In June 2022, 70 healthcare data breaches involving 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). This is two fewer than in May and one fewer than in June 2021. Between July 2021 and June 2022, 692 large healthcare data breaches were reported, with the records of 42,431,699 persons impermissibly disclosed or exposed.
This is the third month with an increase in the number of exposed records. In June, 5,857,143 breached healthcare records were reported, the biggest monthly total to date in 2022. The number of breached records in June is 32.48% higher than in May and 65.64% higher than the monthly average over the last 12 months.
Although the number of breached healthcare records is large, fewer records (20,191,930) were breached in the first 6 months of 2022 than in either the first half (27,600,651 breached records) or the second half (22,239,769 breached records) of 2021.
June 2022 Biggest Healthcare Data Breaches Reported
June had 31 reported breaches involving 10,000 or more healthcare records, which is the same as in May 2022. Two breaches impacted over 1.2 million persons. A number of healthcare companies sent breach reports in June 2022 due to the ransomware attack on Eye Care Leaders, a HIPAA business associate. At least 37 healthcare companies are now known to have been impacted by that ransomware attack, and over 3 million records were compromised in the attack.
1. Texas Tech University Health Sciences Center – 1,290,104 individuals were affected due to Eye Care Leaders’ ransomware attack
2. Baptist Medical Center – 1,243,031 individuals were affected due to ransomware attack
3. MCG Health, LLC – 793,283 individuals were affected due to unspecified hacking and data theft incident
4. Yuma Regional Medical Center – 737,448 individuals were affected due to ransomware attack
5. Stokes Regional Eye Centers – 266,170 individuals were affected due to Eye Care Leaders ransomware attack
6. Spectrum Eye Physicians – 175,000 individuals were affected due to Eye Care Leaders ransomware attack
7. 90 Degree Benefits, Inc. – 172,450 individuals were affected due to an unspecified hacking incident
8. Michigan Avenue Immediate Care – 144,104 individuals were affected due to unspecified hacking and data theft incident
9. Mattax Neu Prater Eye Center, Inc. – 92,361 individuals were affected due to Eye Care Leaders ransomware attack
10. Sight Partners Physicians, P.C. – 86,101 individuals were affected due to Eye Care Leaders ransomware attack
11. Clinivate LLC – 77,652 individuals were affected due to an unspecified hacking incident
12. Kaiser Foundation Health Plan of Washington – 69,589 individuals were affected due to compromised email account
13. Carolina Eyecare Physicians, LLC – 68,739 individuals were affected due to Eye Care Leaders ransomware attack
14. Precision Eye Care, Ltd. – 58,462 individuals were affected due to Eye Care Leaders ransomware attack
15. Resolute Health Hospital – 54,239 individuals were affected due to a ransomware attack
16. Aloha Laser Vision – 43,263 individuals were affected due to Eye Care Leaders ransomware attack
17. Center for Sight, Inc. – 41,041 individuals were affected due to Eye Care Leaders ransomware attack
18. McCoy Vision Center – 33,930 individuals were affected due to Eye Care Leaders ransomware attack
19. Chesapeake Eye Center PA – 32,770 individuals were affected due to Eye Care Leaders ransomware attack
20. Kevin Wolf, DPM d/b/a Goldsboro Podiatry – 30,669 individuals were affected due to an unspecified hacking incident
21. Long Vision Center – 29,237 individuals were affected due to Eye Care Leaders ransomware attack
22. Foxhall Ob-Gyn Associates – 27,000 individuals affected
23. Alabama Eye & Cataract, P.C. – 26,000 individuals were affected due to Eye Care Leaders ransomware attack
24. Lori A. Harkins MD, P.C. dba Harkins Eye Clinic – 23,993 individuals were affected due to Eye Care Leaders ransomware attack
25. DialAmerica Marketing, Inc. – 19,796 individuals were affected due to an unspecified hacking incident
26. Central Florida Inpatient Medicine – 19,625 individuals were affected due to compromised email account
27. Yale New Haven Hospital – 19,496 individuals were affected due to data exposed on a public-facing website
28. Cherry Creek Eye Physicians and Surgeons, P.C. – 17,732 individuals were affected due to Eye Care Leaders ransomware attack
29. Bayhealth Medical Center, Inc – 17,481 individuals were affected due to ransomware attack on Professional Finance Company (business associate)
30. Kernersville Eye Surgeons, P.C. – 13,412 individuals were affected due to Eye Care Leaders ransomware attack
31. Phelps County Regional Medical Center d/b/a Phelps Health – 12,602 individuals were affected due to data breach at MCG Health (business associate)
Causes of Healthcare Data Breaches in June 2022
A high number of ransomware attacks on healthcare companies was reported. 20 of the 31 data breaches involving 10,000 or more individuals were ransomware attacks. When these attacks happen at business associates, many HIPAA-covered entities can be affected. The ransomware attack on Eye Care Leaders has impacted at least 37 eye care companies. The ransomware attack on Professional Finance Company impacted 657 of its healthcare company clients.
Ransomware attacks on healthcare companies are unlikely to slow down. CISA recently cautioned the health and public health industry that North Korean state-sponsored attackers will be targeting the industry and are using ransomware for extortion.
Hacking incidents still lead the breach reports, as all except 2 of the top 31 breaches were related to hacking. 81% of the breaches (57 incidents) were hacking/IT incidents, and they breached the records of 5,784,009 persons, which is 98.75% of all of June’s breached records. The average and median breach sizes were 101,474 records and 12,602 records, respectively.
Six unauthorized access/disclosure incidents were reported, affecting 59,224 records. The average and median breach sizes were 9,871 records and 5,672 records, respectively. There were 4 theft incidents and 1 loss incident reported, affecting 12,184 records. The average and median breach sizes were 2,437 records and 1,126 records, respectively. Lastly, two incidents involving improper disposal of paper/films were reported, affecting 1,726 records.
Location of Breached Protected Health Information (PHI)
The large number of network server breaches shows the extent to which hackers are attacking healthcare companies. Many of the attacks involved ransomware. The majority of data breaches do not impact electronic health records (EHRs). Those involving EHRs are due to the ransomware attack on Eye Care Leaders, which gives access to the EHRs of eye care companies.
Data Breaches by HIPAA-Regulated Entity Type
55 healthcare providers and 4 health plans were affected by data breaches involving 500 or more records. Business associates of HIPAA-covered entities reported only 11 data breaches; however, 29 data breaches happened at business associates, though they were reported by the impacted covered entity.
Breached Entities by State
HIPAA-regulated entities from 29 states and the District of Columbia reported data breaches involving 500 or more records as follows:
- Washington reported 5 data breaches
- California, North Carolina, New Jersey, Ohio, South Carolina, Virginia and Texas reported 4 data breaches
- Alabama, Nebraska, Missouri and New York reported 3 data breaches
- The District of Columbia, Delaware, Kansas, Illinois, Michigan, Maryland, Pennsylvania and Tennessee reported 2 data breaches
- Arizona, Connecticut, Colorado, Delaware, Florida, Hawaii, Georgia, Mississippi, Massachusetts and Wisconsin reported 1 breach each
HIPAA Enforcement Activity
Neither OCR nor state attorneys general announced any HIPAA enforcement action in June 2022. However, this month (July) OCR reported 12 HIPAA penalties issued, 11 of which involved HIPAA Right of Access violations.