Healthcare Data Breach Report for September 2019 Published

36 healthcare data breaches of more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights during September, a 26.53% drop in the number of breaches from August.

1,957,168 healthcare records were illegally accessed in those breaches, a rise of 168.11% from August. The massive rise in the number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been revealed as ransomware attacks.

Largest Healthcare Data Breaches During September 2019

The largest breach during September was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were possibly compromised in the attack. Sarrell Dental also suffered a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also possibly compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact manner of the breach is unclear.

Those four breaches made up 85.80% of the healthcare records breached during September.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Women’s Care Florida, LLC | Healthcare Provider | 528188 | Hacking/IT Incident | Network Server |
| Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439753 | Hacking/IT Incident | Network Server |
| Sarrell Dental | Healthcare Provider | 391472 | Hacking/IT Incident | Network Server |
| Premier Family Medical | Healthcare Provider | 320000 | Hacking/IT Incident | Network Server |
| Magellan Healthcare | Business Associate | 55637 | Hacking/IT Incident | Email |
| CHI Health Orthopedics Clinic - Lakeside | Healthcare Provider | 48000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| Kilgore Vision Center | Healthcare Provider | 40000 | Hacking/IT Incident | Network Server |
| Peoples Injury Network Northwest | Healthcare Provider | 27000 | Hacking/IT Incident | Network Server |
| Sweetser | Healthcare Provider | 22000 | Hacking/IT Incident | Email |
| Perfect Teeth Yale, P.C. | Healthcare Provider | 15000 | Loss | Other Portable Electronic Device |

Healthcare Data Breaches September 2019 Causes

Hacking/IT incidents made up most of the breach reports in September, with 24 incidents reported. There were nine unauthorized access/disclosure incidents and three cases of loss/theft of physical and digital records.

1,917,657 healthcare records were compromised in the 24 hacking/IT incidents, which made up 97.98% of breached records in September. The average breach size was 958,829 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September made up 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Breached Protected Health Information Locations

Phishing is still a major problem area for the healthcare sector. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

Healthcare Data Breaches by Covered Entity Type During September 2019

28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. Another four breaches had some business associate involvement but were reported by the covered entity.

September 2019 Healthcare Data Breaches States Affected

September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst impacted with three breaches each. Two breaches each were reported by entities located in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

September 2019 HIPAA Enforcement Activity

In September 2019, the HHS’ Office for Civil Rights revealed its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was sanctioned with an $85,000 financial penalty for failing to supply a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took nine months and multiple attempts by the patient before she was given the records.

 

Author: Security News