April Was the Cruelest Month for Healthcare Data Breaches

HealthITSecurity Thinkstock


April Was the Cruelest Month for Healthcare Data Breaches

April brings rain and HIPAA breaches, with April being the worst month for healthcare data breaches so far this year, according to the data posted on the OCR’s Breach Portal.

For the month of April, 42 cyber incidents were reported to OCR, affecting 896,532 individuals. This compares with 29 incidents affecting 847,230 individuals in May, the next most prolific breach month.

Of the 42 incidents in April, 17 involved unauthorized access/disclosure, 14 involved hacking/IT incidents, and 11 involved theft/loss.

For May’s 29 incidents, 14 involved unauthorized access/disclosure, 13 involving hacking/IT incident, and 2 involved theft/loss.

In March, there were 27 incidents affecting 323,165 individuals; in June, 24 incidents affecting 342,919; in February, 22 incidents affecting 284,133 individuals; and in January, 21 incidents affecting 489,767.

For the first half of 2018, 165 cyber incidents were reported to OCR, affecting 3.2 million individuals. Of those 165 incidents, 70 involved unauthorized access/disclosure, 59 involved hacking/IT incident, 32 involved theft/loss, and 4 involved improper disposal.

Below is a list of the top 10 largest breaches in the first half of this year.

The largest data breach involved California Department of Developmental Services, which experienced the theft of 12 computers containing medical records on 582,174 individuals.

Close behind was the breach at LifeBridge Health, which suffered a malware attack on one of its servers that exposed PHI on 538,127 individuals. LifeBridge Health detected in March that malware on the server that hosts EMRs of Potomac Physicians, one of its physician practices, and the shared registration and billing system for some other LifeBridge Health providers, had been breached by an unauthorized third party back in September 2016.

The third largest breach in the first half of 2018 was Oklahoma State University Center for Health Sciences, which experienced a network server hack that affected 279,865 individuals. The center said in January that it learned that there had been unauthorized computer network access by a third party on November 7, 2017, and the third party removed folders containing Medicaid data from the network on November 8.

The fourth largest was Med Associates, a Latham, NY-based health billing company, which reported that an unauthorized individual had accessed an employee’s workstation, exposing PHI on 276,057 people.

The fifth largest was New York-based St. Peter’s Ambulatory Surgery Center, DBA, St. Peter’s Surgery & Endoscopy Center, which experienced a network server hack that affected 134,512 individuals. An unauthorized third party gained access on January 8, 2018, to its servers, which may have contained patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information.

The sixth largest was California-based Center for Orthopaedic Specialists, which experienced a cybersecurity incident similar to a ransomware attack that put PHI of 81,550 individuals at risk.

Tufts Associated Health Maintenance Organization, which experienced a vendor error that affected 70,320 individuals, was the seventh largest breach. A vendor that handles the mailing of member identification (ID) cards reportedly sent out envelopes with patient information visible in the mailing window, which created a Tufts Health Plan data breach.

Number eight went to the Oregon Clinic, which had an email hack that affected 64,487 individuals. Oregon Clinic announced May 9 that hacker gained access to an employee email account and may have accessed PHI on that account. PHI that may have been compromised included names, dates of birth, medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information, and/or health insurance information.

The ninth place largest was the Florida Agency for Persons with Disabilities, which experienced an email hack affecting 63,627 people. Information that was exposed included names, addresses, birth dates, health information, telephone numbers, and Social Security numbers. The agency said that it has no evidence that the information has been misused.

And the tenth largest breach in the first half of 2018 was Middletown Medical, which experienced an unauthorized access to its EMR that affected 63,551 people. NY-based healthcare provider Middletown Medical announced March 29, 2018, that a data breach in January 2018 could have exposed names, birth dates, client IDs, and treatment information, such as radiology reports, on an undisclosed number of patients.