May 2018 Healthcare Data Breach Report

June 21, 2018

April was a particularly bad month for healthcare data breaches, with 41 reported incidents. Although the month-over-month reduction in healthcare data breaches is certainly good news, the severity of some of the breaches reported last month puts May on a par with April.

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over-month drop in reported breaches. Nevertheless, 838,587 healthcare records were exposed or stolen in those incidents – just 56,287 records fewer than in the 41 incidents in April.

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April, the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches
Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018, with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.
The 12 hacking/IT incidents reported in May led to the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents led to unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Biggest Healthcare Data Breaches Reported in May 2018
The biggest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, even though it happened more than a year and a half earlier, in September 2016, when malware was installed on the server that hosts its electronic health records.
In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers were compromised. The scale of the breach and the kinds of information exposed make it one of the most severe healthcare data breaches discovered in 2018.
As the table below demonstrates, hacking and IT incidents were behind the most serious breaches in May.

Location of Breached Protected Health Information
In May, the most common location of breached protected health information was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.
In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Data Breaches by Covered Entity Type
Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.
Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches by State
California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.
One healthcare data breach was reported by a HIPAA-covered entity or business associate based in each of the following states: Arkansas, Nebraska, Minnesota, Michigan, Maryland, Massachusetts, Kansas, Indiana, Georgia, Florida, Colorado, Arizona, and New York.

Financial Penalties for HIPAA Violations
While OCR and state attorneys general continue to enforce HIPAA laws and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.
Data Source: The Department of Health and Human Services’ Office for Civil Rights.