May 2018 Healthcare Data Breach Report

June 22, 2018


April was a particularly bad month for healthcare data breaches, with 41 reported incidents. Although a month-over-month decrease in healthcare data breaches is good news, the severity of some of the breaches reported last month puts May on a par with April.


There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over-month decrease in reported breaches. Nevertheless, 838,587 healthcare records were exposed or stolen in those incidents – just 56,287 records fewer than in the 41 incidents in April.


In May, the average breach size was 28,917 records and the median was 2,793 records. In April the average breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most frequent type of breach in May 2018, with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). No losses of unencrypted electronic devices and no improper disposal incidents were reported in May.

The 12 hacking/IT incidents reported in May led to the theft/exposure of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 people – 0.27% of the monthly total.


Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred in September 2016, when malware was installed on the server that hosts its electronic health records.

Besides names and contact information, insurance information, clinical and treatment information, and, in some cases, Social Security numbers were compromised. The scale of the breach and the kinds of information exposed make it one of the most serious healthcare data breaches to come to light in 2018.


Location of Breached PHI

In May, the most common location of breached PHI was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. The level was similar in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.