As noted in recent months, we’ve reached that unhappy stage where we are seeing an average of one or more breach disclosures every day. If this just represented greater transparency, that would be great, but it may also represent an increase in the number of breaches.
On a positive note: almost all of the entities for whom we had date of breach or discovery and date of report reported their breaches within 60 days from date of discovery. Protenus understandably wonders whether that could indicate that a recent $475,000 settlement between HHS and Presence Health over late notification might be getting entities more calendar-conscious.
Some breaches are still taking too long to discover, however, as three breaches that were first disclosed in March had gone undetected for more than one year. Two of those three incidents involved insider-wrongdoing.
As in past months, insider breaches represented a significant percentage (44%) of all reported incidents, but did not account for the bulk of breached records. As we have seen before, hacking accounted for a smaller percentage of incidents but a larger percentage of breached records. This month, there were 11 reports to HHS submitted as “Hacking/IT incidents.” Four of those entities specifically described their hacking incidents as ransomware incidents in their notifications. A fifth entity declined to answer the question of whether their incident involved ransomware. Several other entities reported “hacking” incidents, but did not respond to inquiries from this site requesting more information.
The largest – or second largest – incident of the month was a ransomware incident reported by Urology Austin as impacting almost 280,000 patients. It’s not clear what the largest incident of the month was because there was a contradiction between what Commonwealth Health Corporation in Kentucky reported to HHS and what Med Center Health reported to the media. On March 1, CHC informed HHS that 697,800 patients were affected by an incident that they reported as “Theft – Other.” Three weeks later, Med Center Health uploaded a notice to their site that described an insider-wrongdoing incident. Media outlets were informed that the incident affected 160,000 patients. It’s possible that the contradictory reports were for the same incident, but if so, which is the correct number of patient records? The number of breached records for March remains somewhat uncertain at this point until that incident (or those incidents?) are clarified.
Protenus’s March barometer was based on reports involving the following entities or individuals:
- ABCD Pediatrics, P.A.
- American Home Patient
- Apex Edi
- Bristol Court Assisted Living Facility
- Center for Health and Wellness Law, LLC
- City of Delray Beach
- Commonwealth Health Corporation
- CVS Health
- Denton Heart Group (HealthTexas Provider Network)
- Dr. O Medical & Wellness Center (Dr. Tinuade Olusegun-Gbadehan)
- Estill County Chiropractic, PLLC
- Highland Rivers Community Service Board
- Houston Methodist Cancer Center
- Houston Methodist Hospital
- Lane Community College health clinic
- Local 693 Plumbers & Pipefitters Health & Welfare Fund
- Mecklenburg County Health Dept
- Med Center Health
- Memphis VA Medical Center
- Metropolitan Urology Group
- Orange County Global Medical Center
- Primary Care Specialists, Inc.
- Primrose OB/GYN Clinic (CoxHealth)
- Rashel Williams
- Riaz Baber, M.D.
- Rocky Mountain Health Maintenance Organization, Inc
- Sharp Healthcare
- Skin Cancer Specialists, P.C.
- Specialty Dental Partners of Philadelphia, PLLC.- DBA Rich Orthodontics
- Charles Health System
- Louis Children’s Hospital (BJC Healthcare)
- Tarleton Medical Group (Harold Tarleton, M.D.)
- UNC Health Care (N.C. Women’s Hospital and UNC Maternal-Fetal Medicine)
- Unnamed Western PA healthcare facility
- Urology Austin
- Virginia Commonwealth University
- VisionQuest Eyecare
- Washington University School of Medicine
- WellSpan Health
Details on many of the incidents can be found by searching this site.