February 2018 Healthcare Data Breaches Summary

by | Mar 20, 2019

Our February 2018 healthcare data breach report lists the major data breaches reported by healthcare groups, health plans, and business associates in February 2018.

Even though February is a shorter month, there was a rise in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month-over-month rise in breaches.

Healthcare Data Breaches by Month

While there were more breaches this month, the number of healthcare records exposed as a result of healthcare data breaches fell by over 100,000. In January, 428,643 healthcare records were breached. In February 2018, 308,780 healthcare records were breached.

Records exposed in Healthcare Data Breaches

Biggest Healthcare Data Breaches of February 2018

The biggest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

| Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of PHI |
|---|---|---|---|---|
| St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident | Network Server |
| Tufts Associated Health Maintenance Organization, Inc. | Health Plan | 70,320 | Unauthorized Access/Disclosure | Paper/Films |
| Triple-S Advantage, Inc. | Health Plan | 36,305 | Unauthorized Access/Disclosure | Paper/Films |
| CarePlus Health Plan | Health Plan | 11,248 | Unauthorized Access/Disclosure | Paper/Films |
| Union Lake Supermarket, LLC | Healthcare Provider | 9,956 | Improper Disposal | Other Portable Electronic Device |

The top five data breaches accounted for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

February 2018 Healthcare Data Breaches: Main Causes

Unauthorized access/disclosure incidents topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents, and this cause was seen in three of the most serious breaches. Hacking incidents were a close second with nine recorded breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Breached by Breach Type

Hacking/IT incidents were the second largest cause of healthcare data breaches in February, but those incidents led to the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Data

In total, there were more breaches that impacted electronic health data than physical records, although breaches involving paper/films were the most common, with 6 incidents. The breach reports show that while technological controls are vital in stopping hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records, and administrative security measures are necessary to prevent unauthorized access. All six of the breaches that impacted paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the hardest hit by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches submitted by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches impacted the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans suffered fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The average breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

State by State Healthcare Data Breaches: February 2018

Healthcare groups located in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches – Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each recorded one data breach.

Fines for HIPAA Covered Entities in February 2018

The Office for Civil Rights (OCR) settled one HIPAA breach case in February. Filefax Inc. agreed to settle possible HIPAA violations with OCR for $100,000. The fine sent a message to HIPAA covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA breaches that took place after the business closed – the improper disposal of paperwork including protected health information.


Patrick Kennedy
