August 2021 Healthcare Data Breach Report

By | September 21, 2021

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021.

Healthcare data breaches in the past 12 months

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment for the keys to decrypt data and to prevent stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shutdown, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free. Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Cause
St. Joseph’s/Candler Health System, Inc. Healthcare Provider 1,400,000 Hacking/IT Incident Ransomware attack
University Medical Center Southern Nevada Healthcare Provider 1,300,000 Hacking/IT Incident Ransomware attack
DuPage Medical Group, Ltd. Healthcare Provider 655,384 Hacking/IT Incident Ransomware attack
UNM Health Healthcare Provider 637,252 Hacking/IT Incident Unspecified hacking incident
Denton County, Texas Healthcare Provider 326,417 Unauthorized Access/Disclosure Online exposure of COVID-19 vaccination data
Metro Infectious Disease Consultants Healthcare Provider 171,740 Hacking/IT Incident Email accounts compromised
LifeLong Medical Care Healthcare Provider 115,448 Hacking/IT Incident Ransomware attack (Netgain Technologies)
CareATC, Inc. Healthcare Provider 98,774 Hacking/IT Incident Email accounts compromised
San Andreas Regional Center Business Associate 57,244 Hacking/IT Incident Ransomware attack
CarePointe ENT Healthcare Provider 48,742 Hacking/IT Incident Ransomware attack
South Florida Community Care Network LLC d/b/a Community Care Plan Health Plan 48,344 Unauthorized Access/Disclosure PHI emailed to a personal email account
Electromed Healthcare Provider 47,200 Hacking/IT Incident Unspecified hacking incident
Queen Creek Medical Center d/b/a Desert Wells Family Medicine Healthcare Provider 35,000 Hacking/IT Incident Ransomware attack
The Wedge Medical Center Healthcare Provider 29,000 Hacking/IT Incident Unspecified hacking incident
Gregory P. Vannucci DDS Healthcare Provider 26,144 Hacking/IT Incident Unspecified hacking incident
Texoma Community Center Healthcare Provider 24,030 Hacking/IT Incident Email accounts compromised
Family Medical Center of Michigan Healthcare Provider 21,988 Hacking/IT Incident Ransomware attack
Central Utah Clinic, P.C. dba Revere Health Healthcare Provider 12,433 Hacking/IT Incident Email accounts compromised (Phishing)
Hospice of the Piedmont Healthcare Provider 10,682 Hacking/IT Incident Email accounts compromised
Long Island Jewish Forest Hills Hospital Healthcare Provider 10,333 Unauthorized Access/Disclosure Unauthorized medical record access by employee

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

Causes of Healthcare Data Breaches Reported in August 2021

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

Location of breached PHI in August 2021 healthcare data breaches

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

State Number of Reported Data Breaches
Texas 4
Arizona & Illinois 3
California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia 2
Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin 1

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. 4 data breaches were reported by health plans, and business associates self-reported 4 breaches.

August 2021 healthcare data breaches by covered entity type

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021

 

The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.