August-reported healthcare breaches exposed 700,000 people's data

More than 700,000 people had data exposed in healthcare breaches reported to the federal government last month.

In August, providers, health plans and their business associates reported 44 data breaches—affecting a total of 710,279 individuals—to HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches. That's the second-lowest number of impacted individuals in a single month since the start of 2019, following January's tally of 577,511 people.

Two of the data breaches reported to the OCR in August affected more 100,000 people each.

New Mexico-based Presbyterian Healthcare Services on June 6 discovered an unauthorized user had gained access to some employee email accounts, which the health system attributed to a phishing scam that began in May. The breached emails, which Presbyterian reported to the OCR Aug. 2, included patient and health plan data from an estimated 183,370 people.

"While our investigation is ongoing, we want to stress that we have no evidence indicating that any patient or member data has been used in any way and there was no access to our electronic health record or billing systems," Dale Maxwell, Presbyterian's president and CEO, said in a statement.

The second-largest data breach reported in August involved an IT incident at Wisconsin Diagnostic Laboratories, which reported a breach of 114,985 patients to OCR Aug. 2.

The OCR's tally of data breaches reported in July also continued to climb, hitting a total of 58 incidents affecting 26.6 million people as of Tuesday. Most of those people had data exposed at clinical testing labs impacted by a massive data breach at billing collections vendor American Medical Collection Agency, the third-party data breach that exposed information on millions of Quest Diagnostics and LabCorp patients.

Hacking and IT incidents, like the ones at Presbyterian and Wisconsin Diagnostic Laboratories, accounted for 64% of data breaches reported in August. The remaining data breaches resulted from theft, loss, or unauthorized access or disclosure of patient records.