November 24, 2018
Our October 2018 healthcare data breach report shows a month-over-month rise in healthcare data breaches, with October seeing more than one healthcare data breach reported per day.
31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 more incidents than in the preceding month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.
The number of breached records in September (134,006) was the lowest total for 6 months; however, the downward trend did not continue in October. There was a huge surge in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen, or impermissibly disclosed – 1,474% more than in the preceding month. In October, the mean breach size was 68,055 records and the median breach size was 4,058 records.
Biggest Healthcare Data Breaches in October 2018
There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase on the five 10,000+ record breaches in September. The biggest healthcare data breach in October resulted in the exposure of 1.24 million records: an unauthorized access/disclosure incident at the Workers Retirement System of Texas. A flaw in its ERS Online portal allowed members to view the PHI of other members.
566,217 records were exposed in a breach at Banker’s Life, a subsidiary of CNO Financial Group Inc., also an unauthorized access/disclosure incident. Employee credentials were stolen and used to gain access to company websites, resulting in the exposure and potential theft of policyholder and applicant information.
| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Workers Retirement System of Texas | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 2 | CNO Financial Group, Inc. | Health Plan | 566,217 | Unauthorized Access/Disclosure |
| 3 | Health First, Inc | Healthcare Provider | 42,000 | Hacking/IT Incident |
| 4 | Jones Eye Center, P.C. | Healthcare Provider | 39,605 | Hacking/IT Incident |
| 5 | Gold Coast Health Plan | Business Associate | 37,005 | Hacking/IT Incident |
| 6 | The May Eye Care Center | Healthcare Provider | 30,000 | Hacking/IT Incident |
| 7 | CJ Elmwood Partners, L.P. | Healthcare Provider | 22,416 | Hacking/IT Incident |
| 8 | Minnesota Division of Human Services | Health Plan | 20,800 | Hacking/IT Incident |
| 9 | Catawba Valley Medical Center | Healthcare Provider | 20,000 | Hacking/IT Incident |
| 10 | National Ambulatory Hernia Institute | Healthcare Provider | 15,974 | Hacking/IT Incident |
Causes of October 2018 Healthcare Data Breaches
Unauthorized access/disclosure breaches accounted for the largest number of compromised records; however, hacking/IT incidents were more common in October. October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.
Healthcare Records Disclosed by Breach Cause
Location of Breached Protected Health Information
Phishing is arguably the main cyber threat faced by healthcare organizations, and October saw several phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure through email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.
Data Breaches by Covered-Entity Type
In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.
In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records were exposed by business associates.
Healthcare Data Breaches by State
Texas was the worst affected state for healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Iowa, Indiana, and Pennsylvania. Minnesota, Missouri, North Carolina, New Mexico, Oklahoma, and Oregon had one breach each.
Fines for HIPAA Violations in October
After a period of quiet on the HIPAA fine front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without consent. These were followed in October by a huge penalty for Anthem Inc.
The Anthem Inc. HIPAA violation fine was expected, and given the scale of the breach (78.8 million records), the fine was always likely to be large. After evaluating the extent of the HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest ever HIPAA fine was $5,550,000 (Advocate Health Care Network, 2016).
In October, a multi-state action against the health insurer Aetna was resolved and settlements were reached to resolve the HIPAA violations. The settlements related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses through a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totaling $640,170. Washington was also part of the multi-state action; however, the settlement amount has not yet been decided.