What you need to know about the forces reshaping our industry.


May 22, 2019

A record-breaking number of health care data breaches were reported in April

Daily Briefing

    Read Advisory Board's take: How should your organization prepare and respond to breaches?

    Health care entities in April reported 45 data breaches to HHS, marking the highest number of reported health care-related breaches in one month since the agency began tracking such breaches in an online database in 2010, according to a report published by HHS' Office for Civil Rights.

    The previous record was set in April 2018, when providers reported 42 data breaches to HHS.

    April breaches affected data of nearly 700K individuals

    According to the report, 45 businesses and organizations covered by HIPAA reported data breaches to HHS in April, including 38 health care providers, six health plans, and one business associate. Entities reported breaches in 23 states, with the most breaches reported in California and Texas.

    About two-thirds of the organizations that reported data breaches in April said the breaches were caused by hacking or IT incidents. Entities also reported loss, improper disposal, theft, and unauthorized access or disclosure of patient records as reasons for the breaches.

    The reported breaches on average compromised the data of 30,000 people, though two of the reported breaches each impacted more than 100,000 people. The largest reported breach, a ransomware attack at Doctors' Management Service, compromised the data of more than 200,000 people. The attack is the sixth-largest breach reported so far in 2019, according to the report.

    While the number of reported health data breaches reached a record-high last month, fewer people's data was comprised in April 2019 when compared with March 2019 and April 2018. The breaches reported last month compromised the of data 686,953 individuals, down from 963,794 in March 2019 and 896,532 in April 2018 (Cohen, Modern Healthcare, 5/10; Bendix, Medical Economics, 5/15; HHS' OCR report, accessed 5/22).

    Advisory Board's take

    Allyson Vicars

    Allyson Vicars, Consultant, Health Care IT Advisor

    The number of breaches in April is quite concerning and reinforces the need for health care organizations to continue maturing and expanding their cybersecurity programs. As an industry, we have made strides in the past couple of years improving our technological stance and security processes, but as the data here alludes, the cyber threats we face continue to grow in sophistication and magnitude and become more difficult to combat.

    “Breaches and related incidents can have devastating consequences for health care organizations”

    Breaches and related incidents can have devastating consequences for health care organizations. Not only is the immediate clean-up expensive to address, but class action lawsuits are now commonplace following a breach. And certain incidents, like ransomware, can halt clinical activity for hours and even days, which can continue to reverberate long after the attack. As a result, every health care organization needs to have a strong strategy in place to mitigate cyber risk.

    You can't eliminate cyber risk completely. Rather, the most progressive organizations have a well-funded and widely-supported security program that matches their specific organizational culture and operational needs and ultimately is aimed at mitigating risk down to an acceptable level (as set by the board of directors). And this isn't just about having the best technology. A strong cybersecurity strategy requires inclusive governance, clearly defined and enforced policies as well as continued education and process implementation across all areas of the enterprise.

    Executives need to play a crucial role in this strategy. While the chief information officer (CIO) and chief information security officer (CISO) will be critical partners, they can't be left to lead the charge all on their own. For example:

    • The board can ensure mechanisms in place to track security status and progress;
    • The CEO can include cybersecurity in due diligence of any M&A or partnership activity;
    • The CMO and CNO can make the clinical voice heard in the organization's security governance;
    • The CFO can ensure funding requests for security tools and services are vetted against a security strategy and roadmap;
    • The COO can ensure business continuity plans are in place, tested, and work well across all shifts; and
    • The CHRO can ensure the security team has the necessary staff to operationalize its security strategy.

    Want to learn more about what you should be doing in your role? Check out our cybersecurity cheat sheet series which outline what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.

    Access the Cheat Sheet Series

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.