December 2020 Healthcare Data Breach Report

January 18, 2021

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

2020 Healthcare Data Breaches

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

healthcare records breached in 2020

Largest Healthcare Data Breaches Reported in December 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause |
|---|---|---|---|---|---|
| MEDNAX Services, Inc. | FL | Business Associate | 1,290,670 | Hacking/IT Incident | Phishing attack |
| Dental Care Alliance, LLC | FL | Business Associate | 1,004,304 | Hacking/IT Incident | Unspecified hacking incident |
| Aetna ACE | CT | Health Plan | 484,157 | Hacking/IT Incident | Phishing attack (business associate) |
| Allegheny Health Network | PA | Healthcare Provider | 299,507 | Hacking/IT Incident | Ransomware attack (Blackbaud) |
| AMITA Health | IL | Healthcare Provider | 261,054 | Hacking/IT Incident | Ransomware attack (Blackbaud) |
| Community Eye Care, LLC | NC | Health Plan | 149,804 | Hacking/IT Incident | Email account breach |
| GenRx Pharmacy | AZ | Healthcare Provider | 137,110 | Hacking/IT Incident | Ransomware attack |
| Wilmington Surgical Associates, P.A. | NC | Healthcare Provider | 114,834 | Hacking/IT Incident | Ransomware attack |
| Agency for Community Treatment Services, Inc. | FL | Healthcare Provider | 73,825 | Hacking/IT Incident | Ransomware attack |
| Sonoma Valley Healthcare District | CA | Healthcare Provider | 69,000 | Hacking/IT Incident | Ransomware attack |

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. 5 of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which was discovered by the cloud service provider in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

Causes of December 2020 healthcare data breaches

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Location of PHI in December 2020 healthcare data breaches

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 healthcare data breaches by covered entity type

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance. 19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December, the 13th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.