October was Cybersecurity Awareness Month, but that didn’t stop healthcare breaches from surging: 2,817,162 patients were affected by breaches last month. The vast majority of October 2021 healthcare breaches were hacking incidents targeting healthcare providers.

There were a total of 49 healthcare breaches listed on the OCR breach portal in October:

Type of entity breached

  • 37 healthcare providers reported incidents (2,261,319 patients, 80.27% of total patients affected)
  • 6 business associates reported incidents (538,994 patients, 19.13% of total patients affected)
  • 6 health plans reported incidents (16,849 patients, 0.60% of total patients affected)

Type of breach reported

  • 24 hacking incidents (2,607,373 patients, 92.55% of total patients affected)
  • 21 unauthorized access or disclosure incidents (200,386 patients, 7.11% of total patients affected)
  • 3 theft incidents (8,575 patients, 0.30% of total patients affected)
  • 1 loss incident (828 patients, 0.03% of total patients affected)

2021 October Healthcare Breaches: Hacking Incidents

One of the biggest threats facing the healthcare industry is hacking. Hackers are increasingly targeting healthcare organizations because of the wealth of patient information they hold (protected health information). This information can be used to perpetrate further attacks, commit financial fraud, or steal a patient’s identity. Hackers also target healthcare organizations in ransomware attacks because they know these organizations are likely to pay. “The mere fact of systems being unavailable causes huge disruption to these organizations. And thus, there is probably a perception amongst these actors that despite the bad look of targeting a healthcare organization, a healthcare organization is going to have a stronger argument to potentially pay a ransom in order to get their system online” – Jeremy Kennelly, senior manager and principal analyst at Mandiant.

Hacking incidents continue to be a leading cause of healthcare breaches, including those reported in October 2021. These hacks stemmed from different areas:

  • 19 network server hacks (2,383,573 patients, 91.42% of patients affected by hacking)
  • 5 email hacks (223,800 patients, 8.58% of patients affected by hacking)

17 Healthcare Providers Targeted, 2,066,430 Patients, 79.25% of Patients Affected by Hacking

  • Eskenazi Health: 1,515,918 patients
  • ReproSource Fertility Diagnostics, Inc.: 350,000 patients
  • OSF HealthCare System: 53,907 patients
  • Lavaca Medical Center: 48,705 patients
  • Nationwide Laboratory Services: 33,437 patients
  • Syracuse ASC, LLC: 24,891 patients
  • Family of Woodstock: 8,214 patients
  • Viverant PT, LLC: 6,540 patients
  • Drs. Kelley & McDowell PA: 6,204 patients
  • Senior Living, LLC and Pilgrim River, LLC: 3,952 patients
  • North East Ohio Network: 3,555 patients
  • Throckmorton County Memorial Hospital: 3,136 patients
  • Clinical Pathology Diagnostics, LLC: 2,500 patients
  • Seneca Family of Agencies: 2,470 patients
  • Rockbridge Area Community Services Board: 2,000 patients
  • JDC Healthcare Management LLC: 501 patients
  • Missouri Delta Medical Center: 500 patients

2 Business Associates Targeted, 528,826 Patients, 20.28% of Patients Affected by Hacking

  • QRS, Inc.: 319,778 patients
  • UMass Memorial Health Care, Inc.: 209,048 patients

5 Health Plans Targeted, 12,117 Patients, 0.46% of Patients Affected by Hacking

  • Humana Inc: 4,424 patients
  • California Physicians’ Services d/b/a Blue Shield of California: 2,841 patients
  • Painters District Council No. 30 Health and Welfare Fund: 2,157 patients
  • Anthem Inc.: 2,023 patients
  • Blue Cross of California: 672 patients

2021 October Healthcare Breaches: Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosure occur when PHI is accessed without cause, whether by an employee or an unauthorized individual. In October 2021, there were 21 incidents of unauthorized access or disclosure, affecting 200,386 patients.

These incidents occurred through several platforms:

  • 15 email incidents (177,923 patients, 88.79% of patients affected by unauthorized access)
  • 3 electronic medical record incidents (12,801 patients, 6.39% of patients affected by unauthorized access)
  • 2 paper/films incidents (7,375 patients, 3.68% of patients affected by unauthorized access)
  • 1 other incident (2,287 patients, 1.14% of patients affected by unauthorized access)

18 Healthcare Providers, 192,826 Patients, 96.23% of Patients Affected by Unauthorized Access

  • Professional Dental Alliance, LLC: 47,173 patients
  • Professional Dental Alliance of Michigan, PLLC: 26,054 patients
  • Professional Dental Alliance of Georgia, PLLC: 23,974 patients
  • Professional Dental Alliance of Florida, LLC: 18,626 patients
  • Professional Dental Alliance of Illinois, PLLC: 16,673 patients
  • Professional Dental Alliance of Tennessee, LLC: 11,217 patients
  • Professional Dental Alliance of New York, PLLC: 10,778 patients
  • University Hospital: 9,329 patients
  • Professional Dental Alliance of Indiana, PLLC: 7,359 patients
  • Professional Dental Alliance of Connecticut, PLLC: 6,237 patients
  • Professional Dental Alliance of Texas, PLLC: 4,235 patients
  • Bryan Health: 2,753 patients
  • Wirt County Health Services Association d/b/a Coplin Health Systems: 2,643 patients
  • Redwoods Rural Health Center: 2,306 patients
  • NADG Hopewell, Inc.: 1,143 patients
  • Jackson County Health Department: 1,000 patients
  • UNC Hospitals: 719 patients
  • Professional Dental Alliance of Massachusetts: 607 patients

2 Business Associates, 2,828 Patients, 1.41% of Patients Affected by Unauthorized Access

  • Limeade, Inc.: 2,287 patients
  • Independent Health Corporation: 541 patients

1 Health Plan, 4,732 Patients, 2.36% of Patients Affected by Unauthorized Access

  • Orange County Health Authority: 4,732 patients

2021 October Healthcare Breaches: Theft and Loss

When unsecured PHI is lost or stolen, the incident must be reported as a breach. These incidents involved different forms of media:

  • 2 electronic devices (2,663 patients, 28.32% of patients affected by loss or theft)
  • 1 paper/films (1,235 patients, 13.13% of patients affected by loss or theft)
  • 1 both (5,505 patients, 58.55% of patients affected by loss or theft)

2 Healthcare Providers, 2,063 Patients, 21.94% of Patients Affected by Loss or Theft

  • Carteret Health Care: 1,235 patients
  • Walmart, Inc.: 828 patients

2 Business Associates, 7,340 Patients, 78.06% of Patients Affected by Loss or Theft

  • Anthem, Inc.: 5,505 patients
  • Foundation for Medical Care of Tulare and Kings Counties: 1,835 patients