Nearly 1.2 million patients had data exposed in healthcare data breaches reported to the federal government last month, half of which were linked to just three incidents.
As of Wednesday, HHS' Office for Civil Rights posted 48 breach reports that healthcare providers, insurers and their business associates had submitted to the agency in November.
HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department, so many of the incidents reported to OCR in November were discovered in September, and may have taken place even earlier.
Hacking and IT incidents accounted for half of breaches reported in November, including the month's largest reported breach at Colorado Springs, Colo.-based mental healthcare provider AspenPointe. The remaining 24 breaches resulted from loss, theft, improper disposal, and unauthorized access or disclosure.
AspenPointe on Nov. 19 reported a breach compromising data on roughly 295,600 patients.