The Department of Health and Human Services’ Office for Civil Rights received 59 reports of healthcare data breaches involving 500 or more records in October, 25.5% more than in September. Over the last 12 months, 655 healthcare data breaches of 500 or more records have been reported; 546 such reports have been filed so far in 2021.
The 59 breaches reported in October compromised, stole, or impermissibly exposed the protected health information (PHI) of 3,589,132 people, 186% more records than in September. Over the last 12 months, the PHI of 39,938,418 individuals has been exposed or stolen, and 34,557,664 people have had their PHI breached so far in 2021.
Biggest Healthcare Data Breaches Reported in October 2021
In October, 18 of the reported breaches each affected 10,000 or more individuals.
1. Eskenazi Health – 1,515,918 individuals affected due to Hacking/IT Incident
2. Sea Mar Community Health Centers – 688,000 individuals affected due to Hacking/IT Incident
3. ReproSource Fertility Diagnostics, Inc. – 350,000 individuals affected due to Hacking/IT Incident
4. QRS, Inc. – 319,778 individuals affected due to Hacking/IT Incident
5. UMass Memorial Health Care, Inc. – 209,048 individuals affected due to Hacking/IT Incident
6. OSF HealthCare System – 53,907 individuals affected due to Hacking/IT Incident
7. Educators Mutual Insurance Association – 51,446 individuals affected due to Hacking/IT Incident
8. Lavaca Medical Center – 48,705 individuals affected due to Hacking/IT Incident
9. Professional Dental Alliance, LLC – 47,173 individuals affected due to Unauthorized Access/Disclosure
10. Nationwide Laboratory Services – 33,437 individuals affected due to Hacking/IT Incident
11. Professional Dental Alliance of Michigan, PLLC – 26,054 individuals affected due to Unauthorized Access/Disclosure
12. Syracuse ASC, LLC – 24,891 individuals affected due to Hacking/IT Incident
13. Professional Dental Alliance of Georgia, PLLC – 23,974 individuals affected due to Unauthorized Access/Disclosure
14. Professional Dental Alliance of Florida, LLC – 18,626 individuals affected due to Unauthorized Access/Disclosure
15. Professional Dental Alliance of Illinois, PLLC – 16,673 individuals affected due to Unauthorized Access/Disclosure
16. Professional Healthcare Management, Inc. – 12,306 individuals affected due to Hacking/IT Incident
17. Professional Dental Alliance of Tennessee, LLC – 11,217 individuals affected due to Unauthorized Access/Disclosure
18. Professional Dental Alliance of New York, PLLC – 10,778 individuals affected due to Unauthorized Access/Disclosure
Ransomware attacks continue to plague healthcare organizations and endanger patient safety. Half of the 10 largest breaches in October’s report involved ransomware, including the three largest.
The worst breach of the month occurred at Eskenazi Health, where the PHI of more than 1.5 million patients was compromised and patient data is believed to have been stolen during the attack. Sea Mar Community Health Centers also reported a major ransomware attack. Its systems were first compromised in December 2020, but the ransomware attack was not identified until March 2021. In June, Sea Mar was notified that patient information had been published on a darknet marketplace, yet notification letters to affected individuals were not issued until late October.
Attackers frequently gain access to healthcare systems through phishing, and phishing remains the primary initial access vector in ransomware attacks. Large volumes of sensitive information are often stored in email accounts and can be stolen quickly once an employee responds to a phishing email. The phishing attack on UMass Memorial Health Care compromised the PHI of 209,048 people, and the phishing attack on a vendor of the Professional Dental Alliance compromised the PHI of more than 174,000 people.
Causes of Healthcare Data Breaches in October 2021
Hacking/IT incidents, which include ransomware attacks, accounted for 57.63% of last month’s breaches and 94.14% of all breached records (3,378,842 records). The average breach size in this category was 99,378 records and the median was 5,212 records.
There were 22 breaches categorized as unauthorized access/disclosure incidents, affecting the PHI of 200,887 people; the phishing attack on the Professional Dental Alliance’s vendor falls into this category. The average breach size was 9,131 records and the median was 4,484 records.
Only 4 breaches involved the loss or theft of physical records or electronic devices containing PHI: 3 thefts and 1 lost laptop. These incidents exposed the PHI of 9,403 people. The average breach size was 2,351 records and the median was 1,535 records.
Healthcare Data Breaches According to Type of HIPAA-Regulated Entity
Healthcare providers reported 43 breaches, business associates of HIPAA-covered entities reported 8, and health plans reported 8. Many breaches occur at business associates but are reported by the affected covered entity, so the business associate figure understates their share.
Healthcare Data Breaches According to State
HIPAA-regulated entities in 26 states submitted breach reports. Pennsylvania reported 12 breaches, 11 of which stemmed from the phishing attack on the Professional Dental Alliance’s vendor and were reported separately by each affected HIPAA-covered entity. California reported 5 breaches; Indiana, Illinois, and Texas reported 4 each; New York and Washington reported 3 each; Connecticut, Florida, New Jersey, Massachusetts, North Carolina, and Tennessee reported 2 each; and Alabama, Arkansas, Kentucky, Kansas, Mississippi, Minnesota, Nebraska, Ohio, Utah, South Carolina, Virginia, and West Virginia reported 1 each.
HIPAA Enforcement Activity in October 2021
Only one HIPAA enforcement action was announced in October. The New Jersey Attorney General settled an investigation into a data breach reported by the Diamond Institute for Infertility and Menopause that exposed the PHI of 14,663 New Jersey residents.
The New Jersey Department of Law and Public Safety’s Division of Consumer Affairs identified 29 violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to strengthen its data security.