Every month we release a summary of the previous month’s healthcare breaches, and determine the leading cause behind that month’s breaches. In May 2021, there were 60 breaches reported, affecting 6,521,871 patients. Of these breaches, 46 affected healthcare providers, 10 affected health plans, 7 affected business associates, and one affected a healthcare clearinghouse. More details regarding May healthcare breaches are discussed below.
2021 May Healthcare Breaches and Hacking Incidents
The leading cause behind May healthcare breaches was hacking incidents, with 46 incidents affecting 6,419,108 patients. Hacking incidents represented 98.42% of patients affected by healthcare breaches in May.
These hacking incidents stemmed from different types of hacks including:
- Network server, affecting 2,962,969 patients, representing 46.16% of patients affected by hacking
- Email, affecting 200,591 patients, representing 3.12% of patients affected by hacking
- Other, affecting 3,255,548 patients, representing 50.72% of patients affected by hacking
37 Healthcare Providers, 1,299,821 patients affected, representing 20.25% of patients affected by hacking:
- Wirt County Health Services Association d/b/a Coplin Health Systems: 2,164 patients affected
- Hoboken Radiology LLC: 80,000 patients affected
- Monroe County Health Center: 500 patients affected
- Williamson Health and Wellness Center, Inc.: 1,688 patients affected
- Five Rivers Health Centers: 155,748 patients affected
- Lafourche Medical Group: 34,862 patients affected
- Sturdy Memorial Hospital: 57,379 patients affected
- Stanford University School of Medicine: 2,200 patients affected
- TidalHealth Peninsula Regional: 4,070 patients affected
- Laird Hospital, Inc.: 1,092 patients affected
- Harper County Community Hospital: 5,725 patients affected
- HC Watkins Memorial Hospital: 634 patients affected
- Westwood Obstetrics and Gynecology (“Westwood”): 12,931 patients affected
- Beech Acres Parenting Center: 500 patients affected
- Massena Hospital: 1,897 patients affected
- Scott Regional Hospital: 1,056 patients affected
- Swedish Covenant Health DBA Swedish Hospital: 4,206 patients affected
- Rehoboth McKinley Christian Health Care Services: 207,195 patients affected
- Southwestern Indiana Regional Council on Aging: 4,250 patients affected
- Bayhealth Medical Center, Inc.: 565 patients affected
- Trinity Health System – Twin City: 9,579 patients affected
- San Diego Family Care: 125,500 patients affected
- CareSouth Carolina, Inc.: 76,035 patients affected
- Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group: 34,203 patients affected
- SAC Health Systems: 28,128 patients affected
- Nocona General Hospital: 3,254 patients affected
- MidMichigan Health Services: 2,800 patients affected
- Charles Cole Memorial Hospital, d/b/a UPMC Cole: 7,376 patients affected
- Our Lady of Lourdes Memorial Hospital Inc., : 1,745 patients affected
- St. Agnes Healthcare Inc.: 2,821 patients affected
- Ascension Standish Hospital: 1,705 patients affected
- Ascension St. Joseph Hospital: 5,807 patients affected
- Brownsville Community Health Center dba New Horizon Medical Center: 4,258 patients affected
- Tyler Family Circle of Care: 1,860 patients affected
- Orthopedic Associates of Dutchess County: 331,376 patients affected
- Monadnock Community Hospital: 14,340 patients affected
- Arizona Asthma and Allergy Institute: 70,372 patients affected
6 Business Associates, 5,112,264 patients affected, representing 79.64% of patients affected by hacking:
- SEIU 775 Benefits Group: 140,000 patients affected
- Dean Health Servicing Company: 1,025 patients affected
- LogicGate: 47,035 patients affected
- 20/20 Eye Care Network, Inc: 3,253,822 patients affected
- Community Access Unlimited: 13,813 patients affected
- NEC Networks, LLC d/b/a CaptureRx: 1,656,569 patients affected
3 Health Plans, 7,023 patients affected, representing 0.11% of patients affected by hacking:
- Arkansas Health and Wellness Health Plan: 3,627 patients affected
- Buckeye Health Plan: 2,334 patients affected
- InVue Security Products, Inc. Employee Group Health Plan : 1,062 patients affected
2021 May Healthcare Breaches and Unauthorized Access or Disclosure of PHI
Unauthorized access or disclosure of protected health information (PHI) occurs any time that PHI is accessed or disclosed without cause. HIPAA requires organizations and their employees to only use or disclose PHI to perform a specific job function. When PHI is accessed or disclosed excessively, or without purpose, that is considered unauthorized access or disclosure. These types of breaches can also occur when PHI is left unattended, and an individual without authorization to view PHI, accesses the information.
In May, there were 9 incidents of unauthorized access or disclosure reported. These incidents affected 17,834 patients, representing 0.27% of patients affected by May healthcare breaches.
There were different formats in which the unauthorized access or disclosures occurred including:
- Paper/films, affecting 8,583 patients, representing 48.13% of patients affected by unauthorized access or disclosure
- Email, affecting 5,908 patients, representing 33.13% of patients affected by unauthorized access or disclosure
- Network server, affecting 1,781 patients, representing 9.99% of patients affected by unauthorized access or disclosure
- Electronic medical record, affecting 1,562 patients, representing 8.76% of patients affected by unauthorized access or disclosure
3 Healthcare Providers, 5,676 patients affected, representing 31.83% of patients affected by unauthorized access or disclosure:
- Washoe Barton Medical Clinic d/b/a Carson Valley Medical Center: 1,115 patients affected
- The Miriam Hospital: 2,999 patients affected
- Shands Teaching Hospitals and Clinics, Inc.: 1,562 patients affected
5 Health Plans, 10,196 patients affected, representing 57.17% of patients affected by unauthorized access or disclosure:
- State of TN Finance & Administration: 947 patients affected
- Aetna ACE: 562 patients affected
- Community Health Choice Inc.: 2,489 patients affected
- UnitedHealth Group Health Plan SACE: 666 patients affected
- SummaCare: 5,532 patients affected
1 Healthcare Clearinghouse, 1,962 patients affected, representing 11.00% of patients affected by unauthorized access or disclosure:
- Master Equity Texas Limited Partnership: 1,962 patients affected
2021 May Healthcare Breaches and Loss, Theft, or Improper Disposal of PHI
A small number of patients’ PHI was compromised by either loss, theft, or improper disposal of patient records.
This included:
- Improper disposal, affecting 64,604 patients, representing 0.99% of patients affected by May healthcare breaches
- Theft, affecting 15,754 patients, representing 0.24% of patients affected by May healthcare breaches
- Loss, affecting 4,571 patients, representing 0.07% of patients affected by May healthcare breaches
The PHI exposed in these incidents was stored in different formats including:
- Paper/films, affecting 69,175 patients, representing 81.45% of patients affected by loss, theft, or improper disposal of PHI
- Laptop, affecting 9,620 patients, representing 11.33% of patients affected by loss, theft, or improper disposal of PHI
- Other portable electronic device, affecting 6,134 patients, representing 7.22% of patients affected by loss, theft, or improper disposal of PHI
4 Healthcare Providers, affecting 75,309 patients, representing 88.67% of patients affected by loss, theft, or improper disposal of PHI:
- Implant and Prosthodontic Associates: 6,134 patients affected
- Exceltox Laboratories: 4,571 patients affected
- New England Dermatology, P.C.: 58,106 patients affected
- Walgreen Co.: 6,498 patients affected
1 Business Associate, affecting 9,620 patients, representing 11.33% of patients affected by loss, theft, or improper disposal of PHI:
- Aspen Dental Management LLC: 9,620 patients affected