The number of healthcare data breaches involving 500 or more records fell by 48% month-over-month in January 2021: 32 data breaches were reported, compared with 62 in December. Although this is below the monthly average of 38 reported breaches over the previous 12 months, the rate is still more than one data breach per day.
The number of breached records would have declined significantly as well if not for the massive data breach at Florida Healthy Kids Corporation, which affected 3.5 million individuals. A total of 4,467,098 records were breached in January, around 225,000 more than in December.
Biggest Healthcare Data Breaches in January 2021
Florida Healthy Kids Corporation reported one of the largest healthcare data breaches ever. The health plan had engaged an IT firm to host its website and an insurance coverage application. The vendor did not apply patches to those systems for seven years, leaving known vulnerabilities that unauthorized persons exploited to gain access to sensitive information.
A ransomware attack on Hendrick Health resulted in a major data breach, at a time when ransomware actors were accelerating their attacks on healthcare organizations. A ransomware attack on a technology vendor also caused the breach reported by the County of Ramsey.
Four of the top ten breaches in January were due to email-based attacks like business email compromise (BEC) and phishing attacks.
1. Florida Healthy Kids Corporation – 3,500,000 individuals affected – Hacking/IT Incident
2. Hendrick Health – 640,436 individuals affected – Hacking/IT Incident
3. Roper St. Francis Healthcare – 189,761 individuals affected – Hacking/IT Incident
4. Precision Spine Care – 20,787 individuals affected – Hacking/IT Incident (BEC attack)
5. Walgreen Co. – 16,089 individuals affected – Unauthorized Access/Disclosure
6. The Richards Group – 15,429 individuals affected – Hacking/IT Incident (phishing attack)
7. Florida Hospital Physician Group Inc. – 13,759 individuals affected – Hacking/IT Incident
8. Managed Health Services – 11,988 individuals affected – Unauthorized Access/Disclosure
9. Bethesda Hospital – 9,148 individuals affected – Unauthorized access of EMR by an employee
10. County of Ramsey – 8,687 individuals affected – Hacking/IT Incident
Causes of Healthcare Data Breaches in January 2021
The majority of healthcare data breaches are still caused by hacking and other IT incidents. The 20 hacking/IT incidents reported in January accounted for 62.5% of the month's data breaches, and the 4,413,762 records exposed in those incidents accounted for 98.8% of the month's breached records. The average and median breach sizes were 220,688 records and 2,464 records, respectively.
There were 11 healthcare data breaches and 50,996 breached records due to unauthorized access and disclosure incidents. The average and median breach sizes were 4,636 records and 1,680 records, respectively.
One healthcare data breach was due to the loss of an unencrypted laptop computer that contained 2,340 records. No breaches due to improper disposal or theft were reported.
Location of PHI in January 2021 Healthcare Data Breaches
Email was the most common location of breached PHI, reflecting the number of phishing attacks. Network servers were the next most common location, largely due to malware and ransomware incidents.
January 2021 Healthcare Data Breaches by Entity Type
Healthcare providers reported 23 data breaches and health plans reported 6. Business associates of HIPAA-covered entities reported three data breaches, but a further 7 breaches reported by covered entities actually occurred at business associates.
The number of breaches involving business associates has been increasing recently. These incidents frequently affect several covered entities at once, as with the Blackbaud data breach, which affected more than 10 million people associated with around four dozen healthcare organizations. Research by CI Security found that data breaches at business associates accounted for 75% of all breached healthcare records in the second half of 2020.
January 2021 Healthcare Data Breaches by State
January's data breaches were reported by HIPAA-covered entities and business associates in 18 states. Florida had 6 reported breaches, Texas and Wyoming had 3 each, and Louisiana, Massachusetts, and Minnesota had 2 each. One breach was reported in each of Indiana, Illinois, Maryland, Missouri, North Carolina, Nevada, Ohio, Pennsylvania, South Carolina, Virginia, Vermont, and Washington.
January 2021 HIPAA Enforcement Activity
19 settlements resolving HIPAA cases were reached in 2020, and HIPAA enforcement continued in January with two settlements resolving violations of the HIPAA Rules by covered entities. Excellus Health Plan settled a case involving multiple potential HIPAA Rules violations, without admitting liability, by paying a $5,100,000 financial penalty. Banner Health paid a $200,000 financial penalty to resolve non-compliance with the HIPAA Right of Access.