March 2019 Healthcare Data Breach Report
In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.
The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.
Causes of March 2019 Healthcare Data Breaches
The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records).
There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.
The biggest data breach was reported by Navicent Health – A phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates. It’s email archiving company accidentally removed protections in its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.
Largest Healthcare Data Breaches Reported in March 2019
|Rank||Name of Covered Entity||Covered Entity Type||Individuals Affected||Type of Breach||Location of Breached Information|
|1||Navicent Health, Inc.||Healthcare Provider||278016||Hacking/IT Incident|
|2||ZOLL Services LLC||Healthcare Provider||277319||Hacking/IT Incident||Network Server|
|3||Burrell Behavioral Health||Healthcare Provider||67493||Hacking/IT Incident||Network Server|
|4||LCP Transportation, Inc||Business Associate||54528||Unauthorized Access/Disclosure|
|5||Superior Dental Care Alliance||Business Associate||38260||Hacking/IT Incident|
|6||Superior Dental Care||Health Plan||38260||Hacking/IT Incident|
|7||St. Francis Physician Services||Healthcare Provider||32178||Hacking/IT Incident||Network Server|
|8||Palmetto Health||Healthcare Provider||23811||Hacking/IT Incident|
|9||Gulfport Anesthesia Services, PA||Healthcare Provider||20000||Theft||Other|
|10||Women’s Health USA, Inc.||Business Associate||17531||Hacking/IT Incident||Desktop Computer, Email|
Location of Breached Protected Health Information
Email incidents dominated the March 2019 healthcare data breach reports with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 8 hacking/IT incidents involving network servers – A combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.
March 2019 Healthcare Data Breaches by Covered Entity
Healthcare providers reported the most healthcare data breaches in March with 22 reported incidents. 4 breaches were reported by health plans and there were 5 data breaches reported by HIPAA business associates. A further four breaches had some business associate involvement.
Healthcare Data Breaches by State
Healthcare organizations/business associates based in 19 state reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, Missouri, New York, and Oklahoma.
HIPAA Enforcement in March 2019
The HHS’ Office for Civil Rights did not agree any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.
Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.
There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.