This Canary Mail HIPAA Breach report covers the breaches that occurred in April 2022.
Following four months of decreasing data leak counts, there was a 30.2 percent spike in reported data leaks. In April 2022, the Office for Civil Rights at the Department of Health and Human Services received 56 reports of data leaks involving 500 or more records.
While the number of reported leaks rose compared with the previous month, the quantity of patient information exposed or improperly released fell by 30% to 2,160,194, the lowest monthly total since October 2021. In April 2022, the mean breach size was 38,575 records, with a median breach size of 6,546 records.
Ten more occurrences were reported by business partners. A total of 23,324 patients were impacted by business associate occurrences, accounting for a little over 1% of all patients.
Biggest Medical Data Thefts in April ’22
In April 2022, 28 healthcare data leaks affecting 10,000 or more people were recorded. Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other medical firms, reported the worst cyber attack. ARcare, an Arkansas healthcare provider, was hit by spyware, which crippled its systems and might have given intruders access to the information of more than 3,00,00 people. In April, the Refuah Health Center disclosed a cyberattack and information breach event that had happened almost a year before in May 2021, affecting approximately 2,50,000 patients.
Optima Dermatology Holdings, a healthcare firm located in New Hampshire, reported a cyber attack in which around 59,872 email accounts were targeted. Similarly, Newman Regional Health in Kansas reported another cyber breach in which 52,224 email accounts were affected. Healthplex, Inc., The Guidance Center, Inc. and Fairfield County Implants & Periodontics, LLC are other healthcare providers that reported email attacks, which affected 89,955, 23,104 and 10,502 email accounts respectively.
Reasons for April ’22 Medical Data Thefts
In April 2022, hackers and IT events were responsible for 73.2 percent of all medical information leaks recorded, and 97.1 percent of all leaked medical records. Those cyber attacks affected around 20 lakh people, and their protected medical information may have been taken. The median breach size was 9,969 records, with an average breach size of around 51,000 records. Cyber attackers gained access to employee email accounts in 16 of the hacking events, and there were 7 breaches of electronic medical records as a result of the hacking incident at EHR vendor Eye Care Leaders.
Unauthorized access/disclosure instances involving a total of 20,391 records were the only breaches documented. The median breach size was 820 records, with an average breach size of 1,854 records. Two theft cases involving laptops or computers were recorded, as well as one loss case involving an ‘other portable electronic item.’ The records of 40,298 people might have been compromised as a result of the three loss/theft cases. If the data had been encrypted, all three cases might have been avoided. One incorrect disposal case involving 1,115 paper documents was also recorded.
Medical Services Data Breaches by Covered Entity Type
With 39 reports of data theft in April, healthcare providers were the most severely impacted HIPAA-covered entity. Health plans reported seven data breaches, while business organizations reported ten data breaches. A total of 17 data breaches occurred at business organizations, but each covered company was notified. The graph below illustrates the data theft for the month, with the locations of the data theft changed to reflect where they happened.
HIPAA Enforcement Activity in April ’22
In April 2022, neither the HHS Office for Civil Rights nor the state attorneys general disclosed any HIPAA enforcement efforts. HIPAA infractions have resulted in four monetary penalties so far this year.