There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information.
September 2017 Healthcare Data Breaches
September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities.
The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.
There were ten attacks on network servers in September, but email attacks topped the list with 13 incidents. 6 of those email incidents were attributed to hacking, including two confirmed phishing attacks and one ransomware incident. The ransomware attack is also understood to have occurred as a result of an employee responding to a phishing email. There were 7 cases of unauthorized access/disclosures via email. One of those incidents involved an employee emailing PHI to a personal email account. Another saw a healthcare employee email PHI to a relative to receive assistance with a work-related action.
Healthcare organizations in 24 states reported data breaches in September. The worst affected state was Texas with four incidents, followed by California, Florida and Wisconsin with three each. Arkansas, Illinois, Minnesota, New York, North Carolina, Pennsylvania, and Washington each had two reported incidents.
Largest Healthcare Data Breaches in September 2017
The largest healthcare data breaches in September 2017 have been detailed in the table below. Six of the top ten breaches in September were the result of hacking/IT incidents.
Hacking/IT incidents resulted in the exposure of 363,364 records – 76.81% of the records exposed in all reported breaches in September. Unauthorized access/disclosures resulted in the exposure of 90,140 records – 19.05% of the total.
The largest reported data breach in September was a ransomware attack that potentially affected 128,000 patients. Data theft was not suspected, although it could not be ruled out with a high degree of certainty.
| Covered Entity | Entity Type | Breached Records | Breach Type | Breach Information |
| Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident | Ransomware attack |
| Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident | Phishing attack |
| Network Health | Health Plan | 51,232 | Hacking/IT Incident | Phishing attack |
| ABB, Inc. | Healthcare Provider | 28,012 | Hacking/IT Incident | |
| Arkansas Department of Human Services | Health Plan | 26,000 | Unauthorized Access/Disclosure | Employee emailed PHI to a personal account |
| CBS Consolidated, Inc. | Business Associate | 21,856 | Hacking/IT Incident | Server hacked |
| MetroPlus Health Plan, Inc. | Health Plan | 15,212 | Unauthorized Access/Disclosure | Employee emailed PHI outside company |
| Mercy Health Love County Hospital and Clinic | Healthcare Provider | 13,004 | Theft | Paper records stolen from a storage unit |
| The Neurology Foundation, Inc. | Healthcare Provider | 12,861 | Unauthorized Access/Disclosure | Employee stole PHI |
| Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists | Healthcare Provider | 12,806 | Hacking/IT Incident | Data theft and extortion attempt |
The post Summary of September 2017 Healthcare Data Breaches appeared first on HIPAA Journal.