March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.


The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health: a phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates. Its email archiving company accidentally removed protections in its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

Largest Healthcare Data Breaches Reported in March 2019

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| 1 | Navicent Health, Inc. | Healthcare Provider | 278016 | Hacking/IT Incident | Email |
| 2 | ZOLL Services LLC | Healthcare Provider | 277319 | Hacking/IT Incident | Network Server |
| 3 | Burrell Behavioral Health | Healthcare Provider | 67493 | Hacking/IT Incident | Network Server |
| 4 | LCP Transportation, Inc | Business Associate | 54528 | Unauthorized Access/Disclosure | Email |
| 5 | Superior Dental Care Alliance | Business Associate | 38260 | Hacking/IT Incident | Email |
| 6 | Superior Dental Care | Health Plan | 38260 | Hacking/IT Incident | Email |
| 7 | St. Francis Physician Services | Healthcare Provider | 32178 | Hacking/IT Incident | Network Server |
| 8 | Palmetto Health | Healthcare Provider | 23811 | Hacking/IT Incident | Email |
| 9 | Gulfport Anesthesia Services, PA | Healthcare Provider | 20000 | Theft | Other |
| 10 | Women’s Health USA, Inc. | Business Associate | 17531 | Hacking/IT Incident | Desktop Computer, Email |

Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 8 hacking/IT incidents involving network servers: a combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March with 22 reported incidents. 4 breaches were reported by health plans and there were 5 data breaches reported by HIPAA business associates. A further four breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations/business associates based in 19 states reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, Missouri, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not agree any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.