DataBreaches.Net


Insider breaches dominate in Protenus’s November Breach Barometer

Posted on December 15, 2016 by Dissent

As in previous months, Protenus has summarized what kind of month November was for breaches involving health data. And as the November issue of Breach Barometer makes clear, insider/employee incidents outnumbered external attacks in a month where we first learned of 57 incidents – the largest number of monthly reports this year.


One of the main explanations for November having so many reports is that clients of a few business associates that had experienced breaches all started submitting notifications to HHS and patients. Of special note, the Ambucor Health Solutions breach – reported by Ambucor to HHS back in July as affecting 1,679 patients – accounted for 11 of the incident reports this month and 16,765 records for the 9 Ambucor-related reports for which we had numbers. Similarly, 4 more clients of EMR4All/RBS reported their incidents in November. Both Ambucor and EMR4All/RBS were insider breaches: the former, a case of insider wrongdoing, and the latter, a case of insider error.

Protenus’s Breach Barometer is particularly helpful to those interested in analyzing breach trends because the HHS public breach tool generally does not accurately reflect the extent to which breaches involve a third party. If you were to rely on HHS’s breach tool, you might think there were only 3 business associate breaches in November, yet our research and analysis indicated that at least 25 incidents involved a third party, and we realize that that’s likely only the tip of a much larger iceberg.

While Protenus provides aggregated statistics, readers who are curious may want to know which incidents were included in the November report.

The following organizations or entities all had incidents that were included in their November statistics:

Aetna Signature Administrators
Austin Pulmonary Consultants
Bay Sleep Clinic
Berkshire Medical Center
Best Health Physical Therapy, LLC
Biomechanics LLC
Briar Hill Management
Broward Health: Broward Health Imperial Point
Camas Center Clinic, Kalispel Tribe of Indians
Carolina Cardiology Consultants (Greenville Health System)
Charleston Area Medical Center
CHI Franciscan Health
Cleveland Clinic Akron General
Conemaugh Physician Group Cardiology
Consultants in Neurological Surgery, LLP
Darlingten
Eye Institute of Marin
GHI (Emblem Health)
Glendale Adventist
Harrisonburg OB GYN Associates, P.C.
Horizon Blue Cross Blue Shield of New Jersey
Indiana Family and Social Services Administration – Indiana Health Coverage Program
Irvine Company
Kaiser Foundation Health Plan
Kaiser Permanente Health Plan – N. Cal
Kaiser Permanente Health Plan – S. Cal
KinetoRehab Physical Therapy, PLLC
La Gloria Pharmacy
LCS Westminster Partnership IV, LLP d/b/a Sagewood
Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology)
Lenox Hill Heart and Vascular Institute
Lister Healthcare
Louisiana Health Cooperative, Inc. in Rehabilitation
Luque Chiropractic
Main Line Health
Managed Health Services
Horizon BCBS & UnitedHealth Group
New Mexico Heart Institute
North Texas Heart Center, P.A.
OC Gastrocare
OptumHealth New Mexico
Pikeville Medical Center
Pinellas County Board of County Commissioners
Primerica
Seguin Dermatology
Stony Brook Internists, University Faculty Practice Corporation
VA Eastern Colorado Health Care System
Vanderbilt U. Psychological & Counseling Center
Vascular Surgical Associates
Vein Specialists of Northwest Georgia
Vision Care Florida, LLC
WADA and USADA
Wal-Mart Stores, Inc.
Washington Department of Social and Health Services – Aging and Disability Services
Watsonville Chiropractic (David W. Christie, D.C.)
Wentworth-Douglass Hospital
Young Adult Institute, Inc.

The following entities or organizations all had some involvement in reported incidents as business associates to the above or as third parties in reported incidents:

Aetna Signature Administrators
Ambucor Health Solutions
AON Hewitt
Briar Hill Management
Command Marketing Innovations
Darlingten
EMR4All/RBS
HP Enterprise Services, LLC
Marin Medical Practice Concepts, Inc.
Unnamed cleaning service
Unnamed vendor
Unnamed vendor + UPS

The majority of incidents included in the barometer can be found on DataBreaches.net by using the search function for the entities’ names.

