March Healthcare Breaches Affected 2.9 Million Patients

March Healthcare Breaches and Hacking Incidents

While health plans were most affected by March healthcare breaches, the most common cause behind all of March’s breaches were hacking incidents. In March 2021, there were 43 hacking incidents reported to the Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR). These types of incidents represented 98.43% of patients affected by March breaches, with 2,867,472 patient files exposed through hacking.

56.48% of Hacks Targeted Health Plans Affecting 1,619,535

• Trusted Health Plans, Inc.: 200,665 affected patients
• Health Net of California: 523,709 affected patients
• Health Net Life Insurance Company: 26,637 affected patients
• Health Net Community Solutions: 686,556 affected patients
• CalViva Health: 15,287 affected patients
• California Health & Wellness: 80,138 affected patients
• Citywide Health Plan: 3,321 affected patients
• Solis Health Plans, Inc.: 2,649 affected patients
• Mott Community College: 1,612 affected patients
• Brandman Centers for Senior Care: 522 affected patients
• West Virginia Senior Advantage: 1,049 affected patients
• Trillium Community Health Plan: 50,000 affected patients
• Arizona Complete Health: 27,390 affected patients

31.89% of Hacks Targeted Healthcare Providers Affecting 914,554

• Epilepsy Florida: 1,832 affected patients
• La Clinica de La Raza, Inc. (La Clinica): 31,132 affected patients
• Midland Care Connection Inc : 1,364 affected patients
• Apple Valley Clinic: 157,939 affected patients
• BioTel Heart: 38,575 affected patients
• The Centers for Advanced Orthopaedics: 125,291 affected patients
• Insulet Corporation: 9,050 affected patients
• Cancer Treatment Centers of America at Midwestern Regional Medical Center: 104,808 affected patients
• SalusCare: 85,000 affected patients
• Total Life Healthcare: 528 affected patients
• North Oaks Health System: 642 affected patients
• Colorado Retina Associates, P.C: 26,609 affected patients
• Sandhills Medical Foundation, Inc.: 39,602 affected patients
• Mobile Anesthesiologists: 65,403 affected patients
• The New London Hospital Association, Inc.: 34,878 affected patients
• Child Focus, Inc.: 2,716 affected patients
• Dyras Dental: 2,745 affected patients
• Walmart Inc.: 2,067 affected patients
• ProPath Services, LLC: 39,213 affected patients
• Saint Alphonsus Health System: 134,906 affected patients
• Family Health Services MN d/b/a Entira Family Clinics: 1,975 affected patients
• Liberation Programs, Inc: 7,406 affected patients
• New Bedford Jewish Convalescent Home, Inc.: 873 affected patients

11.63% of Hacks Targeted Business Associates Affecting 333,383

• Health Prime International: 17,562 affected patients
• Healthgrades Operating Company, Inc.: 35,485 affected patients
• Haven Behavioral Healthcare : 21,714 affected patients
• Reliant Rehabilitation: 614 affected patients
• Woodcreek Provider Services LLC: 207,000 affected patients
• PeakTPA: 50,000 affected patients
• ProComp Software Consultants, Inc.: 1,008 affected patients

March Healthcare Breaches and Unauthorized Access or Disclosure of PHI

Incidents of unauthorized access or disclosure of protected health information (PHI) occur when PHI is accessed or disclosed without necessity. These types of incidents can occur when an employee accesses a patient’s medical records outside of their job duties, or when an unauthorized entity accesses patient information. For example, if a doctor’s office leaves paper charts in an area that can be accessed by non staff members, and someone views those records, that is a reportable incident of unauthorized access or disclosure. 

In March 2021, there were 17 incidents of unauthorized access or disclosure of PHI representing 1.52% of reported incidents. These types of incidents affected 44,395 patients.

76.69% of Unauthorized Access or Disclosure Incidents Were by Healthcare Providers Affecting 34,045

• University Medical Center Southern Nevada: 1,833 affected patients
• Memorial Hermann Health System: 1,893 affected patients
• Three Lower Counties Community Services, Inc. d/b/a Chesapeake Health Care: 2,505 affected patients
• Proteus Molecular and Clinical Lab, LLC: 670 affected patients
• VA Northern California Health Care System: 645 affected patients
• Dallas County Hospital District d/b/a Parkland Health & Hospital System: 1,594 affected patients
• River City Whole Health, Ltd.: 2,714 affected patients
• Stavros Center for Independent Living Inc.: 2,447 affected patients
• California Department of State Hospitals: 4,933 affected patients
• Sleep Medicine Associates of Texas, P.A.: 994 affected patients
• Hoyman Hong, M.D. A Prof Med Corp: 600 affected patients
• VNA Home Health and Hospice: 517 affected patients
• Serenity Care PACE: 658 affected patients
• Walworth County Department of Health and Human Services: 907 affected patients
• UPMC St. Margaret: 11,135 affected patients

23.31% of Unauthorized Access or Disclosure Incidents Were by Health Plans Affecting 10,350

• Illinois Department of Healthcare and Family Services: 8,848 affected patients
• Florida PACE Centers, Inc: 1,502 affected patients

March Healthcare Breaches and Loss or Theft

Loss or theft incidents that must be reported to the HHS’ OCR include incidents affecting unencrypted devices containing PHI or paper records. There was one incident of theft and one incident of loss in March 2021, both the result of paper/films exposure, compromising the PHI of  1,217, representing 0.04% of March’s incidents. Both incidents also affected healthcare providers.

• Miracle-Ear: 500 affected patients
• Arizona Oncology Associates, PC: 717 affected patients