November 2017 Healthcare Data Breach Report
In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen.
While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.
Main Causes of November 2017 Healthcare Data Breaches
In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.
The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.
Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.
Location of Exposed and Stolen Protected Health Information
The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.
A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October when email was the common location of breached data. In November, email was the second most common location of breached PHI behind paper films, with four email-related breaches reported. There was an even spread between all other locations of breached PHI.
November 2017 Healthcare Data Breaches by Covered Entity Type
November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.
Largest Healthcare Data Breaches of November 2017
| Breached Entity | Entity Type | Breach Type | Individuals Affected |
| Pulmonary Specialists of Louisville, PSC | Healthcare Provider | Hacking/IT Incident | 32,000 |
| Hackensack Sleep and Pulmonary Center | Healthcare Provider | Hacking/IT Incident | 16,474 |
| Shop-Rite Supermarkets, Incorporated | Healthcare Provider | Improper Disposal | 12,172 |
| The Medical College of Wisconsin, Inc. | Healthcare Provider | Hacking/IT Incident | 9,500 |
| Valley Family Medicine | Healthcare Provider | Unauthorized Access/Disclosure | 8,450 |
| Sports Medicine & Rehabilitation Therapy, Inc. | Healthcare Provider | Hacking/IT Incident | 7,000 |
| Humana Inc | Health Plan | Unauthorized Access/Disclosure | 5,764 |
| Alere Toxicology | Healthcare Provider | Unauthorized Access/Disclosure | 2,146 |
| Family & Cosmetic Dentistry of the Rockies | Healthcare Provider | Improper Disposal | 1,850 |
| Aetna Inc. | Health Plan | Unauthorized Access/Disclosure | 1,600 |
November 2017 Healthcare Data Breaches by State
The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.