September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month.
1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks.
Largest Healthcare Data Breaches in September 2019
The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact nature of the breach is unclear.
Those four breaches accounted for 85.80% of the healthcare records breached in September.
| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Women’s Care Florida, LLC | Healthcare Provider | 528188 | Hacking/IT Incident | Network Server |
| Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439753 | Hacking/IT Incident | Network Server |
| Sarrell Dental | Healthcare Provider | 391472 | Hacking/IT Incident | Network Server |
| Premier Family Medical | Healthcare Provider | 320000 | Hacking/IT Incident | Network Server |
| Magellan Healthcare | Business Associate | 55637 | Hacking/IT Incident | |
| CHI Health Orthopedics Clinic - Lakeside | Healthcare Provider | 48000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| Kilgore Vision Center | Healthcare Provider | 40000 | Hacking/IT Incident | Network Server |
| Peoples Injury Network Northwest | Healthcare Provider | 27000 | Hacking/IT Incident | Network Server |
| Sweetser | Healthcare Provider | 22000 | Hacking/IT Incident | |
| Perfect Teeth Yale, P.C. | Healthcare Provider | 15000 | Loss | Other Portable Electronic Device |
Causes of September 2019 Healthcare Data Breaches
Hacking/IT incidents dominated the breach reports in September with 24 incidents reported. There were 9 unauthorized access/disclosure incidents and three cases of loss/theft of physical and electronic records.
1,917,657 healthcare records were compromised in the 24 hacking/IT incidents, which accounted for 97.98% of breached records in September. The mean breach size was 958,829 records and the median breach size was 5,255 records.
Unauthorized access/disclosure incidents in September accounted for 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.
Location of Breached Protected Health Information
Phishing continues to be a major problem area for the healthcare industry. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.
September 2019 Healthcare Data Breaches by Covered Entity Type
28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. A further four breaches had some business associate involvement but were reported by the covered entity.
States Affected by September 2019 Healthcare Data Breaches
September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst affected with three breaches each. There were two breaches reported by entities based in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.
HIPAA Enforcement Activity in September 2019
In September 2019, the HHS’ Office for Civil Rights announced its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was issued with an $85,000 financial penalty for the failure to provide a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took 9 months and multiple attempts by the patient before she was provided with the records.
This month, OCR Director Roger Severino gave an update on OCR’s main enforcement priorities and confirmed that noncompliance with the HIPAA right of access is still a major focus for OCR. Further financial penalties can be expected over the coming weeks and months for healthcare organizations that fail to provide individuals with copies of their health information within a reasonable time frame and at a reasonable cost.
There were no financial penalties issued by state attorneys general in September over HIPAA violations.