Our February 2018 healthcare data breach report lists the major data breaches reported by healthcare groups, health plans, and business associates in February 2018.
Even though February is a shorter month, but there was a rise in the number of healthcare data breaches made known to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered bodies and business associates reported 25 breaches – a 19% month on month rise in breaches.
While there were more breaches experienced this month, the number of healthcare records exposed as a result of healthcare data breaches fell by over 100,000. In January 428,643 healthcare records were breached. February 2018 healthcare data breaches saw 308,780 healthcare records breached.
Biggest Healthcare Data Breaches of February 2018
The Biggest healthcare data breaches made known to the Office for Civil Rights in February are included below.
| Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of PHI |
| St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident | Network Server |
| Tufts Associated Health Maintenance Organization, Inc. | Health Plan | 70,320 | Unauthorized Access/Disclosure | Paper/Films |
| Triple-S Advantage, Inc. | Health Plan | 36,305 | Unauthorized Access/Disclosure | Paper/Films |
| CarePlus Health Plan | Health Plan | 11,248 | Unauthorized Access/Disclosure | Paper/Films |
| Union Lake Supermarket, LLC | Healthcare Provider | 9,956 | Improper Disposal | Other Portable Electronic Device |
The top five data breaches accounted for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – made up for 43.6% of the exposed healthcare records in February.
February 2018 Healthcare Data Breaches: Main Causes
Unauthorized access/disclosures was at the top of the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and was seen in three of the most serious breaches. Hacking incidents were in close second with nine recorded breaches, followed by three loss/theft incidents and one case of inadequate disposal of ePHI.
Records Breached by Breach Type
Hacking/IT incidents were the second largest causing factor in healthcare data breaches in February, but the incidents lead to the exposure/theft of the largest amount of healthcare data.
Location of Violated Data
In total, there were more breaches that impacted electronic health data than physical records, although breaches involving paper/films were the most experienced with 6 incidents. The breach reports show that while technological controls are vital in stopping hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative security measures are necessary to prevent unauthorized access. All six of the breaches that impacted paper/films were unauthorized access/disclosures.
Data Breaches by Covered Body
Healthcare suppliers were the hardest hit by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches submitted by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.
Healthcare provider breaches impacted the most health records in February. 168,732 records were exposed by healthcare suppliers. The mean breach size was 11,248 records and the median breach size was 1,670 records.
Health plans suffered fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The average breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.
State by State Healthcare Data Breaches: February 2018
Healthcare groups located in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.
Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each recorded one data breach.
Fines for HIPAA Covered Bodies in February 2018
The Office for Civil Rights (OCR) settled one HIPAA breach case in February. Filefax Inc, agreed to settle possible HIPAA violations with OCR for $100,000. The fine sent a message to HIPAA-covered bodies and their business associates that HIPAA responsibilities do not finish when a business ceases trading. The fine relates to HIPAA breaches that took place after the business closed – the improper disposal of paperwork including protected health information.
