October 2018 Healthcare Data Breach Statement

Nov 23, 2018


Our October 2018 healthcare data breach report shows a month-over-month rise in healthcare data breaches, with October seeing more than one healthcare data breach reported per day.

31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 more than in the preceding month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.

The number of breached records in September (134,006) was the lowest total in 6 months; however, the downward trend did not continue in October. There was a huge rise in exposed protected health information (PHI) in October: 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than in the preceding month. In October, the average (mean) breach size was 68,055 records and the median was 4,058 records.

There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase on the five 10,000+ record breaches in September. The largest healthcare data breach in October led to the exposure of 1.24 million records. Employee credentials were stolen and used to gain access to company websites, leading to the exposure and possible theft of policyholder and applicant information.


| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|------|------------------------|---------------------|----------------------|----------------|
| 1 | Employees Retirement System of Texas | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 2 | CNO Financial Group, Inc. | Health Plan | 566,217 | Unauthorized Access/Disclosure |
| 3 | Health First, Inc | Healthcare Provider | 42,000 | Hacking/IT Incident |
| 4 | Jones Eye Center, P.C. | Healthcare Provider | 39,605 | Hacking/IT Incident |
| 5 | Gold Coast Health Plan | Business Associate | 37,005 | Hacking/IT Incident |
| 6 | The May Eye Care Center | Healthcare Provider | 30,000 | Hacking/IT Incident |
| 7 | CJ Elmwood Partners, L.P. | Healthcare Provider | 22,416 | Hacking/IT Incident |
| 8 | Minnesota Department of Human Services | Health Plan | 20,800 | Hacking/IT Incident |
| 9 | Catawba Valley Medical Center | Healthcare Provider | 20,000 | Hacking/IT Incident |
| 10 | National Ambulatory Hernia Institute | Healthcare Provider | 15,974 | Hacking/IT Incident |

Reasons for October 2018 Healthcare Data Breaches

Unauthorized access/disclosure breaches accounted for the largest number of compromised records; however, hacking/IT incidents were more common in October. October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.

Healthcare Records Disclosed by Breach Cause

Site of Breached Protected Health Information

Phishing is arguably the main cyber threat faced by healthcare organizations, and October saw several phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure through email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.


Data Breaches by Covered-Entity Type

In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.

In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records were exposed by business associates.

Healthcare Data Breaches by State

Texas was worst affected by healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Oklahoma, New Mexico, and North Carolina, while Missouri, Minnesota, Indiana, Iowa, Pennsylvania, and Oregon had one breach apiece.

Fines for HIPAA Violations in October

After a period of silence on the HIPAA penalty front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without authorization.

The Anthem Inc. HIPAA violation fine was expected, and given the scale of the breach (78.8 million records), the fine was always likely to be large. After evaluating the extent of the HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest ever HIPAA fine was $5,550,000 (Advocate Health Care Network, 2016).

In October, a multi-state action against the health insurer Aetna was settled and settlements were reached to resolve the HIPAA violations. The fines related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses through a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totalling $640,170. Washington was also part of the multi-state action; however, its settlement amount has not yet been finalized.