Healthcare Data Breach Report for April 2019

April 2019 was the worst month recorded, to date, for healthcare data breaches. More data breaches were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) during April than other other month since healthcare data breach reports were first reported in October 2009. In April, 46 healthcare data breaches were made known to OCR, which is a 48% increase from March and 67% higher than the average number of monthly HIPAA violations over the past six years.

While breach numbers have risen, the number of impacted healthcare records is down. In April 2019, 694,710 healthcare records were violated – a 23.9% drop from March.  While the breaches were lower in March, the increase in breaches is of great concern, especially the increase in the number of healthcare phishing campaigns.

Biggest Healthcare Data Breaches Reported in April 2019

Two 100,000+ record data breaches were made known to the OCR during April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that breached the records of 206,695 patients.

The ransomware was used seven months after the attacker had first obtained access to its systems. The initial access was obtained via Remote Desktop Protocol (RDP) on a workstation.

The second biggest data breach was reported by the healthcare supplier Centrelake Medical Group. The breach lead to the exposure of 197,661 patients’ PHI and was also a ransomware attack that stopped patient information from being viewed. While the delay between access to the servers being obtained and the ransomware being deployed went on for a shorter period of time, it also appeared that the hacker had been exploring the network prior to using the malicious software. Access to the server was obtained 6 weeks prior to the ransomware being used. Ransomware was also utilized in the attack on ActivYouth Orthopaedics.

Covered BodyBody TypeRecords BreachedSort of Breach TLocation of Violated PHI
Doctors Management Services, Inc.Business Associate206695Hacking/IT IncidentNetwork Server
Centrelake Medical Group, Inc.Healthcare Provider197661Hacking/IT IncidentNetwork Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions InstituteHealthcare Provider35000Unauthorized Access/DisclosureElectronic Medical Record
EmCare, Inc.Healthcare Provider31236Hacking/IT IncidentEmail
Kim P. Kornegay, DMDHealthcare Provider27000TheftDesktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth OrthopaedicsHealthcare Provider24176Hacking/IT IncidentNetwork Server
Health Recovery Services, Inc.Healthcare Provider20485Unauthorized Access/DisclosureNetwork Server
Baystate HealthHealthcare Provider11658Hacking/IT IncidentEmail
Riverplace Counseling Center, Inc.Healthcare Provider11639Hacking/IT IncidentNetwork Server
Minnesota Department of Human ServicesHealthcare Provider10263Hacking/IT IncidentEmail

Healthcare Data Breaches: April 2019 Causes

Hacking/IT incidents reported during April 2019 were more than unauthorized access/disclosure incidents by double. 28 of the reported breaches of 500 or more records happened because of hacking/IT incidents. There were 14 unauthorized access/disclosure attempts recorded, two instances of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a drop in the number of ransomware attacks across all industry sectors, the amount of ransomware attacks is rising once again, and healthcare is the most attacked sector. Remote Desktop Protocol often exploited to obtain access to servers and workstations to use ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is typical in the healthcare sector. Risk can be reduced by turning off these protocols, and if RDP must be used, to only use RDP with a VPN.

Phishing attacks also grew massively during April, which highlights just how vulnerable healthcare groups are to this sort of attack. Advanced anti-phishing and anti-spam solutions can lessen the volume of malicious emails that reach inboxes and in tandem with regular security awareness training, risk can be cut.

Deploying multi-factor authentication is also important. In the event of credentials being impacted, MFA will stop those credentials from being used to obtain access to PHI. MFA is not infallible, but it can ensure risk is minimized to a reasonable and acceptable level. According to Verizon, most credential theft attacks would not have lead to in a data breach if MFA been implemented.

Hacking/IT incidents lead to the largest number of compromised records in April 2019 – 384,219 records or 55% of all impacted records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents lead to the exposure of 264,016 records or 38% of the month’s total figure. While hacking incidents usually lead to more records being compromised, these incidents were more dangerous and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were impacted because of loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

April 2019 healthcare data breaches - breach cause

Location of Violated Protected Health Information

Email was the most common location of violated PHI in April. Email was experienced in 22 data breaches – 47.8% of all breaches in April 2019. While this category incorporates misdirected emails, most email breaches were due to phishing attacks.

Network servers were seen in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records likes paperwork, charts, and films were involved in 6 breaches – 13% of the month’s overall total.

April 2019 healthcare data breaches - location of PHI

April Violations by Covered Entity Type

April was a comparatively good month for business associates of covered bodies with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the biggest breach of the month.

Six health plans reported breaches in April and the other 38 breaches were reported by healthcare suppliers.

April 2019 healthcare data breaches by covered entity type

State by State: April 2019 Healthcare Data Breaches

Data breaches were reported by groups located in 21 states in April. California and Texas were the worst impacted, with each state having 5 violations. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by groups in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had two breaches and one breach was recorded in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

April 2019: HIPAA Enforcement Activity

There were no fines issued by the HHS’ Office for Civil Rights or state Attorneys General during April 2019.

Author: Security News