February 2018 Healthcare Data Breaches Summary

Our February 2018 healthcare data breach report lists the major data breaches reported by healthcare groups, health plans, and business associates in February 2018.

Even though February is a shorter month, but there was a rise in the number of healthcare data breaches made known to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered bodies and business associates reported 25 breaches – a 19% month on month rise in breaches.

Healthcare Data Breaches by Month

While there were more breaches experienced this month, the number of healthcare records exposed as a result of healthcare data breaches fell by over 100,000. In January 428,643 healthcare records were breached. February 2018 healthcare data breaches saw 308,780 healthcare records breached.

Records exposed in Healthcare Data Breaches

Biggest Healthcare Data Breaches of February 2018

The Biggest healthcare data breaches made known to the Office for Civil Rights in February are included below.

Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident Network Server
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70,320 Unauthorized Access/Disclosure Paper/Films
Triple-S Advantage, Inc. Health Plan 36,305 Unauthorized Access/Disclosure Paper/Films
CarePlus Health Plan Health Plan 11,248 Unauthorized Access/Disclosure Paper/Films
Union Lake Supermarket, LLC Healthcare Provider 9,956 Improper Disposal Other Portable Electronic Device

The top five data breaches accounted for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – made up for 43.6% of the exposed healthcare records in February.

February 2018 Healthcare Data Breaches: Main Causes

Unauthorized access/disclosures was at the top of the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and was seen in three of the most serious breaches. Hacking incidents were in close second with nine recorded breaches, followed by three loss/theft incidents and one case of inadequate disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Breached by Breach Type

Hacking/IT incidents were the second largest causing factor in healthcare data breaches in February, but the incidents lead to the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Violated Data

In total, there were more breaches that impacted electronic health data than physical records, although breaches involving paper/films were the most experienced with 6 incidents. The breach reports show that while technological controls are vital in stopping hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative security measures are necessary to prevent unauthorized access. All six of the breaches that impacted paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Body

Healthcare suppliers were the hardest hit by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches submitted by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches impacted the most health records in February. 168,732 records were exposed by healthcare suppliers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans suffered fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The average breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

State by State Healthcare Data Breaches: February 2018

Healthcare groups located in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each recorded one data breach.

Fines for HIPAA Covered Bodies in February 2018

The Office for Civil Rights (OCR) settled one HIPAA breach case in February. Filefax Inc, agreed to settle possible HIPAA violations with OCR for $100,000. The fine sent a message to HIPAA-covered bodies and their business associates that HIPAA responsibilities do not finish when a business ceases trading. The fine relates to HIPAA breaches that took place after the business closed – the improper disposal of paperwork including protected health information.