Healthcare Data Breach Report for November 2019

In November 2019, 33 healthcare data breaches of 500 or more records were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR). That equates to a 36.5% drop in reported breaches from October – the worst ever month for healthcare data breaches on file since OCR were first listed on its website in October 2009. The fall in breaches is good news, but data breaches are still taking place at a rate higher that one every day.

600,877 healthcare records were impacted, impermissibly shared or illegally taken in November. That makes up a 9.2% decrease in breached healthcare records from October, but the average breach size grew by 30.1% to 18,208 records in November.

Biggest Healthcare Data Breaches in November 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email
Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email
Saint Francis Medical Center Healthcare Provider 107054 Hacking/IT Incident Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery Healthcare Provider 80000 Hacking/IT Incident Network Server
Elizabeth Family Health Healthcare Provider 28375 Theft Paper/Films
The Brooklyn Hospital Center Healthcare Provider 26312 Hacking/IT Incident Network Server
Utah Valley Eye Center Healthcare Provider 20418 Hacking/IT Incident Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) Healthcare Provider 15575 Hacking/IT Incident Email
Choice Cancer Care Healthcare Provider 14673 Hacking/IT Incident Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona Health Plan 12886 Hacking/IT Incident Email

Healthcare Data Breaches Causes in November 2019

Hacking/IT incidents made up the most of November’s breach reports and accounted for 63.6% of data breaches made known in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were seven unauthorized access/disclosure breaches reported in November that included 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were four incidents that included the theft of 38,998 individuals’ protected health information. Two of the incidents included electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing is still the most common cause of healthcare data breaches. 17 of the healthcare data breaches made known in November involved PHI stored in email accounts. Most of those breaches were caused by phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches made known in November and four breaches were made known by health plans. It was an excellent month for business associates, with only one breach reported, although an additional two breaches had some business associate involvement.


November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered outfits in 19 states. California was the worst impacted with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were made known by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.


About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.