Hacking continues to dominate largest data breaches in November

Nearly 1.2 million patients had data exposed in healthcare data breaches reported to the federal government last month, half of which were linked to just three incidents.

As of Wednesday, HHS' Office for Civil Rights posted 48 breach reports that healthcare providers, insurers and their business associates had submitted to the agency in November.

HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department, so many of the incidents reported to OCR in November were discovered in September, and may have taken place even earlier.

Hacking and IT incidents accounted for half of breaches reported in November, including the month's largest reported breach at Colorado Springs, Colo.-based mental healthcare provider AspenPointe. The remaining 24 breaches resulted from loss, theft, improper disposal, and unauthorized access or disclosure.

AspenPointe on Nov. 19 reported a breach compromising data on roughly 295,600 patients.

The breach is linked to a cyberattack that AspenPointe experienced in September, during which an unauthorized user accessed the provider's network and exfiltrated data, according to a letter sent to patients and published online by the Montana Department of Justice.

Names and some dates of birth, Medicaid ID numbers, Social Security numbers and diagnosis codes were among patient information the user removed from the network.

The second- and third-largest incidents reported in November involved a September breach at Lawrence (Mass.) General Hospital and a July ransomware attack at Alamance Skin Center—a Cone Health medical practice based in Burlington, N.C.—and compromised data on nearly 176,600 and 100,000 patients, respectively.

Alamance Skin Center categorized the ransomware as a "loss" in its report to OCR, since its patient records are currently "unrecoverable" as a result of the attack, according to a notice it posted online.

Cumulatively, the breaches at AspenPointe, Lawrence General and Alamance Skin Center accounted for 572,204 of the 1.2 million breached patient records reported in November.

In terms of patients affected, November represented a 90.3% increase from November 2019, when organizations reported 36 breaches affecting more than 608,500 patients. But the 1.2 million figure is down 56% month-over-month from this year's September, when more than 2.6 million patients had data exposed in 79 breaches.