Macon, Ga.-based Navicent Health disclosed the largest breach in March. The breach, which took place during summer 2018, resulted from a cyberattack targeting employee email accounts. These email accounts held personal information of up to 278,016 patients.
Although Navicent Health learned of the cyberattack in July 2018, the health system reported it to the OCR on March 22. HHS gives HIPAA-covered entities 60 days from when they discover a breach to notify the department.
At deadline, Navicent Health had not responded to Project Japan's request for comment regarding its timeframe in reporting the incident.
In a statement posted online, Navicent Health said it did not conclude that the affected email accounts contained personal information—such as patients' names, dates of birth, addresses, Social Security numbers and medical information—until Jan. 24.
"Upon learning of the attack, Navicent Health commenced a prompt, extensive and thorough investigation," the health system wrote in a separate online statement. Navicent Health said it worked with four third-party data privacy and cybersecurity firms as part of its investigation.
Zoll Medical, a medical-device and software maker, disclosed a breach affecting 277,319 patients in March. The breach took place in late 2018 when a third-party service that archives Zoll Medical's emails migrated to a new server.
Some information from the company's emails—such as patients' personal and medical data—was exposed during the server migration, Zoll Medical said.
Navicent Health and Zoll Medical's breaches represent the fourth- and fifth-largest breaches reported this year, respectively.
More than half of organizations—including Navicent Health and Zoll Medical—attributed breaches they reported in March to hacking or IT incidents. The remaining breaches resulted from theft—such as theft of a computer or laptop—as well as unauthorized access or disclosure.