A staggering number of December healthcare breaches were reported on the OCR wall of shame, with 48 breaches for the month. The largest of these breaches, an email hacking incident perpetrated against MEDNAX Services, Inc., a business associate, affected more than a million patients. In all, December healthcare breaches affected 4,057,276 patients. More details are discussed below.

December Healthcare Breaches

December Healthcare Breaches: Hacking/IT Incidents

It is not surprising that the majority of December healthcare breaches were the result of hacking/IT incidents, as hacking in healthcare has grown exponentially over the last several months.

There were 4,012,987 patients affected by these types of incidents in December, with 26 incidents reported, representing 98.8% of December breaches.

Email Hacks Affected 2,023,143 Patients

December email hacks represented 50.41% of the hacking incidents for the month, with 9 organizations affected. The 9 email hacking incidents affected 2,023,143 patients.

Healthcare Providers:

  • Benjamin Rose Institute on Aging: 1,452 affected patients
  • Midwest Geriatric Management, LLC: 4,814 affected patients
  • Holy Redeemer Ambulatory Surgical Center: 1,298 affected patients
  • Sonoma Valley Healthcare District: 69,000 affected patients
  • Meharry Medical College: 20,963 affected patients

Health Plans:

  • Aetna ACE: 484,157 affected patients
  • Community Eye Care, LLC: 149,804 affected patients

Business Associates:

  • MEDNAX Services, Inc.: 1,290,670 affected patients
  • HMC Healthworks, Inc.: 985 affected patients

Network Server Hacks Affected 1,986,344 Patients

Network server hacks represented 49.5% of the hacking incidents in December, with 16 organizations victimized by this type of attack. These 16 network server hacks compromised the protected health information (PHI) of 1,986,344 patients.

Healthcare Providers:

  • Five Points Optometrists, P.C. dba Five Points Eye Care: 1,223 affected patients
  • Agency for Community Treatment Services, Inc.: 73,825 affected patients
  • Kristina T Nguyen, DDS, PC: 8,000 affected patients
  • GenRx Pharmacy: 137,110 affected patients
  • Wilmington Surgical Associates, P.A.: 114,834 affected patients
  • Nebraska Methodist Health System: 39,912 affected patients
  • Southeast Health Center of Ripley County: 5,001 affected patients
  • The Presbyterian Homes, Inc.: 1,041 affected patients
  • Texas Tech University Health Sciences Center: 37,000 affected patients
  • Employment Specialists of Maine, Inc.: 1,639 affected patients
  • Family Health Center of Worcester: 566 affected patients
  • Allegheny Health Network: 299,507 affected patients
  • AMITA Health: 261,054 affected patients

Health Plans:

  • Tom Wood, Inc.: 828 affected patients

Business Associates:

Other Hacks Affected 3,500 Patients

Other hacks, meaning hacks that weren’t network server or email hacks, represented 0.09% of December hacking incidents. One organization fell into this category: Monroe Surgical Hospital, LLC, a healthcare provider. The nature of this hack was a combination of a desktop computer and network hack, affecting 3,500 patients.

December Healthcare Breaches: Unauthorized Access or Disclosures

Unauthorized access or disclosures occur when PHI is accessed without cause, that is, outside of the purposes of treatment, payment, or healthcare operations. There were 14 incidents of unauthorized access or disclosure in December, affecting 34,042 patients, representing 0.84% of December breaches.

Unauthorized Access/Disclosures of Paper/Films Affected 13,398 Patients

There were five incidents of unauthorized access or disclosures of paper or films affecting 13,398 patients, representing 39.36% of the incidents of unauthorized access or disclosures.

Healthcare Providers:

  • Meade Physicians, Inc.: 695 affected patients

Health Plans:

  • Home State Health Plan, Inc.: 1,020 affected patients
  • Peach State Health Plan: 3,443 affected patients
  • Superior HealthPlan: 3,748 affected patients
  • SSM Health Insurance Company: 4,492 affected patients

Unauthorized Access/Disclosures of Electronic Medical Records Affected 11,869 Patients

There were two incidents of unauthorized access or disclosures of electronic medical records, affecting 11,869 patients, representing 34.87% of December incidents of unauthorized access or disclosures. Both of the incidents affected healthcare providers.

  • Mercy Health: 11,187 affected patients
  • Northwestern Memorial Hospital: 682 affected patients

Unauthorized Access/Disclosures of Email Affected 2,758 Patients

There were three incidents of unauthorized access or disclosures of PHI through email. These incidents affected 2,758 patients, representing 8.1% of unauthorized access or disclosure incidents.

Healthcare Providers:

  • Brigham and Women’s Hospital: 882 affected patients

Health Plans:

  • BlueCross BlueShield of Tennessee, Inc.: 1,340 affected patients
  • Iowa Total Care, Inc.: 536 affected patients

Other Unauthorized Access/Disclosures Affected 6,017 Patients

There were four incidents of unauthorized access or disclosures that were classified as other, meaning they didn’t fall easily into another category. These incidents affected 6,017 patients, representing 17.68% of December’s incidents of unauthorized access or disclosures.

Healthcare Providers:

  • McLeroy Gibbs and Klein: 3,200 affected patients
  • Central Florida Cardiology Group: 979 affected patients

Health Plans:

  • DMBA Health Plan: 774 affected patients

Business Associates:

  • Mirra Health Care: 1,064 affected patients

December Healthcare Breaches: Loss, Theft, and Improper Disposal of PHI Affected 10,247 Patients

There were eight incidents of loss, theft, or improper disposal of PHI affecting 10,247 patients. 54.65% were due to loss, 40.46% were due to theft, while 4.89% were due to improper disposal.

Loss of PHI Affected 5,600 Patients

There were two incidents of loss of PHI affecting 5,600 patients, representing 54.65% of these types of incidents.

Healthcare Providers:

  • Cedar Springs Hospital: 2,283 affected patients

Business Associates:

  • Gainwell Technologies LLC: 3,317 affected patients

Theft of PHI Affected 4,146 Patients

There were five incidents of theft of PHI affecting 4,146 patients, representing 40.46% of these types of incidents. All of the incidents of theft involved healthcare providers.

  • Wellness Pharmacy: 545 affected patients
  • 26th & Lehigh Pharmacy: 549 affected patients
  • Diamond Pharmacy: 616 affected patients
  • RXN, Inc. d/b/a Lancaster Pharmacy: 856 affected patients
  • Liv-On Family Care Center, PA: 1,580 affected patients

Improper Disposal of PHI Affected 501 Patients

There was one incident of improper disposal of PHI, representing 4.89% of these types of incidents. TNMO Healthcare, LLC, a healthcare provider, did not dispose of patient PHI in the proper manner, affecting 501 patients.
