4.8 Million Patients Affected by 2021 July Healthcare Breaches

There were a staggering 4,774,165 patients affected by July’s 58 healthcare information breaches. The majority of these breaches were reported by healthcare providers, representing 65% of the total number of breaches for the month, and 71% of the total number of patients affected. And while it’s unsurprising, hacking incidents were the leading cause behind the month’s breaches, representing 72% of reported breaches, and 96% of patients affected by July’s breaches. Read more about 2021 July healthcare information breaches below.

Leading Cause Behind 2021 July Healthcare Breaches – Hacking

Hacking incidents can occur in different “locations,” as the HHS refers to it. These “locations” include network server, email, electronic medical record, laptops, desktops, or a combination. 87.30% of patient information exposed by hacking occurred through a compromised network server, with 25 incidents exposing 4,012,855 patients. There were 15 email hacking incidents, affecting 499,283 patients, representing 10.86% of patients affected by hacking. There were two more incidents reported classified as “other” affecting 84,736 patients, representing 1.84% of patients affected by hacking.

Unauthorized Access or Disclosure of PHI

Unauthorized access or disclosure of protected health information (PHI) occurs when patient information is used or disclosed without cause. Under HIPAA regulations, PHI access must be limited and only authorized parties should have access. When PHI is accessed outside the norm, this is considered a HIPAA violation. 

In July 2021, there were 13 incidents of unauthorized access or disclosure of PHI. Ten incidents were reported by healthcare providers, two by health plans, and one by a business associate. The incidents reported by healthcare providers affected 48,297 patients, representing 91.69% of patients affected by these types of incidents; incidents reported by health plans affected 1,672 patients, representing 3.17% of patients affected by these types of incidents; and the incidents reported by the business associate affected 2,707 patients, representing 5.14% of patients affected by these types of incidents.

Unauthorized access or disclosure of PHI can occur through an organization’s network server, email, paper/films, electronic medical record, laptops, desktops, or any other device that has access to PHI. 

In July 2021, there were:

• 3 network server incidents, affecting 2,428 patients and representing 4.61% of patients
• 4 email incidents, affecting 4,319 patients and representing 8.20% of patients
• 4 paper/films incidents, affecting 5,143 and representing 9.76% of patients
• 3 classified as “other”, affecting 40,786 and representing 77.43% of patients

Improper Disposal and Theft of PHI

Improper disposal of PHI occurs when a healthcare organization disposes of PHI in a manner that leaves it vulnerable to unauthorized access. In July, one healthcare provider reported an incident of improper disposal, affecting 122,340 patients. There were two incidents of theft of PHI, one reported by a healthcare provider that affected 1,717 patients, and one reported by a business associate that affected 558 patients.

Organizations Affected by 2021 July Healthcare Breaches

Find the list of organizations affected by 2021 July healthcare breaches below. They have been categorized by the type of organization (healthcare provider, business associate, health plan) and the type of incident.

3,200,815 Patients Affected by Healthcare Provider Hacking Incidents

• Medi-Lynx Cardiac Monitoring: 1,841 patients affected
• Ascension Via Christi ACE: 1,977 patients affected
• West Holt Memorial Hospital: 541 patients affected
• North Oklahoma County Mental Health Center d/b/a NorthCare: 500 patients affected
• Prestera Center: 2,152 patients affected
• Orlando Family Physicians, LLC: 447,426 patients affected
• UNC Hospitals: 10,832 patients affected
• The University of North Carolina at Chapel Hill School of Medicine: 10,832 patients affected
• The Cancer Center of Greenwood Leflore Hospital: 2,700 patients affected
• Intermountain Healthcare: 28,628 patients affected
• Adena Fayette Medical Center: 1,389 patients affected
• McLaren Health Care Corporation: 64,600 patients affected
• Advocate Aurora Health: 68,707 patients affected
• Nystrom & Associates : 985 patients affected
• King County Public Hospital District No. 2 d/b/a EvergreenHealth: 22,579 patients affected
• Starling Physicians: 2,808 patients affected
• Saint Peter’s University Hospital: 585 patients affected
• Osborn Cancer Care: 4,614 patients affected
• Forefront Dermatology, S.C.: 2,413,553 patients affected
• Lake County Health Department and Community Health Center: 705 patients affected
• Florida Heart Associates: 45,148 patients affected
• Coastal Family Health Center, Inc: 62,342 patients affected
• CentraCare Health System: 842 patients affected
• St. Vincent’s Services, Inc. D/B/A HeartShare St. Vincent’s Services: 1,927 patients affected
• HeartShare Wellness, LTD: 586 patients affected
• Wayne County Hospital: 2,016 patients affected

48,297 Patients Affected by Healthcare Provider Incidents of Unauthorized Access or Disclosure of PHI

• Harris County: 26,000 patients affected
• siParadigm, LLC: 1,654 patients affected
• Texas Health Presbyterian Hospital Flower Mound: 781 patients affected
• Southwest Nebraska Public Health Department: 13,500 patients affected
• The George Washington University Medical Faculty Associates: 576 patients affected
• Bakersfield Hematology Oncology Inc.: 1,286 patients affected
• Oklahoma Heart Hospital, LLC: 1,038 patients affected
• Triangle Women’s Center: 978 patients affected
• Hope Medical LLC: 500 patients affected
• Hot Springs Health Program: 1,984 patients affected

122,340 Patients Affected by Healthcare Provider Incidents of Improper Disposal of PHI

• HealthReach Community Health Centers: 122,340 patients affected

1,717 Patients Affected by Healthcare Provider Incidents of Theft

• Sierra Nevada Primary Care Physicians: 1,717 patients affected

1,337,932 Patients Affected by Business Associate Hacking Incidents

• Mobile County Commission: 1,337 patients affected
• Thomas Jefferson University Hospital: 1,273 patients affected
• Academic HealthPlans, Inc.: 2,330 patients affected
• Dynamic Health Care, Inc.: 947 patients affected
• Guidehouse: 84,220 patients affected
• City of Lincoln Aging Partners: 1,513 patients affected
• CSI Financial Services, LLC (“ClearBalance”): 5,156 patients affected
• University of Maryland, Baltimore: 30,468 patients affected
• Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp., (“Practicefirst”): 1,210,688 patients affected

2,707 Patients Affected by Business Associate Incidents of Unauthorized Access or Disclosure of PHI

• Standard Modern Company, Inc.: 2,707 patients affected

558 Patients Affected by Business Associate Incidents of Theft

• Synergic Healthcare Solutions, Inc. dba TGH Urgent Care powered by Fast Track: 558 patients affected

58,127 Patients Affected by Health Plan Hacking Incidents

• NCH Corporation: 11,427 patients affected
• Electrical Workers Local 369: 662 patients affected
• Aetna ACE: 8,664 patients affected
• On Lok Senior Health Services: 1,700 patients affected
• Oscar Insurance Company of Florida : 516 patients affected
• CNA Financial Corporation: 5,095 patients affected
• Florida Blue: 30,063 patients affected

1,672 Patients Affected by Health Plan Incidents of Unauthorized Access or Disclosure of PHI

• UnitedHealth Group Single Affiliated Covered Entity: 774 patients affected
• Cook County Health: 898 patients affected