Healthcare Data Breaches Continue to Break Records

Hardly a day goes by without some healthcare organization falling victim to a data breach. Thousands of patients around the country are having their sensitive personal health information hijacked one way or another.

From phishing emails sent to healthcare company employees, to ransomware attacks, to outright failure to secure patients’ personal health information, providers, insurers and others involved in healthcare are finding themselves on the defensive.

A recent report from Protenus finds that nearly 32 million patient records were breached in 2019, doubling the number from all of 2018. The number of breach incidents that took place between January and June of this year reached 285 – that’s at least one breach per day.

One of the most recent and largest data breaches involved American Medical Collection Agency (AMCA), which affected more than 20 million of its users from different blood testing laboratories and medical institutions around the country. The portal was used to pay for laboratory fees for patients of Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix and Sunrise Laboratories, among others. AMCA has since filed for bankruptcy and is the target of investigations and lawsuits.

The data breach report breaks it down even further, noting that nearly 21 percent of all breaches were inside jobs resulting in the exposure of 3,457,621 records. Insider error accounted for 35 percent of the breaches and 22 percent were the result of insider wrongdoing.

Providers accounted for nearly three-quarters (72 percent) of the breaches, followed by health plans (11 percent), business associates (9 percent) and 8 percent could not be classified.

Those breaches come with a big price tag. As we wrote about last month, many violations of the Health Insurance Portability and Accountability Act (HIPAA) can result in substantial fines or even jail time.

Earlier this month, the Veterans Affairs Office of Inspector General found that some workarounds put into place at the Tibor Rubin VA Medical Center in Long Beach, Calif., may have resulted in the exposure of 133 patients’ records to outside parties.

The problems began in 2013 after the medical center upgraded the computer system on several of its medical devices and continued until late 2017, according to the OIG. The agency noted that the workarounds were “the use of the GI provider’s personal computer and emails, a non-VA (unencrypted) flash drive, and the Cloud.”

As HIPAA-covered entities continue to rely on electronic health records, telemedicine and other electronic means, it is incumbent upon them to ensure the security of patients’ data, not only for themselves, but also to ensure that business associates take steps to do the same.

As we wrote about in June, the U.S. Department of Health and Human Services Office for Civil Rights recently issued a new fact sheet on the Direct Liability of Business Associates under HIPAA.

The release of the fact sheet immediately followed a settlement agreement with a business associate relating to a data breach that occurred in 2015 when hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of some 3.5 million individuals.

The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to and let’s discuss how we might be able to assist you.
