The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) publicly displays breaches affecting 500 or more patients on their breach portal. In October, there were 59 breaches reported, affecting 2,088,686 patients. More details about the October healthcare breaches are discussed.

October Healthcare Breaches: What Type of Entity Was Affected

The majority of October healthcare breaches affected healthcare providers, with 51 incidents affecting 1,038,202 patients. The second most affected group were business associates, with 6 incidents affecting 962,779 patients. Although there were significantly less business associates breaches than healthcare providers, the business associate breaches were of larger scale. Additionally, there was one breached healthcare clearinghouse affecting 45,732 patients, and 3 breached health plans affecting 41,973 patients.

October Healthcare Breaches: Hacking/IT Incidents

Hacking in healthcare has become the leading cause of breaches, and October was no different.

The majority of October healthcare breaches occurred due to hacking/IT incidents, with 43 incidents affecting 2,024,988 patients. Of these incidents, 35 targeted healthcare providers, 5 targeted business associates, 2 targeted health plans, and 1 targeted a healthcare clearinghouse.

Network Server Hacks Affected 1,581,560 Patients

Healthcare Providers:

◈ Yale New Haven Hospital: affected 15,904 patients

◈ AdventHealth Shawnee Mission: affected 28,766 patients

◈ Provider Health Services: affected 1,700 patients

◈ Ascend Clinical, LLC: affected 77,443 patients

◈ OSF HealthCare System: affected 94,171 patients

◈ Arkansas Methodist Medical Center: affected 4,916 patients

◈ Geisinger: affected 86,412 patients

◈ Stamford Hospital: affected 1,050 patients

◈ Bonnie Brae: affected 884 patients

◈ Passavant Memorial Homes, Inc.: affected 25,000 patients

◈ Lawrence + Memorial Hospital: affected 21,617 patients

◈ The Medical College of Wisconsin, Inc.: affected 5,655 patients

◈ Greenwich Hospital: affected 95,000 patients

◈ Froedtert & the Medical College of Wisconsin Community Physicians, Inc.: affected 3,074 patients

◈ The Opportunity Alliance: affected 4,500 patients

◈ Body by RAvi Plastic Surgery and Aesthetics: affected 2,618 patients

◈ Adults and Children with Learning and Developmental Disabilities, Inc.: affected 603 patients

◈ Sisters of Charity of St. Augustine Health System: affected 118,874 patients

◈ First Impressions Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut PLLC: affected 23,000 patients

◈ Kids First Dentistry & Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut, PLLC: affected 5,000 patients

◈ Rady Children’s Hospital – San Diego: affected 19,788

Business Associates:

◈ Timberline Billing Service, LLC: affected 116,131 patients

◈ Luxottica of America Inc.: affected 829,454 patients

Email Hacks Affected 219,367 Patients

Healthcare Providers:

◈ State of North Dakota: affected 35,416 patients

◈ Centerstone of Indiana, Inc.: affected 11,638 patients

◈ Centerstone of Tennessee, Inc.: affected 50,965 patients

◈ Perry County Memorial Hospital: affected 501 patients

◈ Intellirad Imaging, LLC: affected 1,862 patients

◈ DJO, LLC: affected 3,429 patients

◈ Center for Autism and Related Disorders: affected 1,440 patients

◈ Einstein Healthcare Network: affected 1,821 patients

◈ Cedar County, Iowa Board of Supervisors : affected 1,138 patients

◈ Virginia Cancer Institute Incorporated: affected 6,258 patients

Business Associates:

◈ Lycoming-Clinton Joinder Board Programs: affected 14,500 patients

◈ Practice Transformation Solutions, LLC: affected 1,678 patients

◈ Practice Transformation Solutions, LLC: affected 1,016 patients

Health Plans:

◈ Connecticut Department of Social Services: affected 37,000 patients

◈ Milestone Electric, Inc.: affected 4,973 patients

Healthcare Clearinghouse:

◈ Georgia Department of Human Services: affected 45,732 patients

Other Hacks Affected 224,061 Patients

Healthcare Providers:

◈ Northwest Eye Surgeons, P.C. and Sight Partners LLC: affected 20,838 patients

◈ Heavenly Hands Family Medical Clinic: affected 2,000 patients

◈ Presbyterian Healthcare Services: affected 193,223 patients

◈ MK Periodontics and Implants: affected 8,000 patients

October Healthcare Breaches: Unauthorized Access/Disclosures

Incidents of unauthorized access or disclosures occur when protected health information (PHI) is accessed or disclosed for purposes other than for treatment, payment, or healthcare operations. These can either be accidental, when an employee sends patient information to an entity unintentionally, or purposely, when an employee accesses or discloses PHI for personal or financial gain. In October, there were 11 incidents of unauthorized access/disclosures, affecting 52,862 patients, all of which affected healthcare providers.

Unauthorized Access/Disclosures Through Email Affected 32,932 Patients

◈ Tri-State Specialists, LLP: affected 17,050 patients

◈ Allergy & Asthma Center: affected 711 patients

◈ Arkansas Otolaryngology Center, PA: affected 12,000 patients

◈ University of Michigan/Michigan Medicine : affected 1,062 patients

◈ Premier Health Partners: affected 749 patients

◈ Clinical & Forensic Consultation, LLC d/b/a Thriveworks Bristol, Johnson City, and Knoxville: affected 1,360 patients

Unauthorized Access/Disclosures to Paper/Films Affected 14,420 Patients

◈ Community Clinic of Maui: affected 1,784 patients

◈ Beaufort Memorial Hospital: affected 12,636 patients

Other Unauthorized Access/Disclosures Affected 5,510 Patients

◈ Mary Rutan Hospital: affected 1,677 patients

◈ McLaren Oakland: affected 2,219 patients

◈ Mayo Clinic: affected 1,614 patients

October Healthcare Breaches: Other

Other October healthcare breaches were caused by theft of PHI, or improper disposal of PHI. There were 4 incidents of theft affecting 6,546 patients, and one incident of improper disposal affecting 4,290 patients. All of these breaches solely affected healthcare providers.

Theft of PHI Affected 6,546 Patients

◈ WellMed: affected 591 patients

◈ Health and Wellness Clinic, PLLC: affected 885 patients

◈ Coast Dental: affected 1,700 patients

◈ My Choice Housecalls, LLC: affected 3,370 patients

Improper PHI Disposal Affected 4,290 Patients

◈ Jemez Health & Human Services: affected 4,290 patients