Healthcare Data Breach Report for November 2019
In November 2019, 33 healthcare data breaches of 500 or more records were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR). That equates to a 36.5% drop in reported breaches from October – the worst ever month for healthcare data breaches on file since OCR were first listed on its website in October 2009. The fall in breaches is good news, but data breaches are still taking place at a rate higher that one every day.
600,877 healthcare records were impacted, impermissibly shared or illegally taken in November. That makes up a 9.2% decrease in breached healthcare records from October, but the average breach size grew by 30.1% to 18,208 records in November.
Biggest Healthcare Data Breaches in November 2019
Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
Ivy Rehab Network, Inc. and its affiliated companies | Healthcare Provider | 125000 | Hacking/IT Incident | |
Solara Medical Supplies, LLC | Healthcare Provider | 114007 | Hacking/IT Incident | |
Saint Francis Medical Center | Healthcare Provider | 107054 | Hacking/IT Incident | Electronic Medical Record, Network Server |
Southeastern Minnesota Oral & Maxillofacial Surgery | Healthcare Provider | 80000 | Hacking/IT Incident | Network Server |
Elizabeth Family Health | Healthcare Provider | 28375 | Theft | Paper/Films |
The Brooklyn Hospital Center | Healthcare Provider | 26312 | Hacking/IT Incident | Network Server |
Utah Valley Eye Center | Healthcare Provider | 20418 | Hacking/IT Incident | Desktop Computer |
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) | Healthcare Provider | 15575 | Hacking/IT Incident | |
Choice Cancer Care | Healthcare Provider | 14673 | Hacking/IT Incident | |
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona | Health Plan | 12886 | Hacking/IT Incident |
Healthcare Data Breaches Causes in November 2019
Hacking/IT incidents made up the most of November’s breach reports and accounted for 63.6% of data breaches made known in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.
There were seven unauthorized access/disclosure breaches reported in November that included 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.
There were four incidents that included the theft of 38,998 individuals’ protected health information. Two of the incidents included electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.
Phishing is still the most common cause of healthcare data breaches. 17 of the healthcare data breaches made known in November involved PHI stored in email accounts. Most of those breaches were caused by phishing attacks.
November 2019 Healthcare Data Breaches by Covered Entity Type
There were 28 healthcare provider data breaches made known in November and four breaches were made known by health plans. It was an excellent month for business associates, with only one breach reported, although an additional two breaches had some business associate involvement.
November 2019 Healthcare Data Breaches by State
Data breaches were reported by covered outfits in 19 states. California was the worst impacted with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were made known by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.