HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

March 2022 Healthcare Data Breach Report

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.

healthcare data breaches past 12 months - March 2022

However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

number of breached healthcare recovers over the past 12 months - March 2022

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.

SuperCare Health reported a major breach from July 2021 where hackers accessed its network and potentially stole patient data. Around two weeks after announcing the data breach the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacked email account
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Unspecified hacking incident
Cytometry Specialists, Inc., d/b/a CSI Laboratories GA Healthcare Provider 312,000 Ransomware attack (Conti)
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Unspecified hacking incident
Clinic of North Texas, LLP TX Healthcare Provider 244,174 Unspecified hacking incident
Taylor Regional Hospital KY Healthcare Provider 190,209 Unspecified hacking incident
Chelan Douglas Health District WA Healthcare Provider 188,236 Unspecified hacking and data theft incident
Urgent Team Holdings TN Healthcare Provider 166,601 Unspecified hacking incident
New Jersey Brain and Spine NJ Healthcare Provider 92,453 Unspecified hacking incident
Duncan Regional Hospital, Incorporated OK Healthcare Provider 86,379 Unspecified hacking incident
Labette Health KS Healthcare Provider 85,635 Unspecified hacking incident
Law Enforcement Health Benefits, Inc. PA Health Plan 85,282 Ransomware attack
Central Indiana Orthopedics IN Healthcare Provider 83,705 Unspecified hacking incident
Highmark Inc PA Health Plan 67,147 Hacking incident at mailing vendor
Advanced Medical Practice Management NJ Business Associate 56,427 Unspecified hacking and data theft incident
Charleston Area Medical Center, Inc. WV Healthcare Provider 54,000 Hacked email accounts (Phishing)
Resources for Human Development PA Healthcare Provider 46,673 Theft of unencrypted hard drive
Cancer and Hematology Centers of Western Michigan MI Healthcare Provider 43,071 Ransomware attack
Horizon Actuarial Services, LLC GA Business Associate 38,418 Unspecified hacking and data theft incident
Central Minnesota Mental Health Center MN Healthcare Provider 28,725 Hacked email accounts
Capital Region Medical Center MO Healthcare Provider 17,578 Unspecified hacking incident
Dialyze Direct, LLC NJ Healthcare Provider 14,203 Hacked email account
Major League Baseball Players Benefit Plan MD Health Plan 13,156 Unspecified hacking and data theft incident at a business associate
Colorado Physician Partners, PLLC CO Healthcare Provider 12,877 Hacked email account
Crossroads Health OH Healthcare Provider 10,324 Unspecified hacking and data theft incident

Causes of March 2022 Healthcare Data Breaches

The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all data breaches reported and 98.3% of the breached healthcare records. 3,083,988 individuals were affected by those hacking incidents. The average breach size was 77,766 records and the median breach size was 17,758 records.

Causes of MArch 2022 healthcare data breaches

While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.

 

There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.

Location of breached PHI in March 2022 healthcare data breaches

March 2022 Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.

State Number of Reported Data Breaches
New Jersey, Pennsylvania & Texas 4
Colorado, Georgia, Indiana, Kansas, Michigan, Minnesota, Washington, West Virginia, and Puerto Rico 2
California, Illinois, Kentucky, Maryland, Massachusetts, Missouri, New York, Ohio, Oklahoma, Tennessee, and Utah 1

HIPAA Enforcement Activity in March 2022

In late March, the Department of Health and Human Services announced that four investigations of HIPAA-regulated entities resulted in financial penalties for non-compliance, three of which were settlements and one was a civil monetary penalty.

A civil monetary penalty of $50,000 was imposed on the dental practice Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., over an impermissible disclosure of protected health information on social media, after responding to a negative Google review. The dental practitioner Dr. Donald Brockley D.D.M settled with OCR and agreed to pay a financial penalty of $30,000 to resolve a HIPAA Right of Access violation, the psychiatric medical services provider, Jacob & Associates, settled wth OCR and paid a $28,000 penalty to resolve a HIPAA Right of Access violation. OCR also discovered the notice of privacy practices was not compliant and the practice had not appointed a HIPAA privacy officer.

Northcutt Dental-Fairhope settled his case with OCR and paid a $62,500 penalty for the impermissible disclosure of patients’ PHI to a third party for use in marketing, related to running for State Senator. OCR also found a HIPAA privacy officer had not been appointed and policies and procedures related to the HIPAA Privacy and Breach Notification Rules had not been implemented until well after the compliance deadline for doing so.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.