HIPAA Breach News

Security Breaches in Healthcare in 2023

An unwanted record was set in 2023 with 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), beating the record of 720 healthcare security breaches set the previous year. Aside from 2015, the number of reported security breaches in healthcare has increased every year although the rate of increase is slowing and 2024 could see the healthcare industry start to turn the corner.

As the chart shows, healthcare security breaches are occurring twice as often as in 2017/2018, with two large healthcare data breaches reported each day on average in 2023. Just a few years ago it was alarming that large healthcare data security breaches were being reported at a rate of one a day. Little did we know how bad the situation would get in such a short space of time.

The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.

With healthcare data breaches increasing year-over-year, something needs to be done to help healthcare organizations improve resilience to cyber threats and action is now being taken at the state and federal levels. In December 2023, the HHS published a concept paper outlining plans to improve resilience to cyber threats across the sector and limit the severity of attacks when defenses are breached. In the paper, the HHS indicated it will be adopting a carrot-and-stick approach by developing voluntary Healthcare and Public Health (HPH) Sector Cybersecurity Goals (CPGs) that consist of cybersecurity measures that will have the greatest impact on security along with an update to the HIPAA Security Rule to add new cybersecurity requirements.

In January 2024, the CPGs were unveiled. They consist of Essential CPGs, which are high-impact, low-cost steps that healthcare organizations can take to improve cybersecurity, and a set of Enhanced CPGs to help healthcare organizations mature their cybersecurity programs. The HHS also hopes to obtain the necessary funding to help low-resourced healthcare delivery organizations cover the initial cost of the cybersecurity improvements in the Essential CPGs and to create an incentive scheme to encourage the adoption of the Enhanced CPGs.

In response to an alarming increase in cyberattacks on New York hospitals, New York Governor Kathy Hochul announced new cybersecurity measures had been proposed for New York hospitals, which are expected to be finalized in the first half of 2024. Hospitals in the state will be given a 1-year grace period to comply with the new requirements and funding has been set aside to help them cover the cost of making the necessary improvements.

It is not just the increasing number of data breaches that is a cause for concern; it is also the scale of these data breaches. 2023 was the worst-ever year for breached healthcare records, with breached records increasing by 156% from 2022 to 133,068,542 breached records, beating the previous record of 113 million records set in 2015. In 2023, an average of 373,788 healthcare records were breached every day.

Chart: healthcare security breaches 2009-2023 – records compromised

The total of 133 million records is also likely to significantly increase. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, OCR must be notified within 60 days of the discovery of a data breach. When that deadline is near and breached organizations have not yet completed their document reviews to find out how many individuals have had their protected health information (PHI) exposed, breaches are reported to OCR using a placeholder of 500 or 501 records. The breached entity can then amend its OCR breach report when the number of affected individuals has been confirmed. Currently, 54 data breaches in 2023 are listed on the OCR breach portal as affecting 500 or 501 individuals. Some of these incidents have been reported by large healthcare providers, health plans, and business associates, so some of those breaches could involve hundreds of thousands or even millions of records.

Biggest Healthcare Security Breaches in 2023

Since several large healthcare organizations and major vendors have yet to confirm how many individuals have been affected by data breaches, the list of the biggest healthcare data breaches in 2023 is subject to change. Based on current figures, 114 data breaches of 100,000 or more records were reported in 2023, including 26 data breaches of more than 1 million records, 5 data breaches of more than 5 million records, and one breach of 11.27 million records. The average data breach size in 2023 was 183,543 records and the median data breach size was 5,175 records.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach
HCA Healthcare | TN | Business Associate | 11,270,000 | Hackers accessed an external storage location that was used to automatically format emails
Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hackers had access to its network between March 27, 2023, and May 2, 2023
Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack with data leak (LockBit ransomware group)
Welltok, Inc. | CO | Business Associate | 8,493,379 | MOVEit Transfer vulnerability exploited (Clop hacking group)
PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Ransomware attack with data leak (Money Message ransomware group)
HealthEC LLC | NJ | Business Associate | 4,452,782 | Hackers had access to its network between July 14, 2023, and July 23, 2023
Reventics, LLC | FL | Business Associate | 4,212,823 | Ransomware attack with data leak (Royal ransomware group)
Colorado Department of Health Care Policy & Financing | CO | Health Plan | 4,091,794 | MOVEit Transfer vulnerability exploited at a vendor (Clop hacking group)
Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group | CA | Healthcare Provider | 3,388,856 | Ransomware attack with data leak (unspecified, Russia-based ransomware group)
CareSource | OH | Business Associate | 3,180,537 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Cerebral, Inc | DE | Business Associate | 3,179,835 | Impermissible disclosure of PHI via pixel tracking code on its website
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Fortra GoAnywhere MFT vulnerability exploited (Clop hacking group)
Maximus, Inc. | VA | Business Associate | 2,781,617 | MOVEit Transfer vulnerability exploited (Clop hacking group)
ESO Solutions, Inc. | TX | Business Associate | 2,700,000 | Ransomware attack (ransomware group unknown)
Harvard Pilgrim Health Care | MA | Health Plan | 2,624,191 | Ransomware attack (ransomware group unknown)
Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Ransomware attack (ransomware group unknown)
Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 2,430,920 | Ransomware attack (Snatch and Nokoyawa groups claimed credit)
Postmeds, Inc. | CA | Healthcare Provider | 2,364,359 | Hackers had access to its network between August 30, 2023, and September 1, 2023
Centers for Medicare & Medicaid Services | MD | Health Plan | 2,342,357 | MOVEit Transfer vulnerability exploited at Maximus Inc. (Clop hacking group)
Arietis Health, LLC | FL | Business Associate | 1,975,066 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Pension Benefit Information, LLC | MN | Business Associate | 1,866,694 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Performance Health Technology | OR | Business Associate | 1,752,076 | MOVEit Transfer vulnerability exploited (Clop hacking group)
Prospect Medical Holdings, Inc. | CA | Business Associate | 1,309,096 | Ransomware attack and data leak (Rhysida ransomware group)
PurFoods, LLC | IA | Healthcare Provider | 1,229,333 | Hackers had access to its network between January 16, 2023, and February 22, 2023
Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking incident – details unknown
Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | MOVEit Transfer vulnerability exploited (Clop hacking group)

Causes of Cybersecurity Breaches in Healthcare in 2023

There has been a leveling off of security breaches in healthcare in the last three years after a sharp increase in hacking incidents between 2018 and 2021, with only a 0.69% year-over-year increase in large data breaches. The year included two major mass hacking incidents by the Clop hacking group that affected many healthcare organizations. Clop-linked threat actors exploited zero-day vulnerabilities in two file transfer solutions – Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer. The first of these mass hacking incidents occurred in January with the group exploiting a remote code execution flaw – CVE-2023-0669 – in GoAnywhere MFT to attack almost 130 organizations, including healthcare organizations and business associates.

The second mass hacking incident occurred in May and was far more extensive. A zero-day vulnerability was exploited in MOVEit Transfer and more than 2,470 organizations had data stolen from their MOVEit servers. Across those incidents, the data of more than 94 million individuals was stolen. Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.

As the graph below shows, hacking incidents continue to dominate the breach reports with almost four times as many hacking incidents reported in 2023 than all other breach causes combined. 578 of the year’s 725 breaches were due to hacking and other IT incidents. The sharp rise in hacking incidents in 2018 is linked to the widespread use of ransomware and the proliferation of ransomware-as-a-service (RaaS) groups, which allowed attacks to be conducted at scale by recruiting affiliates to breach networks and receive a cut of any ransoms generated.

Chart: causes of healthcare security breaches

Data from the ransomware remediation firm Coveware shows ransomware attacks are becoming much less profitable, with fewer victims choosing to pay the ransom. In Q4, 2023, 29% of ransomware victims paid the ransom compared to 85% at the start of 2019.  In these attacks, ransomware groups steal vast amounts of sensitive data. If the ransom is not paid, the data is leaked or sold to other threat actors and is used for a multitude of nefarious purposes, but it is ransom payments that are the main source of income for these groups, and with fewer ransoms being paid, ransomware actors need to conduct more attacks to maintain their incomes.

The number of healthcare records stolen in hacking incidents has increased sharply in recent years. In 2023, more than 124 million records were compromised in healthcare hacking incidents which is 93.5% of the year’s total number of breached records. On average, 215,269 healthcare records were stolen in each hacking incident (median 73,623 records). The scale of some of these hacking incidents emphasizes the need for network segmentation to limit the data that can be accessed if networks are breached, and the importance of implementing a zero trust architecture. Zero trust assumes that adversaries have already breached ‘perimeter’ defenses and requires verification and validation of every stage of a digital interaction.

Chart: healthcare security breaches – records compromised

Aside from hacking incidents, there are several other types of security breaches in healthcare. There was a 10.4% increase in unauthorized access and disclosure incidents in 2023 and a 13.6% increase in impermissibly accessed or disclosed records. 127 unauthorized access/disclosure incidents were reported in 2023, and 8,598,916 records were accessed or disclosed across those incidents. These HIPAA breaches may be smaller than the hacking incidents, averaging 67,708 records per incident (median 1,809 records), but they can be just as harmful.

Improper disposal incidents have remained consistently low over the past 5 years (5 incidents in 2023) apart from a spike during the pandemic in 2020, and there has been a marked decline in loss/theft incidents, of which there were only 15 incidents reported in 2023 – the lowest total of any year to date. The fall in these incidents can be explained by the widespread use of encryption on portable electronic devices and the migration of data to the cloud.

Given the high percentage of hacking incidents, the most common locations of breached PHI – network servers – should come as no surprise. In 2023, 69.8% of large data breaches involved network servers (506 incidents). Email was the next most common location of compromised PHI, accounting for 18.3% of breaches (133 incidents). While multifactor authentication does not provide complete protection against email account breaches, widespread adoption of phishing-resistant multifactor authentication will see email data breaches reduce dramatically. Multifactor authentication is one of the Essential HPH CPGs and one of the most important security measures to implement in 2024.

Chart: healthcare security breaches in 2023 – location of breached data

Healthcare Security Breaches at HIPAA-Regulated Entities

The HIPAA Breach Notification Rule requires all breaches of protected health information to be reported to OCR and individual notifications to be sent to the affected individuals within 60 days of the discovery of a data breach. When a data breach occurs at a business associate of a HIPAA-covered entity, the entity that reports the breach will be dictated by the terms of the business associate agreement. Business associates often self-report their data breaches to OCR, but their covered entities may choose to report the breach themselves, or a combination of the two. For instance, Maximus Inc. disclosed in an SEC filing that the data of between 8 million and 11 million individuals was compromised in its MOVEit Transfer hacking incident, but Maximus reported the breach to OCR as affecting 2,781,617 individuals. Several clients chose to report the breach themselves.

The OCR breach data shows data breaches by the reporting entity, and as such, using that data for analyses means business associate data breaches will be underrepresented. In the table below we show data breaches by reporting entity and the charts reflect where the breach actually occurred.

Healthcare Security Breaches in 2023 – Reporting Entity

Entity Type | Data Breaches | Records Breached | Average Breach Size
Healthcare Provider | 450 | 39,925,448 | 88,723
Business Associate | 170 | 77,347,471 | 454,985
Health Plan | 103 | 15,792,548 | 153,326
Healthcare Clearinghouse | 2 | 3,075 | 1,538

Healthcare Security Breaches in 2023 – Location of Data Breach

The adjusted data shows healthcare providers suffered the most data breaches; however, data breaches at business associates were more severe, with more than 2.5 times as many records breached at business associates than at healthcare providers. The average size of a data breach at a healthcare provider was 89,983 records (median 5,354 records) whereas the average breach at a business associate was 338,394 records (median 5,314 records). 11 of the top 15 security breaches in healthcare in 2023 occurred at business associates of HIPAA-covered entities.

Securing the supply chain is one of the biggest cybersecurity challenges in healthcare. Healthcare organizations often outsource certain functions to specialist vendors and health systems often rely on dozens, if not hundreds, of different vendors, many of which require access to protected health information and every vendor used introduces risk. Healthcare organizations need to conduct due diligence on their vendors, including assessing their security controls. Before onboarding any new vendor it must be made abundantly clear what the business associate’s responsibilities are with respect to HIPAA, data security, and breach reporting.

Strengthening the security of the supply chain is labor-intensive and costly, and many healthcare organizations lack the appropriate resources to devote to vendor risk management, but vendor risk management failures can have significant ramifications. An inventory should be maintained on all vendors, including details of the business associate agreements, and data provided to each.  A risk assessment should be conducted before onboarding any vendor including an assessment of their security posture. If a vendor fails to meet the necessary cybersecurity requirements, then they should not be used. If there is no suitable alternative, then controls should be put in place to manage risk and reduce it to a low and acceptable level. While vendors may confirm that they have implemented reasonable and appropriate safeguards and data security policies and procedures, there are no guarantees that those policies and procedures will be followed and cybersecurity standards maintained. Conducting assessments of vendor security at intake is not sufficient. There should be ongoing reviews and audits of vendors and suppliers. If an organization lacks the personnel to handle this in-house, then third-party consultants should be engaged to assist with these processes. Third-party risk management requirements are included in both the Essential and Enhanced CPGs announced by the HHS in January 2024.

HIPAA Security Breaches Reported in All 50 States

No U.S. state was able to avoid a healthcare security breach in 2023. Data breaches of 500 or more records were reported in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The states that experienced the most data breaches are the most heavily populated and have the highest number of HIPAA-regulated entities.

State | Number of Data Breaches
California | 80
New York | 63
Texas | 58
Pennsylvania | 40
Massachusetts | 39
Illinois | 36
Florida | 33
Georgia & New Jersey | 21
Arizona & Minnesota | 17
Connecticut, Maryland, Michigan & Ohio | 16
Indiana, North Carolina & Tennessee | 15
Virginia | 14
Iowa | 13
Kansas & Oregon | 12
Washington | 11
Kentucky, Missouri, Mississippi & Wisconsin | 10
Colorado | 9
Alabama | 8
Utah | 7
Arkansas, Oklahoma & South Carolina | 6
Alaska | 5
Idaho, Louisiana, Maine, North Dakota & West Virginia | 4
Delaware & New Mexico | 3
Montana, Nebraska, New Hampshire & Nevada | 2
Hawaii, Rhode Island, South Dakota, Vermont, Wyoming, District of Columbia, Puerto Rico & the U.S. Virgin Islands | 1

HIPAA Enforcement Activity in 2023

In 2023, OCR announced 13 settlements with HIPAA-regulated entities to resolve allegations of HIPAA violations, a 40.9% reduction from the previous year. These investigations stemmed from reviews of HIPAA compliance in response to reported data breaches and investigations of complaints from patients and health plan members about potential HIPAA violations. While the number of financial penalties fell, the funds raised from OCR enforcement actions increased from $2,124,140 in 2022 to $4,176,500 in 2023.

Since 2019, the majority of penalties imposed by OCR resolved alleged violations of the HIPAA Right of Access. The HIPAA Right of Access requires individuals to be provided with a copy of their health records, on request, within 30 days of that request being received and they should only be charged a reasonable, cost-based fee for exercising that right if they are charged at all. Since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, 46 penalties have been imposed for HIPAA Right of Access violations, 4 of which were in 2023. This is a significant reduction from the 17 HIPAA Right of Access fines imposed in 2022.

Penalties were imposed for other HIPAA Privacy Rule violations in 2023, including one penalty for a lack of policies and procedures relating to access to PHI by employees and one penalty for the failure to obtain authorization from patients before disclosing their PHI to a reporter. Following the overturning of the penalty imposed on the University of Texas MD Anderson Cancer Center in 2018, OCR appears to have been reluctant to pursue financial penalties for Security Rule violations in all but the most egregious cases. In 2023, OCR imposed seven penalties to resolve potential violations of the HIPAA Security Rule.

Violations of several HIPAA Security Rule provisions were cited in these enforcement actions, with 6 of the 7 enforcement actions involving risk analysis failures. Another common violation was the failure to maintain and review logs of activity in information systems containing ePHI to identify unauthorized access. One of the penalties stemmed from a report of snooping on medical records by security guards, with OCR determining there was a failure to implement policies and procedures relating to HIPAA Security Rule compliance and a lack of HIPAA Privacy Rule training.
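One way to put the log-review requirement above into practice, as an added example that is not from HIPAA Journal or from any OCR enforcement action: a small reviewer over constructed EHR audit records that flags chart views by roles with no treatment relationship (the security-guard snooping pattern) and runs of off-unit chart views by clinical staff. The pipe-delimited record format, the role names and the three-chart threshold are assumptions for the example.

```python
"""Review constructed EHR access-audit records for likely unauthorized ePHI access.

Assumptions (not from the page): each audit line is
    timestamp|user_id|role|home_unit|patient_id|patient_unit|action
and only the roles in CLINICAL_ROLES have a routine need to open charts.
"""
from collections import defaultdict
from datetime import datetime

# Roles that may open a patient chart for treatment, payment or operations.
CLINICAL_ROLES = {"physician", "nurse", "pharmacist", "billing"}

# Constructed sample log: a security guard opening charts, a nurse reading
# charts on a unit she is not assigned to, and ordinary clinical activity.
SAMPLE_LOG = """\
2023-11-02T08:01:10|u1001|nurse|ICU|P-44|ICU|VIEW_CHART
2023-11-02T08:03:42|u1001|nurse|ICU|P-45|ICU|VIEW_CHART
2023-11-02T08:10:05|u2002|security_guard|LOBBY|P-44|ICU|VIEW_CHART
2023-11-02T08:11:30|u2002|security_guard|LOBBY|P-46|MATERNITY|VIEW_CHART
2023-11-02T09:00:00|u1003|physician|ONC|P-50|ONC|VIEW_CHART
2023-11-02T09:15:12|u1001|nurse|ICU|P-46|MATERNITY|VIEW_CHART
2023-11-02T09:16:00|u1001|nurse|ICU|P-47|MATERNITY|VIEW_CHART
2023-11-02T09:17:00|u1001|nurse|ICU|P-48|MATERNITY|VIEW_CHART
2023-11-02T10:00:00|u3004|billing|REVCYCLE|P-50|ONC|VIEW_BILLING
"""


def parse_log(text):
    """Parse the assumed audit format into dicts; timestamps become datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, home_unit, patient, patient_unit, action = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "home_unit": home_unit, "patient": patient,
            "patient_unit": patient_unit, "action": action,
        })
    return records


def review_access(records, cross_unit_threshold=3):
    """Return (user, reason) findings for a privacy officer to triage."""
    findings = []
    cross_unit = defaultdict(set)  # user -> distinct patients viewed off-unit
    for r in records:
        if r["action"] != "VIEW_CHART":
            continue
        # Finding 1: a non-clinical role opening any chart (snooping pattern).
        if r["role"] not in CLINICAL_ROLES:
            findings.append((r["user"],
                             f"non-clinical role '{r['role']}' viewed chart {r['patient']}"))
            continue
        # Finding 2 candidate: clinical user viewing a patient outside their unit.
        if r["patient_unit"] != r["home_unit"]:
            cross_unit[r["user"]].add(r["patient"])
    for user, patients in cross_unit.items():
        # A single float or consult is normal; a run of off-unit charts is not.
        if len(patients) >= cross_unit_threshold:
            findings.append((user, f"viewed {len(patients)} charts outside home unit"))
    return findings


def flagged_users(text):
    """Convenience wrapper: sorted set of user ids with at least one finding."""
    return sorted({user for user, _ in review_access(parse_log(text))})


if __name__ == "__main__":
    for user, reason in review_access(parse_log(SAMPLE_LOG)):
        print(user, "-", reason)
```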

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

HIPAA-Regulated Entity | Penalty Amount | Penalty Type | Individuals Affected | Reason for Penalty
LA Care Health Plan | $1,300,000 | Settlement | 1,498 | Risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and impermissible disclosure of PHI
Banner Health | $1,250,000 | Settlement | 2.81 million | Risk analysis failure, lack of reviews of information system activity, lack of verification of identity for access to PHI, and a lack of technical safeguards
Lafourche Medical Group | $480,000 | Settlement | 34,862 | No risk analysis prior to the 2021 phishing incident, and no procedures to regularly review logs of system activity prior to the incident
MedEvolve Inc. | $350,000 | Settlement | 230,572 | Risk analysis failure, lack of a business associate agreement, and an impermissible disclosure of PHI
Yakima Valley Memorial Hospital | $240,000 | Settlement | 419 | Lack of HIPAA Security Rule policies and procedures
Optum Medical Care | $160,000 | Settlement | 6 | Failure to provide individuals with timely access to their medical records
Doctors’ Management Services | $100,000 | Settlement | 206,695 | Risk analysis failure, lack of reviews of records of system activity, lack of policies/procedures to comply with the HIPAA Security Rule, and impermissible disclosure of PHI
UnitedHealthcare | $80,000 | Settlement | 1 | Failure to provide an individual with timely access to their medical records
St. Joseph’s Medical Center | $80,000 | Settlement | 3 | Disclosure of the PHI of patients to a reporter and a lack of HIPAA Privacy Rule training
iHealth Solutions (Advantum Health) | $75,000 | Settlement | 267 | Risk analysis failure and an impermissible disclosure of PHI
Manasa Health Center, LLC | $30,000 | Settlement | 4 | Impermissible PHI disclosure in response to online review
Life Hope Labs, LLC | $16,500 | Settlement | 1 | Failure to provide an individual with timely access to their medical records
David Mente, MA, LPC | $15,000 | Settlement | 1 | Failure to provide an individual with timely access to their medical records

Attorney General Penalties for HIPAA Violations in 2023

There was a major increase in enforcement actions by state attorneys general in 2023 in response to security breaches in healthcare, with 15 settlements reached with HIPAA-regulated entities to resolve violations of HIPAA and state consumer protection laws. In 2022 there were only three settlements with attorneys general to resolve HIPAA violations, four in 2021, and three in 2019. The majority of the penalties imposed in 2023 by state attorneys general resolved violations of the HIPAA Security Rule that were uncovered during data breach investigations. The majority of these cases involved a lack of reasonable and appropriate security measures such as multifactor authentication, access controls, encryption, security testing, data logging and monitoring, data retention, and up-to-date asset inventories.

Four settlements in 2023 came from multi-state actions. Since the entities concerned operated in multiple states, attorneys general pooled their resources and conducted joint investigations. The largest penalty of the year was imposed on Blackbaud and resolved multiple violations of the HIPAA Security Rule that contributed to a breach of the personal and protected health information of 5.5 million individuals. State attorneys general in Oregon, New Jersey, Florida & Pennsylvania joined forces in an investigation of a 2.1 million-record data breach at EyeMed Vision Care, and Pennsylvania & Ohio conducted a joint investigation of DNA Diagnostics Center over a 45,600-record data breach, both of which uncovered multiple HIPAA Security Rule failures.

32 states and Puerto Rico participated in an investigation of the Puerto Rican healthcare clearinghouse, practice management software, and electronic medical record provider Inmediata. HIPAA Security Rule failures were identified that led to a breach of the protected health information of more than 1.5 million individuals, followed by violations of the HIPAA Breach Notification Rule. California imposed a massive penalty on Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals. The case was resolved for $49 million and related to the improper disposal of PHI and hazardous waste, with the bulk of the settlement amount concerned with the latter.

State Attorney General | HIPAA-Regulated Entity | Penalty Amount | Penalty Type | Individuals Affected | Reason for Penalty
49 States and the District of Columbia | Blackbaud | $49,500,000 | Settlement | 5,500,000 | Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | Settlement | 7,700 | Violations of HIPAA for the improper disposal of PHI and violations of several state laws for the improper disposal of hazardous waste
Oregon, New Jersey, Florida & Pennsylvania | EyeMed Vision Care | $2,500,000 | Settlement | 2.1 million | Lack of administrative, technical, and physical safeguards, and access control failures – use of the same password by several employees
32 States and Puerto Rico | Inmediata | $1,400,000 | Settlement | 1,565,338 | Failure to implement appropriate safeguards to ensure data security, failure to conduct a secure code review, and data breach notification failures
New York | Practicefirst | $550,000 | Settlement | 1.2 million | Patch management failure, lack of encryption, and a lack of security testing
New York | U.S. Radiology Specialists Inc. | $450,000 | Settlement | 198,260, including 92,540 New York residents | Failure to upgrade hardware to address a known vulnerability
California | Kaiser Permanente | $450,000 | Settlement | Up to 167,095 individuals | Mailing error that resulted in an impermissible disclosure of PHI, failure to promptly halt mailings when there was a known error, and negligent maintenance or disposal of medical information
New York | Healthplex | $400,000 | Settlement | 89,955 (62,922 New York residents) | Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
New York | Personal Touch Holding Corp dba Personal Touch Home Care | $350,000 | Settlement | 753,107 (316,845 New York residents) | Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
New York | New York Presbyterian Hospital | $300,000 | Settlement | 54,396 | Violations of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels on its website that transmitted PHI to third parties
Indiana | Schneck Medical Center | $250,000 | Settlement | 89,707 | Failure to address known vulnerabilities in a timely manner and breach notification failures
New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | Settlement | 61,438 New York residents | Widespread non-compliance with the HIPAA Security Rule – 17 HIPAA violations
Pennsylvania & Ohio | DNA Diagnostics Center | $400,000 | Settlement | 45,600 | Lack of safeguards to detect and prevent unauthorized access, failure to update asset inventory, and failure to disable/remove assets that were not used for business purposes
Indiana | CarePointe ENT | $125,000 | Settlement | 48,742 | Failure to correct known security issues in a reasonable time frame, lack of business associate agreement
Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended) | Settlement | 677 | Violations of HIPAA data encryption requirements, violation of state data protection laws, and deceptive trading practices

Outlook for 2024

It has been a particularly bad year for security breaches in healthcare with hacking incidents continuing to increase in number as well as severity. Cyber actors will continue to target the healthcare industry and with fewer victims paying ransoms, these attacks may even increase as ransomware actors attempt to maintain their incomes. In 2023 we saw increasingly aggressive tactics by ransomware groups including swatting attacks on patients when their healthcare provider refused to pay the ransom and these aggressive tactics look set to continue.

To reduce security breaches in healthcare, more must be done than achieving the minimum cybersecurity standards of the HIPAA Security Rule. If all healthcare organizations implemented the recently announced HHS Essential Cybersecurity Goals, there would be a marked reduction in healthcare cybersecurity breaches in 2024. In practice that will be difficult for many healthcare organizations due to limited budgets and a chronic shortage of skilled cybersecurity professionals; however, the HHS plans to make funding available to help cover the initial cost of security improvements and establish an incentive program for adopting the Enhanced Security Goals. These measures will go a long way toward raising the baseline level of cybersecurity in the healthcare industry and improving resilience to cyber threats.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Security Breaches in Healthcare in 2023 appeared first on HIPAA Journal.

Keenan & Associates Data Breach Affects More Than 1.5 Million Individuals

The Torrance, CA-based insurance broker Keenan & Associates has recently reported a cybersecurity incident to the Maine Attorney General that has affected 1,509,616 individuals. Keenan & Associates is part of AssuredPartners NL, one of the largest brokerage firms in the United States. The company has clients across a variety of industries, including healthcare, education, and the public sector.

The cybersecurity incident was detected on Sunday, August 27, 2023, when some of its network servers were disrupted. Action was immediately taken to contain the attack and isolate the affected network servers and third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that there had been unauthorized access to its internal systems at various points between August 21, 2023, and August 27, 2023, and during that time, certain files were exfiltrated from its systems. Some of those files contained personal data provided by its clients along with some employee data. The review of those files confirmed they contained names in combination with one or more of the following: date of birth, Social Security number, passport number, driver’s license number, health insurance information, and general health information.

Keenan & Associates said additional security protocols have been implemented to enhance network, data, and system security, and its security measures will continue to be evaluated to determine if further steps need to be taken to harden cybersecurity defenses. The incident has also been reported to the Federal Bureau of Investigation (FBI) and Keenan & Associates has been assisting the FBI with its investigation.

While data theft was confirmed, Keenan & Associates is unaware of any actual or attempted misuse of the stolen data. As a precaution, affected individuals have been offered complimentary credit monitoring, identity theft protection, and identity theft resolution services. Keenan & Associates did not publicly disclose the names of the affected clients, so it is unclear at this stage whether the breach is reportable under the Health Insurance Portability and Accountability Act.


314,000 Patients Affected by Cyberattack on CompleteCare Health Network

CompleteCare Health Network, a health system serving patients in southern New Jersey, has recently confirmed that the protected health information of 313,973 patients has potentially been compromised in an October 2023 ransomware attack.

An unauthorized third party gained access to certain CompleteCare Health Network computer systems and attempted to use ransomware to encrypt files. CompleteCare Health Network said this was a sophisticated ransomware attack that was detected and stopped on or around October 12, 2023. Third-party cybersecurity experts were engaged to investigate the attack and determine the nature of any unauthorized activity, and whether any patient data was involved. The substitute breach notice on the CompleteCare Health Network website states, “Please know that we have taken steps to ensure your data will not be further published or distributed,” which appears to confirm that data was exfiltrated, that the threat group behind the attack threatened to publish it, and that payment was made to prevent that outcome.

CompleteCare Health Network conducted a review of all files on the affected systems and confirmed they contained protected health information. The types of information involved varied from patient to patient and may have included names, phone numbers, addresses, and some sensitive personal information and/or personal health information. Notification letters started to be mailed to the affected individuals on December 15, 2023. Each individual notification letter states the exact types of data involved. CompleteCare Health Network said no reports have been received to indicate any actual or attempted misuse of patient data, but as a precaution, complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

“Data security is one of our highest priorities. Upon discovering the incident, we immediately took the affected systems offline and began the process of securing and confirming the fortification of our systems,” said a spokesperson for CompleteCare Health Network. Measures taken in response to the breach include revising policies and procedures and network security software, and reviewing how patient data are stored and managed. Since the attack, the network has been monitored 24/7 by third-party cybersecurity experts and CompleteCare Health Network has engaged leading cybersecurity firms to assist with monitoring its network for the long term.


Plaza Radiology Data Breach Affects Up to 569,000 Patients

Plaza Radiology, which does business as Chattanooga Imaging across several locations in Tennessee and North Georgia, has suffered a cyberattack and data breach that has affected up to 569,000 patients.

Plaza Radiology identified the cyberattack on October 21, 2023, but did not disclose any details about the nature of the attack, other than stating that the initial results of the forensic investigation confirmed there had been unauthorized access to a small number of files on its network that contained patient information.

The analysis of the results from the forensic investigation is ongoing and, at this stage, there have been no reports of any actual or attempted misuse of patient data. Plaza Radiology reported the data breach to the HHS’ Office for Civil Rights on December 20, 2023, and said it will be mailing individual notification letters to the affected patients when the specific individuals affected have been identified and the types of data involved have been determined.

Legal counsel for Plaza Radiology confirmed that several steps have been taken in response to the security breach to improve cybersecurity and prevent similar breaches in the future. Those measures include changing passwords on accounts, enabling multi-factor authentication, replacing the affected desktop computers and network servers, and providing enhanced security awareness training to the workforce.

Plaza Radiology has confirmed that complimentary credit monitoring and identity theft protection services will be offered to individuals whose sensitive information was accessed in the attack and encourages all patients to be vigilant against identity theft and fraudulent uses of their data.


Columbus Regional Healthcare System Reports 133K Record Data Breach

Columbus Regional Healthcare System in Whiteville, NC, has notified the Maine Attorney General about a cybersecurity incident involving the theft of patient data. Unauthorized individuals had access to its network between May 19, 2023, and May 21, 2023, during which time files were removed from its network.

The file review was completed on December 28, 2023, and individual notifications have now been mailed to the affected individuals. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, driver’s license number, state identification number, passport number, alien registration number, financial account information, medical information (date(s) of service, treatment/diagnosis information, medical record number, patient account number, and/or prescription information) and/or health insurance policy information.

The notification to the Maine Attorney General indicates 132,887 individuals were affected. The healthcare system said no evidence has been found to indicate any actual or attempted misuse of that data. As a precaution against identity theft and fraud, complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed. Columbus Regional Healthcare said it had implemented safeguards to protect against unauthorized access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal information.

Senior PsychCare Notifies 75,000 Patients About December 2022 Data Breach

Texas-based Psychological Holdings, PLLC, which does business as Senior PsychCare (SPC), has notified 75,000 patients that some of their protected health information was exposed in a December 2022 security breach. According to the breach notification letters, unauthorized individuals had access to its network between December 13, 2022, and December 22, 2022.

Senior PsychCare engaged third-party cybersecurity professionals to conduct a forensic investigation which was followed by a manual review of all files on the parts of its network that were accessible to the attackers. That process was completed on November 20, 2023, and confirmed that the exposed information included names, addresses, Social Security numbers, medical information, and health insurance information.

Senior PsychCare said it is unaware of any actual or attempted misuse of patient data and has offered the affected individuals complimentary credit monitoring services as a precaution. SPC said it had cybersecurity measures in place to protect against unauthorized data access and continually evaluates and modifies its practices and internal controls to enhance the security and privacy of personal data.

Primary Health & Wellness Center Discloses October 2023 Ransomware Attack

Primary Health & Wellness Center in Baltimore County, MD, has recently notified 4,792 individuals that some of their protected health information was potentially compromised in a ransomware attack that was detected on October 20, 2023. According to the substitute breach notice, the affected server contained the medical records of patients from 2018 to present, which included names, addresses, dates of birth, Social Security numbers, and medical record data. The forensic investigation uncovered no evidence to indicate data was exfiltrated from the server before files were encrypted, and typically threat actors that use Phobos ransomware are not known to exfiltrate data. That said, it was not possible to totally rule out the possibility of data theft.

While data theft is not thought to have occurred, the affected patients have been advised to monitor their account statements and credit reports for potential fraudulent activity and to promptly report any suspected fraudulent activity to law enforcement. Primary Health & Wellness Center said it takes its responsibilities under HIPAA and the Maryland Confidentiality of Medical Records Act very seriously and genuinely apologizes for the incident and inconvenience caused.

PHI Compromised in Coastal Hospice & Palliative Care Cyberattack

Coastal Hospice & Palliative Care in Salisbury, MD, has recently announced that it suffered a cyberattack on July 24, 2023, that caused network disruption. Cybersecurity experts were engaged to investigate the incident and confirmed that its network had been accessed by unauthorized individuals. A review was conducted of all files on the network that had been exposed and may have been obtained by the attackers, and that process was completed on November 20, 2023. Notification letters were mailed to the affected individuals on January 22, 2024.

The information exposed and potentially stolen included names, Social Security numbers, dates of birth, medical diagnosis information, health insurance policy numbers, physician or medical facility information, medical condition or treatment information, and patient account numbers. The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.

Aria Care Partners Discloses May 2023 Cyberattack

Aria Care Partners in Overland Park, KS, has recently disclosed a cybersecurity incident that occurred in May 2023. The forensic investigation confirmed there had been unauthorized access to its vision file server. A comprehensive review was conducted of all files on the server which was completed in December 2023 and confirmed that files had been exposed that contained patient names, dates of birth, Social Security numbers, driver’s license numbers, diagnosis, treatment information, and health insurance information.

Notification letters were mailed to the affected individuals on January 19, 2024, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy, dark web monitoring, and identity theft recovery services.

The incident has been reported to the appropriate authorities, but it is not currently displayed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals were affected.


Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit

A $7.25 million settlement has been proposed to resolve a class action lawsuit – In re: Lincare Holdings Inc. Data Breach Litigation – filed against Lincare Holdings over a September 2021 data breach that affected 2,918,444 individuals.

Lincare Holdings is a provider of in-home respiratory care and equipment. In September 2021, unauthorized activity was detected within its network and the forensic investigation confirmed an unauthorized third party had gained access to files containing patient data. The exposed protected health information included names, addresses, Lincare account numbers, dates of birth, treatment information, provider names, dates of service, diagnosis and procedure information, account or record numbers, health insurance information, and prescription information, and for a small number of affected individuals, Social Security numbers.

Legal action was taken by the affected individuals who alleged that Lincare Holdings was negligent for failing to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been avoided. Lincare has not admitted any wrongdoing but has proposed a settlement to end the litigation.

Class members will be permitted to submit claims for up to $5,000 as reimbursement for out-of-pocket losses fairly traceable to the data breach, including up to 4 hours of lost time at $20 per hour. Recoverable losses include bank fees, credit fees, communication costs, unreimbursed fraudulent charges, and losses to identity theft. Individuals who were California residents at the time of the breach can also claim an additional $90.

All class members are eligible to receive a one-year membership to Medical Shield services, which includes medical record monitoring, health insurance monitoring, dark web monitoring, real-time authentication alerts, high-risk transaction monitoring, Medicare monitoring, provider monitoring, HSA monitoring, ICD monitoring, credit freeze assistance, and identity theft remediation services. They will also be covered by a $1 million identity theft insurance policy.

Claims must be submitted by April 15, 2024, and any class member wishing to object to or exclude themselves from the settlement must do so by March 14, 2024. The final hearing has been scheduled for June 12, 2024.

The plaintiff and class members were represented by John A. Yanchunis of Morgan & Morgan; Stephen R. Basser of Barrack Rodos & Bacine; Raina Borrelli of Turke & Strauss LLP; Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC; and Carl V. Malmstrom of Wolf Haldenstein Adler Freeman & Herz LLC.


Meridian Behavioral Healthcare Discloses 99,000-Record Data Breach

Data breaches have recently been reported by Meridian Behavioral Healthcare, Network 180, Erie VA Medical Center, and Fred Hutchinson Cancer Center.

Meridian Behavioral Healthcare

Meridian Behavioral Healthcare, Inc. in Florida has recently confirmed that protected health information was exposed in a security breach that was detected on August 11, 2023. Third-party cybersecurity specialists were engaged to investigate the breach and on December 4, 2023, confirmed that 98,808 individuals had been affected. Written notifications were mailed on December 22, 2023. The information exposed in the breach varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Meridian Behavioral Healthcare said it is not aware of any misuse of patient data but has offered the affected individuals complimentary credit monitoring services. Additional security measures have been implemented within its network, and data security policies and procedures are being reviewed and will be updated to better protect patient data.

Network 180

The Kent County Community Mental Health Authority, which does business as Network 180, has notified 59,334 individuals about unauthorized access to their protected health information. A security breach was detected on October 18, 2023, and the attack was contained by the IT department the same day. Third-party cybersecurity experts were engaged to investigate the breach and confirmed on October 25, 2023, that the unauthorized activity stemmed from a phishing attack.

An employee clicked a malicious link in an email that directed them to a website where they were prompted to enter their credentials, which were captured by the attacker and used to access the employee’s email account. Network 180 said multi-factor authentication was enabled on the employee’s account; however, the MFA controls were bypassed in the attack. The threat actor was able to access the employee’s email account between September 28, 2023, and October 18, 2023, and during that time exported data from the account, including names, addresses, dates of birth, full or partial Social Security Numbers, health insurance policy information, medical information, other demographic information (i.e., race or gender), and in a limited number of cases, financial account or payment card numbers and/or driver’s license numbers.

Network 180 said it has taken several steps to improve the security of its Office 365 email accounts and has hired cybersecurity staff to proactively monitor its systems. The affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Network 180 deserves credit for being transparent about the data breach and providing detailed information in its breach notice to the affected individuals.

Erie VA Medical Center

Erie VA Medical Center has apologized for an impermissible disclosure of patient data in mid-November. A printing error was made when sending appointment scheduling and appointment reminders to patients, which resulted in the reminders being sent to incorrect patients. The postcards only included information concerning the appointment and did not include sensitive or other identifying information. 2,380 veterans in Delaware, Kentucky, Maryland, New Jersey, New York, Ohio, Pennsylvania, Virginia, & West Virginia were affected. The postcards were sent to the correct recipients on November 16, 2023.

Fred Hutchinson Cancer Center

Fred Hutchinson Cancer Center has notified 544 patients that some of their sensitive data has potentially been exposed. Fred Hutch was notified on October 27, 2023, by a provider that their laptop computer had been lost while traveling. The laptop was used to access a Microsoft Outlook application through which patient information could be accessed. The provider said the laptop was password protected and has now been configured to initiate a remote wipe of the hard drive if it comes online. Fred Hutch conducted a review to find out what types of data were accessible through the laptop and determined that names, addresses, phone numbers, dates of birth, medical record numbers, patient account numbers, dates of service, and certain clinical information had been exposed, and for a limited number of patients, also Social Security numbers.

Notification letters were sent on December 26, 2023, and complimentary credit monitoring services have been made available to individuals who had their Social Security numbers exposed. Fred Hutch has provided additional education to the workforce on safeguarding mobile devices. This is the second data breach to be reported by Fred Hutchinson Cancer Center in the past few weeks. A much more serious breach occurred between November 19 and November 25, 2023, when a cybercriminal group breached its network and stole patient data. Fred Hutch has not yet confirmed how many patients have been affected, but the hackers claimed to have stolen the data of around 800,000 patients. When the ransom was not paid, the threat actors started threatening patients directly.


December 2023 Healthcare Data Breach Report

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2024, 725 data breaches of 500 or more healthcare records had been reported to OCR for 2023, the highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2024, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Data Breach
HealthEC LLC NJ Business Associate 4,452,782 Hacking incident (Data theft confirmed)
ESO Solutions, Inc. TX Business Associate 2,700,000 Ransomware attack
Transformative Healthcare (Fallon Ambulance Services) MA Healthcare Provider 911,757 Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI FL Healthcare Provider 542,990 Hacking incident
Cardiovascular Consultants Ltd. AZ Healthcare Provider 484,000 Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC MD Healthcare Provider 455,935 Ransomware attack
CompleteCare Health Network NJ Healthcare Provider 313,973 Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus NY Healthcare Provider 264,197 Hacking incident (Data theft confirmed)
Independent Living Systems, LLC FL Business Associate 123,651 Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc. LA Health Plan 105,387 Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc. FL Healthcare Provider 98,808 Hacking incident
Mercy Medical Center IA Healthcare Provider 97,132 Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc. LA Business Associate 94,807 Hacking incident (MOVEit)
Regional Family Medicine AR Healthcare Provider 80,166 Hacking incident
HMG Healthcare, LLC TX Healthcare Provider 80,000 Hacking Incident (Data theft confirmed)
Heart of Texas Behavioral Health Network TX Healthcare Provider 63,776 Hacking incident
Kent County Community Mental Health Authority d/b/a Network180 MI Healthcare Provider 59,334 Unauthorized email account access
Highlands Oncology Group PA AR Healthcare Provider 55,297 Ransomware attack
Southeastern Orthopaedic Specialists, PA NC Healthcare Provider 35,533 Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC FL Healthcare Provider 31,189 Hacking incident (Data theft confirmed)
Clay County Social Services MN Business Associate 22,005 Ransomware attack (Data theft confirmed)
Bellin Health WI Healthcare Provider 20,790 Hacking incident
Neuromusculoskeletal Center of the Cascades, PC OR Healthcare Provider 19,373 Unauthorized email account access
Independent Living Systems, LLC FL Healthcare Provider 19,303 Hacking incident (MOVEit)
Community Memorial Healthcare, Inc. KS Healthcare Provider 14,798 Hacking incident
VNS Choice dba VNS Health Health Plans NY Health Plan 13,584 Unauthorized email account access
Hi-School Pharmacy WA Healthcare Provider 12,779 Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents in which there was merely a possibility of unauthorized access to or theft of patient data, even though the threat actors behind the attacks have claimed responsibility and added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, the HHS published its Healthcare Sector Cybersecurity Strategy, a concept paper that details several steps it plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024, and the HHS has stated that it will establish voluntary cybersecurity goals for the healthcare sector and will work with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity type in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health plans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 8 large data breaches, followed by New York and Texas with 7 reported breaches each.

State Number of Breaches
California 8
New York & Texas 7
Florida 6
Massachusetts 4
New Jersey, Tennessee & Wisconsin 3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington 2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia 1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including the failure to conduct a risk analysis prior to the 2021 phishing attack and the lack of procedures for regularly reviewing logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments, failings which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients

Singing River Health System has confirmed that the PHI of 253,000 patients was compromised in an August 2023 ransomware attack. Data breaches have also been reported by Highlands Oncology Group, Fincantieri Marine Group, Senior Scripts, and Family Healthcare.

Singing River Health System

Singing River Health System in Mississippi experienced a ransomware attack in August 2023 that took its IT systems out of action for several days, including its electronic medical record system. Without access to patient data and essential IT systems, operations were disrupted, although care continued to be provided to patients throughout. The Rhysida ransomware group claimed responsibility for the attack.

The attack was detected on August 19, 2023, and the forensic investigation confirmed there had been unauthorized network access between August 16 and August 18, 2023. When the initial announcement about the attack was made, it was unclear if any patient data had been compromised and as the deadline for reporting the breach to the HHS’ Office for Civil Rights approached it was still unclear exactly how many patients had been affected, so the breach was reported with an interim figure of 501 individuals.

On September 13, 2023, Singing River Health System confirmed that data had been exfiltrated from its systems, and an update was provided on October 18, 2023, although the extent of the breach had still not been confirmed. On December 18, 2023, Singing River Health System confirmed that the protected health information of 252,890 patients had been compromised. The data involved included names, dates of birth, addresses, Social Security numbers, medical information, and health information.

Notification letters were mailed to the affected individuals on January 12, 2023, and the affected patients have been offered complimentary credit monitoring and identity theft protection services.

Highlands Oncology Group

Highlands Oncology Group in Arkansas experienced a ransomware attack in September 2023. The attackers gained access to parts of its network that contained the protected health information of 55,297 patients. The attack was detected on September 26, 2023, and immediate action was taken to isolate its network to prevent further unauthorized access. The forensic investigation confirmed the attackers had access to its network between September 25, 2023, and September 26, 2023, and that files may have been acquired before ransomware was used to encrypt files.

The review confirmed on November 27, 2023, that the following types of information may have been accessed or acquired in the attack: name, date of birth, Social Security number, driver’s license/state ID number, passport number, military ID number, financial account number, credit/debit card number with and without expiration date and security code, health insurance information, and clinical information, such as diagnosis/conditions, lab results, and prescription information.

While no cases of identity theft or fraud have been tied to the incident, as a precaution, individuals whose Social Security numbers and/or driver’s license/state ID numbers were involved have been offered complimentary identity theft protection services.

Fincantieri Marine Group

Fincantieri Marine Group, LLC, the U.S. arm of the Italian shipbuilder, has confirmed that the protected health information of 11,535 members of its group health plan was compromised in an April 2023 ransomware attack. Fincantieri said the attack was detected on April 12, 2023, and the outage caused significant production disruption, as it affected servers that fed information to machines used for welding, cutting, and other manufacturing processes, which were taken out of action for several days.

Fincantieri announced the attack in April 2023; however, the extent of the attack was unclear at the time. It has since been confirmed that the attackers had access to its network between April 6, 2023, and April 12, 2023, and that during that period files were exfiltrated from its network. Fincantieri’s review of the files on the affected part of its network confirmed on November 6, 2023, that the data of 16,769 individuals had been exposed and potentially stolen, including 11,535 members of its group health plan. The affected individuals were notified about the incident on January 5, 2023, and 2 years of complimentary credit monitoring services have been offered.

Senior Scripts

Midwest Long Term Care Services, which does business as Senior Scripts, recently confirmed that the protected health information of 10,566 patients was compromised in a security incident that disrupted some of its IT systems. The cyberattack was detected and blocked on October 20, 2023, and the forensic investigation confirmed that the attackers first accessed its system on October 8, 2023. Files containing patient data were potentially removed from its network; the files included information such as names, contact information, insurance information, dates of birth, prescription information, and Social Security numbers. Network monitoring capabilities have been enhanced and security measures will continue to be reviewed and improved to prevent similar incidents in the future.

Family Healthcare

Family Healthcare in North Dakota has recently announced that it has been affected by a data breach at its business associate Brady Martz & Associates. Brady Martz & Associates is a North Dakota-based provider of tax-related services, audit and financial guidance, and bookkeeping and payroll assistance.

Brady Martz & Associates was provided with the data of Family Healthcare employees and certain patients in order to complete its contracted duties, which included auditing patient billing documents. Brady Martz & Associates promptly detected a security breach in November 2022 and engaged cybersecurity experts to investigate to determine the extent of the breach, which was discovered to have affected more than 53,000 individuals. The breach was announced by Brady Martz & Associates on September 8, 2023.

According to Brady Martz & Associates, the information exposed and potentially compromised in the attack included patient and/or employee names, dates of birth, ages, phone numbers, financial account information, health insurance information, patient account numbers, Social Security numbers, and information regarding care received at Family Healthcare facilities. It is unclear how many Family Healthcare patients were affected and why it took until January 11, 2024, for Family Healthcare to publicly announce the breach.

The post Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients appeared first on HIPAA Journal.