Healthcare organizations reported 31 privacy incidents last month.
July was particularly bad for reported healthcare data breaches. With the data of nearly 860,000 patients compromised, the month stood out among the year’s worst for health privacy, with few others even coming close, according to an analysis of government data.
In total, 31 security incidents placed 858,411 individuals at risk, according to records publicized by the U.S. Department of Health & Human Services’ Office for Civil Rights.
>> READ: WannaCry, NotPetya and Cyberwarfare’s Threat to Healthcare
Two of the three largest data breaches affected patients of providers — Jefferson City, Missouri’s St. Mary’s Hospital and Nebraska’s Boys Town National Research Hospital — each of whom suffered different kinds of incidents. The second largest data breach, meanwhile, stemmed from a networking breakdown in a company called MedEvolve, which sells software to physicians and larger providers.
Here’s how the data breaches, which are currently under investigation by the Office for Civil Rights, played out in terms of numbers and type. (Also, note that not every healthcare data breach is required to be reported, and not all incidents result in harm or loss to patients. Finally, many of these incidents didn’t occur in July, which is the month when they were reported.)
Despite occurring just two times in July, instances of improper disposal affected the most patients, beyond hacking, theft and all of the bogeymen that healthcare is fighting against. (For reference, there have been months when we’ve barely had a word to write about improper disposal.)
So what made July such a rough time for taking out the trash? A single incident at SSM Health St. Mary’s Hospital, Jefferson City, which was reported on July 30 and affected 301,000 patients. The hospital reportedly learned that patient information had been found in corners of its former campus, which was set to be demolished. Medical records, meanwhile, had already been secured and moved to the new building. Most of the documents in question were administrative, but they contained various sensitive data, including clinical information. The health system is investigating the matter.
Across 18 incidents, hackers compromised the data of 291,465 patients, according to the Office for Civil Rights.
Aside from one administrative vendor and two health plans, nearly all of the breached institutions were healthcare providers. These incidents occurred in many states, dotting the map, from California to Texas and Arkansas to New Jersey, with breaches. The number of patients affected in each case ranged from several hundred or several thousand to tens or even hundreds of thousands.
But the largest attack jeopardized 105,309 patients of Boys Town National Research Hospital in Omaha, Nebraska. Reported on July 20, the incident stemmed from an unknown person’s access to a staff member’s email account, which had access to patients’ Social Security numbers, diagnosis and treatment data and any number of additional personal details.
July saw 245,597 patients whose data were caught up in eight unauthorized access/disclosure incidents. Several occurrences affected just a few hundred individuals, but many numbered in the thousands. Like the month’s reported hacks, these worrisome instances took place across the nation.
The majority of affected patients, however, can trace their troubles to Little Rock, Arkansas, where data from 205,434 people were exposed in a network server problem at MedEvolve. The practice-management software developer noticed that a file containing patient information was “inadvertently accessible to the internet,” according to an announcement. How did the file get there? Through an isolated data transfer event.” But the company said no clinical data were exposed; though other personal data, including Social Security numbers, were.
Here, we combined the two categories that typically see the smallest number of patients affected. Rocky Mountain Health Care Services in Colorado reported that a stolen laptop had placed the data of 1,087 people at risk, and Central New York Cardiology had lost documents containing data on 824 individuals.
Get the best insights in healthcare analytics directly to your inbox.
What to Do Before and After a Data Breach
Another Major Healthcare Hack: 1.4M Patients’ Records Compromised