More than 4M patients had data exposed in December-reported breaches

More than 4.2 million patients had data exposed in healthcare data breaches reported to the federal government last month.

As of Jan. 13, HHS' Office for Civil Rights posted 58 breach reports that healthcare providers, insurers and their business associates had submitted to the agency in December. That rounded out 2020 with 641 reports in total, marking the most breaches reported in a single year since OCR began maintaining its database in 2010.

In terms of patients affected, December represented a 955.6% increase from December 2019, when organizations reported 41 breaches affecting nearly 398,000 patients. The 4.2 million figure is also a massive jump month-over-month from November 2020 when 1.2 million patients had data exposed in 49 breaches.

December marks the second-highest month in 2020 based on the number of patients with data exposed in breaches, second to September, when 9.9 million patients had data affected.

The two largest breaches reported in December affected roughly 1 million patients each, ranking them as the first- and third-biggest breaches for 2020 as a whole.

HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department, so many of the incidents reported to OCR in December were discovered in October and may have taken place even earlier.

Hacking and IT incidents accounted for just over half of breaches reported in December, including the month's largest reported breach at MEDNAX Services, a business associate that provides administrative services to physician practice groups. The remaining 27 breaches resulted from loss, theft, improper disposal, and unauthorized access or disclosure.

MEDNAX in June discovered that hackers had gained access to a "small number" of employee email accounts through a phishing scam, according to a letter sent to patients and published online by California's Justice Department. MEDNAX in November determined 1.3 million patients may have had personal, medical or financial data held in the email accounts.

"We immediately took action to prevent any further unauthorized activity, began an investigation and engaged a national forensic firm," a MEDNAX spokesperson said of the incident in an emailed statement. "We are not aware of any actual or attempted misuse of personal information as a result of this event."

The second-largest breach reported in December, which took place at Dental Care Alliance, involved a hack into the dental support organization's network.

Dental Care Alliance in October discovered that hackers had accessed certain files that contained either personal, medical or financial information of an estimated 1 million patients, according to a notice posted by Maine's Attorney General.

There's been no evidence to suggest that patient data exposed in the breach was viewed or misused by hackers, according to Dental Care Alliance.

Dental practices that are part of Dental Care Alliance's network "take the security of personal information in their care very seriously," the organization wrote in an emailed statement shared through their attorney. Since the incident, the practices have worked with cybersecurity specialists to "reaffirm the security of shared IT resources" and improve existing security measures.