November 2020 Healthcare Data Breach Report
For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number, due in large part to the ransomware attack on the cloud service provider Blackbaud.
November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).
The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records.
Largest Healthcare Data Breaches Reported in November 2020
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause |
|---|---|---|---|---|---|
| AspenPointe, Inc. | CO | Healthcare Provider | 295,617 | Hacking/IT Incident | Ransomware attack |
| Lawrence General Hospital | MA | Healthcare Provider | 176,587 | Hacking/IT Incident | Unspecified data security incident |
| Alamance Skin Center | NC | Healthcare Provider | 100,000 | Loss | Ransomware attack |
| Mercy Iowa City | IA | Healthcare Provider | 92,795 | Hacking/IT Incident | Phishing |
| Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 78,006 | Hacking/IT Incident | Blackbaud ransomware attack |
| Tufts Health Plan | MA | Health Plan | 60,545 | Hacking/IT Incident | Phishing attack on vendor |
| Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care | FL | Healthcare Provider | 58,823 | Unauthorized Access/Disclosure | Ransomware attack |
| Methodist Hospital of Southern California | CA | Healthcare Provider | 39,881 | Hacking/IT Incident | Blackbaud ransomware attack |
| One Touch Point | WI | Business Associate | 28,658 | Unauthorized Access/Disclosure | Unknown |
| People Incorporated | MN | Healthcare Provider | 27,500 | Hacking/IT Incident | Phishing |
| Chesapeake Regional Healthcare | VA | Healthcare Provider | 24,000 | Hacking/IT Incident | Blackbaud ransomware attack |
| Seeley Enterprises Company | OH | Healthcare Provider | 16,196 | Hacking/IT Incident | Ransomware attack |
| Golden Gate Regional Center | CA | Business Associate | 11,315 | Hacking/IT Incident | Ransomware attack |
| Galstan & Ward Family and Cosmetic Dentistry | VA | Healthcare Provider | 10,759 | Hacking/IT Incident | Ransomware attack |
| Kaiser Foundation Health Plan of Georgia, Inc. | GA | Health Plan | 10,205 | Unauthorized Access/Disclosure | Unknown |
Causes of November 2020 Healthcare Data Breaches
Hacking/IT incidents continue to dominate the breach reports, both in terms of the number of breaches and the number of breached records. There were 23 hacking/IT incidents reported in November – 48.94% of all breaches reported in the month. 867,983 records were exposed or stolen in those breaches – 76.2% of all records breached in November. The average breach size was 37,738 records and the median breach size was 8,000 records.
There were 19 data breaches classed as unauthorized access/disclosure incidents – 40.43% of the month’s data breaches. 166,115 healthcare records were improperly accessed or impermissibly disclosed in those incidents – 14.58% of the breached records in November. The average breach size was 8,723 records and the median breach size was 3,557 records.
There were 4 loss/theft incidents (2 loss/2 theft) reported in November – 8.51% of the month’s breaches. 103,053 healthcare records were exposed or stolen in those incidents – 9.05% of records breached in November. The average breach size was 25,763 records and the median breach size was 1,265 records. There was one incident involving the improper disposal of paperwork that contained the PHI of an estimated 2,000 individuals.
The chart below shows the location of breached protected health information. Up until September 2020, email was the most common location of breached patient data, with the majority of those breaches the result of phishing attacks. That changed in September due to the ransomware attack on Blackbaud. Entities impacted by that data breach continue to submit breach reports, albeit at a low level, with network server incidents remaining high due to the healthcare industry continuing to be targeted by ransomware gangs. Phishing attacks continue to be a problem in healthcare, with 13 large data breaches reported involving PHI stored in email accounts.
Healthcare Data Breaches by Covered Entity Type
Healthcare providers were the worst affected type of covered entity in November: 34 healthcare providers reported data breaches, and 6 data breaches were reported by health plans.
7 data breaches were reported by business associates of HIPAA covered entities; however, 16 breaches in total had some business associate involvement, with 9 of those breaches reported by the covered entity.
Healthcare Data Breaches by State
The November data breaches were reported by HIPAA-covered entities and business associates in 23 states and the District of Columbia. Ohio was the worst affected state with 5 breaches reported, followed by Georgia and Maine with 4, and California, Florida, and Texas with 3 breaches.
Two healthcare data breaches of 500 or more records were reported by entities based in Arkansas, Delaware, Illinois, Kentucky, Maryland, Michigan, and Virginia. One breach was reported in each of Alabama, Colorado, Iowa, Idaho, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia.
HIPAA Enforcement Activity in November 2020
There were three HIPAA enforcement actions announced by the HHS’ Office for Civil Rights in November, all of which were part of its HIPAA Right of Access enforcement initiative. OCR announced the new enforcement initiative in 2019 to crack down on healthcare providers that fail to provide patients with timely access to their health records for a reasonable cost-based fee.
In all three cases, the healthcare providers did not provide a copy of the requested records within the 30-day time frame demanded by the HIPAA Privacy Rule.
University of Cincinnati Medical Center settled with OCR and paid a $65,000 penalty, Riverside Psychiatric Medical Group paid a $25,000 penalty, and Dr. Rajendra Bhayani paid a $15,000 penalty. Under this enforcement initiative, OCR has imposed 12 financial penalties on covered entities, 10 of which have been in 2020.