For the 3rd consecutive month, the number of data breaches submitted to the HHS’ Office for Civil Rights (OCR) has decreased. February had 46 healthcare data breaches involving 500 or more records, a decrease of 8% from January. This figure is the lowest number of data breaches reported in the last 5 months. Despite the decrease, healthcare data breaches have still typically been reported at a rate of more than 2 per day over the last year. From March 1, 2021 to February 28, 2022, 723 data breaches involving 500 or more records were reported.
In February’s 46 cases, the records of 2,525,023 people were compromised – a 2.28% drop from the preceding month – which is substantially less than the 3,506,400 records breached every month, on average, in the period between March 1, 2021 and February 28, 2022. About 42,076,805 healthcare records were compromised in that time period. In February, the average and median breach sizes were 48,957 records and 7,014 records, respectively.
February 2022 Biggest Healthcare Data Breaches Reported
In February, 22 HIPAA-regulated entities reported breaches involving 10,000 or more healthcare records. Morley Companies reported the biggest breach this month, a hacking incident that saw the exposure and likely theft of the PHI of 521,046 health plan members.
Monongalia Health System announced a major hacking incident that possibly led to the theft of 492,861 individuals’ PHI. The breach was uncovered a couple of days after the health system reported a prior data breach that involved a phishing and business email compromise attack impacting around 398,164 people.
1. Morley Companies, Inc. MI – 521,046 individuals affected by Hacking/IT Incident
2. Monongalia Health System, Inc. WV – 492,861 individuals affected by Hacking/IT Incident
3. Norwood Clinic AL – 228,000 individuals affected by Hacking/IT Incident
4. Logan Health Medical Center MT – 213,543 individuals affected by Hacking/IT Incident
5. South Shore Hospital Corporation IL – 115,670 individuals affected by Hacking/IT Incident
6. Comprehensive Health Services FL – 106,752 individuals affected by Hacking/IT Incident
7. US Radiology Specialists, Inc. NC – 87,552 individuals affected by Hacking/IT Incident
8. Memorial Village ER TX – 80,000 individuals affected by Hacking/IT Incident
9. Montrose Regional Health CO – 52,632 individuals affected by Hacking/IT Incident
10. Cross Timbers Health Clinics dba AccelHealth TX – 48,126 individuals affected by Hacking/IT Incident
11. Jacksonville Spine Center, P.A. FL – 38,000 individuals affected by Hacking/IT Incident
12. The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts, Inc. NY – 30,220 individuals affected by Hacking/IT Incident
13. EPIC Pharmacy Network, Inc. VA – 28,776 individuals affected by Hacking/IT Incident
14. Ascension Michigan (single affiliated covered entity) ACE MI – 27,177 individuals affected by Unauthorized Access/Disclosure
15. Bako Diagnostics GA – 25,745 individuals affected by Hacking/IT Incident
16. Ultimate Care, Inc. NY – 15,788 individuals affected by Hacking/IT Incident
17. Alliance Physical Therapy Group, LLC MI – 14,970 individuals affected by Hacking/IT Incident
18. University Medical Center Southern Nevada NV – 12,230 individuals affected by Hacking/IT Incident
19. Seneca Nation Health System NY – 12,000 individuals affected by Hacking/IT Incident
20. CareOregon Advantage OR – 10,467 individuals affected by Unauthorized Access/Disclosure
21. Extend Fertility NY – 10,373 individuals affected by Hacking/IT Incident
22. Houston Health Department TX – 10,291 individuals affected by Unauthorized Access/Disclosure
Causes of Healthcare Data Breaches in February 2022
Hacking incidents dominated the February breach reports. 39 data breaches were hacking/IT incidents, most of which allowed unauthorized persons to break into systems and view and/or copy sensitive information. It is typical for breached entities to disclose hacking incidents but not to publicly reveal the precise nature of the attacks, for example, whether malware or ransomware was used. In the 39 breaches, the records of 2,184,973 people were breached. The average and median breach sizes were 56,025 records and 6,221 records, respectively.
There were 6 unauthorized access/disclosure incidents reported in February involving the records of 62,550 individuals. The average breach size was 10,425 records and the median breach size was 8,953 records. There was one loss incident involving a desktop computer that contained the PHI of 4,500 individuals. There were no reported theft or improper disposal incidents.
Healthcare Data Breaches by State
HIPAA-regulated entities from 23 states submitted data breach reports in February. New York had the most reported breaches with 6, followed by Florida, New Jersey, and Michigan with 5 each. Texas and Virginia reported 3 each; Pennsylvania and West Virginia reported 2 each. The following states each had one report: Arizona, Alabama, Colorado, Connecticut, Illinois, Georgia, Massachusetts, Montana, North Carolina, Nevada, Oklahoma, Oregon, Utah, Rhode Island, and Washington.
Healthcare Data Breaches Reported by HIPAA-Regulated Entity Type
Healthcare providers reported 35 data breaches that affected 1,597,155 individuals’ records. Health plans reported 6 data breaches involving 21,284 records, and business associates of HIPAA-covered entities reported 5 data breaches involving the data of 633,584 persons.
There were 10 breaches that happened at business associates; however, those breaches were reported by the affected covered entities.
February 2022 HIPAA Enforcement Actions
Neither the HHS’ Office for Civil Rights nor state Attorneys General announced any HIPAA enforcement actions last month. In fact, no financial penalties have been issued in 2022 for HIPAA violations.