In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.
600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.
Largest Healthcare Data Breaches in November 2019
| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
| Ivy Rehab Network, Inc. and its affiliated companies | Healthcare Provider | 125000 | Hacking/IT Incident | |
| Solara Medical Supplies, LLC | Healthcare Provider | 114007 | Hacking/IT Incident | |
| Saint Francis Medical Center | Healthcare Provider | 107054 | Hacking/IT Incident | Electronic Medical Record, Network Server |
| Southeastern Minnesota Oral & Maxillofacial Surgery | Healthcare Provider | 80000 | Hacking/IT Incident | Network Server |
| Elizabeth Family Health | Healthcare Provider | 28375 | Theft | Paper/Films |
| The Brooklyn Hospital Center | Healthcare Provider | 26312 | Hacking/IT Incident | Network Server |
| Utah Valley Eye Center | Healthcare Provider | 20418 | Hacking/IT Incident | Desktop Computer |
| Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) | Healthcare Provider | 15575 | Hacking/IT Incident | |
| Choice Cancer Care | Healthcare Provider | 14673 | Hacking/IT Incident | |
| Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona | Health Plan | 12886 | Hacking/IT Incident |
Causes of Healthcare Data Breaches in November 2019
Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.
There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.
There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.
Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.
November 2019 Healthcare Data Breaches by Covered Entity Type
There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.
November 2019 Healthcare Data Breaches by State
Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.
HIPAA Enforcement in November 2019
There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.
University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.
Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.
A substantial financial penalty was also imposed on The Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals unauthorized to view the data. ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, there was a lack of access controls, and DADS failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.
The post November 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.