October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

Healthcare data breaches Sept 2019 to Oct 2020

The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

Healthcare records breaches in the past 12 months

Largest Healthcare Data Breaches Reported in October 2020

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause
Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack
AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware
Presbyterian Healthcare Services Healthcare Provider Hacking/IT Incident 193,223 Phishing Attack
Sisters of Charity of St. Augustine Health System Healthcare Provider Hacking/IT Incident 118,874 Blackbaud Ransomware
Timberline Billing Service, LLC Business Associate Hacking/IT Incident 116,131 Ransomware Attack
Greenwich Hospital Healthcare Provider Hacking/IT Incident 95,000 Blackbaud Ransomware
OSF HealthCare System Healthcare Provider Hacking/IT Incident 94,171 Blackbaud Ransomware
Geisinger Healthcare Provider Hacking/IT Incident 86,412 Blackbaud Ransomware
CCPOA Benefit Trust Fund Health Plan Hacking/IT Incident 80,000 Ransomware Attack
Ascend Clinical, LLC Healthcare Provider Hacking/IT Incident 77,443 Phishing and Ransomware Attack
Centerstone of Tennessee, Inc. Healthcare Provider Hacking/IT Incident 50,965 Phishing Attack
Georgia Department of Human Services Healthcare Clearing House Hacking/IT Incident 45,732 Phishing Attack
Connecticut Department of Social Services Health Plan Hacking/IT Incident 37,000 Phishing Attack
State of North Dakota Healthcare Provider Hacking/IT Incident 35,416 Phishing Attack
AdventHealth Shawnee Mission Healthcare Provider Hacking/IT Incident 28,766 Blackbaud Ransomware

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang that is conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

causes of October 2020 Healthcare Data Breaches

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware was used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

Location of PHI in October 2020 Healthcare Data Breaches

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

October 2020 Healthcare Data Breaches by Covered Entity Type

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance.  There have been 15 settlements agreed between OCR and covered entities/business associates between January 1, 2020 and October 31, 2020, including 4 financial penalties announced in October. The previous record was in 2016, when 13 penalties were announced.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PhI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.