Healthcare Data Breach Report for January 2020 Published

The Department of Health and Human Services’ Office for Civil Rights was inundated during January with healthcare data breaches of 500 or more records, reported at a rate of more than one a day.

It has already been widely commented that 2019 was a very bad year for healthcare data breaches, with 510 data breaches filed by HIPAA-covered entities and their business associates. That is a rate of 42.5 data breaches a month. January’s figures are an improvement on the previous month, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared with December 2019.

Figure: healthcare data breaches, February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches fell, the number of breached records grew by 17.71% month on month: 462,856 healthcare records were impacted across the 32 reported data breaches. As the graph below suggests, the severity of data breaches has increased over the last few years.

Largest Healthcare Data Breaches in January 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email |
| Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email |
| InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email |
| Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server |
| Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email |
| Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server |
| Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email |
| Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email |
| Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other |
| Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email |

2019 saw a huge increase in healthcare data breaches caused by hacking/IT incidents. In 2019, over 59% of data breaches reported to the HHS’ Office for Civil Rights were due to hacking, malware, ransomware, phishing attacks, and other IT security incidents.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents remained the main feature of the breach reports in January and accounted for 59.38% of all reported breaches (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure breaches (9 incidents); there were two reported theft incidents, both involving physical files, and two cases of improper disposal of physical records. Ransomware attacks continued to plague the healthcare industry, but phishing attacks were by far the biggest cause of healthcare data breaches. As the table above shows, these attacks can expose the PHI of tens of thousands of individuals.

Hacking/IT incidents are normally the most damaging type of breach and involve more healthcare records than other types of breach. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached in unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents, with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first being rendered unreadable and undecipherable. The average breach size was 1,406 records.

Figure: location of breached protected health information

Ongoing security awareness training for staff has been shown to reduce susceptibility to phishing attacks, but attackers are creating increasingly sophisticated campaigns. It is often hard to distinguish a phishing email from a genuine message, especially in a business email compromise scam.

What is needed to prevent these attacks is a defense-in-depth security strategy, since no single technical solution will block every phishing campaign. Defenses should include an advanced spam filter to stop phishing messages at source, a web filter to restrict access to websites hosting phishing kits, DMARC to detect email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.
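DMARC is only as useful as the policy a domain actually publishes: a record with p=none merely reports impersonation attempts, while p=reject tells receiving mail servers to drop them. The following is an added example, not code from the original article or from any organization it names, that parses a DMARC TXT record (tag semantics from RFC 7489) and grades it from a defender's point of view. The sample records and domain names are constructed for illustration, and the verdict labels (missing, invalid, monitoring, partial, enforcing) are this example's own convention.

```python
"""Grade the strength of a DMARC policy record (added example, constructed data)."""
from typing import Dict, List, Tuple

# Constructed sample records for fictional domains: none, monitoring-only, enforcing.
SAMPLE_RECORDS: Dict[str, str] = {
    "no-dmarc.example": "",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforced.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@enforced.example"
    ),
}

# Relative strength of the three DMARC policy values (RFC 7489 section 6.3).
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs.

    Tag names are case-insensitive per RFC 7489, so they are lower-cased;
    values are kept as written. An empty record yields an empty dict.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one DMARC record.

    verdict: 'missing', 'invalid', 'monitoring', 'partial' or 'enforcing'.
    findings: the reasons a defender would want to act on, strongest first.
    """
    findings: List[str] = []
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["no DMARC record published: receivers cannot tell spoofed mail from genuine"]
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", ["record must begin with v=DMARC1 and carry a p= tag"]

    policy = tags["p"].lower()
    if policy not in POLICY_STRENGTH:
        return "invalid", [f"unknown policy p={tags['p']}"]

    # pct= defaults to 100; a non-numeric value is treated as 100 by receivers.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw} is not numeric; receivers treat it as 100")

    # Without rua= the domain owner never sees who is spoofing the domain.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who is spoofing the domain will not be received")

    # sp= defaults to p=; a weaker subdomain policy leaves lookalike subdomains open.
    sp = tags.get("sp", policy).lower()
    if sp in POLICY_STRENGTH and POLICY_STRENGTH[sp] < POLICY_STRENGTH[policy]:
        findings.append(f"subdomain policy sp={sp} is weaker than p={policy}: lookalike subdomains can still be spoofed")

    if policy == "none":
        findings.insert(0, "p=none only monitors: impersonated mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.insert(0, f"pct={pct} applies the policy to only {pct}% of failing mail")
        return "partial", findings
    if policy == "quarantine":
        findings.insert(0, "p=quarantine sends failing mail to spam; p=reject blocks it outright")
    return "enforcing", findings


def summarize(records: Dict[str, str]) -> Dict[str, str]:
    """Map each domain to its DMARC verdict."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(rec)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the record string would come from a DNS TXT lookup of `_dmarc.<domain>`; the grading logic is the same. The point of the verdict ladder is that an organization that has "deployed DMARC" at p=none has gained visibility but no protection against the impersonation attacks the article describes.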

Covered Entity Healthcare Data Breaches

Healthcare providers were the entities most affected by data breaches in January, with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were three further breaches reported by covered entities that had some business associate involvement.

January 2020 Healthcare Data Breaches by Covered Entity

Figure: January 2020 healthcare data breaches, records exposed by covered entity type

Healthcare Data Breaches Compared State by State

HIPAA-covered entities and business associates in 23 states reported data breaches in January. California and Texas were the most affected, with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement During January 2020

There were no HIPAA fines imposed on HIPAA-covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general during January.

There was, however, a significant increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches linked to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health was sued in relation to a December 2019 ransomware attack, and a further lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that took place in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February, with many law firms competing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 people.

These lawsuits may cite HIPAA violations, but since HIPAA provides no private cause of action, the legal action is brought under state laws.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years’ experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.