There were a staggering number of December healthcare breaches reported on the OCR wall of shame, with 48 breaches for the month. The largest of these breaches, an email hacking incident perpetrated against MEDNAX Services, Inc., a business associate, affected more than a million patients. In all, December healthcare breaches affected 4,057,276 patients. More details are discussed below.
December Healthcare Breaches: Hacking/IT Incidents
It is not surprising that the majority of December healthcare breaches were the result of hacking/IT incidents, as hacking in healthcare has grown exponentially over the last several months.
There were 4,012,987 patients affected by these types of incidents in December, with 26 incidents reported, representing 98.8% of December breaches.
Email Hacks Affected 2,023,143 Patients
December email hacks represented 50.41% of the hacking incidents for the month, with 9 organizations affected. The 9 email hacking incidents affected 2,023,143 patients.
Healthcare Providers:
- Benjamin Rose Institute on Aging: 1,452 affected patients
- Midwest Geriatric Management, LLC: 4,814 affected patients
- Holy Redeemer Ambulatory Surgical Center: 1,298 affected patients
- Sonoma Valley Healthcare District: 69,000 affected patients
- Meharry Medical College: 20,963 affected patients
Health Plans:
- Aetna ACE: 484,157 affected patients
- Community Eye Care, LLC: 149,804 affected patients
Business Associates:
- MEDNAX Services, Inc.: 1,290,670 affected patients
- HMC Healthworks, Inc.: 985 affected patients
Network Server Hacks Affected 1,986,344 Patients
Network server hacks represented 49.5% of the hacking incidents in December, with 16 organizations victimized by this type of attack. These 16 network server hacks compromised the protected health information (PHI) of 1,986,344 patients.
Healthcare Providers:
- Five Points Optometrists, P.C. dba Five Points Eye Care: 1,223 affected patients
- Agency for Community Treatment Services, Inc.: 73,825 affected patients
- Kristina T Nguyen, DDS, PC: 8,000 affected patients
- GenRx Pharmacy: 137,110 affected patients
- Wilmington Surgical Associates, P.A.: 114,834 affected patients
- Nebraska Methodist Health System: 39,912 affected patients
- Southeast Health Center of Ripley County: 5,001 affected patients
- The Presbyterian Homes, Inc.: 1,041 affected patients
- Texas Tech University Health Sciences Center: 37,000 affected patients
- Employment Specialists of Maine, Inc.: 1,639 affected patients
- Family Health Center of Worcester: 566 affected patients
- Allegheny Health Network: 299,507 affected patients
- AMITA Health: 261,054 affected patients
Health Plans:
- Tom Wood, Inc.: 828 affected patients
Business Associates:
- Dental Care Alliance, LLC: 1,004,304 affected patients
- Beacon Health Solutions, LLC: 500 affected patients
Other Hacks Affected 3,500 Patients
Other hacks, as in hacks that weren’t network server or email hacks, represented 0.09% of December hacking incidents. There was one organization that fell into this category, Monroe Surgical Hospital, LLC, a Healthcare Provider. The nature of this hack was a combination of a desktop computer and network hack, affecting 3,500 patients.
December Healthcare Breaches: Unauthorized Access or Disclosures
Unauthorized access or disclosures occur when PHI is accessed without cause, as in outside of the purposes of treatment, payment, or healthcare operations. There were 14 incidents of unauthorized access or disclosure in December, affecting 34,042 patients, representing 0.84% of December breaches.
Unauthorized Access/Disclosures of Paper/Films Affected 13,398 Patients
There were five incidents of unauthorized access or disclosures of paper or films affecting 13,398 patients, representing 39.36% of the incidents of unauthorized access or disclosures.
Healthcare Providers:
- Meade Physicians, Inc.: 695 affected patients
Health Plans:
- Home State Health Plan, Inc.: 1,020 affected patients
- Peach State Health Plan: 3,443 affected patients
- Superior HealthPlan: 3,748 affected patients
- SSM Health Insurance Company: 4,492 affected patients
Unauthorized Access/Disclosures of Electronic Medical Records Affected 11,869 Patients
There were two incidents of unauthorized access or disclosures of electronic medical records, affecting 11,869 patients, representing 34.87% of December incidents of unauthorized access or disclosures. Both of the incidents affected healthcare providers.
- Mercy Health: 11,187 affected patients
- Northwestern Memorial Hospital: 682 affected patients
Unauthorized Access/Disclosures of Email Affected 2,758 Patients
There were three incidents of unauthorized access or disclosures of PHI through email. These incidents affected 2,758 patients, representing 8.1% of unauthorized access or disclosure incidents.
Healthcare Providers:
- Brigham and Women’s Hospital: 882 affected patients
Health Plans:
- BlueCross BlueShield of Tennessee, Inc.: 1,340 affected patients
- Iowa Total Care, Inc.: 536 affected patients
Other Unauthorized Access/Disclosures Affected 6,017 Patients
There were four incidents of unauthorized access or disclosures that were classified as other, as in they didn’t fall easily into another category. These incidents affected 6,017 patients, representing 17.68% of December’s incidents of unauthorized access or disclosures.
Healthcare Providers:
- McLeroy Gibbs and Klein: 3,200 affected patients
- Central Florida Cardiology Group: 979 affected patients
Health Plans:
- DMBA Health Plan: 774 affected patients
Business Associates:
- Mirra Health Care: 1,064 affected patients
December Healthcare Breaches: Loss, Theft, and Improper Disposal of PHI Affected 10,247 Patients
There were eight incidents of loss, theft, or improper disposal of PHI affecting 10,247 patients. 54.65% were due to loss, 40.46% were due to theft, while 4.89% were due to improper disposal.
Loss of PHI Affected 5,600 Patients
There were two incidents of loss of PHI affecting 5,600 patients, representing 54.65% of these types of incidents.
Healthcare Providers:
- Cedar Springs Hospital: 2,283 affected patients
Business Associates:
- Gainwell Technologies LLC: 3,317 affected patients
Theft of PHI Affected 4,146 Patients
There were five incidents of theft of PHI affecting 4,146 patients, representing 40.46% of these types of incidents. All of the incidents of theft involved healthcare providers.
- Wellness Pharmacy: 545 affected patients
- 26th & Lehigh Pharmacy: 549 affected patients
- Diamond Pharmacy: 616 affected patients
- RXN, Inc. d/b/a Lancaster Pharmacy: 856 affected patients
- Liv-On Family Care Center, PA: 1,580 affected patients
Improper Disposal of PHI Affected 501 Patients
There was one incident of improper disposal of PHI, representing 4.89% of these types of incidents. TNMO Healthcare, LLC, a healthcare provider, did not dispose of patient PHI in the proper manner, affecting 501 patients.