36 healthcare data breaches of more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights during September, a 26.53% drop in the number of breaches from August.
1,957,168 healthcare records were illegally accessed in those breaches, a rise of 168.11% from August. The massive rise in the number of breached records is largely down to four reported incidents, each of which included hundreds of thousands of healthcare records. Three of those incidents have been revealed as ransomware attacks.
Largest Healthcare Data Breaches During September 2019
The largest breach during September was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were possibly compromised in the attack. Sarrell Dental also suffered a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also possibly compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact manner of the breach is unclear.
Those four breaches made up 85.80% of the healthcare records breached during September.
Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
Women’s Care Florida, LLC | Healthcare Provider | 528188 | Hacking/IT Incident | Network Server |
Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439753 | Hacking/IT Incident | Network Server |
Sarrell Dental | Healthcare Provider | 391472 | Hacking/IT Incident | Network Server |
Premier Family Medical | Healthcare Provider | 320000 | Hacking/IT Incident | Network Server |
Magellan Healthcare | Business Associate | 55637 | Hacking/IT Incident | |
CHI Health Orthopedics Clinic -Lakeside | Healthcare Provider | 48000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
Kilgore Vision Center | Healthcare Provider | 40000 | Hacking/IT Incident | Network Server |
Peoples Injury Network Northwest | Healthcare Provider | 27000 | Hacking/IT Incident | Network Server |
Sweetser | Healthcare Provider | 22000 | Hacking/IT Incident | |
Perfect Teeth Yale, P.C. | Healthcare Provider | 15000 | Loss | Other Portable Electronic Device |
Healthcare Data Breaches September 2019 Causes
Hacking/IT incidents accounted for most of the breach reports in September, with 24 incidents reported. There were nine unauthorized access/disclosure incidents and three cases of loss/theft of physical and digital records.
1,917,657 healthcare records were compromised in the 24 hacking/IT incidents, which made up 97.98% of breached records in September. The average breach size was 958,829 records and the median breach size was 5,255 records.
Unauthorized access/disclosure incidents in September made up 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.
Breached Protected Health Information Locations
Phishing is still a major problem area for the healthcare sector. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.
Healthcare Data Breaches by Covered Entity Type During September 2019
28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA-covered entities. Another four breaches had some business associate involvement but were reported by the covered entity.
September 2019 Healthcare Data Breaches States Affected
September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst impacted with three breaches each. Two breaches were reported by entities located in each of Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.
September 2019 HIPAA Enforcement Activity
In September 2019, the HHS’ Office for Civil Rights revealed its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was sanctioned with an $85,000 financial penalty for the failure to supply a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took nine months and multiple attempts by the patient before she was given the records.