The largest breach, which compromised data on up to 206,695 people, involved a ransomware attack at Doctors' Management Service, a company that provides medical billing services to hospitals and physician practices. Doctors' Management Service reported the data breach to the OCR on April 22, two years after the incident began.
The company said patients seen at 38 of its client locations may have had information comprised in the data breach.
Doctors' Management Service said it first noticed technical issues with its computer network in December 2018. Upon investigation, the company discovered its server had been encrypted with GandCrab, a ransomware variant, and determined that an unauthorized user had accessed the network beginning in April 2017.
The company said it restored its patient data through backups, and therefore did not pay any ransom.
"On February 15, 2019, our forensic investigator reported that while the investigation could not determine whether personal health information was actually viewed or downloaded that type of activity could not be ruled out," Doctors' Management Service said in a notice signed by its CEO Timothy DiBona and posted to its website April 22.
DiBona said that despite the unauthorized access beginning in 2017, the company had provided notice to affected providers within 60 days of its discovery of the incident, as required by the OCR.
"The healthcare providers had an additional 60 days after receipt of notice from DMS to notify HHS," he added. "In this case, DMS agreed to notify HHS on behalf of the healthcare providers within the allotted 60-day period."
The second-largest breach in April took place at Centrelake Medical Group, which operates a network of imaging facilities in southern California.
In February, Centrelake Medical Group discovered its information system had been infected with a virus that restricted access to its files. As part of its investigation, the group found what it called "suspicious activity" on its network dating back to January and lasting until the virus infection in February, according to a notice posted online April 16.
The affected servers housed files and software applications that contained information on up to 197,661 patients who visited Centrelake Medical Group.
Doctors' Management Service and Centrelake Medical Group's data breaches represent the sixth- and seventh-largest breaches reported this year, respectively. Centrelake Medical Group had not responded to a request for comment at deadline.
Nearly two-thirds of organizations—including Doctors' Management Service and Centrelake Medical Group—attributed breaches they reported in April to hacking or IT incidents. The remaining breaches resulted from theft, loss, improper disposal, or unauthorized access or disclosure of patient records.
