April's OCR-Reported Data Breaches: 766,000* Patients at Risk (So Far)

Image courtesy Wikimedia Commons user Cjp24. Image has been stylized.

In April, 24 different healthcare organizations reported breaches reported potential health data breaches to the Department of Health and Human Services Office of Civil Rights (OCR). In those incidents, 184,059 patients may have been affected.

A 25^th organization also reported a potential breach—that’s where the asterisk and huge number in the headline come into play. The OCR’s online reporting portal shows that the California Department of Developmental Services reported a breach that alone could have affected an astounding 582,174 people.

>>READ: 3 Things That Healthcare Must Understand About Cybersecurity

They did so out of abundance of caution: It was reported as an Unauthorized Access/Disclosure incident, stemming from a February 11^th break-in during which a dozen government computers were stolen and burglars may have had access to that many health records—the bulk of which were reported to be paper records, making it unlikely that bad actors could have accessed that many. Hence, the asterisk, but the Department is following protocol. Entities that suffer a breach impacting 500 or more patients have to tell the OCR within 60 days of detection.

Some of the events in our monthly roundup may have occurred a bit before April. Reports also trickle in days or weeks after the month had ended, so the number may still grow.

Unauthorized Access/Disclosure: 618,787* Patients

If you exclude the 582,000+ from that California disclosure, this category would fall to second in April. There were 10 other reported events covered 36,613 people.

The second-largest of the breaches came out of Fondren Orthopedic Group in Houston, Texas: 11,552 patients had potentially had their protected health information (PHI) exposed in paper or film form, though little additional information about the event is available.

The Kansas Department for Aging and Disability Services continued a trend of state agency data breaches, reporting that as many as 11,000 people had their PHI put at risk by an errant email to a business associate that contained the information in an attachment. The event mirrors a similar mistake reported by the Mississippi State Department of Health, which may have compromised 30,000 patients and was reported in March.

Integrated Rehab Consultants in Illinois reported a breach affecting 4,292 patients, although that appears to have been reported well outside the required timeframe: The company recently admitted that the breach occurred in 2016 and it became aware of the situation in late 2017.

Other reported unauthorized access breaches of 1,000+ patients came from a Virginia-based healthcare business associate (listed as MAXIMUS, Inc./Business Ink, Co., 3,029 patients); a California health plan (Blue Shield of California, 1,717 patients); a Florida hospital (West Kendall Baptist, 1,480 patients); a Kentucky optometrist (MorshedEye, 1,100 patients); an Iowa health plan (Polk County Health Services, 1,071 patients). Two other breaches of 839 and 533 patients’ records, respectively, round out the category.

Hacking Incidents: 141,156 Patients

Nearly 100,000 more patients were put at risk by healthcare hacking incidents reported in April compared to those reported the month prior.

The total was driven by in large part by a huge ransomware hit that locked up the information of over 80,000 patients. California-based Center for Orthopedic Specialists, which has 3 locations, reported that “an unauthorized party gained access to the computer system used to house patient information, and then encrypted that information in an attempt to extort a monetary payment.” The organization doesn’t believe unauthorized party viewed or exported patient data. The attack occurred in late February.

Device maker Inogen took second place in the “Largest Hacking Incident Reported in April” category. An unauthorized party accessed an employee email account at some point between January 2^nd and March 14^th, and an external investigator found that that names, addresses, telephone numbers, email addresses, dates of birth, dates of death, Medicare identification numbers, insurance policy information, and medical equipment usage may’ve been involved in the breach. The company notified 29,528 people their information may have been involved.

UnityPoint Health in Iowa followed, suffering from a phishing attack that may have compromised 16,429 people’s PHI through employee email accounts.

ATI Holdings made its second consecutive appearance on this list. The business associate suffered a breach of 1,776 patients’ data. Other organizations reporting hacks to OCR included a New Jersey dentist (Michael Gruber DMD, 4624 patients); a Texas provider (Texas Health Physicians Group, 3,808 patients); a Pennsylvania business associate (Worldwide Insurance Services, 1,692 patients); a Montana provider (Billings Clinic, 949 patients); and a North Carolina radiology company (Diagnostic Radiology & Imaging, 800 patients).

Loss/Theft: 6,290 Patients

It was a light month for incidents of loss and theft—actually, no losses were report, but 5 organizations reported patients put at risk by stolen materials.

The largest hit Chesapeake Regional Healthcare in Virginia. About 2,100 patients may have had their PHI exposed when 2 portable hard drives went missing.

Quality-Care Pharmacy in California also reported 2,000 patients potentially compromised thanks to some type of larceny—the OCR breach portal lists “Desktop Computer, Other, Other Portable Electronic Device, Paper/Films,” as the location of the stolen materials.

In Illinois, a Walgreen’s reported a theft, marked “Other,” that may have affected 910 patients, while Riverside Medical Center reported 501 could have their PHI at risk due to a stolen computer.

The Wisconsin Department of Health and Human Services continued the state agency data breach theme, reporting that information about 779 patients might be on a laptop that was stolen.

Related Coverage:

March's Reported Data Breaches: Another 120,000 Patients at Risk (So Far)

The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

Newly-Reported Incidents Put February's Compromised Patient Record Total Over 300k