Dedicated to providing the latest
HIPAA compliance news

November 2017 Healthcare Data Breach Report

Share this article on:

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen.

healthcare data breaches by month (November 2017)

While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

breached healthcare records November 2017

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.

Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.

 

causes of healthcare data breaches November 2017

records exposed by breach type

Location of Exposed and Stolen Protected Health Information

The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.

A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October when email was the common location of breached data. In November, email was the second most common location of breached PHI behind paper films, with four email-related breaches reported.  There was an even spread between all other locations of breached PHI.

Location of PHI in November 2017 healthcare data breaches

 

November 2017 Healthcare Data Breaches by Covered Entity Type

November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.

 November 2017 Healthcare Data Breaches by Covered Entity Type

 

Largest Healthcare Data Breaches of November 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Pulmonary Specialists of Louisville, PSC Healthcare Provider Hacking/IT Incident 32,000
Hackensack Sleep and Pulmonary Center Healthcare Provider Hacking/IT Incident 16,474
Shop-Rite Supermarkets, Incorporated Healthcare Provider Improper Disposal 12,172
The Medical College of Wisconsin, Inc. Healthcare Provider Hacking/IT Incident 9,500
Valley Family Medicine Healthcare Provider Unauthorized Access/Disclosure 8,450
Sports Medicine & Rehabilitation Therapy, Inc. Healthcare Provider Hacking/IT Incident 7,000
Humana Inc Health Plan Unauthorized Access/Disclosure 5,764
Alere Toxicology Healthcare Provider Unauthorized Access/Disclosure 2,146
Family & Cosmetic Dentistry of the Rockies Healthcare Provider Improper Disposal 1,850
Aetna Inc. Health Plan Unauthorized Access/Disclosure 1,600

 

November 2017 Healthcare Data Breaches by State

The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On