Healthcare Data Breach Report for October 2019

October saw a 44.44% month-over-month rise in healthcare data breaches. The HHS’ Office for Civil Rights received 52 breach reports having 661,830 healthcare records exposed, stolen or impermissibly disclosed.

Including this month’s report, the total figure of breached healthcare records for 2019 is over 38 million. That translates to 11.64% of the United States population.

October 2019 Largest Healthcare Data Breaches

1. Betty Jean Kerr People’s Health Centers with 152,000 individuals affected due to hacking/IT Incident
2. Kalispell Regional Healthcare with 140,209 individuals affected due to hacking/IT Incident
3. The Methodist Hospitals, Inc. with 68,039 individuals affected due to hacking/IT Incident
4. Children’s Minnesota with 37,942 individuals affected due to unauthorized access/disclosure
5. Tots & Teens Pediatrics with 31,787 individuals affected due to hacking/IT Incident
6. University of Alabama at Birmingham with 19,557 individuals affecte due to hacking/IT Incident
7. Prisma Health – Midlands with 19,060 individuals affected due to hacking/IT Incident
8. South Texas Dermatopathology Laboratory with 15,982 individuals affected due to hacking/IT Incident
9. Central Valley Regional Center with 15,975 individuals affected due to hacking/IT Incident
10. Texas Health Harris Methodist Hospital Fort Worth with 14,881 individuals affected due to unauthorized access/disclosure

Causes of Healthcare Data Breaches in October 2019

  • In October, the following incidents were reported:
    18 hacking/IT incident reports involved 501,847 individual healthcare records. The average breach size and median breach size were 27,880 records and 9,413 records, respectively.
  • 28 breach reports due to unauthorized access/disclosure incidents involved 134,775 records. The mean breach size and median breach size were 4,813 records and 2,135 records, respectively. Those breaches consist of 15 different reports from Texas Health Resources.
  • 5 loss/theft incidents involved 13,454 records. The mean breach size and median breach size were 2,350 records and 2,752 records, respectively. There was one improper disposal incident, which involved 11,754 records.

Location of Breached Health Data

Phishing still causes challenges for healthcare companies. Healthcare providers struggle in blocking phishing attacks and not detecting them quickly. A number of phishing attacks were reported that took weeks to identify.

Though multi-factor authentication could help to lower the risk of cybercriminals stealing and using credentials o gain access to corporate email accounts, a lot of healthcare companies simply use this vital security control after the occurrence of a phishing attack.

This increased number of “other” breaches is because of the mailing error incident at Texas Health, which resulted in 15 of the 19 breach incidents belonging to the other category.

Most of the network server breaches were because of ransomware attacks, including the biggest healthcare data breach in October. That breach shows how crucial it is to have a backup copy of all data, which is tested to ensure data recovery and to have one backup copy kept on a device that is not networked or exposed online.

Data Breaches by Covered Entity Type

There were 45 data breaches reported by healthcare providers. Health plans reported three breaches, and business associates of HIPAA-covered entities reported four breaches. Four breaches were also tainted by business associate involvement though the covered entity reported them.

Healthcare Data Breaches by State
There were 24 states where healthcare providers and business associates reported data breaches. The following is the tally of breach reports by state:

  • Texas reported 17 incidents with 15 breach reports from Texas Health
  • Ohio reported 4 breaches
  • California reported 3 breaches
  • Arkansas, Florida, Maryland, Louisiana, South Carolina, New Mexico, and Virginia reported two breaches each
  • Arizona, Alabama, Georgia, Indiana, Illinois, Kentucky, Minnesota, Mississippi, Missouri, Montana, Oregon, New York, South Dakota, and Washington reported 1 breach each

HIPAA Enforcement Actions in October 2019

The HHS’ Office for Civil Rights announced two financial penalties for HIPAA violations in October – One was a settlement and one was a civil monetary penalty.

OCR investigated Elite Dental Associates after receiving a complaint from a patient whose PHI was publicly disclosed in a Yelp review. OCR discovered that her PHI wasn’t the only one disclosed in that way. OCR likewise found out that the practice does not provide sufficient information in its notice of privacy practices and therefore did not comply with the HIPAA Privacy Regulation. Elite Dental Associates settled this HIPAA violation case by paying OCR $10,000.

OCR investigated Jackson Health System after the media disclosure of PHI. A photo of an operating room containing the health data of two people including a popular NFL star was published. The OCR investigation revealed several violations of the Security Rule, Privacy Rule, and Breach Notification Rule in a span of several years. OCR charged Jackson Health System with a civil monetary penalty worth $2,154,000.