Each month, we publish a breach report in which we examine the previous month’s breaches and determine the leading cause behind them. In November 2021, there were 64 large-scale healthcare breaches, affecting a total of 2,289,046 patients. The majority of November 2021 healthcare breaches were classified as hacking or IT incidents (52 incidents, representing 98.24% of the patients affected). More details are discussed below.
2021 November Healthcare Breaches and Hacking
Hacking incidents continue to plague the healthcare industry and have long been the main cause of breaches of protected health information (PHI). November 2021 saw 52 hacking incidents, affecting 2,248,714 patients. These incidents stemmed from different “locations,” as the Department of Health and Human Services (HHS) refers to them.
There were:
- 38 Network Server hacks that affected 1,950,010 patients, representing 86.72% of patients affected by hacking;
- 11 Email hacking incidents that affected 147,544 patients, representing 6.56% of patients affected by hacking; and
- 3 Electronic Medical Record hacking incidents that affected 151,160 patients, representing 6.72% of patients affected by hacking.
These incidents targeted:
- 39 Healthcare Providers
- 7 Business Associates
- 6 Health Plans
2021 November Healthcare Breaches and Unauthorized Access or Disclosure
While the majority of November 2021 healthcare breaches were due to hacking, there were also 11 incidents of unauthorized access or disclosure. These incidents occur when an individual who is not authorized to access PHI does so, even when that individual is an employee of the organization. HIPAA dictates specific instances in which it is appropriate to access PHI, and when employees access the information without cause, it is considered a breach. This can also occur when PHI is left unattended and can be viewed by patients or employees who are not permitted to view it.
Just as with hacking, unauthorized access or disclosures of PHI can occur in different “locations.”
There were:
- 4 incidents of unauthorized access/disclosure through email, affecting 8,944 patients and representing 23.76% of patients affected by these types of incidents;
- 3 incidents of unauthorized access/disclosure through paper/films, affecting 4,076 patients and representing 10.83% of patients affected by these types of incidents;
- 2 incidents of unauthorized access/disclosure through electronic medical records, affecting 13,871 patients and representing 36.85% of patients affected by these types of incidents; and
- 2 incidents of unauthorized access/disclosure through “other,” affecting 10,755 patients and representing 28.57% of patients affected by these types of incidents.
These incidents affected:
- 8 Healthcare Providers
- 2 Business Associates
- 1 Health Plan
2021 November Healthcare Breaches and Theft
Theft of PHI occurs when paper records, or an unencrypted device that has access to electronic PHI, is stolen. In November 2021, there was one occurrence of PHI theft that involved both paper records and a stolen laptop. This incident targeted a healthcare provider, compromising the PHI of 2,686 patients, representing 0.12% of patients affected by November 2021 healthcare breaches.