2021 September OCR Breach Reporting: 1.2 Million Patients Compromised

When a healthcare breach affects 500 or more patients, the Office for Civil Rights (OCR) publicly posts the details of the breach on their online breach portal. In September 2021, the OCR posted 38 large-scale breaches on their portal, affecting 1,198,975 patients. More details regarding September OCR breach reporting are discussed below.

September OCR Breach Reporting and Hacking

September’s OCR breach reporting revealed that the majority of the patients affected by breaches that month were compromised by hacking incidents. Of the 38 breaches reported in September, 28 of them were hacking incidents. These 28 hacking incidents compromised the protected health information (PHI) of 1,136,684 patients, representing 94.8% of patients affected by September breaches.

The OCR breach reporting also lists the location of the breached information, as in where the breached information was accessed from.

• There were 17 network hacking incidents, affecting 441,010 patients, representing 38.80% of patients affected by hacking
• There were 9 email hacking incidents, affecting 166,447 patients, representing 14.64% of patients affected by hacking
• There were 2 hacking incidents classified as other, affecting 529,227 patients, representing 529,227 of patients affected by hacking

September OCR Breach Reporting and Theft

The second leading cause behind September’s breaches was theft of unsecured protected health information. There were five incidents of theft reported affecting 55,236 patients, representing 4.61% of patients affected by September healthcare breaches. All of those incidents of theft were reported by healthcare providers, the breaches however, stemmed from different locations. 

• 2 of the incidents of theft were caused by the theft of PHI stored on desktop computers, affecting 50,866 patients, representing 92.09% of patients affected by theft
• 2 of the incidents of theft were caused by the theft of paper/films, affecting 1,535 patients, representing 2.78% of patients affected by theft
• 1 of the incidents of theft was caused by both laptop and paper/films theft, affecting 2,835 patients, representing 5.13% of patients affected by theft

September OCR Breach Reporting and Unauthorized Access

There were an additional five incidents listed, classified as unauthorized access or disclosures of PHI affecting 7,055 patients, representing 0.59% of patients affected by September breaches. Three healthcare providers reported incidents of unauthorized access, affecting 3,148 patients, representing 44.62% of patients affected; while two business associates reported incidents of unauthorized access, affecting 3,907 patients, representing 55.38% of patients affected.

• 2 of the incidents of unauthorized access of PHI were through email, affecting 2,273 patients, representing 32.22% of patients affected by unauthorized access
• 2 of the incidents of unauthorized access of PHI were classified as other, affecting 2,875 patients, representing 40.75% of patients affected by unauthorized access
• 1 of the incidents of unauthorized access of PHI was through paper/films, affecting 1,907 patients, representing 27.03% of patients affected by unauthorized access

Healthcare Providers and Hacking

• The Menninger Clinic: 1,365 patients affected
• McAllen Surgical Specialty Center, Ltd.: 227 patients affected
• Illinois Department of Human Services and Illinois Department of Healthcare and Family Services: 1,960 patients affected
• Horizon House, Inc.: 27,823 patients affected
• Directions for Living Healthcare Provider 19,494
• Simon Eye Management: 144,373 patients affected
• Indian Creek Foundation: 2,405 patients affected
• Buddhist Tzu Chi Medical Foundation: 18,968 patients affected
• Consumer Direct Care Network Arizona: 504 patients affected
• Talbert House: 45,000 patients affected
• Rehabilitation Support Services, Inc.: 23,907 patients affected
• Central Texas Medical Specialists, PLLC dba Austin Cancer Centers: 36,503 patients affected
• Vista Radiology, P.C.: 3,634 patients affected
• Pathology Consultants of New London, P.C.: 835 patients affected
• Eastern Connecticut Pathology Consultants, P.C.: 500 patients affected
• ADEC, Inc.: 2,000 patients affected
• USV Optical, Inc.: 180,000 patients affected

Health Plans and Hacking

• Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan: 49,000 patients affected
• State of Alaska Department of Health & Social Services: 500,000 patients affected
• Aetna ACE: 1,011 patients affected
• Welfare & Pension Administration Service, Inc.: 545 patients affected
• Famous Enterprises Inc. Employee Benefit Plan: 528 patients affected
• City of Joplin: 513 patients affected
• Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans : 28,000 patients affected

Business Associates and Hacking

• Eastern Los Angeles Regional Center: 12,921 patients affected
• HBP Financial Services Group, LTD: 938 patients affected
• Sequoia Concepts, Inc.: 2,230 patients affected

Healthcare Clearinghouses and Hacking

• Georgia Department of Human Services: 500 patients affected

Healthcare Providers and Theft

• Orlick & Kasper, M.D.’s, P.A.: 30,000 patients affected
• Samaritan Center of Puget Sound: 20,866 patients affected
• Multnomah County: 709 patients affected
• CVS Pharmacy: 826 patients affected
• Resource Anesthesiology Association of California, a Medical Corporation: 2,835 patients affected

Healthcare Providers and Unauthorized Access

• Cerebral Medical Group: 875 patients affected
• Mankato Clinic: 535 patients affected
• California Department of State Hospitals – Coalinga: 1,738 patients affected

Business Associates and Unauthorized Access

• Zenith American Solutions: 1,907 patients affected
• Dan L. Beaupre: 2,000 patients affected