The HHS’ Office for Civil Rights received 37 reports of healthcare data breaches involving 500 or more records in August 2020. The number of breaches remained fairly constant month-over-month; however, the number of breached records in August increased by 63.9%. There were 2,167,179 records exposed, impermissibly disclosed or stolen. The average breach size and median breach size were 58,572 records and 3,736 records, respectively.
Biggest Healthcare Data Breaches in August 2020
1. Northern Light Health – 657,392 individuals affected due to the Blackbaud ransomware attack
2. Saint Luke’s Foundation – 360,212 individuals affected due to the Blackbaud ransomware attack
3. Assured Imaging – 244,813 individuals affected due to a ransomware attack
4. MultiCare Health System – 179,189 individuals affected due to the Blackbaud ransomware attack
5. Imperium Health LLC – 139,114 individuals affected due to a phishing attack
6. University of Florida Health – 135,959 individuals affected due to the Blackbaud ransomware attack
7. Utah Pathology Services, Inc. – 112,124 individuals affected due to a phishing attack
8. Dynasplint Systems, Inc. – 102,800 individuals affected due to a ransomware attack
9. Main Line Health – 60,595 individuals affected due to the Blackbaud ransomware attack
10. Northwestern Memorial HealthCare – 55,983 individuals affected due to the Blackbaud ransomware attack
11. Richard J. Caron Foundation – 22,718 individuals affected due to the Blackbaud ransomware attack
12. UT Southwestern Medical Center – 15,958 individuals affected due to unauthorized access/disclosure
13. City of Lafayette Fire Department – 15,000 individuals affected due to a ransomware attack
14. Hamilton Health Center, Inc. – 10,393 individuals affected due to unauthorized access/disclosure of misdirected email
Causes of Healthcare Data Breaches in August 2020
The majority of the breach reports in August were hacking/IT incidents. There were 24 hacking/IT incidents, which account for 64.9% of August’s data breaches. In those breaches, 2,127,070 records were compromised, accounting for 98.15% of all breached records in August. The average breach size and median breach size were 88,628 records and 11,550 records, respectively.
August also had 8 unauthorized access/disclosure incidents impacting 32,205 records. The average breach size and median breach size were 4,026 records and 992 records, respectively. The other 5 breach reports included 2 loss and 3 theft incidents. The average breach size and median breach size were 1,581 records and 1,768 records, respectively.
Although phishing attacks typically top the healthcare data breach reports, network server attacks were more prevalent in August. The higher number of network server incidents is mostly due to ransomware attacks, particularly the attack on Blackbaud, which is a business associate of many healthcare providers in America. Blackbaud provides a variety of services to healthcare organizations, such as patient engagement and digital information storage associated with donors and philanthropy.
From February 7, 2020 to May 20, 2020, hackers were able to access Blackbaud’s systems and acquired backup copies of a number of its customers’ databases prior to ransomware deployment. Blackbaud decided to pay the ransom to make sure the stolen data were deleted.
The attack affected only a small percentage of Blackbaud’s clients; about 57 have confirmed that their donor data was compromised in the attack. So far, over 4.2 million persons are confirmed to have been impacted. That number is not yet final, as the deadline for the breach reports has not yet passed.
Two major phishing incident reports in August involved Imperium Health and Utah Pathology Services. In the Imperium Health attack, 139,114 records were likely compromised. In the Utah Pathology Services attack, 112,124 records were affected.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers had 24 data breach reports in August. Health plans reported three and business associates reported five; however, there were 9 breaches where certain business associates were involved.
States Impacted by Data Breaches in August 2020
Data breaches affected 24 states in August. Pennsylvania reported 6 breaches involving at least 500 healthcare records. Kentucky reported 4, Texas reported 3, while Arizona, Ohio, and Washington each reported 2. Arkansas, California, Connecticut, Colorado, Florida, Idaho, Iowa, Illinois, Indiana, Maine, Maryland, Michigan, Missouri, Oklahoma, New York, South Carolina, Wisconsin and Utah each reported one.
August 2020 HIPAA Enforcement Activity
Neither the HHS Office for Civil Rights nor state attorneys general had any HIPAA enforcement actions in August.