2.1 million patients had data exposed in October-reported breaches

More than 2.1 million patients had data exposed in healthcare data breaches reported to the federal government last month.

As of Thursday, HHS' Office for Civil Rights posted 59 data breach reports that healthcare providers, insurers and their business associates had submitted to the agency in October.

In terms of patients affected, that's a 219.6% increase from October 2019, when organizations reported 53 breaches affecting nearly 677,300 patients. But 2.1 million is down from September, when 9.7 million patients had data exposed in a landmark 97 breaches—the highest number reported in a single month since OCR began tracking healthcare data breaches in 2010.

Hacking and IT incidents accounted for more than 70% of breaches reported in October. The remainder resulted from theft, improper disposal and unauthorized access or disclosure.

Luxottica of America, part of Italian eyewear giant Luxottica, reported a massive breach compromising data on more than 829,400 people—nearly 40% of the 2.1 million records reported in October.

The breach is likely linked to a ransomware attack the company reportedly suffered in September. Luxottica did not immediately return a request for comment.

Reports linked to a ransomware attack at software vendor Blackbaud, which drove September's record high, also continued to trickle in throughout October.

The second- and third-largest data breaches reported to OCR last month—at Presbyterian Healthcare Services in Albuquerque, N.M., and Sisters of Charity Health System in Cleveland—were both tied to the cyberattack at Blackbaud, a company that sells software to not-for-profits to manage fundraising, marketing and other operations.

Blackbaud discovered the cyberattack in May. The company has said it paid a ransom to the cybercriminals, who in exchange destroyed a copy of the data they had taken.

Roughly 193,200 patients at Presbyterian Healthcare Services may have had data including names, dates of birth, dates of treatment, facilities or departments of service, treating physicians, employers, emergency contacts or medical record numbers compromised in the breach.

Hospitals have varied in what data was held in Blackbaud's systems.

"It's not unusual for foundations to solicit patients for donations," Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security, told Modern Healthcare in October. But how much information is collected "specific to the patient and their disease, where they were treated, and who the doctors were, I think probably varies widely."

Providers have reported breaches stemming from the cyberattack at Blackbaud to OCR since August.

When organizations report to the agency has largely depended on when they were notified of the incident by Blackbaud. Blackbaud notified Presbyterian's foundation, Presbyterian Healthcare Foundation, about the cyberattack in August, according to a news release from the health system.

HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department.