October 2019 Healthcare Breaches

Phishing Expedition
November 26, 2019
SEC FAQ for Form CRS
December 5, 2019
Show all

October 2019 Healthcare Breaches

October 2019 sets record as second-largest data breach since 2015

October was a rough month for data breaches in healthcare, according to the monthly report issued by HIPAA Journal over Thanksgiving weekend. The Journal’s reported that October saw a 44.44% month-over-month increase in healthcare data breaches. Fifty-two breaches were reported to the Health and Human Services’ Office for Civil Rights (HHS OCR), for exposing, impermissibly disclosing, or outright stealing 661,830 healthcare records in those breaches.

The Journal noted that October boosted the total number of breached healthcare records in 2019 over the 38 million-mark, ranking 2019 in second place behind the largest breach record set in 2015 when more than 114 million records were exposed. Nonetheless, 2019, with two more months, has seen breaches equating to 11.64% of the US population.

Where’s your patient’s data?

Hopefully protected. But even the best-laid plans can still suffer exposures. Most of the largest data breaches in October 2019 were due to hackers. Got a Bitcoin account, anyone?

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

According to the Journal’s report, hackers hit Betty Jean Kerr People’s Health Centers with a ransomware attack. The healthcare provider decided not to pay the ransomware demand, but data from 152,000 patients was locked, and backup files could not restore lost data.

In some instances, the breach did not occur at the healthcare provider level, but with a vendor. South Texas Dermatopathology Laboratory reported that a data breach at the collection agency, AMCA, impacted 15,982 records. However, the total number of individuals impacted by the AMCA breach overall currently is 26,059,725.

Moreover, the October data breach reported by Texas Health Resources makes the monthly top 10 list of the most healthcare records exposed (82,577), but the October breach is just the tip of the iceberg. The breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Where did all these healthcare data breaches come from?

Eighteen were hacking/IT incidents involving 501,847 healthcare records. The Journal recorded 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. These include the 15 separate breach reports from Texas Health Resources. Loss/theft was responsible for five incidents involving 13,454 records. And there was an incident of improper disposal involving 11,754 records.

Scary, isn’t it?

What about exposing patient data as revenge?

Not a good idea. When a patient complained that some of her patient health information (PHI) was publicly disclosed following her Yelp review of Elite Dental Associates, the HHS OCR launched an investigation. The investigators found that this was not a single incident. OCR also found that the dental practice’s notice of privacy practices was not compliant with the HIPAA Privacy Rule. Elite Dental Associates settled its violation case for $10,000.

Far more costly was the OCR’s investigation of Jackson Health System following disclosure of PHI in the media. The health information of two individuals (one of whom was a well-known NFL star) appeared in a photograph of an operating room display. The OCR’s investigation uncovered multiple violations over several years and the cost to Jackson Health System was a civil penalty of $2,154,000. Ouch!

Compliant collection/protection of email and other data

Regardless of industry or in some cases, geography (Healthcare/Financial Services/Insurance – in the US or Canada), no one is immune from oversight and regulatory compliance. Nor is it possible to completely eliminate bad actors. However, a vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. That’s where Patrina can help. We’ve built our business based on helping organizations keep track of “bad apples,” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective, designated third-party services, our comprehensive 8-module compliance solution, and compliant data capture & file storage, and records archiving specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.