April 2020 Healthcare Data Breach Report
There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.
While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.
Largest Healthcare Data Breaches in April 2020
| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | |
| Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | |
| Arizona Endocrinology Center | Healthcare Provider | 74,122 | Unauthorized Access/Disclosure | Electronic Medical Record |
| Advocate Aurora Health | Healthcare Provider | 27,137 | Hacking/IT Incident | Email, Network Server |
| Doctors Community Medical Center | Healthcare Provider | 18,481 | Hacking/IT Incident | |
| Andrews Braces | Healthcare Provider | 16,622 | Hacking/IT Incident | Network Server |
| UPMC Altoona Regional Health Services | Healthcare Provider | 13,911 | Hacking/IT Incident | |
| Colorado Department of Human Services, Office of Behavioral Health | Healthcare Provider | 8,132 | Unauthorized Access/Disclosure | Network Server |
| Agility Center Orthopedics | Healthcare Provider | 7,000 | Hacking/IT Incident | |
| Beacon Health Options, Inc. | Business Associate | 6,723 | Loss | Other Portable Electronic Device |
Causes of Healthcare Data Breaches in April
As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.
333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.
There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.
The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers were the worst affected covered entity type in April, with 30 breaches reported. Four health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further eight breaches had some business associate involvement.
Healthcare Data Breaches by State
April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.
HIPAA Enforcement Activity in April
There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.