May: Another Banner Month for OCR-Reported Data Breaches (In a Bad Way)

Updated 6/4/2018

Even with a number of incidents likely yet to be reported, May is already shaping up to be a banner month for healthcare data breaches (in the bad way).

According to the Department of Health and Human Services’ Office for Civil Right (OCR) breach reporting portal, more than 800,000 patients were put at risk of having their protected health information compromised in just 23 incidents. As is often the case, a single sweeping incident carried much of that total, but 7 incidents involved 10,000 or more patients.

Hacking/IT Incidents: 726,305 Patients

Alluded to earlier, the colossal total here falls largely on 1 breach. In March, Maryland’s LifeBridge Health detected a cyberattack that exposed information about over 538,000 patients (healthcare entities must report breaches to OCR within 60 days of discovery). The event actually occurred in September of 2016. According to the Baltimore Sun, a hacker broke into the health system via one of its physician practices and may have proceeded to take information from its patient registration and billing platform. Insurance information, names, addresses, and Social Security numbers all might be at risk, although LifeBridge posed its patient warnings and OCR reporting as precautionary.

But so far there are 9 other posted hacking incidents that might have exposed patient information, ranging from a 600-person event at an Oregon-based Care Partners Hospice and Palliative Care facility to a 64,000+ patient hack against another Oregon clinic (fittingly known as the Oregon Clinic).

One particularly noteworthy case is that of a 42,200-patient event reported by Michigan’s Holland Eye Surgery and Laser Center. The hacker reportedly reached out to cybersecurity watchdog, however, claming to have stolen more than 5 times that number of records—and that the health system was aware that he did for nearly 2 years before it reported the incident (more on that bizarre case here). Healthcare Analytics News™ has made multiple attempts to reach Holland Eye for details about the incident, but has not received a response.

Aultman Hospital in Ohio also suffered a 42,000+-patient breach as a result of a phishing attack.

Other events affected Ohio’s USACS Management Group (15,552 patients), Florida Hospital (12,274 patients), Minnesota’s Associates in Psychiatry and Psychology (reportedly a ransomware attack—6,546 patients), California’s Capitol Administrators, Inc. (a business associate; 1,733 patients), and the Trustees of Purdue University in Indiana (1,711 patients).

Unauthorized Access/Disclosure Incidents: 85,272 Patients

The Cerebral Palsy Research Foundation of Kansas (CPRF) notified patients who participated in the organization’s work between 2001 and 2010 that their data may be at risk. On March 10^th, CPRF staff noticed that a previously-used database containing client data had been “vulnerable for a period of 10 months” after a change in servers that temporarily left data unsecured. The group says it moved quickly to resecure the information. Potentially-identifying PHI was contained in the exposed files, though no financial information reportedly was. In all, CPRF reported that the incident put 8,300 patients at risk.

Three separate locations of Nevada’s Dignity Health St. Rose Dominican health system reported potential unauthorized access incidents involving paper records, affecting 2,174, 2,098, and 1,764 patients, respectively. Another Nevada institution, business associate Cambridge Dental Consulting Group, reported a 3,758-person breach in the “other” category.

Remaining unauthorized access incidents were reported to OCR by Arizona’s Baptist Health (3,453 patients), Texas’s UT Physicians (2,793 patients), the New York City Human Resources Administration (2,078 patients), and Ohio’s OrthoWest Ltd. (2,300 patients) and Hancock County Board of Developmental Disabilities (607 patients).

Another entity called Dignity Health, this one based in California, reported an email-based unauthorized access incident on the last day of the month. It affected 55,947 patients, nearly doubling the total from the other 10 incidents combined.

Theft/Loss: 2,265 Patients

In March, Heritage Court Post Acute of Scottsdale, Arizona realized that “certain paper files” had been stolen from a locked storage area.

“The documents included varying information belonging to residents, including demographic information and, in some cases, diagnoses, and information about medical treatments and procedures the residents were receiving,” the health system wrote in an issued statement. “A limited number of the documents stolen contained financial information including Social Security and Medicare numbers.”

The health network says it is not aware of any misuse, but it notified 1,765 patients of the incident. Baystate Family Dental, Inc., also reported a paper- or film-based data theft of the minimum number of affected patients required for OCR reporting: 500.

At least no one has reported a stolen hard drive or laptop (yet).

Related Coverage:

Printing is Increasing Post-EHR Adoption...and So Are the Security Risks

April's OCR-Reported Data Breaches: 766,000* Patients at Risk (So Far)

Device Maker Inogen Reports Data Breach That May've Affected 30,000 Patients