The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) publicly posts reported breaches affecting 500 or more patients. In September, there were 77 healthcare breaches posted to the OCR breach portal. These large-scale breaches affected 9,057,414 patients. More details on September healthcare breaches are discussed below.

September Healthcare Breaches: 9 Million Patients Affected by Hacking Incidents

The majority of September healthcare breaches were the result of hacking incidents, with 70 healthcare organizations targeted, accounting for 99.54% of breaches. These types of breaches exposed 9,015,461 patients’ protected health information (PHI).

Organizations that fell victim to hacking incidents included healthcare providers (92.86% of hacking incidents), business associates (5.71% of hacking incidents), and a health plan (1.43% of hacking incidents). Of the 70 hacking incidents in September, 55 were network server hacks, 12 were email hacks, 1 was an Electronic Medical Records hack, and 2 were classified as other.

Network Server Hacks Affected 8,656,782 Patients

North Memorial Health: affected 21,236 patients

MedStar Health, Inc.: affected 668 patients

Magnolia Pediatrics: affected 12,861 patients

OrthoAtlanta, LLC: affected 5,600 patients

Sheltering Arms Physical Rehabilitation Centers: affected 683 patients

Accents on Health: affected 2,000 patients

Catholic Health System: affected 61,267 patients

Nuvance Health (on behalf of its covered entities): affected 314,829 patients

Gillette Children’s Specialty Healthcare: affected 1,766 patients

Bluegrass Care Navigators: affected 2,343 patients

Devereux Advanced Behavioral Health: affected 1,758 patients

Joslin Diabetes Center: affected 71,160 patients

Life Enriching Communities: affected 2,345 patients

Trinity Health: affected 3,320,726 patients

University of Tennessee Medical Center: affected 234,954 patients

Iowa Health System dba UnityPoint Health Affiliated Covered Entity: affected 27,410 patients

June E. Nylen Cancer Center: affected 500 patients

Prelude Behavioral Services: affected 699 patients

Christiana Care Health Services, Inc.: affected 1,229 patients

Connecticut Children’s Medical Center: affected 2,633 patients

The Christ Hospital Health Network: affected 183,265 patients

Texas Children’s Hospital: affected 1,987 patients

Roswell Park Comprehensive Cancer Center: affected 141,669 patients

UMass Memorial Medical Center: affected 87,420 patients

USA Health: affected 52,344 patients

University Health Systems of Eastern Carolina, Inc. dba Vidant Health: affected 77,942 patients

Lehigh Valley Health Network: affected 81,487 patients

Veterans Health Administration: affected 44,308 patients

Catholic Medical Center: affected 18,623 patients

Mount Sinai Health System: affected 87,535 patients

Augusta Health Care, Inc. d/b/a Augusta Health: affected 3,061 patients

Allina Health: affected 199,389 patients

Community Medical Centers: affected 43,667 patients

Hebrew SeniorLife, Inc.: affected 27,244 patients

Riverside Health System: affected 54,151 patients

Piedmont Healthcare, Inc.: affected 111,588 patients

Adventist HealthCare: affected 13,041 patients 

Medical University of South Carolina: affected 54,869 patients

Community Health Network, Inc.: affected 81,118 patients

Children’s Minnesota: affected 160,268 patients

Enloe Medical Center: affected 33,575 patients

SCL Health – Colorado (affiliated covered entity): affected 343,493 patients

SCL Health – Montana (affiliated covered entity): affected 93,642 patients

SCL Health – Kansas (affiliated covered entity): affected 3,845 patients

Inova Health System: affected 1,045,270 patients

Baylor College of Medicine: affected 4,500 patients

University of Kentucky HealthCare: affected 163,774 patients

Virginia Mason Medical Center: affected 244,761 patients

The Guthrie Clinic: affected 92,064 patients

Roper St. Francis Healthcare: affected 92,963 patients

Regions Hospital: affected 52,795 patients

NorthShore University HealthSystem: affected 348,746 patients

The Baton Rouge Clinic, A Medical Corporation: affected 308,000 patients

Atrium Health: affected 165,000 patients

Spectrum Health: affected 52,711 patients

Email Hacks Affected 321,845 Patients

Oaklawn Hospital: affected 26,861 patients

Seven Counties Services, Inc.: affected 13,375 patients

UCare Minnesota: affected 4,806 patients

University of Missouri Health Care: affected 189,736 patients

Alameda Health System: affected 2,691 patients

Piedmont Cancer Institute, P.C.: affected 5,226 patients

SOUTHERN INDIAN HEALTH COUNCIL, INC.: affected 695 patients

Specialized Alternatives for Families & Youth of America, Inc.: affected 58,123 patients

Mental Health Center of Boulder County Inc. dba Mental Health Partners: affected 2,650 patients

Lycoming-Clinton Joinder Board Programs: affected 3,905 patients

Starling Physicians, PC: affected 7,777 patients

Roper St. Francis Healthcare: affected 6,000 patients

Electronic Medical Record Hacks Affected 2,850 Patients

Mono County: affected 2,850 patients

Other Hacks Affected 33,984 Patients 

Our Lady of the Lake: affected 31,166 patients

George West Mental Health Foundation dba Skyland Trail: affected 2,818 patients

September Healthcare Breaches: 41,953 Patients Affected by Other Incidents

There were 7 incidents that were not related to hacking, all of which affected healthcare providers. These 7 incidents represented 0.45% of September healthcare breaches, with 0.33% due to unauthorized access/disclosure, 0.07% due to theft, 0.05% due to loss, and 0.01% due to improper disposal of PHI.

Unauthorized Access/Disclosure Affected 29,983 Patients

Advocate Aurora Health: affected 2,979 patients

Total Urology Care of New York PLLC: affected 23,000 patients

Montefiore Medical Center: affected 4,004 patients

Theft Affected 5,956 Patients

H. Lee Moffitt Cancer Center & Research Institute: affected 4,056 patients

Lifetime Middleton LLC: affected 1,900 patients

Loss Affected 4,938 Patients

Erlanger Health System: affected 4,938 patients

Improper Disposal Affected 1,076 Patients

Carnegie Tri-County Municipal Hospital: affected 1,076 patients
