In July 2022, 66 healthcare data breaches affecting 500 or more records were reported to the Department of Health and Human Services' Office for Civil Rights. That is 5.71% fewer than the 70 breaches reported in June 2022 and the 70 reported in July 2021. Although the number of reported breaches dipped slightly from June, the average rate for the year remains above 57 breaches per month.
For the second consecutive month, the number of healthcare records compromised or impermissibly exposed reached 5 million. The 66 reported incidents involved 5,331,869 breached records, well above the monthly average of 3,499,029. July had 8.97% fewer breached records than June 2022 and 7.67% fewer than July 2021.
Biggest Healthcare Data Breaches in July 2022
July had 25 data breaches involving 10,000 or more records, 15 of which occurred at business associates of HIPAA-covered entities. The largest was a ransomware attack on Professional Finance Company (PFC), an accounts receivable management provider. As the PFC incident shows, a cyberattack on a business associate can affect many different HIPAA-covered entities at once; in this case, 657 covered entities were affected. PFC reported the breach as affecting more than 1.9 million individuals, though a number of its clients have also filed separate breach reports, so the total number of patient records compromised in the attack is not yet clear.
The second largest breach occurred at OneTouchPoint, a Wisconsin mailing vendor, which reported a ransomware attack affecting more than 1 million individuals. As with the PFC attack, some of OneTouchPoint's healthcare customers self-reported the breach, including Aetna ACE Health Plan. Another healthcare organization, Goodman Campbell Brain and Spine in Indiana, also suffered a major ransomware attack and confirmed that the threat actors had published the stolen data on their leak site.
1. Professional Finance Company, Inc. – 1,918,941 individuals affected by a ransomware attack
2. OneTouchPoint, Inc. – 1,073,316 individuals affected by a ransomware attack
3. Goodman Campbell Brain and Spine – 362,833 individuals affected by a ransomware attack with data leak
4. Aetna ACE CT – 326,278 individuals affected by a ransomware attack on its mailing vendor, OneTouchPoint
5. Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center – 258,411 individuals affected by a hacking incident at its billing vendor, PracticeMax
6. Avamere Health Services, LLC – 197,730 individuals affected by a hacking incident with data theft
7. BHG Holdings, LLC dba Behavioral Health Group – 197,507 individuals affected by a hacking incident with data theft
8. Premere Infinity Rehab, LLC – 183,254 individuals affected by a hacking incident with data theft at its business associate, Avamere Health Services
9. Carolina Behavioral Health Alliance, LLC – 130,922 individuals affected by a hacking incident
10. Family Practice Center PC – 83,969 individuals affected by a hacking incident
11. Kaiser Foundation Health Plan, Inc. (Southern California) – 75,010 individuals affected by the theft of a device during a break-in at a storage center
12. Magie Mabrey Hughes Eye Clinic, P.A., also known as Arkansas Retina – 57,394 individuals affected by a ransomware attack on its EHR vendor, Eye Care Leaders
13. McLaren Port Huron – 48,957 individuals affected by a hacking incident with data theft at its business associate, MCG Health
14. Southwest Health Center – 46,142 individuals affected by a hacking incident with data theft
15. WellDyneRx, LLC – 43,523 individuals affected by an email account breach
16. Associated Eye Care – 40,793 individuals affected by a ransomware attack on its EHR vendor, Eye Care Leaders
17. Zenith American Solutions – 37,146 individuals affected by a mailing error
18. Benson Health – 28,913 individuals affected by a hacking incident
19. Healthback Holdings, LLC – 21,114 individuals affected by a breach of email accounts
20. East Valley Ophthalmology – 20,734 individuals affected by a ransomware attack on its EHR vendor, Eye Care Leaders
21. Arlington Skin – 17,468 individuals affected by a hacking incident at its EHR management firm, Virtual Private Network Solutions
22. The Bronx Accountable Healthcare Network – 17,161 individuals affected by a breach of email accounts
23. Granbury Eye Clinic – 16,475 individuals affected by a ransomware attack on its EHR vendor, Eye Care Leaders
24. CHRISTUS Spohn Health System Corporation – 15,062 individuals affected by a ransomware attack with data leak
25. Central Maine Medical Center – 11,938 individuals affected by a hacking incident at its business associate, Shields Healthcare Group
Causes of Healthcare Data Breaches in July 2022
In July, hacking/IT incidents again dominated the breach reports: 55 breaches were classified as hacking/IT incidents, and ransomware remains a persistent problem for the healthcare sector. Of the top 25 breaches, 9 were attributed to ransomware, although HIPAA-covered entities usually do not disclose the exact nature of a cyberattack or whether ransomware was involved. Across all hacking incidents, 5,195,024 records (97.43% of the month's total) were exposed. The average and median breach sizes were 94,455 and 4,447 records, respectively.
July had 8 unauthorized access/disclosure incidents affecting 59,784 records, with average and median breach sizes of 7,473 and 1,920 records, respectively. Three incidents involved the loss of devices or physical records affecting 77,061 records, with average and median breach sizes of 25,687 and 1,201 records, respectively. There was also one theft incident.
Because most of July's breaches were hacking incidents, 56% involved PHI stored on network servers. In 12 incidents, phishing and brute force attacks resulted in unauthorized access to email accounts.
Hybrid phishing attacks on the healthcare sector have increased in recent months. In these attacks the email itself carries no malicious link or attachment, only a telephone number controlled by the threat actor. According to Agari, hybrid phishing attacks rose 625% in Q2 2022. The initial contact is made by email, and the scam is then carried out over the telephone. Several ransomware groups have adopted this approach as their primary means of gaining initial access to victims' networks. The lures used in the emails are typically notices of an upcoming charge that will be applied unless the recipient calls the number to stop it, such as the renewal of a product subscription or the end of a free trial for a software product or service. The goal is to talk the victim into starting a remote access session with the threat actor.
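The hybrid lure described above is hard for conventional email filters because there is no URL or attachment to inspect; the only call to action is a phone number. A mail gateway or SOC triage script can still key on that combination (phone number, billing or renewal language, urgency, and an instruction to call, with no link or attachment). The following is an added example, not code from the original article or from Agari; the sample messages are constructed, and the regexes, cue word lists and scoring threshold are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample messages (not real mail): (subject, body, has_attachment).
SAMPLE_MESSAGES = [
    (
        "Your ExampleSoft Pro trial ends today",
        "Your free trial of ExampleSoft Pro expires today and your card will be "
        "charged $349.99 for the annual renewal. To cancel, call our billing desk "
        "at (555) 010-2244 within 24 hours.",
        False,
    ),
    (
        "Invoice #4471 is ready",
        "Hi team, your monthly invoice is available in the portal: "
        "https://billing.example.com/invoices/4471. Reply to this thread with questions.",
        True,
    ),
    (
        "Lunch and learn on Thursday",
        "Join us in room 3B at noon. Sandwiches provided. RSVP on the intranet.",
        False,
    ),
]

# North American phone number, with optional +1 prefix and common separators (assumed format).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _cue_pattern(words) -> "re.Pattern[str]":
    """Whole-word, case-insensitive match for any of the cue phrases."""
    return re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.IGNORECASE)


# Cue lists are illustrative assumptions; tune them against your own mail corpus.
BILLING_RE = _cue_pattern(("free trial", "renewal", "renew", "subscription", "charged", "charge", "invoice"))
URGENCY_RE = _cue_pattern(("within 24 hours", "today", "immediately", "expires", "final notice"))
CALL_RE = _cue_pattern(("call", "phone", "helpline", "support line", "billing desk"))

THRESHOLD = 5  # assumed cut-off; scores at or above this are flagged for review


def score_callback_phish(subject: str, body: str, has_attachment: bool = False) -> Tuple[int, List[str]]:
    """Return a heuristic score and the reasons that contributed to it."""
    text = f"{subject}\n{body}"
    score, reasons = 0, []
    phones = PHONE_RE.findall(body)
    if phones:
        score += 2
        reasons.append(f"phone number in body: {phones[0].strip()}")
    if BILLING_RE.search(text):
        score += 1
        reasons.append("billing/renewal lure")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("urgency cue")
    if CALL_RE.search(text):
        score += 1
        reasons.append("asks recipient to call")
    # Hallmark of the hybrid lure: a phone number is the only call to action,
    # so URL and attachment scanners have nothing to inspect.
    if phones and not URL_RE.search(body) and not has_attachment:
        score += 2
        reasons.append("phone number is the only call to action (no link, no attachment)")
    return score, reasons


def verdict(score: int) -> str:
    return "suspect-callback-phish" if score >= THRESHOLD else "ok"


def triage(messages) -> List[Tuple[str, int, str, List[str]]]:
    """Score each (subject, body, has_attachment) tuple and attach a verdict."""
    results = []
    for subject, body, has_attachment in messages:
        score, reasons = score_callback_phish(subject, body, has_attachment)
        results.append((subject, score, verdict(score), reasons))
    return results


def triage_samples() -> List[Tuple[str, int, str, List[str]]]:
    return triage(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for subject, score, v, reasons in triage_samples():
        print(f"{v:24} score={score} {subject!r}")
        for r in reasons:
            print("   -", r)
```

Only the constructed renewal lure crosses the threshold; the real invoice scores on the billing cue alone, because it carries a link and no phone number. In production this heuristic belongs alongside, not instead of, sender reputation and DMARC checks, and a flagged message is a candidate for analyst review rather than an automatic block.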
HIPAA Regulated Entities Impacted by Data Breaches
In most months, healthcare providers are the worst-affected entity type, but in July business associates were hit hardest. Healthcare providers reported 39 breaches, 15 of which occurred at business associates. Health plans reported 10 breaches, 4 of which occurred at business associates. A further 17 breaches were self-reported by business associates.
Healthcare Data Breaches Per State
HIPAA-regulated entities in 29 states reported data breaches involving 500 or more records. Texas reported 10 breaches; Pennsylvania and Virginia reported 5 each; California, North Carolina, Florida, and Wisconsin reported 4 each; Arizona, Connecticut, Illinois, Georgia, New Hampshire, Ohio, Oregon, and Oklahoma reported 2 each; and Arkansas, Alabama, Colorado, Iowa, Indiana, Maine, Michigan, Massachusetts, Missouri, Minnesota, New York, Rhode Island, Wyoming, and Washington reported one each.
HIPAA Enforcement Activity in July 2022
The HHS Office for Civil Rights announced only 4 enforcement actions from January to June, but in July OCR announced 12 enforcement actions in which financial penalties were paid to resolve HIPAA violations. OCR is continuing its HIPAA Right of Access enforcement initiative: 11 of the penalties were for failing to provide patients with timely access to their health records. Ten of these were settlements, and one was resolved with a civil monetary penalty.
The remaining July action resolved an OCR investigation into multiple alleged HIPAA Rules violations uncovered while investigating a breach of 279,865 records at Oklahoma State University – Center for Health Sciences.
State attorneys general did not announce any HIPAA enforcement actions in July.
List of enforcement actions announced in July:
1. ACPM Podiatry paid $100,000 as a civil monetary penalty for a HIPAA Right of Access failure
2. Oklahoma State University – Center for Health Sciences (OSU-CHS) paid $875,000 as a settlement for violations including failures in risk analysis, security incident response and reporting, evaluation, audit controls, and breach notification, and the impermissible disclosure of the PHI of 279,865 individuals
3. Memorial Hermann Health System paid $240,000 as settlement for HIPAA Right of Access failure
4. Southwest Surgical Associates paid $65,000 as settlement for HIPAA Right of Access failure
5. Hillcrest Nursing and Rehabilitation paid $55,000 as settlement for HIPAA Right of Access failure
6. MelroseWakefield Healthcare paid $55,000 as settlement for HIPAA Right of Access failure
7. Erie County Medical Center Corporation paid $50,000 as settlement for HIPAA Right of Access failure
8. Fallbrook Family Health Center paid $30,000 as settlement for HIPAA Right of Access failure
9. Associated Retina Specialists paid $22,500 as settlement for HIPAA Right of Access failure
10. Coastal Ear, Nose, and Throat paid $20,000 as settlement for HIPAA Right of Access failure
11. Lawrence Bell, Jr. D.D.S paid $5,000 as settlement for HIPAA Right of Access failure
12. Danbury Psychiatric Consultants paid $3,500 as settlement for HIPAA Right of Access failure