Nearly 389,000 patients affected in March-reported breaches

Healthcare providers, insurers and their business associates reported 30 breaches affecting nearly 389,000 patients to the federal government last month.

That's 60% fewer than the number of patients affected in breaches reported in March 2019, when organizations reported 35 breaches affecting roughly 972,000 people, according to data from the HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches.

In February, organizations reported 43 breaches that exposed data on more than 1.6 million people.

A breach at Tandem Diabetes Care was the only incident reported to the OCR in March that affected more than 100,000 people.

The San Diego-based devicemaker in January discovered that an unauthorized user may have gained access to a "limited number of Tandem employee email accounts" between January 17 and January 20 as a result of an email phishing scam, according to a notice posted on the company's website.

Email phishing is a tactic in which cybercriminals send malware or trick targets into sharing personal information via email by posing as a trusted entity, such as the recipient's employer.

Tandem reported the breach to the OCR on March 17, after determining that the breached email accounts contained information including names, clinical data regarding diabetes therapy and Social Security numbers of some customers. HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department.

In total, Tandem reported that the phishing incident compromised data on up to 140,781 customers—accounting for more than one-third of all people who had data exposed in breaches reported to the OCR in March.

Hacking and IT incidents accounted for roughly half of the 30 breaches submitted to the OCR in March. The remaining breaches reported last month resulted from theft, loss, unauthorized access or unauthorized disclosure of records.