50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.
The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.
Largest Healthcare Data Breaches in January 2022
18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Breach Cause |
North Broward Hospital District d/b/a Broward Health | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |
Medical Review Institute of America | UT | Business Associate | 134,571 | Hacking/IT Incident | Network Server | Ransomware attack |
Medical Healthcare Solutions, Inc. | MA | Business Associate | 133,997 | Hacking/IT Incident | Network Server | Ransomware attack |
Ravkoo | FL | Healthcare Provider | 105,000 | Hacking/IT Incident | Other | Cyberattack on cloud prescription portal |
TTEC Healthcare Solutions | CO | Business Associate | 86,305 | Hacking/IT Incident | Network Server | Ransomware attack |
Advocates, Inc. | MA | Healthcare Provider | 68,236 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |
iRise Florida Spine and Joint Institute, LLC | FL | Healthcare Provider | 61,595 | Hacking/IT Incident | | Email accounts accessed by unauthorized individuals |
Suncoast Skin Solutions | FL | Healthcare Provider | 57,730 | Hacking/IT Incident | Network Server | Ransomware attack |
Hospital Authority of Valdosta and Lowndes County Georgia | GA | Healthcare Provider | 41,692 | Unauthorized Access/Disclosure | Desktop Computer | Unauthorized access and PHI theft by former employee |
Family Christian Health Center | IL | Healthcare Provider | 31,000 | Hacking/IT Incident | Network Server | Ransomware attack |
Lakeshore Bone & Joint Institute, PC | IN | Healthcare Provider | 23,627 | Hacking/IT Incident | | Email account accessed by unauthorized individual |
South City Hospital | MO | Healthcare Provider | 21,601 | Theft | Network Server, Other | Burglary |
Pace Center for Girls | FL | Healthcare Provider | 18,300 | Unauthorized Access/Disclosure | Network Server | Unspecified hacking and data theft incident |
County of Kings, a political subdivision of the State of California | CA | Healthcare Provider | 16,590 | Hacking/IT Incident | Network Server | Misconfigured web server |
Philadelphia FIGHT Community Health Centers | PA | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Unspecified hacking incident |
Catholic Hospice, Inc. | FL | Healthcare Provider | 14,986 | Hacking/IT Incident | | Email accounts accessed by unauthorized individuals |
Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness | TX | Healthcare Provider | 12,186 | Hacking/IT Incident | | Email accounts accessed by unauthorized individuals |
Spencer Gifts LLC Health and Welfare Benefit Plan | NJ | Health Plan | 10,023 | Hacking/IT Incident | Network Server | Unspecified hacking and data theft incident |
Causes of January 2022 Healthcare Data Breaches
Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.
Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.
Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combatting phishing attacks requires a combination of email security solutions and end-user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When this training is combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.
There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection with the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.
Data Breaches by HIPAA-Regulated Entity Type
Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.
Healthcare Data Breaches by State
Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. Florida was the worst affected state, with 7 data breaches.
State | Number of Reported Data Breaches |
Florida | 7 |
Pennsylvania | 6 |
California | 4 |
Illinois, Massachusetts, New Jersey & New York | 3 |
Colorado, Georgia, Ohio, Tennessee, Texas, & Utah | 2 |
Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin | 1 |
HIPAA Enforcement in January 2022
There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.
The post January 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.