For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median:52 breaches).
For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month percentage decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, to October 31, 2023, more than 82.6 million healthcare records have been exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.
Largest Healthcare Data Breaches Reported in October 2023
14 breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.
Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEIt Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected and more than 60 million records were stolen in the attacks.
Name of Covered Entity |
State |
Covered Entity Type |
Individuals Affected |
Cause of breach |
Postmeds, Inc. (TruePill) |
CA |
Healthcare Provider |
2,364,359 |
Hacking incident (details not disclosed) |
Western Washington Medical Group |
MS |
Healthcare Provider |
350,863 |
Hacking incident (details not disclosed) |
Greater Rochester Independent Practice Association, Inc. |
NY |
Healthcare Provider |
279,156 |
Hacking incident (details not disclosed) |
Radius Global Solutions |
PA |
Business Associate |
135,742 |
Hacking incident – MoveIT Transfer vulnerability exploited |
Dakota Eye Institute |
ND |
Healthcare Provider |
107,143 |
Hacking incident (details not disclosed) |
Walmart, Inc. Associates Health and Welfare Plan |
AR |
Health Plan |
85,952 |
Hacking incident (details not disclosed) |
Westat, Inc. |
MD |
Business Associate |
50,065 |
Hacking incident – MoveIT Transfer vulnerability exploited |
Brooklyn Premier Orthopedics |
NY |
Healthcare Provider |
48,459 |
Hacking incident (details not disclosed) |
PeakMed |
CO |
Healthcare Provider |
27,800 |
Hacking incident (Compromised credentials) |
Hospital & Medical Foundation of Paris, Inc |
IL |
Healthcare Provider |
16,598 |
Hacking incident (details not disclosed) |
Fredericksburg Foot & Ankle Center, PLC |
VA |
Healthcare Provider |
14,912 |
Hacking incident (details not disclosed) |
Cadence Bank |
MS |
Business Associate |
13,862 |
Hacking incident – MoveIT Transfer vulnerability exploited |
Peerstar LLC |
PA |
Healthcare Provider |
11,438 |
Hacking incident (details not disclosed) |
Atlas Healthcare CT |
CT |
Healthcare Provider |
10,831 |
Hacking incident (details not disclosed) |
October 2023 Data Breach Causes and Data Locations
As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.
The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception being the mass hacking of a zero-day vulnerability in the MOVEit Transfer solution, a fairly safe disclosure legally as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of the breach are given insufficient information it is difficult for them to accurately gauge the level of risk they face.
There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.
The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. 8 data breaches involved compromised email accounts.
Where did the Data Breaches Occur?
The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.
Geographical Distribution of Healthcare Data Breaches
HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.
State |
Breaches |
Texas |
5 |
Mississippi |
4 |
Illinois, New York & Pennsylvania |
3 |
California, Colorado, Florida & Georgia |
2 |
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia |
1 |
HIPAA Enforcement Activity in October 2023
In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.
OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.
State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.
Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.
Inmediata, a Puerto Rico-based healthcare clearinghouse settled a multi-state data breach investigation involving more than 35 state attorneys general. A server has been left unsecured, which allowed sensitive data to be indexed by search engines, allowing it to be found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.
Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.
The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.
The post October 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.