There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.
Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.
December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.
Causes of Healthcare Data Breaches in December 2017
As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.
While hacking incidents usually result in the greatest number of records being exposed/stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI – and paper records – resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857 – Both higher than any other cause of data breach.
Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records, showing that while healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.
10 Largest Healthcare Data Breaches in December 2017
In December, there were 9 data breaches that impacted more than 10,000 individuals reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.
The largest data breach reported in December affected Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. It took 18 months after the 60-day deadline for the breach to be reported.
| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
| Oklahoma Department of Human Services | Health Plan | 47000 | Hacking/IT Incident |
| Henry Ford Health System | Healthcare Provider | 43563 | Theft |
| Coplin Health Systems | Healthcare Provider | 43000 | Theft |
| SSM Health | Healthcare Provider | 29579 | Unauthorized Access/Disclosure |
| UNC Health Care System | Healthcare Provider | 27113 | Theft |
| Emory Healthcare | Healthcare Provider | 24000 | Unauthorized Access/Disclosure |
| Franciscan Physician Network of Illinois and Specialty Physicians of Illinois | Healthcare Provider | 22000 | Loss |
| Longs Peak Family Practice, P.C. | Healthcare Provider | 16238 | Hacking/IT Incident |
| Sinai Health System | Healthcare Provider | 11347 | Hacking/IT Incident |
| Golden Rule Insurance Company | Health Plan | 9305 | Unauthorized Access/Disclosure |
December 2017 Healthcare Data Breaches by State
California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.
Eight states experienced two data breaches each – Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.
13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.
Data source: Department of Health and Human Services’ Office for Civil Rights.
The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.