There is a 15.25% increase (compared to October) in the number of healthcare data breaches reported to the HHS’ Office for Civil Rights. November had 68 data breaches involving 500 and up records reported. For the period of January 1 to November 30, there were a total of 614 data breaches reported to the OCR. It’s likely that 2021 will be the worst year ever in terms of healthcare data breaches.
The number of data breaches went up, however the number of breached health records substantially declined. 2,370,600 healthcare records had been exposed, impermissibly disclosed or stolen in the 68 reported breaches. This number is 33.95% lower than October and the monthly average of 3,430,822 breached records.
Biggest Healthcare Data Breaches Reported in November 2021
November had 30 data breach reports involving 10,000 and up records submitted to the HHS’ Office for Civil Rights. Four of the breaches involved the exposure/stealing of over 100,000 records. The average breach and the median breach sizes in November were 34,862 records and 5,403 records, respectively.
The worst breach last month resulted in the exposure of the protected health information (PHI) of 582,170 people after hackers acquired access to the system of Utah Imaging Associates. Hackers also obtained access to Planned Parenthood’s network resulting in a major data breach, exfiltrating data prior to deploying ransomware for file encryption.
Sound Generations, a non-profit organization helping older adults and disabled adults get affordable healthcare services, alerted its patients concerning two ransomware attacks that happened in 2021. The incidents resulted in the compromise and likely theft of 103,576 persons’ PHI.
1. Utah Imaging Associates, Inc. – 582,170 individuals affected by Hacking/IT Incident
2. Planned Parenthood Los Angeles – 409,759 individuals affected by Hacking/IT Incident
3. The Urology Center of Colorado – 137,820 individuals affected by Hacking/IT Incident
4. Sound Generations – 103,576 individuals affected by Hacking/IT Incident
5. Mowery Clinic LLC – 96,000 individuals affected by Hacking/IT Incident
6. Howard University College of Dentistry – 80,915 individuals affected by Hacking/IT Incident
7. Sentara Healthcare – 72,121 individuals affected by Hacking/IT Incident
8. Ophthalmology Associates – 67,000 individuals affected by Hacking/IT Incident
9. Maxim Healthcare Group – 65,267 individuals affected by Hacking/IT Incident
10. True Health New Mexico – 62,983 individuals affected by Hacking/IT Incident
11. TriValley Primary Care – 57,468 individuals affected by Hacking/IT Incident
12. Broward County Public Schools – 48,684 individuals affected by Hacking/IT Incident
13. Consociate, Inc. – 48,583 individuals affected by Hacking/IT Incident
14. Doctors Health Group, Inc. – 47,660 individuals affected by Hacking/IT Incident
15. Baywood Medical Associates, PLC dba Desert Pain Institute – 45,262 individuals affected by Hacking/IT Incident
16. Medsurant Holdings, LLC – 45,000 individuals affected by hacking/IT Incident
17. One Community Health – 39,865 individuals affected by Hacking/IT Incident
18. Educators Mutual Insurance Association – 39,317 individuals affected by Hacking/IT Incident
19. Victory Health Partners – 30,000 individuals affected by Hacking/IT Incident
20. Commission on Economic Opportunity – 29,454 individuals affected by Hacking/IT Incident
Causes of Healthcare Data Breaches in November 2021
Hacking/IT incidents topped the breach reports with 50 cases reported in November. Ransomware is still widely utilized in attacks on healthcare companies and business associates. Then, stolen sensitive data is often seen published on data leak sites. Lawsuits are often associated with the theft of patient information in these attacks. Planned Parenthood, for instance, faced a class action lawsuit a couple of days after sending notification letters to impacted individuals.
In November, 2,327,353 healthcare records had been exposed or stolen through the hacking incidents, accounting for 98.18% of the month’s breached records. The average breach size and median breach size were 42,316 records and 11,603 records, respectively.
November had 11 unauthorized access/disclosure breaches, which is just 50% of the number of unauthorized access/disclosure breaches in October. There were 37,646 records impermissibly accessed or disclosed in those breaches. The average breach size and the median breach size were 3,422 records and 1,553 records, respectively. There were additionally two reported incidents of theft of portable electronic devices that contain the electronic PHI of 5,601 persons.
Healthcare Data Breaches by Covered Entity Type in November
Healthcare providers had reported 50 breaches, but four of those happened at business associates and the healthcare provider reported them. Health plans reported 8 data breaches, but 3 of those happened at business associates. Business associates reported 10 data breaches.
November Healthcare Data Breaches by State
HIPAA-regulated entities located in 32 states and the District of Columbia reported healthcare data breaches involving 500 and up records. California & New York reported 7 breaches; Maryland and Pennsylvania reported 4 breaches; Colorado, Kentucky, Ohio, and Utah reported 3 breaches; Indiana, Illinois, Michigan, New Mexico, Minnesota, Texas, Tennessee, Virginia, and the District of Columbia reported 2 breaches each. Alabama, Arkansas, Arizona, Florida, Georgia, Kansas, Idaho, Missouri, Massachusetts, Nebraska, New Jersey, New Hampshire, North Carolina, Oregon, Washington, and South Carolina reported one each.
HIPAA Enforcement Activity in November 2021
In November, there was a sudden HIPAA enforcement activity as federal and state regulators imposed financial penalties. The HHS’ Office for Civil Rights issued 5 additional financial penalties (listed below) to settle alleged HIPAA Right of Access violations. In all instances, the healthcare companies were unable to deliver to patients a copy of their needed PHI in the proper time.
1. Rainrock Treatment Center LLC (dba Monte Nido Rainrock) – $160,000 to resolve HIPAA Right of Access violation
2. Advanced Spine & Pain Management – $32,150 to resolve HIPAA Right of Access violation
3. Denver Retina Center – $30,000 to resolve HIPAA Right of Access violation
4. Wake Health Medical Group – $10,000 to resolve HIPAA Right of Access violation
5. Dr. Robert Glaser – $100,000 Civil Monetary Penalty for HIPAA Right of Access violation
The New Jersey Attorney General and the Division of Consumer Affairs reported in November a settlement with two printing companies in New Jersey, Command Marketing Innovations, LLC and Strategic Content Imaging LLC for their HIPAA and the New Jersey Consumer Fraud Act violations. The violations were discovered while investigating a data breach that involve the PHI of 55,715 New Jersey locals.
The breach was because of a printing error that resulted in the attachment of the last page of a person’s benefit statement to another person’s benefit statement. The Division of Consumer Affairs confirmed that the companies did not ensure PHI confidentiality, failed to use enough PHI safety measures, and did not evaluate security measures after changing procedures. The two firms got a financial penalty of $130,000. The $65,000 was suspended and won’t be payable unless all the security failures were addressed by the companies.