HIPAA-covered entities and their business associates continue to report large numbers of healthcare data breaches. In July, 70 data breaches involving 500 or more records were reported, which works out to more than two breaches reported per day.
July saw slightly fewer breaches than June. However, those breaches exposed 5,570,662 records, an increase of 331.5% month-over-month.
Over the past year, from August 2020 to July 2021, 706 healthcare data breaches involving 500 or more records were reported, exposing the healthcare information of 44,369,781 people. That is an average of 58.8 data breaches and approximately 3.70 million breached records per month.
Biggest Healthcare Data Breaches in July 2021
Two healthcare data breaches stand out because of the large number of healthcare records exposed, and possibly stolen. The biggest healthcare data breach reported in July was a hacking/IT incident at the Wisconsin healthcare provider Forefront Dermatology. The specific nature of the attack was not disclosed, so it is unclear whether ransomware was involved. Hackers gained access to parts of its systems that stored the protected health information (PHI) of 2.4 million people. The second biggest data breach was reported by Practicefirst, a New York business associate of several HIPAA-covered entities. A ransomware attack resulted in the potential exfiltration of the healthcare data of 1.2 million people.
1. Forefront Dermatology, S.C. – 2,413,553 individuals affected by Hacking/IT Incident
2. Professional Business Systems, Inc., dba Practicefirst Medical Management Solutions/PBS Medcode Corp – 1,210,688 individuals affected by Hacking/IT Incident and ransomware attack
3. UF Health Central Florida – 700,981 individuals affected by Hacking/IT Incident
4. Orlando Family Physicians, LLC – 447,426 individuals affected by Hacking/IT Incident
5. HealthReach Community Health Centers – 122,340 individuals affected by Improper Disposal
6. Guidehouse – 84,220 individuals affected by Hacking/IT Incident and ransomware attack at Accellion FTA
7. Advocate Aurora Health – 68,707 individuals affected by Hacking/IT Incident and ransomware attack (Elekta)
8. McLaren Health Care Corporation – 64,600 individuals affected by Hacking/IT Incident and ransomware attack (Elekta)
9. Coastal Family Health Center, Inc. – 62,342 individuals affected by Hacking/IT Incident and ransomware attack
10. Florida Heart Associates – 45,148 individuals affected by Hacking/IT Incident
11. A2Z Diagnostics, LLC – 35,587 individuals affected by Hacking/IT Incident
12. University of Maryland, Baltimore – 30,468 individuals affected by Hacking/IT Incident
13. Florida Blue – 30,063 individuals affected by Hacking/IT Incident
14. Intermountain Healthcare – 28,628 individuals affected by Hacking/IT Incident and ransomware attack (Elekta)
Causes of Healthcare Data Breaches in July 2021
Ransomware remains widely used in cyberattacks on healthcare companies and their business associates, and such attacks can quickly lead to the theft of large amounts of healthcare information. Most ransomware groups (and their RaaS affiliates) now exfiltrate sensitive data before deploying ransomware to encrypt files. Victims are then pressured to pay both to obtain the file decryption keys and to prevent the stolen information from being published or sold.
To help counter the surge in double extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency released new guidance. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer systems, with the focus shifting away from perimeter defenses toward assuming that attackers have already gained access to the system. Controls must therefore be designed to limit the damage an intruder who is already inside can cause.
Hacking/IT incidents, most of them involving ransomware, dominated July's breach reports. In the 52 hacking/IT incidents reported, the PHI of 5,393,331 people was potentially compromised, which accounts for 96.82% of all records breached in July.
There were 13 unauthorized access/disclosure incidents reported, such as mailing errors, misdirected emails, and snooping by medical staff; across those incidents, 52,676 healthcare records were impermissibly accessed or disclosed to unauthorized individuals. Two theft incidents affecting 2,275 records and one improper disposal incident affecting 122,340 electronic health records were also reported.
Most incidents involved hacked network servers, but email accounts continue to be compromised. 21 breaches involved PHI stored in email accounts, and most of those email incidents resulted from phishing attacks in which employee information was stolen.
Data Breaches by Covered Entity Type
In July, healthcare providers reported 47 data breaches, business associates reported 11, and health plans reported 10. The reporting entity, however, does not always indicate where the breach actually occurred: in many cases a business associate suffered the breach but a covered entity reported it.
Adjusting for this, healthcare providers and business associates experienced the same number of breaches in July, 30 each.
July 2021 Healthcare Data Breaches by State
HIPAA-covered entities and business associates located in 32 states and the District of Columbia reported healthcare data breaches in July. Florida reported 6; California, New York, and Texas reported 5 breaches each; Illinois and North Carolina reported 4 each; Connecticut, Minnesota, New Jersey, and Nebraska reported 3 each; and Mississippi, Oklahoma, Wisconsin, and Washington reported 2 each. The following states reported one breach each: Alabama, Georgia, Indiana, Iowa, Kentucky, Kansas, Maine, Massachusetts, Maryland, Michigan, Montana, Missouri, Ohio, Pennsylvania, South Carolina, Utah, West Virginia, Virginia, and the District of Columbia.
HIPAA Enforcement Activity in July 2021
The HHS’ Office for Civil Rights (OCR), the principal enforcer of HIPAA compliance, issued no new enforcement actions against HIPAA-covered entities or business associates in July. State attorneys general likewise announced no enforcement actions.
So far this year, OCR has issued 8 financial penalties totaling $5,570,100. State attorneys general have imposed just one financial penalty: $21 million paid by American Medical Collection Agency (AMCA).