July saw a large drop in the number of reported data breaches involving at least 500 healthcare records. There were 36 reports in July, 30.8% fewer than June’s 52. The number of breached records, however, rose by 26.3%, which indicates that some of last month’s breaches were especially severe.
There were 1,322,211 healthcare records exposed, impermissibly disclosed or stolen in July. The average breach size and median breach size were 36,728 records and 6,537 records, respectively.
Biggest Healthcare Data Breach Reports in July 2020
There were 14 healthcare data breaches that involved at least 10,000 records, two of which involved more than 100,000 records. The biggest data breach was reported by Florida Orthopaedic Institute, where a ransomware attack affected 640,000 individuals whose data was potentially exposed or stolen. The other 100,000+ record breach was reported by Behavioral Health Network in Maine, where a “malware” attack on its systems resulted in the inability to access healthcare records and the compromise of 129,871 healthcare records.
1. Florida Orthopaedic Institute – 640,000 individuals affected due to Hacking/IT Incident
2. Behavioral Health Network, Inc. – 129,571 individuals affected due to Hacking/IT Incident
3. NCP Healthcare Management Company – 78,070 individuals affected due to Hacking/IT Incident
4. Walgreen Co. – 72,143 individuals affected due to Theft
5. Allergy and Asthma Clinic of Fort Worth – 69,777 individuals affected due to Hacking/IT Incident
6. WellCare Health Plans – 50,439 individuals affected due to Unauthorized Access/Disclosure
7. Maryland Health Enterprises DBA Lorien Health Services – 47,754 individuals affected due to Hacking/IT Incident
8. Central California Alliance for Health – 35,883 individuals affected due to Hacking/IT Incident
9. University of Maryland Faculty Physicians, Inc. / University of Maryland Medical Center – 33,896 individuals affected due to Hacking/IT Incident
10. Highpoint Foot & Ankle Center – 25,554 individuals affected due to Hacking/IT Incident
11. Accu Copy of Greenville, Incorporated – 21,800 individuals affected due to Hacking/IT Incident
12. CVS Pharmacy – 21,289 individuals affected due to Loss
13. Owens Ear Center – 19,908 individuals affected due to Unauthorized Access/Disclosure
14. University of Utah – 10,000 individuals affected due to Hacking/IT Incident
15. Rite Aid Corporation – 9,200 individuals affected due to Theft
Causes of Healthcare Data Breaches in July 2020
Hacking and other IT incidents accounted for 25 of July’s breaches (69.4%) and for 1,141,063 breached records (86.3% of the total). The mean breach size was 45,643 records and the median 7,000 records.
There were 6 unauthorized access/disclosure incidents involving 76,553 records, with a mean breach size of 12,759 records and a median of 2,123 records. Four breaches were due to theft and affected the PHI/ePHI of 83,306 individuals; the mean breach size was 20,827 records and the median 5,332 records. One incident was due to loss and involved the PHI/ePHI of 20,827 individuals.
Many pharmacies throughout the United States, including CVS, Walgreens, and Rite Aid locations, were looted during the civil unrest that followed the death of George Floyd. In addition to prescription medicines, devices containing ePHI and paperwork containing sensitive patient data were stolen in the break-ins.
Phishing attacks generally top the healthcare breach reports. Although the most common type of breach last July was email-related, network server breaches were next, and these usually involve malware or ransomware. The surge in human-operated ransomware attacks is a major concern because they involve the theft of patient data before file encryption. The attackers threaten to expose or sell patient data if the ransom is not paid, and there is no assurance that they will delete the stolen data even after payment. Phishing and ransomware attacks are likely to remain the leading causes of data breaches in the coming months.
Web filters, spam filters, multi-factor authentication, and end-user training are important for reducing exposure to phishing attacks. Ransomware and other malware are frequently delivered via email, and these tools help block such attacks. It is also important to apply patches promptly: many recent ransomware attacks exploited vulnerabilities for which patches had been available for weeks or months before the attack. Brute-force attacks on RDP are still common, so strong passwords are vital. In human-operated ransomware attacks, the attackers usually gain access to healthcare networks weeks before the ransomware is deployed. Monitoring network and event logs for anomalous user behavior can help identify and stop an attack before that stage.
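As an added example (not from the original report), the following Python shows the kind of event log monitoring described above: it scans constructed Windows-style logon events for bursts of failed RDP logons from one source and flags a source whose burst is followed by a successful RDP logon. The line format, field names and sample addresses are assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, loosely modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon); LogonType 10 is
# RemoteInteractive (RDP). The line format itself is an assumption here.
SAMPLE_EVENTS = """\
2020-07-12T02:14:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-07-12T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-07-12T02:14:05 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2020-07-12T02:14:07 EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2020-07-12T02:14:09 EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.45
2020-07-12T02:14:30 EventID=4624 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.45
2020-07-12T08:01:10 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.23
2020-07-12T08:02:15 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.23
2020-07-12T08:02:40 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.23
2020-07-12T09:00:00 EventID=4625 LogonType=2 TargetUser=nurse1 SourceIP=10.0.0.50
"""

def parse_events(text):
    """Turn each 'key=value' line into a dict; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: verdict} for sources with >= threshold RDP logon
    failures inside a sliding time window. A later successful RDP logon from
    the same source upgrades the verdict from 'bruteforce' to 'possible_compromise'."""
    failures = defaultdict(deque)
    verdicts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("LogonType") != "10":
            continue  # only RDP logons matter for this detection
        src = ev["SourceIP"]
        if ev["EventID"] == "4625":
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif ev["EventID"] == "4624" and src in verdicts:
            verdicts[src] = "possible_compromise"
    return verdicts
```

A user who mistypes a password twice (10.0.0.23) stays below the threshold, while the spray of five different usernames followed by a success (203.0.113.45) is the pattern worth an immediate investigation.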
Healthcare Data Breaches According to Covered Entity Type
Healthcare providers reported 26 data breaches in July 2020. Health plans reported 4, and business associates of HIPAA-covered entities reported 6 breaches, though three other breaches that a covered entity reported were found to have some business associate involvement.
Healthcare Data Breaches by State
HIPAA-covered entities and business associates from 21 states reported the 36 data breaches. California and Texas reported 4 breaches each; Florida and Pennsylvania reported three breaches each; Illinois, Maryland, Massachusetts, North Carolina, and Wisconsin reported two breaches each. The following states reported one breach each: Alaska, Arizona, Connecticut, Colorado, Michigan, New Mexico, Nebraska, New York, Rhode Island, Ohio, West Virginia, and Utah.
HIPAA Enforcement in July 2020
This year, the HHS’ Office for Civil Rights has issued several notices of enforcement discretion covering the COVID-19 public health emergency, but that does not mean OCR has eased HIPAA Rules enforcement. OCR acknowledges that maintaining full compliance with all HIPAA Rules is difficult during these times; however, entities found to be in violation of the HIPAA Rules can and will eventually face financial penalties.
In July, OCR announced two HIPAA violation settlements with HIPAA-covered entities. Lifespan Health System Affiliated Covered Entity paid $1,040,000 to resolve HIPAA violations discovered during the investigation of a 2017 breach report involving the theft of an unencrypted laptop that held the ePHI of 20,431 patients. Metropolitan Community Health Services dba Agape Health Services paid $25,000 to resolve violations related to a 2011 data breach affecting 1,263 patient records.