March 2022 Healthcare Data Breach Report
For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.
However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.
Largest Healthcare Data Breaches in March 2022
In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.
SuperCare Health reported a major breach that occurred in July 2021, in which hackers accessed its network and potentially stole patient data. Around two weeks after the breach was announced, the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed over a single incident.
CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause |
| --- | --- | --- | --- | --- |
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacked email account |
| Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Unspecified hacking incident |
| Cytometry Specialists, Inc., d/b/a CSI Laboratories | GA | Healthcare Provider | 312,000 | Ransomware attack (Conti) |
| South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Unspecified hacking incident |
| Clinic of North Texas, LLP | TX | Healthcare Provider | 244,174 | Unspecified hacking incident |
| Taylor Regional Hospital | KY | Healthcare Provider | 190,209 | Unspecified hacking incident |
| Chelan Douglas Health District | WA | Healthcare Provider | 188,236 | Unspecified hacking and data theft incident |
| Urgent Team Holdings | TN | Healthcare Provider | 166,601 | Unspecified hacking incident |
| New Jersey Brain and Spine | NJ | Healthcare Provider | 92,453 | Unspecified hacking incident |
| Duncan Regional Hospital, Incorporated | OK | Healthcare Provider | 86,379 | Unspecified hacking incident |
| Labette Health | KS | Healthcare Provider | 85,635 | Unspecified hacking incident |
| Law Enforcement Health Benefits, Inc. | PA | Health Plan | 85,282 | Ransomware attack |
| Central Indiana Orthopedics | IN | Healthcare Provider | 83,705 | Unspecified hacking incident |
| Highmark Inc | PA | Health Plan | 67,147 | Hacking incident at mailing vendor |
| Advanced Medical Practice Management | NJ | Business Associate | 56,427 | Unspecified hacking and data theft incident |
| Charleston Area Medical Center, Inc. | WV | Healthcare Provider | 54,000 | Hacked email accounts (phishing) |
| Resources for Human Development | PA | Healthcare Provider | 46,673 | Theft of unencrypted hard drive |
| Cancer and Hematology Centers of Western Michigan | MI | Healthcare Provider | 43,071 | Ransomware attack |
| Horizon Actuarial Services, LLC | GA | Business Associate | 38,418 | Unspecified hacking and data theft incident |
| Central Minnesota Mental Health Center | MN | Healthcare Provider | 28,725 | Hacked email accounts |
| Capital Region Medical Center | MO | Healthcare Provider | 17,578 | Unspecified hacking incident |
| Dialyze Direct, LLC | NJ | Healthcare Provider | 14,203 | Hacked email account |
| Major League Baseball Players Benefit Plan | MD | Health Plan | 13,156 | Unspecified hacking and data theft incident at a business associate |
| Colorado Physician Partners, PLLC | CO | Healthcare Provider | 12,877 | Hacked email account |
| Crossroads Health | OH | Healthcare Provider | 10,324 | Unspecified hacking and data theft incident |
Causes of March 2022 Healthcare Data Breaches
The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% (39) of all data breaches reported and 98.3% of the breached healthcare records. 3,032,868 individuals were affected by those hacking incidents (the month's total of 3,083,988 less the 4,447 records in unauthorized access/disclosure incidents and the 46,673 records on the stolen hard drive). The average hacking breach size was 77,766 records and the median breach size was 17,758 records.
While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.
There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.
March 2022 Healthcare Data Breaches by State
HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.
| State | Number of Reported Data Breaches |
| --- | --- |
| New Jersey, Pennsylvania & Texas | 4 |
| Colorado, Georgia, Indiana, Kansas, Michigan, Minnesota, Washington, West Virginia, and Puerto Rico | 2 |
| California, Illinois, Kentucky, Maryland, Massachusetts, Missouri, New York, Ohio, Oklahoma, Tennessee, and Utah | 1 |
HIPAA Enforcement Activity in March 2022
In late March, the Department of Health and Human Services announced that four investigations of HIPAA-regulated entities resulted in financial penalties for non-compliance, three of which were settlements and one was a civil monetary penalty.
A civil monetary penalty of $50,000 was imposed on the dental practice Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., over an impermissible disclosure of protected health information on social media when responding to a negative Google review. The dental practitioner Dr. Donald Brockley, D.M.D., settled with OCR and agreed to pay a financial penalty of $30,000 to resolve a HIPAA Right of Access violation. The psychiatric medical services provider Jacob & Associates settled with OCR and paid a $28,000 penalty to resolve a HIPAA Right of Access violation; OCR also found that the practice's notice of privacy practices was not compliant and that it had not appointed a HIPAA privacy officer.
Northcutt Dental-Fairhope settled its case with OCR and paid a $62,500 penalty for the impermissible disclosure of patients' PHI to a third party for use in marketing connected with its owner's campaign for State Senator. OCR also found that a HIPAA privacy officer had not been appointed and that policies and procedures required by the HIPAA Privacy and Breach Notification Rules had not been implemented until well after the compliance deadline for doing so.