In December 2021, 56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR), a 17.64% drop from the previous month. The monthly average for 2021 was 59 breach reports. A total of 712 healthcare data breaches were reported between January 1 and December 31, 2021, which is 70 more than in 2020, an increase of 10.9%.
December’s 56 data breaches resulted in the exposure or impermissible disclosure of 2,951,901 records, 24.52% more than the previous month. According to the OCR breach portal, about 45,706,882 healthcare records were breached in 2021, the second-highest annual total since 2009.
The Biggest Healthcare Data Breaches in December 2021
1. Oregon Anesthesiology Group, P.C. – 750,500 individuals affected by ransomware
2. Texas ENT Specialists – 535,489 individuals affected by ransomware
3. Monongalia Health System, Inc. – 398,164 individuals affected by business email compromise/phishing
4. BioPlus Specialty Pharmacy Services, LLC – 350,000 individuals affected by a hacked network server
5. Florida Digestive Health Specialists, LLP – 212,509 individuals affected by business email compromise/phishing
6. Daniel J. Edelman Holdings, Inc. – 184,500 individuals affected by a hacking/IT incident at a business associate
7. Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky – 106,910 individuals affected by a breached email account
8. Fertility Centers of Illinois, PLLC – 79,943 individuals affected by a hacked network server
9. Bansley and Kiener, LLP – 50,119 individuals affected by ransomware
10. Oregon Eye Specialists – 42,612 individuals affected by breached email accounts
11. MedQuest Pharmacy, Inc. – 39,447 individuals affected by a hacked network server
12. Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. – 20,579 individuals affected by phishing
13. Loyola University Medical Center – 16,934 individuals affected by a breached email account
14. Bansley and Kiener, LLP – 15,814 individuals affected by ransomware
15. HOYA Optical Labs of America, Inc. – 14,099 individuals affected by a hacked network server
16. Wind River Family and Community Health Care – 12,938 individuals affected by a breached email account
17. Ciox Health – 12,493 individuals affected by a breached email account
18. A New Leaf, Inc. – 10,438 individuals affected by ransomware
Causes of Healthcare Data Breaches in December 2021
December had 18 reported data breaches involving 10,000 or more records. The two largest were ransomware attacks that resulted in the compromise and likely theft of 1,285,989 records. Ransomware remains a major threat to healthcare providers. Law enforcement has made several arrests of ransomware gang members in recent months, most recently the arrest of 14 members of the notorious REvil ransomware operation by Russian authorities; however, a number of ransomware gangs, such as Mespinoza, continue to attack the healthcare industry.
Phishing attacks continue to cause breaches of large volumes of healthcare data. In December, breached email accounts contained the ePHI of 807,984 individuals. The Monongalia Health System phishing attack gave unauthorized persons access to email accounts containing 398,164 records.
Eight of December’s largest breaches were due to compromised email accounts. Two of those were business email compromise attacks that began with a phishing campaign and ended with requests to change the bank account details for pending payments.
Throughout 2021, hacking and other IT incidents dominated the breach reports. 82.14% of December’s reported breaches were hacking/IT incidents, accounting for 2,711,080 breached records, or 91.84% of the records breached in December. The average and median breach sizes were 58,937 and 4,563 records, respectively. The largest hacking incident exposed the protected health information (PHI) of 750,050 individuals.
Unauthorized access and disclosure incidents were fewer in 2021 than in prior years. Only 5 such incidents, affecting 234,476 records, were reported in December. The average and median breach sizes were 46,895 and 4,109 records, respectively.
Two cases of lost paper/films containing the PHI of 3,081 individuals and two cases of stolen paper/films containing the PHI of 2,129 individuals were reported. One further breach involved the improper disposal of a portable electronic device containing the ePHI of 934 patients.
The most common location of breached PHI was network servers, followed by email accounts.
HIPAA Regulated Entities That Reported Data Breaches in December 2021
Healthcare providers reported 36 data breaches in December, health plans reported 11, and business associates reported 9. Six of those breaches occurred at business associates but were reported by three healthcare providers and three health plans.
Healthcare Data Breaches by U.S. State
Illinois had 11 data breach reports. Four of these were submitted by the accountancy firm Bansley and Kiener and related to the same ransomware attack in December 2020. The firm is currently facing a lawsuit over its late notification of affected individuals.
Indiana reported 5 data breaches; Florida, Texas, and Oklahoma reported 4 each; Arizona reported 3; and California, Kansas, Georgia, Michigan, New York, Oregon, Virginia, and Utah reported 2 each. Alabama, Colorado, Maryland, Kentucky, Rhode Island, North Carolina, West Virginia, Wisconsin, and Wyoming reported 1 breach each.
HIPAA Enforcement Activity in December 2021
The HHS’ Office for Civil Rights did not issue any HIPAA penalties in December. In 2021, 14 financial penalties were paid to OCR by HIPAA-covered entities to resolve HIPAA violations: 13 cases were settled with OCR, and one resulted in a civil monetary penalty. 12 of the OCR enforcement actions involved HIPAA Right of Access violations.
State attorneys general issued 4 HIPAA enforcement actions in 2021, 3 of them in New Jersey. The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which comprises three Hackensack healthcare providers: Regional Cancer Care Associates LLC, RCCA MD LLC, and RCCA MSO LLC. The case was resolved without an admission of liability.