Nearly 3.5 million people had data exposed in healthcare breaches reported to the federal government last month.
That’s up from 2 million people who had information compromised in data breaches reported in May.
Yet June had the lowest number of healthcare breaches reported in a single month since the start of 2019, with providers, health plans and their business associates reporting 29 data breaches to HHS’ Office for Civil Rights, the agency that maintains the government’s database of healthcare breaches. That’s down 40% from the 49 data breaches reported to the OCR during May.
The vast majority of people affected in the data breaches reported in June, just under 3 million, had information exposed in a single incident at Dominion National, an insurer and administrator of dental and vision benefits in the Mid-Atlantic. The breach is the largest incident to be reported to the OCR this year.
Dominion National on June 21 notified the OCR that an unauthorized user may have accessed some of its computer servers. The unauthorized access, which Dominion National said it learned of April 24, may have begun as early as April 2010, according to an investigation the insurer is conducting with an unnamed cybersecurity firm.
The computer servers in question stored or were able to access enrollment and demographic data for current and former members of select plans, as well as people affiliated with organizations that Dominion National administers dental and vision benefits for. That could mean addresses, dates of birth, Social Security numbers and bank account numbers were exposed in the breach.
Hacking and IT incidents, like the one at Dominion National, accounted for 45% of the data breaches reported in June. The remaining breaches resulted from theft, loss, improper disposal, or unauthorized access or disclosure of patient records.
Absent from the OCR’s breach portal to date are reports from a massive breach at billing collections vendor American Medical Collection Agency, which was publicly disclosed last month.
LabCorp and Quest Diagnostics in June said a data breach resulting from an unauthorized user accessing the vendor’s web payment system between August 2018 and March 2019 had affected nearly 8 million and 12 million of their patients, respectively, but that AMCA had not provided them with information on which patients’ data was exposed.
The data breach sparked a set of investigations and inquiries into AMCA, LabCorp and Quest, including an investigation by Illinois Attorney General Kwame Raoul and Connecticut Attorney General William Tong.
An AMCA spokesperson did not respond to a request for comment on whether it had reported the breach to the OCR or whether it intends to. LabCorp said it’s continuing to investigate the incident. “LabCorp will take additional steps that may be appropriate, including making any required notifications, once more is known about the AMCA incident,” a spokesperson said in an email last month.