This Canary Mail HIPAA breach report covers the breaches that occurred in May 2022.
In May 2022, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services received 72 reports of healthcare security breaches involving 500 or more records, the highest number of breaches reported this year. That is a sharp increase of 30% in healthcare security breaches from the previous month.
4,410,500 people had their personal information compromised, stolen, or illegally revealed as a result of the data breaches, which is more than double the number of records that were compromised in April and nearly 38% more than the average monthly breach rate over the previous 12 months.
Biggest Medical Data Thefts in May ’22
In May 2022, 30 healthcare data breaches affecting 10,000 or more people were recorded. Shields Health Care Group, which offers MRI and other imaging services in New England, reported the largest HIPAA breach. The type of the attack was not revealed, although Shields stated that intruders gained access to its network and exfiltrated information containing patient data. Around two million patients in New England were affected by this attack.
Partnership HealthPlan of California disclosed another significant data leak, this time due to a ransomware attack. Intruders obtained access to devices that contained the personal information of 854,910 active and former patients.
During May, the percentage of eye care providers directly impacted by a data leak at ePHI vendor Eye Care Leaders increased. The data leak has impacted at least 2,187,380 patients. Alameda Health System in California reported another hacking incident in which around 90,000 individuals were affected due to unauthorized access to email accounts. In another breach, reported by Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care in Georgia, around 28,300 email accounts were accessed by unauthorized individuals, resulting in another major HIPAA breach incident. Capsule Healthcare Provider in New York also reported a similar breach in which 27,400 user accounts were compromised.
In a mismailing incident reported in California by Motion Picture Industry Health Plan, 16,800 individuals were affected due to unauthorized email access. Allaire Healthcare Group, based in New Jersey, filed another HIPAA breach report in which around 13,100 user accounts were accessed by unauthorized individuals.
Reasons for May ’22 Medical Data Thefts
May ’22 saw a continued high volume of reported hacking events, with 54 of the month’s data breaches being categorized as cyber attacks or other IT mishaps. In comparison to April, there were around 75 percent more occurrences. The number of records disclosed in cyberattacks in April was more than double the number of records exposed in May, i.e., 60 percent of the 4,212,500 records compromised in May. The median breach compromised around 13,150 records, and the average breach size was around 79,500 records.
May saw 10+ unauthorized login events recorded, a slight rise from April. Across those incidents, 43,800 documents were improperly shared. 3,300 records were compromised on average, and 1,190 records were compromised on average in each breach.
Approximately 3 theft incidents and 1 incident involving the loss of paper records were also recorded. These breaches affected around 154,000 records in total, with a median intrusion size of 1,770 records and an average breach size of 35,500 records.
With so many cyber attacks, it is not unexpected that protected health information (PHI) housed on network servers was compromised in 30 of the month’s data breaches. The hack on Eye Care Leaders was to blame for the substantial number of breaches of healthcare data. Email account breaches were widely reported in May, with 71 percent more incidents than in April. While multi-factor authentication and security awareness training for employees won’t stop all email data theft, they can greatly increase security.
HIPAA Enforcement Activity in May ’22
In May, neither the HHS Office for Civil Rights nor any state Attorneys General disclosed any HIPAA enforcement proceedings. OCR has levied 4 cash penalties totalling $170,000 to settle HIPAA breaches this year.