Ivy Rehab Network, a New York-based network of physical therapy clinics, reported the largest data breach disclosed to the OCR in November, affecting roughly 125,000 patients.
Ivy Rehab in May discovered evidence that an unauthorized user had accessed a some employee email accounts, according to a notice the provider posted online. After an investigation, Ivy Rehab determined that the email accounts compromised in what appeared to be a phishing scam targeting its employees may have included patient names, protected health information and financial account information.
The second-largest data breach reported in November also involved an email phishing scam.
There's been a marked increase in email breaches across healthcare in recent years. Since 2017, email has been the primary outlet through which health data is exposed, according to data from the OCR.
Solara Medical Supplies, which sells medical devices for patients with diabetes, in June discovered that an unauthorized user had gained access to some employee email accounts, including ones that contained data like customer names, medical information and credit card information. The company reported that the breach affected roughly 114,007 patients and employees.
Hacking and IT incidents, like the ones at Ivy Rehab and Solara Medical Supplies, accounted for nearly 60% of data breaches reported in November, three-quarters of which targeted email addresses. The remaining data breaches resulted from theft, unauthorized access or unauthorized disclosure.