A breach at UW Medicine in Seattle accounted for nearly half of these individuals. On Feb. 20, the health system disclosed a website vulnerability that exposed protected health information from an estimated 974,000 patients. This marks the the largest breach reported yet this year.
Although UW Medicine reported the breach in February, the information security incident took place in December 2018. HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department.
Nearly three-quarters of organizations that reported breaches in February attributed the incident to hacking or IT incidents. The remaining breaches were attributed to theft—such as theft of paper records, film or laptops—as well as unauthorized access or disclosure.
Overall, hacking and IT incidents were up roughly two-fold from February 2018. One of the 23 hacking incidents reported in February related to a foreign attack on an emergency medical services provider in North Carolina.
A hacker operating outside of the U.S. accessed a server that housed billing information related to EMS services provided by the state's Pasquotank County, according to a notice the Pasquotank-Camden Emergency Medical Services posted Feb. 28. The organization did not specify the country of origin or when the hack occurred.