A report into the spate of data breaches that ripped through America’s healthcare industry last year has revealed that more breaches happened in Texas than in any other state.
The “2019 Healthcare Data Breach Report” published yesterday by HIPAA Journal shows that healthcare data breaches involving the exposure of 500 or more records occurred in every state with the exception of North Dakota and Hawaii. The Lone Star State was the worst hit, with 60 breaches recorded, followed by California, which suffered 42.
Citing figures from the Department of Health and Human Services’ Office for Civil Rights’ breach portal, the report showed a huge year-on-year increase in both the number of breaches that occurred and the quantity of patient records exposed.
The report found that 510 healthcare data breaches in which 500 or more records were exposed were reported in 2019, representing a 37.4% increase over the 371 such breaches reported in 2018. The total number of patient records exposed shot up from 13,947,909 in 2018 to 41,335,889 in 2019.
Shockingly, the report disclosed that in 2019 alone, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.
According to the report, “more healthcare records were breached in 2019 than in the six years from 2009 to 2014.”
The largest single healthcare data breach in the US last year occurred when a network server at Optum360, LLC, was compromised after hackers illegally gained access to the systems of their business associate American Medical Collection Agency (AMCA).
The Optum360 breach alone resulted in the exposure of 11,500,000 records; however, the AMCA hack affected 24 healthcare organizations in total, resulting in the exposure of 26,059,725 records.
Nearly a quarter—23.33%—of last year’s breaches “involved business associates to some extent,” according to the report.
Of the breaches that occurred last year, most (59.41%) were classified as hacking/IT incidents, which accounted for 87.60% of all breached records in 2019. The second biggest cause of data breaches, accounting for 28.82% of incidents, was unauthorized access/disclosure, which involved 11.27% of all records breached.
Email and network servers proved the most vulnerable locations for personal health information, with the majority of incidents involving phishing and spear-phishing attacks. Of the 510 breaches that occurred, 214 involved records located in email and 132 affected records on network servers.