March 2019 Healthcare Data Breaches

The Health and Human Services Office of Civil Rights (OCR) is responsible for enforcing civil right laws. Covered Entities such as Skilled Nursing Facilities and Business Associates must comply with HIPAA regulations which includes reporting breaches of Protected Health Information (PHI). Breaches affecting 500 or more individuals are posted by OCR on a public website. Breaches affecting less than 500 individuals are also required to be reported but are not posted for public viewing.

To give you an idea of the information available on the public site using March 2019 data, there were 32 breaches reported with 500 or more individuals involving 951,252 individuals. Of these 32 breaches, there were 22 Healthcare Providers, 4 Health Plans, and 6 Business Associates involved.

The types of breaches consisted of

  • 20 – Hacking/IT Incidents
  • 8 – Unauthorized Access/Disclosure
  • 4 – Thefts

Breaches involving email and network servers accounted for 893,502 of the impacted individuals (see chart below). This is why security awareness training, good password management practices, and virus protection are so important.

For a list of the names of companies impacted and other information, visit the OCR portal at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf