January saw a 48% month-over-month drop in the number of large healthcare data breaches, from 62 incidents in December to 32 in January, according to an analysis by HIPAA Journal. While this is well below the average of 38 breaches reported each month, it still amounts to more than one data breach a day.
The number of breached records would also have fallen sharply were it not for a major data breach reported by Florida Healthy Kids Corporation that affected 3.5 million people. Including that breach, 4,467,098 records were reported as compromised or exposed in January, around 225,000 more than December's total.
Biggest Healthcare Data Breaches Reported in January 2021
The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches ever reported. It was reported by the health plan but actually occurred at one of its business associates: an IT company the plan had contracted to host its website and its online application for insurance coverage. The company had not applied patches for seven years, which allowed a hacker to gain access to sensitive data.
Hendrick Health suffered a major data breach as a result of a ransomware attack, one of many reported by healthcare delivery organizations since September 2020, when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack, in this case at one of its technology partners.
Email-based attacks such as business email compromise (BEC) and phishing were prevalent during January and were the cause of four of the top ten breaches.
| Covered Entity | Entity Type | Individuals Impacted | Breach Type | Breach Location |
|---|---|---|---|---|
| Florida Healthy Kids Corporation | Health Plan* | 3,500,000 | Hacking/IT Incident: Website and Web Application Hack | Network Server |
| Hendrick Health | Healthcare Provider | 640,436 | Hacking/IT Incident: Ransomware | Network Server |
| Roper St. Francis Healthcare | Healthcare Provider | 189,761 | Hacking/IT Incident: Phishing attack | |
| Precision Spine Care | Healthcare Provider | 20,787 | Hacking/IT Incident: BEC attack | |
| Walgreen Co. | Healthcare Provider | 16,089 | Unauthorized Access/Disclosure: Unknown | |
| The Richards Group | Business Associate | 15,429 | Hacking/IT Incident: Phishing attack | |
| Florida Hospital Physician Group Inc. | Healthcare Provider | 13,759 | Hacking/IT Incident: EHR System | Electronic Medical Record |
| Managed Health Services | Health Plan* | 11,988 | Unauthorized Access/Disclosure: Unconfirmed | Paper/Films |
| Bethesda Hospital | Healthcare Provider | 9,148 | Unauthorized Access of EMR by employee | Electronic Medical Record |
| County of Ramsey | Healthcare Provider* | 8,687 | Hacking/IT Incident: Ransomware | Network Server |

*Breach reported by the covered entity but occurred at a business associate.
January 2021 Healthcare Data Breach Causes
Hacking and other IT incidents remain the main cause of healthcare data breaches. January saw 20 hacking/IT incidents, 62.5% of the month's data breaches. The protected health information of 4,413,762 individuals was exposed in those breaches, 98.8% of all records breached in January. The average breach size was 220,688 records and the median breach size was 2,464 records.
There were 11 unauthorized access and disclosure incidents reported, affecting 50,996 individuals. The average breach size was 4,636 records and the median breach size was 1,680 records. There was a single reported loss incident, involving an unencrypted laptop computer containing 2,340 records.
As the bar chart below indicates, most breaches involved PHI stored in email accounts, largely because of the high number of phishing attacks. Email was just ahead of network server incidents, most of which were due to malware or ransomware infections.
Healthcare Data Breaches by Covered Entity Type
The covered entity type worst affected was healthcare providers, with 23 reported data breaches, followed by health plans with six. Three data breaches were reported by business associates of HIPAA covered entities, and a further seven occurred at business associates but were reported by the covered entity, including the largest data breach of the month.
Business associate data breaches have been rising in recent months. These incidents often affect several covered entities at once, as with the 2020 data breach at Blackbaud, which compromised the data of more than 10 million individuals across around four dozen healthcare companies. A study by CI Security found that 75% of all healthcare records breached in the second half of 2020 were the result of data breaches at business associates.
Healthcare Data Breaches by State
January's 32 data breaches were reported by HIPAA-regulated entities in 18 states, with Florida the worst affected with six reported breaches. There were three breaches in each of Texas and Wyoming, and two in each of Louisiana, Massachusetts, and Minnesota.
Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had one HIPAA breach reported.