Nearly 438,000 patients affected in January-reported breaches

Modern Healthcare Illustration / Getty Images

Providers, health plans and their business associates reported 29 breaches affecting nearly 438,000 patients to the federal government in the first month of 2020.

While the overall number of breaches is down in January compared to December, 10% more patients were affected, according to data from the HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches. But it's down from last year's January, when breaches exposed data of almost 578,000 patients.

A breach at not-for-profit health system PIH Health in California—the result of an email phishing campaign—was the only incident reported to the OCR in January that affected more than 100,000 people.

The largest healthcare breach reported in 2019 involved exposure of 11.5 million patients' data.

PIH Health in June discovered that some employee email accounts might have been compromised in a targeted email phishing scheme. After an investigation by a third-party cybersecurity team, the system said it in October received confirmation that unauthorized users had accessed certain employee email accounts during about one week in June.

PIH Health told OCR on Jan. 10 that the breach affected an estimated 199,548 patients.

HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department. PIH Health in a notice posted online said it learned from the third-party cybersecurity team that the employee email accounts in question contained the health data of some current and former patients in November.

"Upon learning about the security incident in June 2019, PIH Health immediately launched an investigation and engaged leading, independent cybersecurity experts to provide assistance," PIH Health said a statement. "We went through the regulatory process as appropriate which took months for review."

The investigation has found no evidence indicating that health data included in the email accounts has been misused, the health system said.

Hacking and IT incidents accounted for more than half of the 29 breaches submitted to the OCR in January, at just over 60%.

The remaining breaches reported in January resulted from theft, improper disposal, unauthorized access or unauthorized disclosure of records.

Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
cybersecurity
Health insurance data breach exposes Congressional members' personal info
cybersecurity-data-hacking_2_i.png
Following alleged cyberattack, Tallahassee Memorial resumes some services
Most Popular
1
Centene to lay off 2,000 workers
2
How health systems are battling price-gouging allegations
3
Senate advances bill to temporarily aid hospitals, health centers
4
Elevance, Blue Cross Louisiana halt $2.5B proposed deal
5
Tower Health to sell urgent care centers, close others