There were 36 healthcare data breaches involving over 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September. This figure presents a 26.53% reduction in breaches compared to the last month.

The September breaches had exposed a total of 1,957,168 medical records, which represents a 168.11% rise from August. The huge number of breached files is down to four reported breaches, each of which had a lot of medical documents. Three of the breaches were affirmed as ransomware attacks.

Major Healthcare Data Breaches in September

The major breaches of the month were mostly due to ransomware attacks:

a ransomware attack on North Florida OB-GYN based in Jacksonville, FL resulted in the likely exposure of 528,188 medical records

a ransomware attack on Sarrell Dental brought about the encryption of the healthcare records of 391,472 patients of its dental clinics in Alabama

a ransomware attack on Premier Family Medical in Utah resulted in the possible exposure of healthcare records of 320,000 patients

a network server hacking event at the University of Puerto Rico had the potential compromise of 439,753 Intramural Practice Plan members data

The exposed healthcare records in those four breaches made up 85.80% of the total healthcare records exposed in September.

Reasons for Healthcare Data Breaches in September 2019

Hacking/IT incidents led the data breach reports in September. There were 24 breaches reported that involved hacking/IT incidents. Nine cases were due to unauthorized access/disclosure and 3 incidents were caused by loss/theft of electronic and physical records.

The 24 hacking/IT cases caused the exposure of 1,917,657 patient records. This made up 97.98% of breached medical records in September with a mean breach size of 958,829 records and a median breach size of 5,255 records.

Unauthorized access/disclosure cases in September caused the compromise of 1% or 19,741 medical records. The breached records had mean size of 2,193 records and a median size of 998 records. Two theft cases had exposed 4,770 physical and electronic records while the one-loss case impacted 15,000 records held in a mobile electronic gadget.

Location of Compromised Protected Health Information (PHI)

Phishing remains to be a significant area of concern for the healthcare sector. In September, 16 incidents or 44.44% of all breaches impacted PHI located in email accounts. A big proportion of the 13 network server cases were because of ransomware attacks.

Healthcare Data Breaches by Covered Entity Type

In September, healthcare providers submitted 28 data breach reports, health plans/health insurers submitted four reports, and business associates of HIPAA covered entities submitted four reports. But four breaches submitted by covered entities had some business associates involvement.

States Impacted by Healthcare Data Breaches in September 2019

In September, 23 states and Puerto Rico reported the data breaches. California, Washington and Maryland reported three data breaches each. Arizona, Colorado, Arkansas, Georgia, South Carolina and Indiana reported two data breaches each. Alabama, Illinois, Florida, Iowa, Michigan, Nebraska, Maine, New Jersey, Oklahoma, Tennessee, Ohio, West Virginia, Texas Utah, and Puerto Rico each had one breach report.

HIPAA Enforcement Activity in September 2019

The HHS’ Office for Civil Rights declared in September the number 3 HIPAA violation penalty of the year. OCR required Bayfront Health St Petersburg located in Florida an $85,000 financial fine for not give a patient a copy of her child’s fetal heart monitor information within a sensible period of time. The patient took many attempts prior to obtaining the medical records in a span of 9 months.

State attorneys general didn’t announce any financial fines in September related to HIPAA violations.