The holiday season is generally slow for most businesses, but that’s not the case for the hacking industry. Hackers usually ramp up their efforts during the holidays as more people are shopping online. With this comes an increase in exploitation through phishing attempts, such as an email that seemingly contains a tracking link that is really a malicious link. This contributed to the thirty-five large-scale December 2021 healthcare breaches reported, which affected 2,388,352 patients.
The majority of December 2021 healthcare breaches were classified as hacking incidents, with thirty incidents affecting 2,376,836 patients, representing 99.52% of patients affected by breaches that month. This was followed by three incidents of unauthorized access or disclosure of protected health information (PHI), affecting 9,029 patients and representing 0.38% of affected patients. There were an additional two breaches reported: one incident of theft affecting 1,553 patients, representing 0.07% of total patients affected, and one incident of improper disposal of PHI affecting 934 patients, representing 0.04% of total patients affected.
Additionally, most of the breaches reported in December 2021 targeted healthcare providers. There were twenty-two breaches reported by healthcare providers affecting 2,295,063 patients. These breaches represented 96.09% of the total patients affected by breaches that month. There were also six business associate breaches, affecting 73,686 patients (3.09% of affected patients). Lastly, there were seven health plans that reported breaches, affecting 19,603 patients (0.82% of affected patients).
December 2021 Healthcare Breaches and Hacking Incidents
As was the case with the rest of 2021, hacking incidents were the main cause of December’s breaches. Hacking incidents predominantly targeted healthcare providers, with eighteen hacking incidents reported by providers in December 2021. Healthcare provider hacking incidents affected 2,287,656 patients, which comprised 96.25% of patients affected by hacking in December.
There were also six business associate hacking incidents that affected 73,686 patients (3.10% of patients affected by hacking). Six health plans were also targeted by hacking, which affected 15,494 patients (0.65% of patients affected by hacking).
When a hacking incident is reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the OCR also asks the reporting entity to list the “location” in which the breach occurred. In December, hacking incidents occurred in two locations: network server and email. December saw twenty-one network server hacks and nine email hacking incidents. Network server hacks affected 1,849,724 patients (77.82% of patients affected by hacking), while email hacking incidents affected 527,112 patients (22.18% of patients affected by hacking).
December 2021 Healthcare Breaches and Unauthorized Access or Disclosure of PHI
There were significantly fewer incidents of unauthorized access or disclosure of PHI reported in December than is typical in any given month. Of the three incidents reported, two were reported by healthcare providers, while one was reported by a health plan. The healthcare provider incidents affected 4,920 patients, representing 54.49% of patients affected by these types of incidents. The health plan incident affected 4,109 patients, representing 45.51% of patients affected by these types of incidents.
As with the hacking incidents reported, there were different “locations” from which unauthorized access or disclosure occurred. The incident reported by the health plan occurred through email access or disclosure. One of the healthcare provider incidents was through their electronic medical record platform, affecting 883 patients (9.78% of patients affected by these types of incidents). The remaining incident was classified as “other,” affecting 4,037 patients (44.71% of patients affected by these types of incidents).
December 2021 Healthcare Breaches, Theft, and Improper Disposal of PHI
There was one incident each of theft and improper disposal, both affecting healthcare providers. The PHI theft occurred when paper medical records were stolen, affecting 1,553 patients (0.07% of patients affected by December healthcare breaches). The improper disposal involved an unencrypted portable electronic device, affecting 934 patients (0.04% of patients affected by December healthcare breaches).
Which Entities Reported Breaches?
The OCR publicly posts large-scale breaches on its online breach portal. Below, you can find a list of entities that reported breaches in December of 2021, organized by type of reporting entity and the nature of the incident.
Healthcare Provider Hacks
- Oregon Anesthesiology Group, P.C.: 750,500 patients affected
- Texas ENT Specialists: 535,489 patients affected
- Monongalia Health System, Inc.: 398,164 patients affected
- BioPlus Specialty Pharmacy Services, LLC: 350,000 patients affected
- Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky: 106,910 patients affected
- Fertility Centers of Illinois, PLLC: 79,943 patients affected
- Oregon Eye Specialists: 42,612 patients affected
- Eduro Healthcare, LLC: 8,059 patients affected
- Weddell Pediatric Dental Specialists, LLC: 5,356 patients affected
- Roy Varughese, M.D.: 2,916 patients affected
- Sacramento County Department of Health Services: 2,096 patients affected
- Hope Group LLC: 1,510 patients affected
- Javery Pain Institute: 1,387 patients affected
- OSR Physical Therapy: 714 patients affected
- Surgery Group SC: 500 patients affected
- Northwest Broward Orthopaedics Associates: 500 patients affected
- Apple Blossom Family Practice: 500 patients affected
- Summit Surgical, LLC: 500 patients affected
Business Associate Hacks
- Bansley and Kiener, LLP: 50,119 patients affected
- Bansley and Kiener, LLP: 15,814 patients affected
- Bansley and Kiener, LLP: 2,711 patients affected
- Bansley and Kiener, LLP: 2,297 patients affected
- Peck & Associates, PC: 1,844 patients affected
- Peck & Associates, PC: 901 patients affected
Health Plan Hacks
- Rhode Island Public Transit Authority: 5,015 patients affected
- Great Plains Manufacturing, Inc: 4,110 patients affected
- Andrew Sauchelli, DMD: 3,416 patients affected
- C.E. Niehoff & Company: 1,509 patients affected
- Mertz Manufacturing Inc Health Insurance Plan: 868 patients affected
- UAW Retiree Medical Benefits Trust: 576 patients affected
Healthcare Provider Unauthorized Access or Disclosure of PHI
- Department of Behavioral Health and Developmental Services: 4,037 patients affected
- Baylor Scott & White Medical Center – Waxahachie: 883 patients affected
Health Plan Unauthorized Access or Disclosure of PHI
- Nippon Life Insurance Company of America: 4,109 patients affected
Healthcare Provider Theft
- Skin Care Specialty Physicians: 1,553 patients affected
Healthcare Provider Improper Disposal
- Alabama Department of Rehabilitation Services: 934 patients affected