HIPAA Breach News

Ardent Health Services Ransomware Attack Affects Hospitals in 6 States

Posted by Steve Alder

Brentwood, Tennessee-based Ardent Health Services, which operates 30 hospitals and has more than 200 sites of care across the country, has suffered a ransomware attack that has impacted hospitals in 6 states – Texas, Idaho, Kansas, New Jersey, New Mexico, and Oklahoma. The attack has resulted in emergency rooms being placed on divert, with new emergency patients redirected to alternate healthcare facilities. Without access to IT systems, some non-urgent elective surgeries have been canceled and will be rescheduled when access is restored to IT systems.

Several Ardent Health Services facilities had already announced over the Thanksgiving weekend that they were investigating network outages that started on Thanksgiving Day. Emergency downtime protocols had been implemented and patient information was being recorded using pen and paper due to the lack of access to IT systems and patient data. Ardent Health Services issued a statement on Monday confirming that the disruption had been caused by a ransomware attack.

Unauthorized activity was first detected on the morning of November 23, 2023, and it was subsequently determined to have been caused by a ransomware attack. At the time of writing, no ransomware group has claimed responsibility for the attack. Ardent said it immediately took its network offline, suspended user access to its technology applications, corporate servers, Epic EMR system, and its Internet and clinical programs, and implemented its downtime protocols.

The health system is working to restore access to its IT systems as quickly as possible and, in the meantime, ambulances are likely to remain on divert until its IT operations have been restored. There is also likely to be ongoing disruption to its clinical and financial operations; however, patient care continues to be provided safely and effectively in all of its hospitals. Third-party cybersecurity experts have been engaged to assist with the investigation and determine the scope of the attack and the extent to which patient data was compromised, and the incident has been reported to law enforcement. A time frame could not be provided for how long it will take to restore its IT systems and determine the extent, if any, that that patient data has been compromised.

The HIPAA Journal first reported outages at several hospitals early on Monday. Details of the affected hospitals can be found in this post.

The post Ardent Health Services Ransomware Attack Affects Hospitals in 6 States appeared first on HIPAA Journal.

BlackCat Ransomware Group Re-encrypts Henry Schein Data

Posted by Steve Alder

The BlackCat ransomware group conducted a ransomware attack on the Fortune 500 firm Henry Schein and claimed to have stolen 35 TB of sensitive data. The healthcare giant was engaged in ongoing discussions with the group but negotiations had stalled. According to a spokesperson for the BlackCat group, “We have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network.” Just as Henry Schein was about to finish restoring its systems, the BlackCat hackers struck again and re-encrypted its data.

Henry Schein confirmed in an October 15, 2023, announcement that it had been forced to take some of its systems offline to contain a cyberattack that had affected its manufacturing and distribution businesses. According to the announcement, the attack occurred the previous day. The company had been working around the clock to resolve the situation and bring its systems online, and as its investigation progressed it became clear that the ransomware group had gained access to sensitive customer and supplier information. That information included personal information, bank account information, and payment card numbers. Around two weeks after Henry Schein announced the attack, the BlackCat ransomware group claimed responsibility and added Henry Schein to its data leak site.

Henry Schein has now confirmed that the second attack resulted in applications such as its e-commerce platform being made unavailable; however, Henry Schein anticipated a quick recovery from the attack and only expected it to cause short-term disruption. Following the attack, the BlackCat group threatened to publish internal payroll data on its data leak site within a few hours if Henry Schein refused to negotiate, and claimed additional data would be released on a daily basis thereafter. Instead of posting data, BlackCat removed the listing. That could mean Henry Schein has started negotiating again or that a ransom payment has been made. Entries on the data leak sites of ransomware groups are typically only removed if a ransom has been paid.

The post BlackCat Ransomware Group Re-encrypts Henry Schein Data appeared first on HIPAA Journal.

Texas and Idaho Healthcare Providers Suffer Thanksgiving Day Cyberattacks

Posted by Steve Alder

Cyber actors often time their attacks to coincide with holiday periods when IT staffing levels are likely to be reduced to increase the probability of being able to access networks and exfiltrate data undetected, especially during Thanksgiving weekend. This year is no exception. A medical center in Idaho and an East Texas health system have announced that they are currently investigating potential cyberattacks that started on Thanksgiving Day. The nature of the attacks has not yet been disclosed and, at such an early stage in the investigations, it is unclear if patient data has been exposed or stolen.

UT Health East Texas, Texas

Tyler, TX-based UT Health East Texas, the operator of 10 hospitals and more than 90 healthcare clinics in East Texas, has confirmed that it experienced a network outage on Thursday, November 24, 2023. Steps were immediately taken to lock down its network to prevent any further unauthorized access. Without access to critical IT systems, ambulances were put on divert; however, care continues to be provided to patients with the health system operating under established downtime procedures. A statement was issued by a UT Health East Texas spokesperson saying network access is expected to be restored in around 24-36 hours, although it is currently unclear if that has happened.

Portneuf Medical Center, Idaho

Portneuf Medical Center in Pocatello, IA, has launched an investigation into a possible cyberattack and data breach that was detected on November 24, 2023. The attack resulted in a network outage, and the decision was taken to put the emergency room on divert status until access to its network was restored. The medical center is operating under established downtime procedures and says patient care has been unaffected.

Three Further Healthcare Providers Added to Hacking Group Data Leak Sites

Three healthcare providers have recently been added to the data leak sites of hacking groups.

Vanderbilt University Medical Center, Tennessee

Vanderbilt University Medical Center (VUMC), which operates seven hospitals and many healthcare facilities in and around Nashville, TN, has confirmed an investigation has been launched into a recent cyberattack. While the nature of the cyberattack has not yet been disclosed, VUMC has confirmed that a database was compromised in the attack, although the preliminary results of the investigation indicate neither patient nor employee data were stolen in the attack.

On November 24, 2023, VUMC was added to the Meow Leaks data leak site, along with 7 (non-healthcare) victims. The listing indicates the attack occurred on November 2, 2023, and the group claims to have 100% leaked the stolen data and has threatened to hack VUMC again if the ransom is not paid.

Crystal Lake Health Centers, Michigan

Crystal Lake Health Centers, the operator of 11 health centers in Michigan, has recently been added to the Hunters International data leak site. The listing includes a sample of 47.5 MB of data as evidence of the attack, and the group claims to have exfiltrated 120 GB of data in total including patient information such as contact details, SSNs, and insurance data. Hunters International is primarily a data theft and extortion group; however, has recently acquired the infrastructure and source code of the now-defunct Hive ransomware group.

Granger Medical Clinic, Utah

Granger Medical Clinic in Riverton, UT, was added to the data leak site of the NoEscape ransomware group on November 24, 2023.  It is not clear from the listing when the attack occurred but it appears that the clinic entered into negotiations before refusing to pay the ransom. The group claims to have infiltrated 38 GB of data and has published screenshots as proof of the attack. The NoEscape group claims to have successfully encrypted data on the network and exfiltrated employee data and patient data, including names, contact information, more than 2,000 passports, and tens of thousands of SSNs. The group demanded payment of $700,000 to prevent the release of the stone data.

The medical clinic has not yet announced the ransomware attack and data breach but has posted a notice on its website warning about emails that claim to be from Granger Medical Clinic about employment opportunities and said communications would only come from @GRANGERMEDICAL.COM, @SEND.APPLICANTEMAILS.COM, or @APPLICANTEMAIL.COM and the clinic would never ask for payment in relation to job opportunities. It is unclear if this scam is related to the ransomware attack.

The post Texas and Idaho Healthcare Providers Suffer Thanksgiving Day Cyberattacks appeared first on HIPAA Journal.

Mission Community Hospital Alerts Patients About May 2023 Cyberattack

Posted by Steve Alder

Mission Community Hospital, an acute care hospital serving the patients of the San Fernando Valley in California, has started notifying patients that some of their personal and protected health information was exposed in a May 2023 cyberattack.

Unauthorized access to its network was discovered on May 1, 2023, and the forensic investigation determined that an unauthorized third party accessed its network the same day, including files that contained patient data. The review of the files revealed they contained names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, health insurance plan member IDs, claims data, and clinical information related to the care received at Mission Community Hospital.

Affected individuals have been offered a complimentary one-year membership to a credit monitoring and identity theft protection service. Mission Community Hospital said it has implemented additional safeguards and technical security measures to further protect and monitor its systems. The HHS’ Office for Civil Rights breach portal still shows the placeholder of 500 records in a report submitted on June 30, 2023. 500 is a commonly used placeholder to meet breach reporting requirements until the number of individuals affected is known.

The breach notification letter did not include details about the nature of the attack other than stating ” files containing some of your information may have been subject to unauthorized access,”; however, this appears to have been a ransomware attack. The RansomHouse ransomware group claimed responsibility for the attack and has added Mission Community Hospital to its dark web data leak site. In the listing, the group claims to have infiltrated “more than 2.5 TB” of data. The listing has a downloadable evidence pack, which consists of screenshots of its file system that appear to have been taken on April 16, 2023, around two weeks before unauthorized access was detected. The HIPAA Journal has confirmed that no data is currently showing on the listing, only the screenshots, which could indicate that the data has been sold per the group’s threat or the group is still holding out for payment. Listings are usually removed from data leak sites if a ransom is paid.

RansomHouse was behind a 2023 attack on Warren General Hospital, the listing for which is still on the group’s data leak site along with evidence packs, although there has been no data dump so far. Warren General Hospital recently reported the breach to OCR as affecting 168,921 individuals. A March 2023 attack on Albany ENT & Allergy Services is also listed, which includes a full data dump. According to the OCR breach portal, 224,486 patients of Albany ENT were affected by the attack.

The post Mission Community Hospital Alerts Patients About May 2023 Cyberattack appeared first on HIPAA Journal.

Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients

Posted by Steve Alder

Data breaches have recently been announced by Longhorn Imaging Center in Texas, Woodfords Family Services in Maine, Prestige Care/Prestige Senior Living in Washington, WellLife Network Inc. in New York, and Frederiksted Health Care in the U.S. Virgin Islands.

Longhorn Imaging Center Data Breach

South Austin Health Imaging LLC, which does business as Longhorn Imaging Center in Austin, TX, has recently reported a hacking incident to the HHS’ Office for Civil Rights that has affected 100,643 patients. According to the breach notice submitted to the Texas Attorney General, the breached information included full names, addresses, dates of birth, medical information, and health insurance information. Notification letters are now being sent to the affected individuals.

There is currently no substitute breach notice on the Longhorn Imaging Center website and the imaging center has yet to confirm exactly what happened, including when the breach occurred and when it was detected; however, this appears to have been an attack by the SiegedSec threat group – the group behind the recent attack on the Idaho National Laboratory.

In early June, the group added Longhorn Imaging Center to its data leak site and claimed it had exfiltrated a database that included “physician full names, patient full names, patient treatment info, patient data of birth, patient gender, treatment date, institution name, and lost more.”

Woodfords Family Services Data Breach

Woodfords Family Services, a Westbrook, ME-based provider of services to people with special needs and their families, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 6,691 individuals.

According to its substitute breach notification, the forensic investigation confirmed that its network was accessed by an unauthorized third party on or around June 19, 2023, and files containing a limited amount of personal information may have been removed from its network. The document review confirmed the files contained full names in combination with one or more of the following: address, date of birth, phone number, email address, Social Security number, driver’s license number, government-issued identification number, medical record number, full face photo, unique identifier, certificate/license number, financial account information, credit/debit card information, passport number, medical treatment/diagnosis information, and/or health insurance policy information.

Affected individuals were notified on November 10, 2023, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Prestige Care Data Breach

Prestige Care/Prestige Senior Living in Washington has recently announced that it fell victim to a cyberattack that was detected on or around September 7, 2023, that resulted in its network being infected with malware that prevented access to certain files. The investigation confirmed the unauthorized actor accessed files on its systems the same day the breach was detected.

The investigation and file review are ongoing, and the total number of individuals affected has yet to be determined, although Prestige has said the information of current and former employees and residents was compromised in the attack. The impacted information varies from individual to individual and may include names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

The HIPAA Journal previously reported that the ALPHV/BlackCat ransomware group claimed responsibility for the attack and had added Prestige to its data leak site and claimed to have stolen 260 GB of data. While the listing is still on the leak site, no data is currently downloadable.

WellLife Network Inc. Data Breach

WellLife Network Inc., a New York-based provider of behavioral health services, has recently issued an interim notification about a cyberattack that was detected on September 7, 2023. Third-party cybersecurity specialists were engaged to investigate unauthorized network activity and confirmed that an unauthorized third party accessed its network between August 26, 2023, and September 7, 2023, and viewed and/or copied files containing patient information.

The WellLife Network has started a manual and programmatic review of the affected files to determine the affected data and the number of individuals impacted. That review is ongoing, but it appears that the types of information involved include name, date of birth, demographic information, and/or other personal or health information. Individual notifications will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

Frederiksted Health Care Data Breach

Frederiksted Health Care, Inc., a healthcare provider serving patients in the St. Croix community in the U.S. Virgin Islands, confirmed to local media in late October that it had suffered a cyberattack. Steps were immediately taken to secure its systems and an investigation was launched to determine the nature and scope of the incident. Local media reports indicate this was a ransomware attack. The healthcare provider has recently reported the incident to the HHS’ Office for Civil Rights as affecting 600 individuals.

The post Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients appeared first on HIPAA Journal.

WellTok Data Breach: At Least 3.5 Million Individuals Notified

Posted by Steve Alder

The Denver-based patient engagement company, WellTok, has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool in May 2023. Around 3.5 million individuals have been notified they have been affected by the Welltok data breach.

Welltok, which is owned by Virgin Pulse, works with health plan providers and manages communications with their subscribers through its platform. The company also operates a voluntary online wellness program for health plan subscribers that encourages healthy lifestyle changes. Welltok used the MOVEit Transfer tool for transferring large datasets across the Internet as part of its contracted services with health plans. According to Welltok, it was notified by Progress Software on May 31, 2023, about a vulnerability in the platform and applied the patch and mitigations as recommended by Progress Software. Its initial investigation suggested its MOVEit Transfer server had not been compromised. Then on July 26, 2023, it was alerted about an earlier breach of its MOVEit Transfer server, and on August 11, 2023, confirmed that the Clop group had exploited the vulnerability on May 30, 2023, the day before the patch was released. Data theft was confirmed on August 26, 2023.

A review of the affected files confirmed that they contained the data of health plan members such as names, dates of birth, addresses, and health information. Certain individuals also had their Social Security numbers, Medicare/Medicaid IDs, and health insurance information stolen. A substitute breach notification was uploaded to the Welltok website in October; however, it would only likely be found by individuals who visited the website, as the page had been set as no-index which meant it would not be indexed by search engines.

Welltok notified the Maine Attorney General about the data breach, which was reported as affecting 1,648,848 individuals. The notification was issued on behalf of the following group of health plans of Stanford Health Care:

  • Stanford Health Care
  • Lucile Packard Children’s Hospital Stanford
  • Stanford Health Care Tri-Valley
  • Stanford Medicine Partners
  • Packard Children’s Health Alliance

The Welltok website notification states it is providing notifications on behalf of Sutter Health, Trane Technologies Company LLC, and group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc. Those entities were not included in the Maine Attorney General notification. Sacramento, CA-based Sutter Health previously confirmed that it was affected by the Welltok data breach and said 845,451 individuals had been affected.

Arkansas-based St. Bernards Healthcare, Inc. separately reported the breach to the Maine Attorney General as affecting 89,556 individuals. Corewell Health, which serves patients in southeast Michigan, was also affected by the Welltok data breach and said approximately 1 million patients had been affected along with around 2,500 Priority Health members. Based on the reports so far, Welltok has notified around 3.5 million individuals that they were affected.

“Yet another stark example of supply chain vulnerabilities being exploited by cybercriminals. For far too long companies who develop software platforms have seen cybersecurity as an expense versus a functionality of doing business. Greater due diligence is necessitated by Virgin Pulse per runtime security and vulnerability management,” Tom Kellermann, SVP of Cyber Strategy at Contrast Security told the HIPAA Journal.

The latest tracking data from the cybersecurity firm Emsisoft shows the Clop hacking group mass exploited the vulnerability to attack at least 2,618 organizations globally, and the personal data of at least 77 million individuals was stolen. Emsisoft said the sectors most affected were education, healthcare, financial and professional services. While the vulnerability was exploited in late May, many organizations have only recently confirmed they were affected and those totals are certain to continue to rise. Many lawsuits have been filed in response to these data breaches, against the organizations affected as well as Progress Software. 58 lawsuits against Progress Software were consolidated into a single class action in Federal court in Massachusetts last month, as each made similar claims. The U.S. Securities and Exchange Commission (SEC) has also launched an investigation into Progress Software over the data breach.

“Once a vulnerability is made public, the hourglass is turned and IT teams have limited time before criminals take advantage of the vulnerability if they haven’t done so already,” Dror Liwer, co-founder of cybersecurity company Coro told the HIPAA Journal “To minimize the risk, removal of impacted software, or patching if available, must be immediate. Every sand grain that falls is an opportunity for the criminals, and an exposure to the organization.”

The post WellTok Data Breach: At Least 3.5 Million Individuals Notified appeared first on HIPAA Journal.

Daviess Community Hospital Investigating Potential Cyberattack

Posted by Steve Alder

Daviess Community Hospital, an Ascension St. Vincent affiliated hospital in Washington, IN, has recently announced that it has launched an investigation after being notified by the U.S. Department of Homeland Security (DHS) about a possible security breach. According to the DHS, a security issue was identified during routine monitoring which may have been exploited by cyber actors.

Hospital CEO, Tracy Conway, said all internal systems have been shut down while the incident is investigated by a third-party digital forensics firm. Conway said no evidence has been found to date to indicate unauthorized access to its network or patient data, and no ransom demand has been received by the hospital. Disruption has been caused due to IT systems being taken offline, including phone lines to outpatient clinics and email, and the hospital has effectively been temporarily non-computerized. As a result, services have been limited until systems are restored and some appointments have been cancelled and will have to be rescheduled. The biggest impact is on radiology, as it is not possible to send images to be read. Conway said they are working around the clock to bring IT systems back online and are prioritizing the radiology and pharmacy interfaces.

Wyoming County Community Health System Reports March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has recently notified 24,016 patients about a security incident that was detected on March 28, 2023. While not referred to as a ransomware attack, legal counsel for the health system said the attack disrupted its network. The forensic investigation revealed files containing patient information had been exposed and may have been viewed or acquired by unauthorized individuals in the attack.

A review of the files was completed on November 8, 2023, and confirmed they contained information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, and account numbers. The health system has implemented additional security measures to prevent similar breaches in the future and has offered affected individuals complimentary credit monitoring and identity theft protection services.

Southland Integrated Services Notifies Patients About October 2023 Cyberattack

Southland Integrated Services (SIS), a Californian community-based non-profit organization that operates a Federally Qualified Health Center, has recently notified certain individuals about the exposure of some of their protected health information. SIS explained in its November 10, 2023, breach notification letters that suspicious activity was detected within its computer systems on October 18, 2023.

The forensic investigation confirmed its systems had been accessed by an unauthorized third party between October 16 and October 18, 2023, and during that time, documents were viewed that contained patient data such as names, addresses, dates of birth, vaccination statuses, Social Security numbers, driver’s license numbers, and/or financial account information. Additional safeguards have been implemented to prevent similar breaches in the future and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Daviess Community Hospital Investigating Potential Cyberattack appeared first on HIPAA Journal.

St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purpose of treatment, payment, and healthcare operations but other disclosures of PHI are generally prohibited unless authorization is obtained from a patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, pursuant to the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Disclosures of PHI in Response to Media Enquires

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not disclose information about the patient’s treatment, e.g., labor & delivery, and their condition in general terms. i.e., stable, fair, or critical. All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.

The post St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter appeared first on HIPAA Journal.

October 2023 Healthcare Data Breach Report

Posted by Steve Alder

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median:52 breaches).

October 2023 healthcare data breach report - 12 month breaches

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month percentage decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, to October 31, 2023, more than 82.6 million healthcare records have been exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.

October 2023 healthcare data breach report - 12 month breached records

Largest Healthcare Data Breaches Reported in October 2023

14 breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023.  The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEIt Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected and more than 60 million records were stolen in the attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of breach
Postmeds, Inc. (TruePill) CA Healthcare Provider 2,364,359 Hacking incident (details not disclosed)
Western Washington Medical Group MS Healthcare Provider 350,863 Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. NY Healthcare Provider 279,156 Hacking incident (details not disclosed)
Radius Global Solutions PA Business Associate 135,742 Hacking incident – MoveIT Transfer vulnerability exploited
Dakota Eye Institute ND Healthcare Provider 107,143 Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan AR Health Plan 85,952 Hacking incident (details not disclosed)
Westat, Inc. MD Business Associate 50,065 Hacking incident – MoveIT Transfer vulnerability exploited
Brooklyn Premier Orthopedics NY Healthcare Provider 48,459 Hacking incident (details not disclosed)
PeakMed CO Healthcare Provider 27,800 Hacking incident (Compromised credentials)
Hospital & Medical Foundation of Paris, Inc IL Healthcare Provider 16,598 Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC VA Healthcare Provider 14,912 Hacking incident (details not disclosed)
Cadence Bank MS Business Associate 13,862 Hacking incident – MoveIT Transfer vulnerability exploited
Peerstar LLC PA Healthcare Provider 11,438 Hacking incident (details not disclosed)
Atlas Healthcare CT CT Healthcare Provider 10,831 Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception being the mass hacking of a zero-day vulnerability in the MOVEit Transfer solution, a fairly safe disclosure legally as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of the breach are given insufficient information it is difficult for them to accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

October 2023 healthcare data breach report - causes of breaches

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. 8 data breaches involved compromised email accounts.

October 2023 healthcare data breach report - location of breached data

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

October 2023 healthcare data breach report - affected entities

October 2023 healthcare data breach report - breached records at HIPAA-regulated entities

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State Breaches
Texas 5
Mississippi 4
Illinois, New York & Pennsylvania 3
California, Colorado, Florida & Georgia 2
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia 1

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse settled a multi-state data breach investigation involving more than 35 state attorneys general. A server has been left unsecured, which allowed sensitive data to be indexed by search engines, allowing it to be found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.

The post October 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.