The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) publicly posts breaches affecting 500 or more patients on its online breach portal, known colloquially as the “wall of shame.” In August, 2,219,347 patients were affected by these large-scale breaches (not counting breaches affecting fewer than 500 patients), with 37 breaches reported. More details on the August healthcare breaches are discussed below.

August Healthcare Breaches: Type of Breached Entity

Healthcare breaches are breaches affecting organizations working with protected health information (PHI). While August healthcare breaches predominantly affected healthcare providers, a significant number of patients were also affected by business associate breaches, and a smaller number of patients by health plan breaches.

August Healthcare Breaches: Hacking/IT Incidents

In the month of August, there were 25 hacking/IT incidents affecting 2,179,781 patients. Hacking/IT incidents continue to be the leading cause behind healthcare breaches, pointing to the need for advanced security measures and employee training. Healthcare hacks often occur due to phishing attacks, which are largely caused by human error.

Phishing attacks occur when hackers email an employee of an organization, impersonating a trusted individual or entity, and prompt the recipient to click on a malicious link or provide sensitive information, such as login credentials. Hackers then use this to enter an organization’s network, often stealing or maliciously encrypting files and demanding a sum of money for their return. This is why employee training is an essential part of preventing healthcare breaches. Employees who are trained to recognize phishing emails are less likely to fall victim to a phishing attempt.

August Email Hacks Affected 270,760 Patients

OrthoSC, LLC: 3,000 patients affected

Ace American Insurance Company: 8,100 patients affected

Utah Pathology Services, Inc.: 112,124 patients affected

Elwyn: 501 patients affected

HealthFirst Bluegrass: 971 patients affected

Imperium Health LLC: 139,114 patients affected

D&S Residential Holdings, LLC: 2,102 patients affected

The Connection, Inc.: 3,736 patients affected

Comanche County Hospital Authority: 1,112 patients affected

August Network Server Hacks Affected 1,908,520 Patients

Quality of Life Medical and Research Center: 6,000 patients affected

Crozer-Keystone Health System: 6,863 patients affected

Spectrum Health: 52,711 patients affected

Northwestern Memorial HealthCare: 55,983 patients affected

Assured Imaging: 244,813 patients affected

Main Line Health: 60,595 patients affected

Waystar Health: 1,021 patients affected

City of Lafayette Fire Department: 15,000 patients affected

MultiCare Health System: 179,189 patients affected

Saint Luke’s Foundation: 360,212 patients affected

Richard J. Caron Foundation: 22,718 patients affected

University of Florida Health: 135,959 patients affected

Dynasplint Systems, Inc.: 102,800 patients affected

Summit Medical Associates: 7,264 patients affected

Northern Light Health: 657,392 patients affected

Other August Hacks Affected 501 Patients

Humana Inc: 501 patients affected

August Healthcare Breaches: Unauthorized Access/Disclosures

The second most common cause of healthcare breaches in August was unauthorized access/disclosures of PHI, with 8 incidents affecting 31,662 patients. These incidents occur when an unauthorized individual accesses PHI, whether in electronic form or in paper records. In some cases, incidents occur when employees are assigned the wrong level of access to PHI, or when an employee or entity shares PHI with another employee or entity that should not have access.

To ensure that employees are aware of the proper uses and disclosures of PHI, it is essential to have policies and procedures dictating when PHI should and should not be accessed or disclosed, and to train employees on your organization’s policies and procedures. In addition, your organization must implement administrative safeguards to ensure adherence to the minimum necessary standard.

August Email Unauthorized Access/Disclosures Affected 12,111 Patients

Washington Department of Social and Health Services: 648 patients affected

Hamilton Health Center, Inc.: 10,393 patients affected

BeneSys, Inc.: 1,070 patients affected

August Paper/Films Unauthorized Access/Disclosures Affected 2,821 Patients

Advocate Aurora Health: 1,907 patients affected

The Iowa Clinic, P.C.: 914 patients affected

August EMR Unauthorized Access/Disclosures Affected 772 Patients

Ashley County Medical Center: 772 patients affected

Other August Unauthorized Access/Disclosures Affected 15,958 Patients

UT Southwestern Medical Center: 15,958 patients affected

August Healthcare Breaches: Loss/Theft

It is understandable that incidents of loss or theft occur. In August, there were 5 incidents of loss/theft affecting 7,904 patients. All of these were the result of a portable electronic device, such as a laptop, with unencrypted protected health information being lost or stolen. When an encrypted device containing PHI is lost or stolen, it is not considered a healthcare breach as the PHI contained on the device cannot be read by unauthorized individuals. This is why it is highly recommended that you encrypt all of your devices that have the potential to access PHI.

August Loss of PHI Affected 3,557 Patients

Cook Children’s Medical Center: 1,768 patients affected

St. Peter’s Health Partners Medical Associates, P.C.: 1,789 patients affected

August Theft of PHI Affected 4,347 Patients

Hoag Clinic: 738 patients affected

Beacon Orthopaedics & Sports Medicine: 2,869 patients affected

Consultant Anesthesiologists, Inc.: 740 patients affected

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!