April 2019 was the worst month recorded, to date, for healthcare data breaches. More data breaches were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) during April than other other month since healthcare data breach reports were first reported in October 2009. In April, 46 healthcare data breaches were made known to OCR, which is a 48% increase from March and 67% higher than the average number of monthly HIPAA violations over the past six years.
While breach numbers have risen, the number of impacted healthcare records is down. In April 2019, 694,710 healthcare records were violated – a 23.9% drop from March. While the breaches were lower in March, the increase in breaches is of great concern, especially the increase in the number of healthcare phishing campaigns.
Biggest Healthcare Data Breaches Reported in April 2019
Two 100,000+ record data breaches were made known to the OCR during April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that breached the records of 206,695 patients.
The ransomware was used seven months after the attacker had first obtained access to its systems. The initial access was obtained via Remote Desktop Protocol (RDP) on a workstation.
The second biggest data breach was reported by the healthcare supplier Centrelake Medical Group. The breach lead to the exposure of 197,661 patients’ PHI and was also a ransomware attack that stopped patient information from being viewed. While the delay between access to the servers being obtained and the ransomware being deployed went on for a shorter period of time, it also appeared that the hacker had been exploring the network prior to using the malicious software. Access to the server was obtained 6 weeks prior to the ransomware being used. Ransomware was also utilized in the attack on ActivYouth Orthopaedics.
| Covered Body | Body Type | Records Breached | Sort of Breach T | Location of Violated PHI |
| Doctors Management Services, Inc. | Business Associate | 206695 | Hacking/IT Incident | Network Server |
| Centrelake Medical Group, Inc. | Healthcare Provider | 197661 | Hacking/IT Incident | Network Server |
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35000 | Unauthorized Access/Disclosure | Electronic Medical Record |
| EmCare, Inc. | Healthcare Provider | 31236 | Hacking/IT Incident | |
| Kim P. Kornegay, DMD | Healthcare Provider | 27000 | Theft | Desktop Computer, Electronic Medical Record, Paper/Films |
| Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics | Healthcare Provider | 24176 | Hacking/IT Incident | Network Server |
| Health Recovery Services, Inc. | Healthcare Provider | 20485 | Unauthorized Access/Disclosure | Network Server |
| Baystate Health | Healthcare Provider | 11658 | Hacking/IT Incident | |
| Riverplace Counseling Center, Inc. | Healthcare Provider | 11639 | Hacking/IT Incident | Network Server |
| Minnesota Department of Human Services | Healthcare Provider | 10263 | Hacking/IT Incident |
Healthcare Data Breaches: April 2019 Causes
Hacking/IT incidents reported during April 2019 were more than unauthorized access/disclosure incidents by double. 28 of the reported breaches of 500 or more records happened because of hacking/IT incidents. There were 14 unauthorized access/disclosure attempts recorded, two instances of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.
While 2018 saw a drop in the number of ransomware attacks across all industry sectors, the amount of ransomware attacks is rising once again, and healthcare is the most attacked sector. Remote Desktop Protocol often exploited to obtain access to servers and workstations to use ransomware.
In May, a Forescout study revealed that the use of vulnerable protocols is typical in the healthcare sector. Risk can be reduced by turning off these protocols, and if RDP must be used, to only use RDP with a VPN.
Phishing attacks also grew massively during April, which highlights just how vulnerable healthcare groups are to this sort of attack. Advanced anti-phishing and anti-spam solutions can lessen the volume of malicious emails that reach inboxes and in tandem with regular security awareness training, risk can be cut.
Deploying multi-factor authentication is also important. In the event of credentials being impacted, MFA will stop those credentials from being used to obtain access to PHI. MFA is not infallible, but it can ensure risk is minimized to a reasonable and acceptable level. According to Verizon, most credential theft attacks would not have lead to in a data breach if MFA been implemented.
Hacking/IT incidents lead to the largest number of compromised records in April 2019 – 384,219 records or 55% of all impacted records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.
Unauthorized access/disclosure incidents lead to the exposure of 264,016 records or 38% of the month’s total figure. While hacking incidents usually lead to more records being compromised, these incidents were more dangerous and had a mean breach size of 18,858 records. The median breach size was 3,193 records.
31,810 records were impacted because of loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.
Location of Violated Protected Health Information
Email was the most common location of violated PHI in April. Email was experienced in 22 data breaches – 47.8% of all breaches in April 2019. While this category incorporates misdirected emails, most email breaches were due to phishing attacks.
Network servers were seen in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.
Physical records likes paperwork, charts, and films were involved in 6 breaches – 13% of the month’s overall total.
April Violations by Covered Entity Type
April was a comparatively good month for business associates of covered bodies with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the biggest breach of the month.
Six health plans reported breaches in April and the other 38 breaches were reported by healthcare suppliers.
State by State: April 2019 Healthcare Data Breaches
Data breaches were reported by groups located in 21 states in April. California and Texas were the worst impacted, with each state having 5 violations. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by groups in Illinois.
Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had two breaches and one breach was recorded in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.
April 2019: HIPAA Enforcement Activity
There were no fines issued by the HHS’ Office for Civil Rights or state Attorneys General during April 2019.