U.S. Healthcare Data Breach Report for January 2021

January witnessed a 48% month-over-month drop in the number of large healthcare data breaches, down from 62 breach incidents in December to 32 in January, according to an analysis by HIPAA Journal. While this is well beneath the 38 data breaches that are reported on average each month, it is still more than 1 data breach every day.

[Figure: January 2021 Healthcare Data Breaches]

There would have been a major drop in the number of breached records were it not for a major data breach identified by Florida Healthy Kids Corporation that impacted 3.5 million people. With that breach, 4,467,098 records were reported as compromised or exposed in January, which was more than December’s overall total by approximately 225,000 records.

[Figure: January 2021 Healthcare Data Breaches - Records Exposed]

Biggest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the biggest healthcare data breaches ever. The breach was reported by the health plan, but actually took place at one of its business associates. The health plan contracted an IT company to host its website and an application for submitting insurance coverage applications. The company did not implement patches for seven years, which allowed a hacker to gain access to sensitive data.

Hendrick Health had a major data breach as a result of a ransomware attack, one of many reported by healthcare delivery organizations since September 2020, when ransomware actors increased their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology partners.

Email-based attacks such as business email compromise (BEC) and phishing attacks were prevalent during January, and were the cause of 4 of the top ten breaches.

| Covered Entity | Entity Type | Individuals Impacted | Breach Type | Breach Location |
|---|---|---|---|---|
| Florida Healthy Kids Corporation | Health Plan* | 3,500,000 | Hacking/IT Incident: Website and Web Application Hack | Network Server |
| Hendrick Health | Healthcare Provider | 640,436 | Hacking/IT Incident: Ransomware | Network Server |
| Roper St. Francis Healthcare | Healthcare Provider | 189,761 | Hacking/IT Incident: Phishing attack | Email |
| Precision Spine Care | Healthcare Provider | 20,787 | Hacking/IT Incident: BEC attack | Email |
| Walgreen Co. | Healthcare Provider | 16,089 | Unauthorized Access/Disclosure: Unknown | Email |
| The Richards Group | Business Associate | 15,429 | Hacking/IT Incident: Phishing attack | Email |
| Florida Hospital Physician Group Inc. | Healthcare Provider | 13,759 | Hacking/IT Incident: EHR System | Electronic Medical Record |
| Managed Health Services | Health Plan* | 11,988 | Unauthorized Access/Disclosure: Unconfirmed | Paper/Films |
| Bethesda Hospital | Healthcare Provider | 9,148 | Unauthorized Access of EMR by employee | Electronic Medical Record |
| County of Ramsey | Healthcare Provider* | 8,687 | Hacking/IT Incident: Ransomware | Network Server |

*Breach reported by covered entity but occurred at a business associate.

January 2021 Healthcare Data Breach Causes

Hacking and other IT incidents are still the main cause of healthcare data breaches. January witnessed 20 hacking/IT incidents, which made up 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents, and 50,996 individuals were affected. The average breach size was 4,636 records and the median breach size was 1,680 records. There was a single reported incident involving the loss of an unencrypted laptop computer containing 2,340 records.

[Figure: Causes of January 2021 Healthcare Data Breaches]

As the bar chart below indicates, most attacks involve PHI stored in email accounts, mostly due to the high number of phishing attacks. This was just ahead of network server incidents, which mostly were due to malware or ransomware infections.

[Figure: Location of PHI in January 2021 Healthcare Data Breaches]

Healthcare Data Breaches by Covered Entity Type

The covered entity type worst affected was healthcare providers, with 23 reported data breaches followed by health plans with six reported breaches. Three data breaches were made known by business associates of HIPAA covered entities, although an additional seven took place at business associates but were reported by the covered entity, including the largest data breach of the month.

Business associate data breaches have been rising in recent months. These incidents often affect several covered entities, such as the data breach at Blackbaud in 2020, which led to the data of more than 10 million individuals across around four dozen healthcare companies being compromised. A study by CI Security determined that 75% of all breached healthcare records in the second half of 2020 were the result of data breaches at business associates.

[Figure: January 2021 healthcare data breaches by covered entity type]

Healthcare Data Breaches by State

January’s 32 data breaches took place in 18 different states, with Florida the worst impacted with six reported breaches. There were three breaches in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had one HIPAA breach reported.

 

Author: Maria Perez