampshire and Maryland had 2 data breaches reported each. Arkansas, Alabama, Colorado, Connecticut, Nebraska, Illinois, North Dakota, South Carolina, Pennsylvania, Utah, Washington, West Virginia and Vermont reported 1 each.
HIPAA Enforcement Activity in April 2022
Neither the HHS’ Office for Civil Rights nor State Attorneys General announced any HIPAA enforcement activities in April 2022. To date, 4 financial penalties have been imposed to settle HIPAA violations.