Last month, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that affected over 500 people, the second successive month in which reported breaches have decreased.
Although the number of breaches fell month on month, the number of people affected by healthcare data breaches rose from 71,377 to 107,143.
Main Causes of November 2017 Healthcare Data Breaches
Last month there was an even split between hacking/IT incidents, unauthorized disclosures, and loss/theft of devices or paper records containing ePHI, with 6 breaches each. There were also 3 reported breaches involving the improper disposal of ePHI and PHI. Two of those incidents involved paper documents and one involved a portable electronic device.
The two largest data breaches reported last month, the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center, were both hacking/IT incidents. The former involved an unauthorized individual possibly accessing electronic medical records, whereas the latter was an attack involving illegal computer software.
7 of the 21 breaches reported in November affected over 5,000 people. The mean breach size was 5,102 records. The median breach size was 1,551 records.
Location of Stolen and Exposed Protected Health Information
The OCR breach reports show the importance of applying physical safeguards to ensure the confidentiality of paper records. Last month, one-third of reported data breaches (7 cases) involved paper/films. The previous month there were 5 reported cases involving paper records.
A recent Accenture/HIMSS Analytics analysis found that email was the most common route for cyberattacks on healthcare organizations. That was the case in October, when email was the most common location of breached data. Last month, email was the second most common location of breached PHI behind paper/films, with 4 email-related breaches reported. The remaining breaches were spread evenly across all other locations of breached PHI.
November 2017 Healthcare Data Breaches by Covered Entity Type
Last month saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports show no business associates of covered entities were involved in any incidents reported last month.
Largest Healthcare Data Breaches of November 2017
| Breached Entity | Entity Type | Breach Type | People Affected |
|---|---|---|---|
| Pulmonary Specialists of Louisville, PSC | Healthcare Provider | Hacking/IT Incident | 32,000 |
| Hackensack Sleep and Pulmonary Center | Healthcare Provider | Hacking/IT Incident | 16,474 |
| Shop-Rite Supermarkets, Incorporated | Healthcare Provider | Improper Disposal | 12,172 |
| The Medical College of Wisconsin, Inc. | Healthcare Provider | Hacking/IT Incident | 9,500 |
| Valley Family Medicine | Healthcare Provider | Unauthorized Access/Disclosure | 8,450 |
| Sports Medicine & Rehabilitation Therapy, Inc. | Healthcare Provider | Hacking/IT Incident | 7,000 |
| Humana Inc | Health Plan | Unauthorized Access/Disclosure | 5,764 |
| Alere Toxicology | Healthcare Provider | Unauthorized Access/Disclosure | 2,146 |
| Family & Cosmetic Dentistry of the Rockies | Healthcare Provider | Improper Disposal | 1,850 |
| Aetna Inc. | Health Plan | Unauthorized Access/Disclosure | 1,600 |
November 2017 Healthcare Data Breaches by State
The breaches reported in November were spread across 15 states. The worst affected states were Massachusetts and Kentucky with 3 breaches each, followed by New Jersey and Colorado with 2 breaches each. One breach was reported by healthcare organizations based in each of Alabama, Washington, Virginia, Texas, Pennsylvania, New York, Indiana, Florida, Connecticut, California, and Wisconsin.