HIPAA Breaches of 2018: Largest Incidents Revealed

This post lists the largest healthcare data breaches of 2018: breaches that have led to the loss, theft, unauthorized access, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has witnessed 18 data breaches that exposed 100,000 or more healthcare records. Eight of those breaches exposed more than half a million healthcare records, and three involved more than 1 million healthcare records.

Terrible Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) had been notified of 351 data breaches of 500 or more healthcare records. Those breaches have led to the exposure of 13,020,821 healthcare records.

It is possible that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than double the number of healthcare records were exposed in 2018 compared with 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches led to the exposure of 5,138,179 healthcare records.

The Biggest Healthcare Data Breaches of 2018

Included below is a summary of some of the largest healthcare data breaches of 2018, with a brief description of each breach.

At the time of publishing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Causes of the Largest Healthcare Data Breaches of 2018

Further details on the causes of some of the largest healthcare breaches of 2018 are given below.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing firm that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, found that some of its databases had been compromised between September 22 and September 29, 2018. The databases included the records of 2,652,537 patients. While the data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest single healthcare data breach reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation showed that multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of staff members being tricked by a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas found a flaw in its ERS OnLine portal that allowed certain people to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. The PHI of up to 1,248,263 individuals was potentially viewed by other health plan subscribers.

CA Department of Developmental Services

The California Department of Developmental Services suffered a break-in at its offices. While the thieves were in the offices, they may have accessed the sensitive information of approximately 15,000 staff members, contractors, job applicants, and parents of minors who receive DDS services, along with the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C., a group of orthopedic medical practices, found in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessible to the hackers for several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered that hackers had gained access to its systems between May 30 and September 13, 2018 and may have stolen the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered that malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered that hackers had gained access to a server used for file sharing and deployed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that included the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the hackers as proof that they could decrypt files.
