The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) reported 32 January healthcare breaches, affecting 462,856 patients. Of the reported incidents, there were 19 breaches due to hacking/IT incidents, 9 breaches from the unauthorized access/disclosure of protected health information (PHI), 2 breaches due to theft, and 2 breaches due to improper disposal of PHI.

January 2020 healthcare breaches

Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.

Hacking / IT Incidents Causing January Healthcare Breaches

The majority of January healthcare breaches were due to hacking/IT incidents, with 89.9% of the total breaches reported in January caused by this type of incident. Hacking/IT incidents affected 416,275 patients. The following chart depicts the type of hacking/IT incidents that caused January healthcare breaches, including how many patients were affected by each:

January 2020 Hacking IT breach

  • Email Hacks Affected 352,986 Patients
    • MHMR Tarrant County: affected 6,524 patients
    • Hospital Sisters Health System: affected 16,167 patients
    • Village Senior Services Corporation d/b/a VillageCareMAX: affected 2,645 patients
    • Village Center for Care d/b/a VillageCare Rehabilitative and Nursing Center: affected 674 patients
    • REVA, INC.: affected 1,000 patients
    • Phoenix Children’s Hospital: affected 1,860 patients
    • Children’s Hope Alliance: affected 4,564 patients
    • PIH Health: affected 199,548 patients
    • Spectrum Healthcare Partners: affected 11,308 patients
    • InterMed, PA: affected 33,000 patients
    • CAH Holdings, Inc.: affected 1,158 patients
    • Native American Rehabilitation Association of the Northwest, Inc.: affected 25,187 patients
    • Douglas County Hospital dba Alomere Health: affected 49,351 patients
  • EMR/Network Server Hacks Affected 6,120 Patients
    • Virginia Department of Medical Assistance Services: affected 6,120 patients
  • Network Server Hacks Affected 54,109
    • Central Kansas Orthopedic Group, LLC: affected 17,214 patients
    • Manchester Ophthalmology, LLC: affected 6,846 patients
    • Fondren Orthopedic Group L.L.P.: affected 30,049 patients
  • Other Hacks Affected 3,060 Patients
    • Personal Touch Home Services of Dallas, Inc.: affected 1,700 patients
    • Lafayette Regional Rehabilitation Hospital: affected 1,360 patients

Avoid HIPAA fines by becoming HIPAA compliant today!

Unauthorized Access / Disclosures Causing January Healthcare Breaches

The unauthorized access or disclosure of protected health information (PHI) represented 8.2% of the total healthcare breaches in January, affecting 37,949 patients.

January 2020 Unauthorized access or disclosure

  • Email Unauthorized Access / Disclosures Affected 8,719 Patients
    • Cedarbrook Senior Care and Rehabilitation / County of Lehigh: affected 688 patients 
    • Lawrenceville Internal Medicine Assoc, LLC: affected 8,031 patients 
  • EMR Unauthorized Access / Disclosures Affected 1,182 Patients
    • Beaumont Health: affected 1,182 patients 
  • Network Server Unauthorized Access / Disclosures Affected 2,713 Patients
    • Cook County Health: affected 2,713 patients 
  • Paper/Films Unauthorized Access / Disclosures Affected 15,370 Patients
    • Robert S. Smith MD Inc DBA Boston Scientific Pathology: affected 6,940 patients
    • UnitedHealth Group Health Plan Single Affiliated Covered Entity: affected 934 patients
    • Solara Medical Supplies, LLC: affected 1,531 patients
    • RCM Enterprise Services, Inc.: affected 5,965 patients
  • Other Unauthorized Access / Disclosures Affected 9,965 Patients
    • Original Medicare: affected 9,965 patients 

Theft / Improper Disposal Causing January Healthcare Breaches

January healthcare breaches caused by theft of PHI accounted for 0.5% of breaches, affecting 2,497 patients. The improper disposal of PHI represented 1.3% of breaches, affecting 6,135 patients.

How to Protect Against Healthcare Breaches

As healthcare organizations are increasingly targeted by hackers, it is important to understand how you can protect your organization against breaches. 

The Department of Health and Human Services (HHS) recommends the following ten cybersecurity practices:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

In addition to implementing the recommended cybersecurity practices, to ensure that these practices are effective, it is essential to train employees. Employee training is required to be conducted annually. Training must be conducted on HIPAA standards, as well as your organization’s internal administrative policies and procedures. Employee training should also include how to recognize phishing emails. A phishing email is an email sent to employees, impersonating a trusted entity, usually prompting recipients to click on a malicious link that enables hackers to access the employee’s computer. This type of attack is occurring more frequently as hackers become more sophisticated. 

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!