Over 30 Data Breach Incidents in Health Care Reported to HHS Thus Far in 2020, Affecting Over 1 Million Individuals
Health care organizations continue to be a popular target for hackers. According to information from the U.S. Department of Health & Human Services (HHS), over 30 reports of data breaches have been filed by health care entities in the first month and a half of 2020. Although a few reported breaches involved theft or improper disposal of information, the majority of the reported breaches involved hacking/IT incidents and unauthorized access or disclosure.
HHS is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Cumulatively, the breaches reported through February 13, 2020 potentially affect over 1 million patients. The largest breach involving a hacking/IT incident was reported by PIH Health, a health care provider, with nearly 200,000 individuals affected. Other significant hacking/IT incident breaches reported included one by a hospital in Minnesota affecting over 49,000 individuals, one by a health care provider in Maine affecting 33,000 individuals, one by an orthopedic group in Texas affecting just over 30,000 patients, and another by a rehabilitation provider in Oregon affecting over 25,000 individuals. In most of these larger breaches, hackers targeted emails although one breach involved a network server.
While theft was reported as the cause of breaches in only a handful of cases, it was the cause of the largest health care data breach reported thus far this year. Health Share of Oregon, a health plan, reported that over 650,000 individuals were affected by a breach attributed to the theft of a laptop. This underscores the importance of keeping such devices secure and the data encrypted.
All of these breaches are currently being investigated by the Office for Civil Rights at HHS. Information on reported breaches is regularly updated and available for review on the HHS Breach Portal.