HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, exceeding even August, a particularly bad month for the healthcare industry in which 42 protected health information (PHI) breaches were reported by covered entities.

However, November’s total was 35% higher than August’s and 60% higher than October’s, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, which is almost two incidents per day.

Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were exposed in November, down 317,894 from the previous month.

November was something of an atypical month due to the nature of reporting of healthcare data breaches. Had the data breaches at Ambucor Health Solutions and EMR4All/Rehab Billing Solutions been reported as single breaches, the breach total for the month would have stood at 39. Still a particularly bad month, but not as bad as August.

As it was, the incidents were reported to OCR separately by each organization that was affected. There were 11 incidents reported by organizations impacted by the Ambucor Health Solutions breach and a further 9 reported by entities affected by the breach at EMR4All/RBS, according to DataBreaches.net, which provided the data for the Protenus report.

Recent surveys have suggested IT professionals are more concerned about insider breaches than cyberattacks by hackers, and with good reason. The Breach Barometer report shows how serious the threat of insider breaches is. In November, 54.4% of healthcare data breaches were caused by insiders: 17 were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI.

There were 9 incidents that involved hackers, which was an improvement on October when 14 incidents were attributed to hacking. Ransomware was involved in 3 security breaches reported in November. TheDarkOverlord, who has previously attempted to extort money from a number of healthcare providers after stealing their data, was involved in one incident.

Healthcare providers once again were the worst hit, registering 40 incidents – 70% of incidents – followed by health plans with 11. Business associates reported three breaches, although they were involved to some degree in at least 44% of the breaches reported in November.

Protenus calculated the average time taken to report incidents to OCR to be 135 days from the date of discovery. 65% of breaches were reported after the 60-day window allowed by the HIPAA Breach Notification Rule, most of them by entities affected by the Ambucor breach. The breaches in November were also widespread, with affected entities based in 24 different states.

According to DataBreaches.net, the entities involved in the breaches in November were:

| Entity | Entity Type |
| --- | --- |
| Aetna Signature Administrators | Business Associate |
| AON Hewitt | Business Associate |
| Austin Pulmonary Consultants | Healthcare Provider |
| Bay Sleep Clinic | Healthcare Provider |
| Berkshire Medical Center | Healthcare Provider |
| Best Health Physical Therapy, LLC | Healthcare Provider |
| Biomechanics LLC | Healthcare Provider |
| Briar Hill Management | Business Associate |
| Briar Hill Management | Business Associate |
| Broward Health: Broward Health Imperial Point | Healthcare Provider |
| Camas Center Clinic, Kalispel Tribe of Indians | Healthcare Provider |
| Carolina Cardiology Consultants (Greenville Health System) | Healthcare Provider |
| Charleston Area Medical Center | Healthcare Provider |
| CHI Franciscan Health | Healthcare Provider |
| Cleveland Clinic Akron General | Healthcare Provider |
| Command Marketing Innovations | Business Associate |
| Conemaugh Physician Group Cardiology | Healthcare Provider |
| Consultants in Neurological Surgery, LLP | Healthcare Provider |
| Darlingten | Business Associate |
| Darlingten | Healthcare Provider |
| EMR4All/RBS | Business Associate |
| Eye Institute of Marin | Healthcare Provider |
| GHI (Emblem Health) | Health Plan |
| Glendale Adventist | Healthcare Provider |
| Harrisonburg OB GYN Associates, P.C. | Healthcare Provider |
| Horizon BCBS & UnitedHealth Group | Health Plan |
| Horizon Blue Cross Blue Shield of New Jersey | Health Plan |
| HP Enterprise Services, LLC | Business Associate |
| Indiana Family and Social Services Administration - Indiana Health Coverage Program | Health Plan |
| Irvine Company | Business Associate |
| Kaiser Foundation Health Plan | Health Plan |
| Kaiser Permanente Health Plan – N. Cal | Health Plan |
| Kaiser Permanente Health Plan – S. Cal | Health Plan |
| KinetoRehab Physical Therapy, PLLC | Healthcare Provider |
| La Gloria Pharmacy | Healthcare Provider |
| LCS Westminster Partnership IV, LLP d/b/a Sagewood | Healthcare Provider |
| Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) | Healthcare Provider |
| Lenox Hill Heart and Vascular Institute | Healthcare Provider |
| Lister Healthcare | Healthcare Provider |
| Louisiana Health Cooperative, Inc. in Rehabilitation | Health Plan |
| Luque Chiropractic | Healthcare Provider |
| Main Line Health | Healthcare Provider |
| Managed Health Services | Health Plan |
| Marin Medical Practice Concepts, Inc. | Business Associate |
| New Mexico Heart Institute | Healthcare Provider |
| North Texas Heart Center, P.A | Healthcare Provider |
| OC Gastrocare | Healthcare Provider |
| OptumHealth New Mexico | Health Plan |
| Pikeville Medical Center | Healthcare Provider |
| Pinellas County Board of County Commissioners | Health Plan |
| Primerica | Business Associate (Financial Services) |
| Seguin Dermatology | Healthcare Provider |
| Stony Brook Internists, University Faculty Practice Corporation VA Eastern Colorado Health Care System | Healthcare Provider |
| Unnamed cleaning service | Business Associate |
| Unnamed vendor | Business Associate |
| Unnamed vendor + UPS | Business Associate |
| Vanderbilt U. Psychological & Counseling Center | Healthcare Provider |
| Vascular Surgical Associates | Healthcare Provider |
| Vein Specialists of Northwest Georgia | Healthcare Provider |
| Vision Care Florida, LLC | Healthcare Provider |
| WADA and USADA | Anti-Doping Agency |
| Wal-Mart Stores, Inc. | Healthcare Provider |
| Washington Department of Social and Health Services - Aging and Disability Services | Healthcare Provider |
| Watsonville Chiropractic (David W. Christie, D.C.) | Healthcare Provider |
| Wentworth-Douglass Hospital | Healthcare Provider |
| Young Adult Institute, Inc. | Healthcare Provider |

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.