During the first six months of this year, 228 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR), and of the top 20, five involved business associates (BAs), including the largest.
If the second half of the year is like the first, the 2020 breach total could fall short of 2019’s record high of 511 breaches of this size posted on OCR’s so-called “Wall of Shame” website.
But whether the numbers truly reflect fewer breaches or are temporarily down, perhaps due to delayed reporting or the impact of the COVID-19 pandemic, is just a guess at this point.
If anything, some are predicting that the number of breaches may climb in the second half of the year. Covered entities (CEs) have 60 days from when a breach occurs to notify the agency, so the OCR website is always somewhat behind.
Experts have been warning for months that the “bad guys” are seizing on the chaos of the moment to strike, particularly through email hacks. Indeed, of the top 20 breaches reported this year, based on number of affected individuals, all but three were the result of a hacking/IT incident involving email.
Still, the trend in recent years has been toward smaller breaches (a somewhat relative term), and that has so far continued in 2020. Four or five years ago it wasn’t unusual for a health plan, for example, to report a breach involving more than one million people. The big spike from 2014 to 2017 included Anthem and Premera Blue Cross, with 79 million and 11 million affected, respectively.
Last year saw a breach affecting 22 million individuals, attributed in part to Quest Diagnostics and LabCorp and caused by a breach at their collection agency. That organization itself is a subcontractor and wasn’t responsible for reporting the breach to OCR. On OCR’s website, Quest’s BA Optum360 reported 11.5 million affected individuals related to this breach.
As of the end of June, however, there have been no breaches of this magnitude reported. The largest breach reported thus far in 2020 was Health Share of Oregon, and it also set the pace for the issue of BAs as a cause.
On Jan. 2, the health plan learned that a laptop containing the protected health information (PHI) of 654,362 individuals was stolen from GridWorks, which the plan described as its “non-emergent medical transportation” vendor. The laptop disappeared after a burglary in November 2019.