November 2017 Healthcare Data Breach Report

Last month, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) received 21 reports of healthcare data breaches affecting more than 500 individuals, the second consecutive month in which reported breaches have decreased.


Although the number of breaches fell month on month, the number of individuals affected by healthcare data breaches rose from 71,377 to 107,143.


Leading Causes of November 2017 Healthcare Data Breaches

Last month there was an even spread between hacking/IT incidents, unauthorized disclosures, and loss/theft of devices or paper records containing ePHI, with 6 breaches each. There were also 3 reported breaches involving the improper disposal of ePHI and PHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported last month, the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center, were both hacking/IT incidents. The former involved an unauthorized individual possibly accessing electronic medical records, whereas the latter was a malicious software attack.

7 of the 21 breaches reported in November affected more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.


Location of Breached Protected Health Information

The OCR breach reports highlight the importance of physical safeguards to ensure the confidentiality of paper records. Last month, one-third of reported data breaches (7 incidents) involved paper/films. The month before, there were 5 reported incidents involving paper records.

A recent Accenture/HIMSS Analytics analysis found that email was the most common vector in cyberattacks on healthcare organizations. That was the case in October, when email was the most common location of breached data. Last month, email was the second most common location of breached PHI, behind paper/films, with 4 email-related breaches reported. There was an even spread across all other locations of breached PHI.


November 2017 Healthcare Data Breaches by Covered Entity Type

Last month saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports show that no business associates of covered entities were involved in any incidents reported last month.


Largest Healthcare Data Breaches of November 2017


| Breached Entity | Entity Type | Breach Type | Individuals Affected |
|---|---|---|---|
| Pulmonary Specialists of Louisville, PSC | Healthcare Provider | Hacking/IT Incident | 32,000 |
| Hackensack Sleep and Pulmonary Center | Healthcare Provider | Hacking/IT Incident | 16,474 |
| Shop-Rite Supermarkets, Incorporated | Healthcare Provider | Improper Disposal | 12,172 |
| The Medical College of Wisconsin, Inc. | Healthcare Provider | Hacking/IT Incident | 9,500 |
| Valley Family Medicine | Healthcare Provider | Unauthorized Access/Disclosure | 8,450 |
| Sports Medicine & Rehabilitation Therapy, Inc. | Healthcare Provider | Hacking/IT Incident | 7,000 |
| Humana Inc | Health Plan | Unauthorized Access/Disclosure | 5,764 |
| Alere Toxicology | Healthcare Provider | Unauthorized Access/Disclosure | 2,146 |
| Family & Cosmetic Dentistry of the Rockies | Healthcare Provider | Improper Disposal | 1,850 |
| Aetna Inc. | Health Plan | Unauthorized Access/Disclosure | 1,600 |


November 2017 Healthcare Data Breaches by State

The breaches reported in November were spread across 15 states. The worst-affected states were Massachusetts and Kentucky with 3 breaches each, followed by New Jersey and Colorado with 2 breaches each. One breach each was reported by healthcare organizations based in Alabama, Washington, Virginia, Texas, Pennsylvania, New York, Indiana, Florida, Connecticut, California, and Wisconsin.