Healthcare Data Breach Summary Report for March 2021

The healthcare data breaches reported in March increased by 38.8%. There were 62 breaches involving at least 500 records reported to the HHS’ Office for Civil Rights, the majority of which were hacking incidents. The large number of reported data breaches is mostly because of a rise in data breaches involving business associates.

The number of breached records additionally went up dramatically as the 62 incidents had 2,913,084 healthcare records compromised or impermissibly disclosed; the figure increased by 135.89% from February.

Biggest Healthcare Data Breaches in March 2021

The 25 biggest healthcare data breaches reported in March were all hacking/IT incidents. 76% occurred in compromised network servers and 24% occurred in compromised email accounts. 60% of the breaches had business associates involvement.

1. Health Net Community Solutions – 686,556 individuals affected by Hacking/IT Incident
2. Health Net of California – 523,709 individuals affected by Hacking/IT Incident
3. Woodcreek Provider Services LLC – 207,000 individuals affected by Hacking/IT Incident
4. Trusted Health Plans, Inc. – 200,665 individuals affected by Hacking/IT Incident
5. Apple Valley Clinic – 157,939 individuals affected by Hacking/IT Incident
6. Saint Alphonsus Health System – 134,906 individuals affected by Hacking/IT Incident
7. The Centers for Advanced Orthopaedics – 125,291 individuals affected by Hacking/IT Incident
8. Cancer Treatment Centers of America at Midwestern Regional Medical Center – 104,808 individuals affected by Hacking/IT Incident
9. SalusCare – 85,000 individuals affected by Hacking/IT Incident
10. California Health & Wellness – 80,138 individuals affected by Hacking/IT Incident
11. Mobile Anesthesiologists – 65,403 individuals affected by Hacking/IT Incident
12. Trillium Community Health Plan – 50,000 individuals affected by Hacking/IT Incident
13. PeakTPA – 50,000 individuals affected by Hacking/IT Incident
14. Sandhills Medical Foundation, Inc. – 39,602 individuals affected by Hacking/IT Incident
15. ProPath Services, LLC – 39,213 individuals affected by Hacking/IT Incident
16. BioTel Heart – 38,575 individuals affected by Hacking/IT Incident
17. Healthgrades Operating Company, Inc. – 35,485 individuals affected by Hacking/IT Incident
18. The New London Hospital Association, Inc. – 34,878 individuals affected by Hacking/IT Incident
19. La Clinica de La Raza, Inc. (La Clinica) – 31,132 individuals affected by Hacking/IT Incident
20. Arizona Complete Health – 27,390 individuals affected by Hacking/IT Incident
21. Health Net Life Insurance Company – 26,637 individuals affected by Hacking/IT Incident
22. Colorado Retina Associates, P.C. – 26,609 individuals affected by Hacking/IT Incident
23. Haven Behavioral Healthcare – 21,714 individuals affected by Hacking/IT Incident
24. Health Prime International – 17,562 individuals affected by Hacking/IT Incident
25. CalViva Health – 15,287 individuals affected by Hacking/IT Incident

Causes of Healthcare Data Breaches in March 2021

43 breaches or 69.35% of the breaches this month were due to hacking/IT incidents involving exposed network servers and email accounts. The hacking incidents resulted in the breach of 2,867,472 records or 98.43% of all breached records in March. The average and median breach sizes were 66,685 records and 26,609 records, respectively. There were 17 breaches or 27.42% of all breaches reported in March due to unauthorized access/disclosure incidents. Those incidents resulted in the breach of 44,395 records or 1.52% of the month’s breaches. The average and median breach sizes were 2,611 records and 1,594 records, respectively. One incident involving 500 healthcare records was reported due to theft and another one affecting 717 persons was due to loss.

A lot of the reported breaches happened at business associates of HIPAA-covered entities and impacted several healthcare clients, for example, the cyberattack on Accellion that impacted its file transfer device. Hackers took advantage of vulnerabilities in the device and stole customer data files. The attackers demanded a ransom payment and issued threats to post the stolen information if no payment was made. The two biggest data breaches in March were because of this breach.

Other business associates attacked by ransomware impacted a number of healthcare companies. Netgain Technology LLC’s, as well as the 3rd and 5th biggest breaches in March, impacted at least 5 covered entities. The Med-Data incident was due to an employee who published files that contain healthcare data on GitHub.

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers reported 40 reported breaches and health plans reported 15 breaches. Although business associates only reported 5 data breaches, 30 of the month’s breaches reported by covered entities had business associates’ involvement. That figure increased by 200% from February.

Distribution of March 2021 Healthcare Data Breaches

The breaches were reported from 30 states. California had 11 data breaches reported. Texas reported 5 breaches; Florida and Massachusetts reported 4 breaches each; Illinois and Maryland reported 3 each; Arkansas, Arizona, Minnesota, Michigan, Missouri, Pennsylvania and Ohio reported 2 breaches each; and Alabama, Connecticut, Colorado, Georgia, Idaho, Louisiana, Kansas, Montana, Nevada, New Hampshire, Oregon, South Carolina, Utah, Tennessee, Wisconsin, West Virginia, and Washington reported one each.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights had two more HIPAA violation settlements in March. Both violations involved the HIPAA Right of Access. To date, there had been 18 settlements associated with OCR’s HIPAA Right of Access enforcement initiative. Arbour Hospital paid $65,000 while Village Plastic Surgery paid $30,000 as a financial penalty to settle the violations.

About Christine Garcia 1295 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA