There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches take the total number of healthcare data breaches in the past 12 months (September 2020 to August 2021) to 707, with 440 of those data breaches reported in 2021.
While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.
Largest Healthcare Data Breaches Reported in August 2021
Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.
It is now the norm for hackers to exfiltrate sensitive data before deploying ransomware and then demand payment both for the keys to decrypt data and to prevent the stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shut down, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free: Bitdefender released a free Sodinokibi/REvil decryptor last week.
In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.
Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.
| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Cause |
|---|---|---|---|---|
| St. Joseph’s/Candler Health System, Inc. | Healthcare Provider | 1,400,000 | Hacking/IT Incident | Ransomware attack |
| University Medical Center Southern Nevada | Healthcare Provider | 1,300,000 | Hacking/IT Incident | Ransomware attack |
| DuPage Medical Group, Ltd. | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware attack |
| UNM Health | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident |
| Denton County, Texas | Healthcare Provider | 326,417 | Unauthorized Access/Disclosure | Online exposure of COVID-19 vaccination data |
| Metro Infectious Disease Consultants | Healthcare Provider | 171,740 | Hacking/IT Incident | Email accounts compromised |
| LifeLong Medical Care | Healthcare Provider | 115,448 | Hacking/IT Incident | Ransomware attack (Netgain Technologies) |
| CareATC, Inc. | Healthcare Provider | 98,774 | Hacking/IT Incident | Email accounts compromised |
| San Andreas Regional Center | Business Associate | 57,244 | Hacking/IT Incident | Ransomware attack |
| CarePointe ENT | Healthcare Provider | 48,742 | Hacking/IT Incident | Ransomware attack |
| South Florida Community Care Network LLC d/b/a Community Care Plan | Health Plan | 48,344 | Unauthorized Access/Disclosure | PHI emailed to a personal email account |
| Electromed | Healthcare Provider | 47,200 | Hacking/IT Incident | Unspecified hacking incident |
| Queen Creek Medical Center d/b/a Desert Wells Family Medicine | Healthcare Provider | 35,000 | Hacking/IT Incident | Ransomware attack |
| The Wedge Medical Center | Healthcare Provider | 29,000 | Hacking/IT Incident | Unspecified hacking incident |
| Gregory P. Vannucci DDS | Healthcare Provider | 26,144 | Hacking/IT Incident | Unspecified hacking incident |
| Texoma Community Center | Healthcare Provider | 24,030 | Hacking/IT Incident | Email accounts compromised |
| Family Medical Center of Michigan | Healthcare Provider | 21,988 | Hacking/IT Incident | Ransomware attack |
| Central Utah Clinic, P.C. dba Revere Health | Healthcare Provider | 12,433 | Hacking/IT Incident | Email accounts compromised (Phishing) |
| Hospice of the Piedmont | Healthcare Provider | 10,682 | Hacking/IT Incident | Email accounts compromised |
| Long Island Jewish Forest Hills Hospital | Healthcare Provider | 10,333 | Unauthorized Access/Disclosure | Unauthorized medical record access by employee |
Causes of August 2021 Healthcare Data Breaches
Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.
There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.
Healthcare Data Breaches by State
August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.
| State | Number of Reported Data Breaches |
|---|---|
| Texas | 4 |
| Arizona & Illinois | 3 |
| California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia | 2 |
| Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin | 1 |
Healthcare Data Breaches by Covered Entity Type
Healthcare providers were the worst affected covered entity type with 30 reported data breaches, 4 of which occurred at business associates but were reported by the healthcare provider. Four data breaches were reported by health plans, and business associates self-reported 4 breaches.
HIPAA Enforcement Activity in August 2021
The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.
The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021.
The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.