In November 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) received 33 reports of healthcare data breaches involving 500 or more records, 36.5% fewer than were reported in October. The lower number of breaches is welcome news; however, more than one data breach still occurred per day.
A total of 600,877 healthcare records were exposed, stolen or impermissibly disclosed in November, 9.2% fewer than the healthcare records breached in October. However, November’s average breach size was 30.1% higher, at 18,208 records.
November 2019’s Biggest Healthcare Data Breaches
1. Ivy Rehab Network, Inc. and its affiliated companies: 125,000 individuals affected (Hacking/IT Incident)
2. Solara Medical Supplies, LLC: 114,007 individuals affected (Hacking/IT Incident)
3. Saint Francis Medical Center: 107,054 individuals affected (Hacking/IT Incident)
4. Southeastern Minnesota Oral & Maxillofacial Surgery: 80,000 individuals affected (Hacking/IT Incident)
5. Elizabeth Family Health Healthcare Provider: 28,375 individuals affected (Theft)
6. The Brooklyn Hospital Center: 26,312 individuals affected (Hacking/IT Incident)
7. Utah Valley Eye Center: 20,418 individuals affected (Hacking/IT Incident)
8. Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”): 15,575 individuals affected (Hacking/IT Incident)
9. Choice Cancer Care: 14,673 individuals affected (Hacking/IT Incident)
10. Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona: 12,886 individuals affected (Hacking/IT Incident)
Causes of Healthcare Data Breaches in November 2019
Hacking/IT incidents accounted for 63.6% of November’s breach reports and 90.75% of the breached healthcare records (545,293 records). The mean and median breach sizes were 25,966 records and 3,977 records, respectively.
November also had 7 unauthorized access/disclosure breaches reported, involving 16,586 breached healthcare records. The mean and median breach sizes were 2,369 records and 996 records, respectively.
Four incidents involved the theft of protected health information (PHI) of 38,998 people. In two incidents, electronic devices were stolen. In the other two incidents, paper records were stolen. The mean and median breach sizes were 7,799 records and 3,237 records, respectively.
Phishing is still the most prevalent cause of healthcare data breaches. Of the 33 healthcare data breaches in November, 17 involved potential access to PHI stored in email accounts as a result of phishing attacks.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers reported 28 data breaches in November, while health plans reported four breaches. Business associates reported only one breach, although business associates had some involvement in two more breaches.
November 2019 Healthcare Data Breaches by State
Data breaches were reported in 19 states. California reported 4 breaches. Illinois, New York, Missouri, and Texas reported three breaches each. Florida, North Carolina, and Pennsylvania each had two breaches reported. Alaska, Arizona, Connecticut, Colorado, Indiana, Maryland, Minnesota, Michigan, Nebraska, Virginia and Utah reported one breach each.
November 2019 HIPAA Enforcement
The three financial penalties issued to HIPAA-covered entities in November for HIPAA violations involved:
- University of Rochester Medical Center (URMC), which paid OCR $3,000,000.
- Sentara Hospitals, which agreed to pay OCR $2,175,000.
- The Texas Department of Aging and Disability Services (DADS), which paid $1.6 million in financial penalties.