Health care organizations continue to be a popular target for hackers. According to information from the U.S. Department of Health & Human Services (HHS), more than 30 reports of data breaches were filed by health care entities in the first month and a half of 2020. Although a few reported breaches involved theft or improper disposal of information, the majority of the reported breaches concerned hacking/IT incidents and unauthorized access or disclosure.

HHS is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Cumulatively, the breaches reported through February 13, 2020, potentially affect over 1 million patients. The largest breach involving a hacking/IT incident was reported by health care provider PIH Health, with nearly 200,000 individuals affected. Other significant hacking/IT incident breaches reported included one by a hospital in Minnesota that affected over 49,000 individuals, one reported by a health care provider in Maine that affected 33,000 individuals, one involving an orthopedic group in Texas that affected just over 30,000 patients, and another by a rehabilitation facility in Oregon that affected over 25,000 individuals. In most of these larger breaches, hackers targeted emails, although one breach involved a network server.

While theft was reported as the cause of breaches in only a handful of cases, it was the cause of the largest health care data breach reported thus far this year. Health Share of Oregon, a health plan, reported that more than 650,000 individuals were affected by a breach attributed to the theft of a laptop. This underscores the importance of keeping such devices secure and the data encrypted.

All of these breaches are currently being investigated by the Office for Civil Rights at HHS. Information on reported breaches is regularly updated and available for review on the HHS Breach Portal.