Healthcare Data Breach Report for September 2019 Published

36 healthcare data breaches of more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights, during September, a 26.53% drop in the number of breaches from August.

1,957,168 healthcare records were illegally accessed in those breaches, a rise of 168.11% from August. The massive rise in the number of breached records is largely down to four reported incidents, each of which included hundreds of thousands of healthcare records. Three of those incidents have been revealed as ransomware attacks.

Largest Healthcare Data Breaches During September 2019

The largest breach during September was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were possibly compromised due to the attack. Sarrell Dental also suffered a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also possibly compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident including 439,753 records of Intramural Practice Plan members. The exact manner of the breach is unclear.

Those four breaches made up 85.80% of the healthcare records breached during September.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
Magellan Healthcare Business Associate 55637 Hacking/IT Incident Email
CHI Health Orthopedics Clinic -Lakeside Healthcare Provider 48000 Hacking/IT Incident Desktop Computer, Electronic Medical Record, Network Server
Kilgore Vision Center Healthcare Provider 40000 Hacking/IT Incident Network Server
Peoples Injury Network Northwest Healthcare Provider 27000 Hacking/IT Incident Network Server
Sweetser Healthcare Provider 22000 Hacking/IT Incident Email
Perfect Teeth Yale, P.C. Healthcare Provider 15000 Loss Other Portable Electronic Device

Healthcare Data Breaches September 2019 Causes

Hacking/IT incidents made up the most of the breach reports in September with 24 incidents reported. There were nine unauthorized access/disclosure incidents and three cases of loss/theft of physical and digital records.

1,917,657 healthcare records were infiltrated in the 24 hacking/IT incidents which made up 97.98% of breached records in September. The average breach size was 958,829 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September made up 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents including 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Breached Protected Health Information Locations

Phishing is still a major issue area for the healthcare sector. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

Healthcare Data Breaches by Covered Entity Type During September 2019

28 data breaches were reported by healthcare groups in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered outfits. Another four breaches had some business associate involvement but were reported by the covered group.

September 2019 Healthcare Data Breaches States Affected

September’s data breaches were made known by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst impacted with three breaches each. There were two breaches made aware by groups located in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

September 2019 HIPAA Enforcement Activity

In September 2019, the HHS’ Office for Civil Rights revealed its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was sanctioned with an $85,000 financial penalty for the failure to supply a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took nine months and multiple attempts by the patient before she was given the records.


Author: Maria Perez