Hacking/IT incidents top the HC breach reports for the month of April

by | May 24, 2021 | Cyber Security

April 2021 Healthcare Data Breach Report (hipaajournal.com)

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered EntityCovered Entity TypeBusiness Associate InvolvementIndividuals AffectedType of BreachReported Cause of Breach
Trinity HealthBusiness AssociateYes586,869Hacking/IT IncidentRansomware (Accellion)
Bricker & Eckler LLPBusiness AssociateYes420,532Hacking/IT IncidentRansomware
Health Center Partners of Southern CaliforniaBusiness AssociateYes293,516Hacking/IT IncidentRansomware (Netgain Technologies)
Total Health Care Inc.Health PlanNo221,454Hacking/IT IncidentPhishing
Wyoming Department of HealthHealth PlanNo164,010Unauthorized Access/DisclosureExposure of PHI over Internet
Home Medical Equipment Holdco, LLCHealthcare ProviderNo153,013Hacking/IT IncidentPhishing
Health Aid of Ohio, Inc.Healthcare ProviderNo141,149Hacking/IT IncidentUnspecified hacking and data exfiltration attack
Woodholme GastroenterologyHealthcare ProviderNo50,000Hacking/IT IncidentUnspecified hacking and data exfiltration attack
Neighborhood HealthcareHealthcare ProviderYes45,200Hacking/IT IncidentRansomware (Netgain Technologies)
Crystal Lake Clinic PCHealthcare ProviderNo37,331Hacking/IT IncidentNot confirmed
RiverSpring Health PlansHealth PlanNo31,195Hacking/IT IncidentPhishing
Middletown Medical ImagingHealthcare ProviderNo29,945Hacking/IT IncidentExposure of PHI over Internet
St. John’s Well Child and Family Center, Inc.Healthcare ProviderNo29,030Hacking/IT IncidentUnspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy CorporationHealthcare ProviderNo24,037Hacking/IT IncidentPhishing
Squirrel Hill Health CenterHealthcare ProviderNo23,869Hacking/IT IncidentMalware
Eastern Shore Rural Health System Inc.Healthcare ProviderYes23,282Unauthorized Access/DisclosureNot confirmed
Faxton St. Luke’s HealthcareHealthcare ProviderYes17,656Hacking/IT IncidentRansomware (CaptureRX)
Midwest Transplant Network, Inc.Healthcare ProviderNo17,580Hacking/IT IncidentRansomware
Baptist Health ArkansasHealthcare ProviderYes16,765Hacking/IT IncidentHacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 branches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

StateNo. Reported Data Breaches
California7
Michigan and Texas5
Florida, New York, & Wisconsin4
Massachusetts & Ohio3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

 

Trish Breingan

Trish Breingan

Vice President of HIPAA Compliance and Co-Founder of SPIN Compliance Solutions