Nearly 446,000 patients affected in April-reported breaches

Healthcare providers, insurers and their business associates reported 38 breaches affecting nearly 446,000 patients to the federal government last month.

That's down 55.8% from the number of patients affected in breaches reported in April of last year, when organizations reported 50 breaches affecting just over 1 million people, according to data from the HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches.

In March 2020, organizations reported 39 breaches that exposed data on more than 834,000 people.

HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department. That means many of the incidents reported to the OCR in April were discovered in February, and may have taken place even earlier—so April numbers likely don't include the recent rise in coronavirus-related cyberattacks that healthcare organizations have reportedly seen.

Two organizations reported incidents that affected more than 100,000 people each, which collectively accounted for roughly half of the 446,000 patients affected in breaches reported last month.

Beaumont Health on April 17 reported the breach with the largest number of individuals affected last month, after discovering some employee email accounts—which included health information of up to 112,211 patients—had been accessed by an unauthorized individual in May 2019 and June 2019. The Michigan system discovered the breach March 29.

Beaumont said it's found no evidence to suggest that the health information has been misused.

Meridian Health Services Corp. in Indiana reported the second-largest breach of the month on April 27, which also involved unauthorized access to some employee email accounts. Meridian discovered the breach, which took place in December 2019, in February. It also said that it's found no evidence to suggest that the information has been misused.

Hacking and IT incidents like those at Beaumont and Meridian accounted for half of the 38 breaches submitted to the OCR in April. The remaining breaches resulted from loss, theft, and unauthorized access or disclosure.