Healthcare Data Breach Report in January 2020

In January, healthcare data breaches involving at least 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one per day.

According to the 2019 Healthcare Data Breach Report, 2019 was a notably bad year in terms of healthcare data breaches. HIPAA-covered entities and business associates reported 510 data breaches, which translates to a rate of 42.5 healthcare data breaches each month. January’s reporting rate of 1.03 breaches per day is better and reflects 15.78% fewer reported breaches than in December 2019.

Healthcare Data Breaches in January 2020

Although the number of breaches decreased, the number of breached records went up by 17.71% month-over-month. There were 462,856 healthcare records that were exposed, impermissibly disclosed or stolen in 32 reported healthcare data breaches.

January 2020’s Biggest Healthcare Data Breaches

1. PIH Health in CA – 199,548 individuals affected due to Hacking/IT Incident
2. Douglas County Hospital d/b/a Alomere Health in MN – 49,351 individuals affected due to Hacking/IT Incident
3. InterMed, PA in ME – 33,000 individuals affected due to Hacking/IT Incident
4. Fondren Orthopedic Group L.L.P. in TX – 30,049 individuals affected due to Hacking/IT Incident
5. Native American Rehabilitation Association of the Northwest, Inc. in OR – 25,187 individuals affected due to Hacking/IT Incident
6. Central Kansas Orthopedic Group, LLC in KS – 17,214 individuals affected due to Hacking/IT Incident
7. Hospital Sisters Health System in IL – 16,167 individuals affected due to Hacking/IT Incident
8. Spectrum Healthcare Partners in ME – 11,308 individuals affected due to Hacking/IT Incident
9. Original Medicare in MD – 9,965 individuals affected due to Unauthorized Access/Disclosure
10. Lawrenceville Internal Medicine Assoc, LLC in NJ – 8,031 individuals affected due to Unauthorized Access/Disclosure

Causes of Healthcare Data Breaches in January 2020

More than 59.38% (19 incidents) of data breaches reported to OCR were due to hacking, ransomware, malware, phishing attacks, and other IT security breaches.
28.13% (9 incidents) of data breaches reported were categorized as unauthorized access/disclosure data breaches. Two of the nine were theft of physical records, and two were improper disposal of physical records.

Ransomware attacks still cause problems for the healthcare sector; however, phishing attacks are still the biggest cause of healthcare data breaches. The PHI of hundreds of thousands of patients could be stolen or exposed.

Hacking/IT incidents seem to be the most harmful type of breach and result in more breached healthcare records compared to other types of breaches. In January, hacking/IT incidents resulted in 416,275 breached records. The mean and median breach sizes were 21,909 records and 6,524 records, respectively. Unauthorized access/disclosure incidents resulted in 26,450 breached records. The mean and median breach sizes were 26,450 records and 2,939 records, respectively.

Theft incidents resulted in 11,284 stolen records, with an average breach size of 5,642 records. The two improper disposal incidents resulted in 2,812 exposed records, with an average breach size of 1,406 records.

Location of Breached Protected Health Information (PHI)

Giving employees regular HIPAA security awareness training was found to lessen susceptibility to phishing attacks; however, threat actors are carrying out more and more advanced attacks. It is generally difficult to tell a phishing email from a legitimate message, particularly in the case of business email compromise (BEC) scams.

Stopping these attacks requires defense in depth. No single technical solution is effective enough at preventing all phishing attacks. Security must include the following:

  • an innovative spam filter to stop phishing messages at the source
  • DMARC to recognize email impersonation attacks
  • a web filter to prevent access to websites hosting phishing kits
  • multi-factor authentication to stop the use of compromised credentials to access email accounts

Healthcare Data Breaches by Covered Entity

Healthcare providers reported 25 breaches involving at least 500 healthcare records. Health plans reported five breaches, and business associates of HIPAA-covered entities reported two breaches. Three other data breaches reported by covered entities also had some involvement of business associates.

Healthcare Data Breaches by State

HIPAA covered entities and business associates from 23 states submitted data breach reports in January. California and Texas each reported three breaches. Florida, Illinois, Minnesota, Maine, and New York each had two breaches reported. Alabama, Arizona, Connecticut, Colorado, Georgia, Indiana, Iowa, Kansas, Michigan, Maryland, New Jersey, North Carolina, Pennsylvania, Oregon, South Carolina, and Virginia each had one breach reported.

HIPAA Enforcement in January 2020

Neither the HHS’ Office for Civil Rights nor the state attorneys general imposed any financial penalties on HIPAA covered entities or business associates in January.

However, the number of legal cases filed against healthcare companies that have experienced data breaches associated with phishing and ransomware attacks notably increased.

  • January saw a legal action filed against Health Quest because of a July 2018 phishing attack
  • Tidelands Health is facing charges because of a ransomware attack in December 2019
  • DCH Health System faced a second lawsuit because of a malware attack associated with the Emotet and TrickBot Trojans that happened in October 2019

These legal cases follow the legal actions against Solara Medical Supplies and Kalispell Regional Healthcare in December.

In February, several law firms are still preparing to file legal cases against PIH Health in California because of a 2019 phishing attack that compromised the information of over 200,000 people.

These legal cases may involve HIPAA violations; however, because HIPAA does not have a private cause of action, the lawsuits are filed over violations of state laws.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA