September 2022 Healthcare Breaches

Each month, we review the healthcare breaches posted on the Office for Civil Rights (OCR) online breach portal to determine the leading causes and how the incidents could have been prevented. The HIPAA Breach Notification Rule requires OCR to publicly post breaches affecting 500 or more individuals, so that affected patients can learn that their information may have been compromised.

Covered entities, like healthcare providers and health plans, reported the lion’s share of breached records in September: 2,183,302. Business associates logged 270,538 breached records.

Overall, September healthcare breaches affected 2,453,840 records containing protected health information (PHI).

In September 2022, 64 breaches affecting 500 or more individuals were reported, 46 of which affected healthcare providers. These 46 incidents compromised the PHI of 2,101,013 individuals, 85.6% of the patients affected by the September incidents.

Business associates reported ten additional incidents that affected 270,538 patients, representing 11% of patients affected. 

Eight health plans (five hit by hacking and three by unauthorized access or disclosure, per the breakdowns below) also reported incidents affecting 82,289 patients, 3.4% of affected patients. Together, 46 providers, 10 business associates and 8 health plans account for all 64 reports.

Fifty-three breaches resulted from hacking incidents. Seven breaches were caused by unauthorized access to or disclosure of PHI, two involved theft, and two resulted from loss of PHI.
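The monthly review described above amounts to a group-by over the OCR portal's CSV export: filter to one submission month, then total incidents and affected individuals by entity type, by breach type, and (for hacking only) by location of the breached information. The script below is an added example and is not code from the original post. It assumes the export carries the columns "Covered Entity Type", "Individuals Affected", "Breach Submission Date", "Type of Breach" and "Location of Breached Information"; the rows in SAMPLE_CSV are constructed for illustration, not real reports. It also includes the reconciliation step a reviewer should run before publishing percentages: the published hacking-by-location subtotals from this page are fed through it and come up 13,406 short of the hacking total.

```python
"""Aggregate OCR breach-portal export rows the way this monthly review does.

Added example, not part of the original post. Column names are assumptions
about the portal's CSV export; SAMPLE_CSV is constructed, not real data.
"""
import csv
import io
from collections import defaultdict

HACKING = "Hacking/IT Incident"

# Constructed sample export (not real OCR data). The last row is from August
# and must be dropped by the month filter.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,TX,Healthcare Provider,"12,000",09/02/2022,Hacking/IT Incident,Network Server
Example Clinic B,OH,Healthcare Provider,800,09/05/2022,Hacking/IT Incident,Email
Example Plan C,CA,Health Plan,"5,000",09/09/2022,Hacking/IT Incident,Network Server
Example BA D,NY,Business Associate,3000,09/12/2022,Hacking/IT Incident,Electronic Medical Record
Example Clinic E,FL,Healthcare Provider,600,09/15/2022,Unauthorized Access/Disclosure,Paper/Films
Example Plan F,WA,Health Plan,1500,09/20/2022,Unauthorized Access/Disclosure,Email
Example Clinic G,IL,Healthcare Provider,700,09/28/2022,Theft,Laptop
Example Clinic H,GA,Healthcare Provider,900,08/30/2022,Hacking/IT Incident,Network Server
"""


def load_month(text, month):
    """Parse the export and keep only rows submitted in `month` ("MM/YYYY")."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        mm, _dd, yyyy = r["Breach Submission Date"].split("/")
        if f"{mm}/{yyyy}" != month:
            continue
        # Counts may carry thousands separators; normalize to int.
        r["Individuals Affected"] = int(r["Individuals Affected"].replace(",", ""))
        rows.append(r)
    return rows


def breakdown(rows, column):
    """Incidents and affected individuals per distinct value of `column`.

    Returns {value: {"count": n, "individuals": m, "pct": share of individuals}}.
    """
    count = defaultdict(int)
    people = defaultdict(int)
    for r in rows:
        count[r[column]] += 1
        people[r[column]] += r["Individuals Affected"]
    total = sum(people.values())
    return {
        k: {"count": count[k], "individuals": people[k],
            "pct": round(100 * people[k] / total, 1) if total else 0.0}
        for k in count
    }


def reconcile(subtotals, expected_total):
    """Return (sum_of_subtotals, shortfall). A non-zero shortfall means the
    line items do not account for every individual in the published total."""
    s = sum(subtotals.values())
    return s, expected_total - s


# Figures exactly as published in this page's "Types of hacking incidents"
# list (page data, not constructed); they do not add up to the hacking total.
PUBLISHED_HACKING_TOTAL = 2_424_060
PUBLISHED_HACKING_BY_LOCATION = {
    "Network Server / Other": 1_558_611,
    "Email": 258_176,
    "EMR / EMR+Network Server": 592_775,
    "Laptop": 1_092,
}


def monthly_report(text, month):
    """Build the three breakdowns the monthly review publishes."""
    rows = load_month(text, month)
    hacking = [r for r in rows if r["Type of Breach"] == HACKING]
    return {
        "total_incidents": len(rows),
        "total_individuals": sum(r["Individuals Affected"] for r in rows),
        "by_entity": breakdown(rows, "Covered Entity Type"),
        "by_cause": breakdown(rows, "Type of Breach"),
        "hacking_by_location": breakdown(hacking, "Location of Breached Information"),
    }


if __name__ == "__main__":
    rep = monthly_report(SAMPLE_CSV, "09/2022")
    print(rep["total_incidents"], "incidents,", rep["total_individuals"], "individuals")
    for section in ("by_entity", "by_cause", "hacking_by_location"):
        print(section)
        for k, v in sorted(rep[section].items(), key=lambda kv: -kv[1]["individuals"]):
            print(f"  {v['count']:>3} {k:<32} {v['individuals']:>10,} {v['pct']:>5}%")
    print("published hacking line items reconcile to:",
          reconcile(PUBLISHED_HACKING_BY_LOCATION, PUBLISHED_HACKING_TOTAL))
```

Running the script on a real export only requires replacing SAMPLE_CSV with the downloaded file's contents; the month filter keys on submission date, which is also how the portal's monthly view groups reports.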

September 2022 Healthcare Breaches and Hacking

Cybercriminals are still busy: hacking remained the leading cause of healthcare breaches in September 2022. The 53 hacking incidents reported in September affected the PHI of 2,424,060 patients, 98.8% of all records breached during the month.

Entities affected by hacking:

  • 40 healthcare providers, 2,084,174 patients, 86% of patients affected by hacking
  • 8 business associates, 268,642 patients, 11% of patients affected by hacking
  • 5 health plans, 71,244 patients, 3% of patients affected by hacking

Types of hacking incidents:

  • 41 hacks of network servers (including reports OCR files under its "Other" location category), 1,558,611 patients, 64.3% of patients affected by hacking
  • 6 email hacks, 258,176 patients, 10.7% of patients affected by hacking
  • 5 hacks of electronic medical record (EMR) systems or combined EMR/network server, 592,775 patients, 24.5% of patients affected by hacking
  • 1 laptop hack, 1,092 patients, <0.1% of patients affected by hacking

Note that these four line items sum to 2,410,654 patients, 13,406 short of the 2,424,060 hacking total, so the published subtotals do not fully reconcile with the total.


How to Prevent Hacking Incidents

Hacking has been the leading cause of healthcare breaches for several years, so reducing your organization’s exposure to it is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for both security and compliance; the HIPAA Security Rule requires covered entities and business associates to conduct a risk analysis. An SRA identifies weaknesses and vulnerabilities in your security practices so you can prepare for the threats that would exploit them. Once an SRA is complete, document a remediation plan for every identified deficiency, with an owner and a target date for each, and track it to closure.

Employee Cybersecurity Training

A significant share of hacking incidents begins with a phishing email, which is why employee cybersecurity training is essential to your organization’s overall security posture. Train employees to recognize phishing attempts and to report a suspected incident promptly. Training lowers the odds that a phish succeeds but does not eliminate them, so pair it with technical controls such as multi-factor authentication on email and remote access.

September 2022 Healthcare Breaches and Unauthorized Access or Disclosure

Unauthorized access to or disclosure of PHI occurs in two ways: an employee with legitimate system access views or shares PHI outside their job role, or an outside party gains access to PHI. September 2022 recorded seven such incidents, affecting 24,639 patients, one percent of the breached records reported in September.

Entities affected by unauthorized access or disclosure:

  • 1 business associate, 1,359 patients, 5.5% of patients affected by unauthorized access or disclosure
  • 3 healthcare providers, 12,235 patients, 49.7% of patients affected by unauthorized access or disclosure 
  • 3 health plans, 11,045 patients, 44.8% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

  • 2 electronic medical records incidents, 11,447 patients, 46.5% of patients affected by unauthorized access or disclosure
  • 1 email incident, 778 patients, 3.2% of patients affected by unauthorized access or disclosure
  • 1 paper/films incident, 8,283 patients, 33.6% of patients affected by unauthorized access or disclosure
  • 3 network server incidents, 4,121 patients, 16.7% of patients affected by unauthorized access or disclosure

(These line items sum to 24,629 patients, ten short of the 24,639 total above.)