HIPAA Breach News

Healthcare Data Breach Statistics

The HIPAA Journal has compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first started publishing summaries of healthcare data breaches on its website.

This page is regularly updated to reflect the latest healthcare data breach statistics. (These statistics and graphs were last updated on Apr 3, 2024.) Check back regularly to get the latest healthcare data breach statistics and healthcare data breach trends. You can also receive a free copy of our HIPAA Compliance Checklist to understand your organization’s responsibilities under HIPAA.

Trends In Healthcare Data Breach Statistics

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 14 years, with 2021 seeing more data breaches reported than any other year since records first started being published by OCR.

Data breaches increased once again in 2022, with OCR receiving reports of 720 data breaches of 500 or more records. There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records – the most reported data breaches and the most breached records. In 2023, 725 data breaches were reported to OCR, and across those breaches more than 133 million records were exposed or impermissibly disclosed.

The healthcare data breach statistics below only include data breaches of 500 or more records that have been reported to OCR, as while HIPAA requires all data breaches to be reported regardless of size, OCR does not publish details of smaller data breaches. The breaches included in the statistics and graphs below include closed cases and breaches that are still being investigated by OCR for potential HIPAA violations.

Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still under investigation. This time last year there were 882 breaches listed as under investigation, which shows OCR has made little progress in clearing its backlog of investigations – something that is unlikely to change given the chronic lack of funding for the department.

There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches. There has also been a downward trend in improper disposal incidents and unauthorized access/disclosure incidents, but data breaches continue to increase due to a massive increase in hacking incidents and ransomware attacks. In 2023, OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over the same period. In 2019, hacking accounted for 49% of all reported breaches. In 2023, 79.7% of data breaches were due to hacking incidents.

It is not just the number of data breaches that is increasing; the breaches are also becoming more severe. 2021 was a bad year for data breaches with 45.9 million records breached, and 2022 was worse with 51.9 million records breached, but 2023 smashed all previous records with an astonishing 133 million records exposed, stolen, or otherwise impermissibly disclosed. The huge total for 2023 includes 26 data breaches of more than 1 million records and four breaches of more than 8 million records. The largest data breach of the year affected 11,270,000 individuals – the second-largest healthcare data breach of all time.

The breach data is updated at least monthly, with the previous month’s figures typically added around the 20th of each month, so check back frequently to see the emerging trends for the current year.

Healthcare Data Breaches by Year

Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. Fast forward 5 years and the rate has more than doubled. In 2023, an average of 1.99 healthcare data breaches of 500 or more records were reported each day, and on average, 364,571 healthcare records were breached every day.
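As an added illustration (not the HIPAA Journal's own tooling), the following Python script computes the per-year figures this page reports (breach count, total records, average and median breach size, hacking share, and per-day rates) from rows laid out like the OCR breach portal's CSV export. The column names are my assumption about that export, and the sample rows are constructed, not real breach reports.

```python
"""Aggregate OCR breach-portal style records into per-year breach statistics.

Added example, not HIPAA Journal code. Column names are an assumption about
the OCR breach portal CSV export; the rows in SAMPLE_CSV are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample data in the assumed OCR breach-portal CSV layout.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,NY,Healthcare Provider,1200,01/15/2023,Hacking/IT Incident,Network Server,No
Example Billing Vendor,TX,Business Associate,850000,03/02/2023,Hacking/IT Incident,Network Server,Yes
Example Clinic B,CA,Healthcare Provider,640,06/20/2023,Unauthorized Access/Disclosure,Email,No
Example Health Plan,OH,Health Plan,25000,11/09/2023,Theft,Laptop,No
Example Practice C,FL,Healthcare Provider,300,07/07/2023,Improper Disposal,Paper/Films,No
Example Lab D,IL,Healthcare Provider,5000,02/11/2022,Hacking/IT Incident,Email,No
Example Pharmacy E,WA,Healthcare Provider,2000,09/30/2022,Loss,Other Portable Electronic Device,No
"""

HACKING = "Hacking/IT Incident"
REPORTING_THRESHOLD = 500  # OCR only publishes breaches of 500+ records


def load_breaches(text):
    """Parse CSV rows and drop anything below the 500-record threshold.

    OCR's portal already applies the threshold; the explicit filter keeps the
    statistics consistent if rows from another source are merged in.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        affected = int(r["Individuals Affected"].replace(",", ""))
        if affected < REPORTING_THRESHOLD:
            continue
        month, day, year = (int(x) for x in r["Breach Submission Date"].split("/"))
        rows.append({
            "entity": r["Name of Covered Entity"],
            "entity_type": r["Covered Entity Type"],
            "affected": affected,
            "submitted": date(year, month, day),
            "breach_type": r["Type of Breach"],
            "ba_present": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def yearly_stats(rows):
    """Per-year metrics matching the ones quoted on the page.

    Per-day rates divide by the full calendar year, so for a year still in
    progress they understate the true rate; restrict to completed years when
    comparing with the page's figures.
    """
    by_year = defaultdict(list)
    for r in rows:
        by_year[r["submitted"].year].append(r)

    out = {}
    for year, items in sorted(by_year.items()):
        sizes = [r["affected"] for r in items]
        days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
        hacking = sum(1 for r in items if r["breach_type"] == HACKING)
        out[year] = {
            "breaches": len(items),
            "records": sum(sizes),
            "mean_size": mean(sizes),
            "median_size": median(sizes),
            "hacking_pct": round(100 * hacking / len(items), 1),
            "breaches_per_day": round(len(items) / days_in_year, 3),
            "records_per_day": round(sum(sizes) / days_in_year),
            # Breaches where a business associate was involved, regardless of
            # which entity filed the report (see the reporting-entity caveat).
            "ba_involved": sum(1 for r in items if r["ba_present"]),
        }
    return out


if __name__ == "__main__":
    for year, stats in yearly_stats(load_breaches(SAMPLE_CSV)).items():
        print(year, stats)
```

The median is worth reporting beside the mean because a single multi-million-record breach (as with Anthem in 2015) pulls the average far above what a typical breach looks like.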

Healthcare Records Exposed by Year

There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. Until 2023, 2015 was the worst year in history for breached healthcare records, with more than 112 million records exposed or impermissibly disclosed. 2015 was particularly bad due to three massive data breaches at health plans: Anthem Inc, Premera Blue Cross, and Excellus. The Anthem breach affected 78.8 million of its members, and the Premera Blue Cross and Excellus data breaches each affected 10 million or more individuals.

Average/Median Healthcare Data Breach Size by Year

Largest Healthcare Data Breaches (2009 – 2024)

Rank Name of Covered Entity Year Covered Entity Type Individuals Affected Type of Breach
1 Anthem Inc. 2015 Health Plan 78,800,000 Hacking/IT Incident
2 American Medical Collection Agency 2019 Business Associate 26,059,725 Hacking/IT Incident
3 HCA Healthcare 2023 Business Associate 11,270,000 Hacking/IT Incident
4 Premera Blue Cross 2015 Health Plan 11,000,000 Hacking/IT Incident
5 Excellus Health Plan, Inc. 2015 Health Plan 10,000,000 Hacking/IT Incident
6 Perry Johnson & Associates (PJ&A) 2023 Business Associate 8,952,212 Ransomware attack
7 Managed Care of North America (MCNA Dental) 2023 Business Associate 8,861,076 Ransomware attack
8 Welltok 2023 Business Associate 8,493,379 Hacking Incident (MOVEit)
9 Delta Dental of California 2023 Healthcare Provider 6,928,932 Hacking Incident (MOVEit)
10 PharMerica 2023 Healthcare Provider 5,815,591 Ransomware attack
11 Science Applications International Corporation 2011 Business Associate 4,900,000 Loss
12 University of California, Los Angeles Health 2015 Healthcare Provider 4,500,000 Hacking/IT Incident
13 Community Health Systems Professional Services Corporations 2014 Business Associate 4,500,000 Hacking/IT Incident
14 HealthEC 2023 Business Associate 4,452,782 Hacking/IT Incident
15 Reventics 2023 Business Associate 4,212,823 Hacking/IT Incident
16 OneTouchPoint 2022 Business Associate 4,112,892 Ransomware attack
17 Colorado Department of Health Care Policy & Financing 2023 Health Plan 4,091,794 MOVEit Transfer hacking incident
18 Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group 2013 Healthcare Provider 4,029,530 Theft
19 Medical Informatics Engineering 2015 Business Associate 3,900,000 Hacking/IT Incident
20 Concentra Health Services, Inc. 2024 Healthcare Provider 3,998,162 Hacking/IT Incident
21 Eye Care Leaders 2022 Business Associate 3,649,470 Hacking/IT Incident
22 Banner Health 2016 Healthcare Provider 3,620,000 Hacking/IT Incident
23 Florida Healthy Kids Corporation 2021 Health Plan 3,500,000 Hacking/IT Incident
24 Newkirk Products, Inc. 2016 Business Associate 3,466,120 Hacking/IT Incident
25 Regal Medical Group (including Lakeside Medical Organization, A Medical Group, ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group Inc.) 2023 Healthcare Provider 3,388,856 Ransomware attack
26 Trinity Health 2020 Business Associate 3,320,726 Hacking/IT Incident
27 20/20 Eye Care Network, Inc 2021 Business Associate 3,253,822 Hacking/IT Incident
28 CareSource 2023 Business Associate 3,180,537 MOVEit Transfer hacking incident
29 Cerebral, Inc. 2023 Business Associate 3,179,835 Impermissible Disclosure (website tracking code)
30 NationsBenefits Holdings, LLC 2023 Business Associate 3,037,303 Hacking Incident (Fortra GoAnywhere MFT)
31 Advocate Aurora Health 2022 Healthcare Provider 3,000,000 Impermissible Disclosure (website tracking code)
32 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. 2019 Health Plan 2,964,778 Hacking/IT Incident
33 Maximus, Inc. 2023 Business Associate 2,781,617 MOVEit Transfer hacking incident
34 AccuDoc Solutions, Inc. 2018 Business Associate 2,652,537 Hacking/IT Incident
35 Harvard Pilgrim Health Care 2023 Health Plan 2,624,191 Hacking/IT Incident
36 Enzo Clinical Labs, Inc. 2023 Healthcare Provider 2,470,000 Ransomware Attack
37 Florida Health Sciences Center, Inc. dba Tampa General Hospital 2023 Healthcare Provider 2,430,920 Hacking Incident
38 Forefront Dermatology, S.C. 2021 Healthcare Provider 2,413,553 Hacking/IT Incident
39 Integris Health 2024 Healthcare Provider 2,385,646 Hacking/IT Incident
40 Postmeds Inc. 2023 Business Associate 2,364,359 Hacking/IT Incident
41 Medical Management Resource Group, L.L.C. 2024 Business Associate 2,350,236 Hacking/IT Incident
42 Centers for Medicare & Medicaid Services 2023 Health Plan 2,342,357 Hacking/IT Incident
43 Connexin Software 2022 Business Associate 2,216,365 Hacking/IT Incident
44 21st Century Oncology 2016 Healthcare Provider 2,213,597 Hacking/IT Incident
45 Shields Healthcare Group 2022 Business Associate 2,000,000 Unauthorized Access/Disclosure
46 Xerox State Healthcare, LLC 2014 Business Associate 2,000,000 Unauthorized Access/Disclosure
47 Arietis Health 2023 Business Associate 1,975,066 MOVEit Transfer hacking incident
48 Professional Finance Company 2022 Business Associate 1,918,941 Ransomware attack
49 IBM 2011 Business Associate 1,900,000 Unknown
50 Apria Healthcare 2023 Healthcare Provider 1,868,831 Hacking Incident
51 Pension Benefit Information 2023 Business Associate 1,866,694 MOVEit Transfer hacking incident
52 Performance Health Technology 2023 Business Associate 1,752,076 Hacking/IT Incident
53 Dental Care Alliance, LLC 2021 Business Associate 1,723,375 Hacking/IT Incident
54 GRM Information Management Services 2011 Business Associate 1,700,000 Theft
55 NEC Networks, LLC d/b/a CaptureRx 2021 Business Associate 1,656,569 Hacking/IT Incident
56 Baptist Medical Center and Resolute Health Hospital 2022 Healthcare Provider 1,608,549 Hacking/IT Incident
57 Inmediata Health Group, Corp. 2019 Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
58 Eskenazi Health 2021 Healthcare Provider 1,515,918 Hacking/IT Incident
59 Community Health Network 2022 Healthcare Provider 1,500,000 Impermissible Disclosure (website tracking code)

These figures are calculated based on the reporting entity. When a data breach occurs at a business associate, it may be reported by the business associate or by each affected HIPAA-covered entity. For instance, in 2022, the electronic health record provider Eye Care Leaders suffered a ransomware attack, and each covered entity reported the breach separately. The HIPAA Journal tracked the breach reports: at least 39 HIPAA-covered entities were affected, and the records of more than 3.09 million individuals were exposed. Similarly, a major data breach occurred at American Medical Collection Agency in 2019 that was reported by each covered entity rather than by AMCA. That breach affected more than 25 million individuals. Even when business associates of HIPAA-covered entities self-report data breaches, some of their covered entity clients choose to report the breach themselves. As a result, business associate data breaches tend to be under-represented in analyses of healthcare data breaches.

Causes of Healthcare Data Breaches

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents than they were in 2010. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detect hacking incidents and malware infections, although it is clear that there has been a massive increase in attacks in recent years. Many of the hacking incidents between 2014 and 2018 occurred many months – and in some cases years – before they were detected.

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting insider breaches and reporting those breaches to the Office for Civil Rights, although as the chart below shows, the severity of these breaches has increased significantly in recent years. These incidents consist of errors by employees, negligence, snooping on medical records, and data theft by malicious insiders. Better HIPAA and security awareness training along with the use of technologies for monitoring access to medical records are helping to reduce these data breaches.

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show that HIPAA-covered entities and business associates have gotten significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.

Improper Disposal of PHI/ePHI by Year

HIPAA requires healthcare data, whether in physical or electronic form, to be permanently destroyed when no longer required. The improper disposal of PHI is a relatively infrequent breach cause and typically involves paper records that have not been sent for shredding or have been abandoned.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

The table below shows the raw data from OCR of the data breaches by the entity reporting the breaches; however, this data does not tell the whole story, as data breaches occurring at business associates may be reported by the business associate or each affected covered entity or a combination of the two. Many online reports that provide healthcare data breach statistics fail to accurately reflect where many data breaches are occurring.

Healthcare Data Breaches: Reporting Entity (2009 – 2024)

Year Healthcare Provider Health Plan Business Associate Healthcare Clearinghouse Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 135 19 45 1 200
2012 154 23 40 1 218
2013 191 20 64 2 277
2014 200 40 74 0 314
2015 195 61 14 0 270
2016 256 51 22 0 329
2017 285 52 21 0 358
2018 274 53 42 0 369
2019 397 59 54 2 512
2020 515 72 74 2 663
2021 516 104 93 2 715
2022 504 87 129 0 720
2023 450 103 170 2 725
2024 76 28 20 1 125
Total 4,296 794 909 13 6,012

The graphs below paint a more accurate picture of where healthcare data breaches are occurring, rather than the entities that have reported the data breaches, and clearly show the extent to which business associate data breaches have increased in recent years. In 2023, more than 93 million healthcare records were exposed or stolen in data breaches at business associates compared to 34.9 million records in breaches at healthcare providers. The charts below show data breaches by reporting entity.


These data highlight the importance of securing the supply chain, conducting due diligence on vendors before their products and services are used, and monitoring existing vendors for HIPAA Security Rule compliance and cybersecurity. In 2023, one of the biggest challenges in healthcare cybersecurity was securing the supply chain.

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when there is systemic non-compliance with the HIPAA Rules, making HIPAA compliance financially as well as ethically important.

The penalty structure for HIPAA violations is detailed in the infographic below. These figures are adjusted annually for inflation. The current penalty amounts can be found here.

Penalties for HIPAA violations

OCR Settlements and Fines Over the Years

Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines imposed by OCR since 2008. As the graph below shows, HIPAA enforcement activity has steadily increased over the past 14 years, with 2022 being a record year, with 22 penalties imposed. The major rise in HIPAA violation penalties in 2020 was largely due to a new enforcement initiative by OCR targeting non-compliance with the HIPAA Right of Access – the right of patients to access and obtain a copy of their healthcare data. Eleven settlements were reached with healthcare providers in 2020 to resolve cases where patients were not given timely access to their medical records, and in 2021 all but two of the 14 penalties were for HIPAA Right of Access violations. From September 2019 to December 2023, 46 penalties have been imposed to resolve HIPAA Right of Access violations.

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, penalty amounts increased considerably between 2015 and 2018. In 2018, the largest ever financial penalty for HIPAA violations was paid by Anthem Inc. to resolve potential violations of the HIPAA Security Rule that were discovered by OCR during the investigation of its 78.8 million record data breach in 2015. Anthem paid $16 million to settle the case. In 2020, Premera Blue Cross settled potential violations of the HIPAA Rules and paid a $6,850,000 penalty to resolve its 2015 data breach of the PHI of almost 10.5 million individuals, and in 2021 a $5,000,000 settlement was agreed upon with Excellus Health Plan to resolve HIPAA violations identified that contributed to its 2015 data breach of the PHI of almost 9.4 million individuals.

While large financial penalties are still imposed to resolve HIPAA violations, the trend in recent years has been toward smaller penalties, imposed on healthcare organizations of all sizes. It is no longer the case that smaller healthcare organizations escape HIPAA fines. In 2022, 55% of the financial penalties imposed by OCR were on small medical practices.

The fall in revenues from OCR’s enforcement activities in recent years is due to OCR reassessing the language of the HITECH Act, which called for penalties for HIPAA violations to be increased. OCR determined that the language of the HITECH Act had been misinterpreted at the time and reduced the penalty caps in three of the four penalty tiers. OCR is now petitioning Congress to increase the penalty caps to increase the deterrent effect.

It was expected that 2018 would see fewer fines for HIPAA-covered entities than in the past two years due to HHS budget cuts, but that did not prove to be the case. 2018 was a record-breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA-covered entities and business associates who had violated HIPAA Rules, and 2020 saw a major increase in enforcement activity with 19 settlements. The number of financial penalties was reduced in 2021; however, 2022 saw penalties increase, with 22 penalties announced by OCR, more than in any other year to date. There was a reduction in enforcement actions in 2023, although there was an increase in penalty amounts. OCR had been concentrating on HIPAA Right of Access violations, for which the penalties are generally relatively low as only one HIPAA provision is typically violated. In 2023, OCR imposed more fines for HIPAA Security Rule violations, where the entity concerned violated multiple aspects of the Security Rule, hence the higher penalties.

OCR Penalties for HIPAA Violations (2008 – 2024)

Year Covered Entity Amount Penalty Type
2024 Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) $100,000 Civil Monetary Penalty
2024 Phoenix Healthcare $35,000 Settlement
2024 Green Ridge Behavioral Health $40,000 Settlement
2024 Montefiore Medical Center $4,750,000 Settlement
2023 Optum Medical Care of New Jersey $160,000 Settlement
2023 Lafourche Medical Group $480,000 Settlement
2023 St. Joseph’s Medical Center $80,000 Settlement
2023 Doctors’ Management Services $100,000 Settlement
2023 L.A. Care Health Plan $1,300,000 Settlement
2023 UnitedHealthcare $80,000 Settlement
2023 iHealth Solutions (dba Advantum Health) $75,000 Settlement
2023 Yakima Valley Memorial Hospital $240,000 Settlement
2023 Manasa Health Center, LLC $30,000 Settlement
2023 MedEvolve Inc. $350,000 Settlement
2023 David Mente, MA, LPC $15,000 Settlement
2023 Banner Health $1,250,000 Settlement
2023 Life Hope Labs, LLC $16,500 Settlement
2022 Health Specialists of Central Florida Inc $20,000 Settlement
2022 New Vision Dental $23,000 Settlement
2022 Great Expressions Dental Center of Georgia, P.C. $80,000 Settlement
2022 Family Dental Care, P.C. $30,000 Settlement
2022 B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental $25,000 Settlement
2022 New England Dermatology and Laser Center $300,640 Settlement
2022 ACPM Podiatry $100,000 Civil Monetary Penalty
2022 Memorial Hermann Health System $240,000 Settlement
2022 Southwest Surgical Associates $65,000 Settlement
2022 Hillcrest Nursing and Rehabilitation $55,000 Settlement
2022 MelroseWakefield Healthcare $55,000 Settlement
2022 Erie County Medical Center Corporation $50,000 Settlement
2022 Fallbrook Family Health Center $30,000 Settlement
2022 Associated Retina Specialists $22,500 Settlement
2022 Coastal Ear, Nose, and Throat $20,000 Settlement
2022 Lawrence Bell, Jr. D.D.S $5,000 Settlement
2022 Danbury Psychiatric Consultants $3,500 Settlement
2022 Oklahoma State University – Center for Health Sciences $875,000 Settlement
2022 Dr. Brockley $30,000 Settlement
2022 Jacob & Associates $28,000 Settlement
2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. $50,000 Civil Monetary Penalty
2022 Northcutt Dental-Fairhope $62,500 Settlement
2021 Advanced Spine & Pain Management $32,150 Settlement
2021 Denver Retina Center $30,000 Settlement
2021 Dr. Robert Glaser $100,000 Civil Monetary Penalty
2021 Rainrock Treatment Center LLC (dba Monte Nido Rainrock) $160,000 Settlement
2021 Wake Health Medical Group $10,000 Settlement
2021 Children’s Hospital & Medical Center $80,000 Settlement
2021 The Diabetes, Endocrinology & Lipidology Center, Inc. $5,000 Settlement
2021 AEON Clinical Laboratories (Peachstate) $25,000 Settlement
2021 Village Plastic Surgery $30,000 Settlement
2021 Arbour Hospital $65,000 Settlement
2021 Sharpe Healthcare $70,000 Settlement
2021 Renown Health $75,000 Settlement
2021 Excellus Health Plan $5,100,000 Settlement
2021 Banner Health $200,000 Settlement
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
2020 University of Cincinnati Medical Center $65,000 Settlement
2020 Dr. Rajendra Bhayani $15,000 Settlement
2020 Riverside Psychiatric Medical Group $25,000 Settlement
2020 City of New Haven, CT $202,400 Settlement
2020 Aetna $1,000,000 Settlement
2020 NY Spine $100,000 Settlement
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
2020 Premera Blue Cross $6,850,000 Settlement
2020 CHSPSC LLC $2,300,000 Settlement
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement
2020 Housing Works, Inc. $38,000 Settlement
2020 All Inclusive Medical Services, Inc. $15,000 Settlement
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement
2020 King MD $3,500 Settlement
2020 Wise Psychiatry, PC $10,000 Settlement
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement
2020 Steven A. Porter, M.D $100,000 Settlement
2019 Jackson Health System $2,154,000 Civil Monetary Penalty
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
2019 University of Rochester Medical Center $3,000,000 Settlement
2019 Touchstone Medical Imaging $3,000,000 Settlement
2019 Sentara Hospitals $2,175,000 Settlement
2019 Medical Informatics Engineering $100,000 Settlement
2019 Korunda Medical, LLC $85,000 Settlement
2019 Bayfront Health St. Petersburg $85,000 Settlement
2019 West Georgia Ambulance $65,000 Settlement
2019 Elite Dental Associates $10,000 Settlement
2018* University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty
2018 Anthem Inc $16,000,000 Settlement
2018 Fresenius Medical Care North America $3,500,000 Settlement
2018 Massachusetts General Hospital $515,000 Settlement
2018 Brigham and Women’s Hospital $384,000 Settlement
2018 Boston Medical Center $100,000 Settlement
2018 Filefax, Inc. $100,000 Settlement
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty
2017 Memorial Healthcare System $5,500,000 Settlement
2017 Cardionet $2,500,000 Settlement
2017 Memorial Hermann Health System $2,400,000 Settlement
2017 21st Century Oncology $2,300,000 Settlement
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement
2017 Presence Health $475,000 Settlement
2017 Metro Community Provider Network $400,000 Settlement
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement
2017 The Center for Children’s Digestive Health $31,000 Settlement
2016 Lincare, Inc. $239,800 Civil Monetary Penalty
2016 Advocate Health Care Network $5,550,000 Settlement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement
2016 University of Mississippi Medical Center $2,750,000 Settlement
2016 Oregon Health & Science University $2,700,000 Settlement
2016 New York Presbyterian Hospital $2,200,000 Settlement
2016 St. Joseph Health $2,140,500 Settlement
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement
2016 Care New England Health System $400,000 Settlement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement
2015 Triple S Management Corporation $3,500,000 Settlement
2015 Lahey Hospital and Medical Center $850,000 Settlement
2015 University of Washington Medicine $750,000 Settlement
2015 Cancer Care Group, P.C. $750,000 Settlement
2015 St. Elizabeth’s Medical Center $218,400 Settlement
2015 Cornell Prescription Pharmacy $125,000 Settlement
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement
2014 Concentra Health Services $1,725,220 Settlement
2014 Parkview Health System, Inc. $800,000 Settlement
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement
2014 Skagit County, Washington $215,000 Settlement
2014 Anchorage Community Mental Health Services $150,000 Settlement
2013 WellPoint $1,700,000 Settlement
2013 Affinity Health Plan, Inc. $1,215,780 Settlement
2013 Idaho State University $400,000 Settlement
2013 Shasta Regional Medical Center $275,000 Settlement
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement
2012 Alaska DHSS $1,700,000 Settlement
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement
2012 Phoenix Cardiac Surgery $100,000 Settlement
2012 The Hospice of Northern Idaho $50,000 Settlement
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement
2011 University of California at Los Angeles Health System $865,500 Settlement
2010 Rite Aid Corporation $1,000,000 Settlement
2010 Management Services Organization Washington Inc. $35,000 Settlement
2009 CVS Pharmacy Inc. $2,250,000 Settlement
2008 Providence Health & Services $100,000 Settlement

*In 2021, following an appeal, the civil monetary penalty imposed on the University of Texas MD Anderson Cancer Center by the HHS’ Office for Civil Rights was vacated.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can bring actions against HIPAA-covered entities and their business associates for violations of the HIPAA Rules. Penalties range from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Only a handful of U.S. states have imposed penalties for HIPAA violations; however, that changed in 2019 when many state Attorneys General started participating in multistate actions against HIPAA-covered entities and business associates that experienced major data breaches and were found not to be in compliance with the HIPAA Rules.

The penalties detailed below have been imposed by state attorneys general for HIPAA violations and violations of state laws. It is common for penalties to be imposed solely for violations of state laws, even though there are corresponding HIPAA violations.

Attorneys General HIPAA Fines (2008 – 2024)

Year State Covered Entity Amount
2024 New York Refuah Health Center $450,000 and an investment of $1.2 million in cybersecurity
2023 New York New York Presbyterian Hospital $300,000
2023 New York Healthplex $400,000
2023 Indiana CarePointe ENT $120,000
2023 New York U.S. Radiology Specialists Inc. $450,000
2023 Multistate (32 states and PR) Inmediata $1,400,000
2023 New York Personal Touch Holding Corp $350,000
2023 Multistate (49 states and DC) Blackbaud $49,500,000
2023 Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended)
2023 Indiana Schneck Medical Center $250,000
2023 California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000
2023 California Kaiser Permanente $450,000
2023 New York Professional Business Systems Inc. dba Practicefirst Medical Management Solutions $550,000
2023 Multi-state: Oregon, New Jersey, Florida, Pennsylvania EyeMed Vision Care $2,500,000
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000
2023 Pennsylvania & Ohio DNA Diagnostics Center $400,000
2022 Oregon & Utah Avalon Healthcare $200,000
2022 Massachusetts Aveanna Healthcare $425,000
2022 New York EyeMed Vision Care $600,000
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000
2021 Multistate American Medical Collection Agency $21 million (suspended)
2020 Multistate CHSPSC LLC $5,000,000
2020 Multistate Anthem Inc. $39.5 million
2020 California Anthem Inc. $8.7 million
2019 Multistate Premera Blue Cross $10,000,000
2019 Multistate Medical Informatics Engineering $900,000
2019 California Aetna $935,000
2018 Massachusetts McLean Hospital $75,000
2018 New Jersey EmblemHealth $100,000
2018 New Jersey Best Transcription Medical $200,000
2018 Connecticut Aetna $99,959
2018 New Jersey Aetna $365,211.59
2018 District of Columbia Aetna $175,000
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000
2018 New York Arc of Erie County $200,000
2018 New Jersey Virtua Medical Group $417,816
2018 New York EmblemHealth $575,000
2018 New York Aetna $1,150,000
2017 California Cottage Health System $2,000,000
2017 Massachusetts Multi-State Billing Services $100,000
2017 New Jersey Horizon Healthcare Services Inc. $1,100,000
2017 Vermont SAManage USA, Inc. $264,000
2017 New York CoPilot Provider Support Services, Inc $130,000
2015 New York University of Rochester Medical Center $15,000
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000
2014 Massachusetts Boston Children’s Hospital $40,000
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000
2013 Massachusetts Goldthwait Associates $140,000
2012 Minnesota Accretive Health $2,500,000
2012 Massachusetts South Shore Hospital $750,000
2011 Vermont Health Net Inc. $55,000
2011 Indiana WellPoint Inc. $100,000
2010 Connecticut Health Net Inc. $250,000


Federal Trade Commission Fines and Penalties 2023

In 2009, the Federal Trade Commission (FTC) published a new rule that required vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. The FTC Health Breach Notification Rule applies only to identifying health information that is not covered by HIPAA. The Rule does not apply to HIPAA-covered entities or business associates, which have reporting requirements per the HIPAA Breach Notification Rule.

The FTC issued a policy update in 2021 stating its intention to start actively enforcing compliance. Prior to 2023, no financial penalties had been imposed for breach notification failures but that changed in February 2023.

Entity | Company Type | Penalty Type | Amount | Reason
Easy Healthcare (Premom) | Fertility tracking health app provider | Settlement | $200,000 | Impermissible disclosure of personal and health information to third parties such as Google and Facebook; failure to issue timely notifications
BetterHelp Inc. | Online counseling service provider | Settlement | $7,800,000 | Impermissible disclosure of personal and health information to third parties such as Google and Facebook
GoodRx Holdings Inc. | Telemedicine platform provider | Settlement | $1,500,000 | Failure to notify consumers about the impermissible disclosure of personal and health information to third parties such as Google and Facebook

Healthcare Data Breach Statistics FAQs

How does the number of data breaches in the healthcare sector compare with other sectors?

The number of data breaches in the healthcare sector compares poorly with other sectors. An analysis of data breaches recorded on the Privacy Rights database between 2015 and 2022 showed that 32% of all recorded data breaches were in the healthcare sector – almost double the number recorded in the financial and manufacturing sectors.

Why are there so many more data breaches in the healthcare sector than in other sectors?

There are so many more data breaches in the healthcare sector than in other sectors because healthcare data is more valuable on the black market than any other type of data. This is because it takes longer for healthcare fraud to be discovered and stolen data can be used for longer compared to (for example) a stolen credit card which can be stopped as soon as the breach is discovered.

It is also the case that organizations in the healthcare sector have stricter breach notification requirements than those in other sectors. Certain types of incidents (e.g., ransomware attacks) have to be reported even if it cannot be established that data has been compromised. The increasing number of recent ransomware attacks may therefore have inflated the healthcare data breach statistics.

Why has the average HIPAA penalty decreased since 2018 despite increases in the number of breaches and median breach size?

The average HIPAA penalty has decreased since 2018 despite increases in the number of breaches and median breach size because in recent years the Office for Civil Rights (OCR) has been running a right of access initiative to clamp down on providers who fail to provide patients with access to their PHI within the thirty days allowed.

Penalties for right of access failures are less than for high-volume data breaches, and this has resulted in a decrease in the average HIPAA penalty in recent years. However, while the average HIPAA penalty issued by OCR has decreased, penalties issued by State Attorneys General have remained constant, while it is too early to find trends in fines issued by the FTC.

If a healthcare professional discloses PHI without authorization, is this included in the healthcare data breach statistics?

If a healthcare professional discloses PHI without authorization, the disclosure is unlikely to appear in the healthcare data breach statistics because the statistics are compiled from breaches involving 500 or more records. Therefore, individual unauthorized disclosures of PHI are not included in the figures. However, if the unauthorized disclosure is investigated by OCR and found to be attributable to willful neglect, any subsequent fines will be included in the settlement statistics.

How can healthcare organizations mitigate data breaches?

Healthcare organizations can mitigate data breaches using various methods. The most effective is to encrypt protected health information to render it unusable, unreadable, or indecipherable in the event of a data breach attack. This will ensure data is not compromised and the attack will not have to be reported to the Office for Civil Rights.

Other steps include implementing two-factor authentication on privileged accounts to mitigate the consequences of credential theft, running checks on all storage volumes (cloud and on-premises) to ensure appropriate permissions are applied, checking network connections for unauthorized open ports, and eliminating Shadow IT environments developed as workarounds.

How are successful phishing attacks recorded in the HIPAA breach reports?

Successful phishing attacks are recorded in the HIPAA breach reports as Hacking/IT Incidents. However, as other cybersecurity incidents such as ransomware attacks and events attributable to malware are also categorized as Hacking/IT Incidents, it is not possible to determine how many successful phishing attacks there have been affecting more than 500 individuals.

Why doesn’t HHS fine every covered organization when a HIPAA data breach occurs?

HHS doesn’t fine every covered organization when a HIPAA data breach occurs because not all data breaches are attributable to HIPAA violations. For example, successful ransomware attacks are notifiable events even when no PHI is disclosed and when systems can be quickly restored from backups because, for a period of time, PHI was unavailable.

Why is the number of HIPAA breaches increasing despite more awareness about HIPAA compliance?

The number of HIPAA breaches is increasing despite more awareness about HIPAA compliance due to the increasing digitalization of healthcare data and the increasing sophistication of cyberattacks. While there is an argument that more awareness about HIPAA compliance is having an impact on the lower number of HIPAA breaches attributable to lost or stolen drives and devices, there is a counterargument that, because of the increase in cloud computing, fewer covered organizations are transporting unencrypted PHI on drives and devices.

How can HIPAA covered entities better secure their supply chains to prevent data breaches attributable to business associates?

HIPAA covered entities can better secure their supply chains to prevent data breaches attributable to business associates by conducting more thorough due diligence on each business associate. Many covered entities rely on “good faith assurances” rather than investigating the measures each business associate has in place to prevent data breaches, the training provided to business associate workforces, and the security of communication channels used to transmit PHI.

What is the difference between a healthcare data breach and a HIPAA data breach?

The difference between a healthcare data breach and a HIPAA data breach is that a healthcare data breach is one in which healthcare data is accessed without authorization from a healthcare provider (who may or may not be a HIPAA covered entity or business associate), while a HIPAA data breach is a breach of any Protected Health Information (which can include financial information) from any covered health plan, health care clearinghouse, or healthcare provider, or any business associate providing a service for or on behalf of a covered entity.

Therefore, not only is it the nature of the data that distinguishes a healthcare data breach from a HIPAA data breach (i.e., healthcare data vs healthcare, payment, and other data with protected status), but also the status of the organization where data was accessed without authorization (i.e., covered or non-covered healthcare provider vs HIPAA covered entity or business associate). The difference may be subtle, but it can impact the breach notification requirements, the regulatory authority, and the penalty for a data breach.

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a $35,000 settlement has been reached with Phoenix Healthcare to resolve a HIPAA Right of Access violation. This is the 47th investigation of a HIPAA Right of Access case to result in a financial penalty. The HIPAA Right of Access provision of the HIPAA Privacy Rule requires patients or their personal representatives to have timely access to their health information. Access/copies of the requested information must be provided within 30 days of the request being received.

OCR received a complaint from a daughter whose mother was a patient of Phoenix Healthcare, an Oklahoma multi-facility organization in nursing care. The daughter was the personal representative of her mother and had not been provided with timely access to her mother’s medical records. The daughter requested the records on multiple occasions and had to wait almost a year to receive the requested data. The requested records were provided 323 days after the initial request was made.

The daughter reported the matter to OCR as a potential HIPAA violation and OCR launched an investigation. OCR determined that there had been a violation of the HIPAA Right of Access and informed Phoenix Healthcare by letter on March 30, 2021, of its intention to impose a financial penalty of $250,000 for the failure to comply with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Phoenix Healthcare contested the proposed fine and requested a hearing before an Administrative Law Judge (ALJ). The ALJ upheld the violations cited by OCR and determined that there had been willful neglect of the HIPAA Privacy Rule. The ALJ ordered Phoenix Healthcare to pay a civil monetary penalty of $75,000.

Phoenix Healthcare appealed the $75,000 penalty, contesting both the penalty amount and the willful neglect determination. The Departmental Appeals Board affirmed the ALJ’s decision that there had been willful neglect of the HIPAA Rules and the order to pay $75,000; however, OCR chose to settle with Phoenix Healthcare and reduced the financial penalty to $35,000 on the condition that the Departmental Appeals Board’s decision is not challenged, that Phoenix Healthcare revises its HIPAA policies and procedures, and that it provides HIPAA training on the revised policies and procedures to its workforce.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”

This is the third OCR HIPAA investigation of 2024 to result in a financial penalty, the others being a $4,750,000 settlement with Montefiore Medical Center, and a $40,000 settlement with Green Ridge Behavioral Health.


MFA Bypassed in Cyberattack on L.A. County Department of Mental Health

Cyberattacks and data breaches have been reported by the L.A. County Department of Mental Health, Healthfirst, Wyndemere Senior Care, Risas Dental & Braces, and Baylor College of Medicine.

Los Angeles County Department of Mental Health

The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming, where a user is sent multiple MFA push notifications to their mobile device in the hope that they will eventually respond. The employee did respond, resulting in their email account being compromised.
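The push notification spamming described above leaves a recognizable trace in MFA sign-in logs: a burst of denied or unanswered pushes for one account in a short window, sometimes followed by an approval. The following is an added example of detection logic for that pattern, not code from HIPAA Journal, the Department of Mental Health or Microsoft; the event shape (timestamp, user, result), the threshold of four pushes and the ten-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). Each record is
# (timestamp, user, result), where result is what the user did with the push:
# "denied", "timeout" (no response) or "approved".
SAMPLE_EVENTS = [
    ("2024-03-20T08:01:05", "alice", "approved"),  # normal morning sign-in
    ("2024-03-20T23:10:02", "bob", "denied"),      # late-night burst begins
    ("2024-03-20T23:10:31", "bob", "timeout"),
    ("2024-03-20T23:11:04", "bob", "denied"),
    ("2024-03-20T23:11:40", "bob", "timeout"),
    ("2024-03-20T23:12:15", "bob", "denied"),
    ("2024-03-20T23:12:50", "bob", "approved"),    # user gives in: account compromised
    ("2024-03-20T09:30:00", "carol", "denied"),    # one stray deny is not fatigue
    ("2024-03-20T13:00:00", "carol", "approved"),
]

BURST_THRESHOLD = 4            # assumed: non-approved pushes that count as a burst
WINDOW = timedelta(minutes=10)  # assumed: sliding window for the burst


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_push_fatigue(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one finding per user whose denied/unanswered pushes reach the
    threshold inside the window. An approval that follows the burst raises
    the severity, because that is the footprint of a successful push-spam attack."""
    events = sorted(events, key=lambda e: parse(e[0]))
    recent = defaultdict(deque)  # user -> timestamps of recent non-approved pushes
    open_findings = {}           # user -> finding for a burst that is still active
    findings = []
    for ts, user, result in events:
        t = parse(ts)
        q = recent[user]
        if result in ("denied", "timeout"):
            q.append(t)
            # Drop pushes that have aged out of the sliding window.
            while t - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = open_findings.get(user)
                if f is None:
                    f = {"user": user, "severity": "medium", "pushes": 0,
                         "first_seen": q[0].isoformat(),
                         "approved_after_burst": False}
                    open_findings[user] = f
                    findings.append(f)
                f["pushes"] = len(q)
        elif result == "approved":
            f = open_findings.pop(user, None)
            if f is not None and t - parse(f["first_seen"]) <= window:
                # The user accepted a push while the burst was ongoing.
                f["severity"] = "high"
                f["approved_after_burst"] = True
            q.clear()  # a normal approval resets the counter for that user
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_EVENTS):
        print(finding)
```

A burst with no approval still deserves an investigation, since the attacker already holds a valid password when the pushes start; a burst followed by an approval should trigger session revocation and a password reset for the account. Number-matching MFA, in which the user must type a code displayed on the login screen, removes the one-tap approval this attack depends on.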

According to the Department of Mental Health, the attack stemmed from a breach at the City of Gardena Police Department (GPD). “GPD’s email exchanges with the Department of Mental Health (DMH) allowed the malicious actor or actors to send an email to a DMH employee and get access to that employee’s Microsoft Office 365 account.” The account contained names, dates of birth, Social Security numbers, addresses, telephone numbers, and medical record numbers.

This is not the first attack of this kind to affect the Department of Mental Health. Similar attacks occurred on October 6, 2023, and October 24, 2023. The breach notices sent to the affected individuals on December 6, 2023, December 22, 2023, and March 22, 2024, all include the following statement, “We have also notified Microsoft of the vulnerability in the Microsoft Office 365 multifactor authentication that was exploited by the malicious actor or actors. We have since implemented new security controls to address this specific attack.” Only one report is currently showing on the HHS’ Office for Civil Rights breach portal – dated December 22, 2023 – indicating 1,284 individuals were affected. It is unclear how many individuals had their data exposed in the latest attack.

Healthfirst

The New York health insurance provider, Healthfirst, has recently notified 6,836 of its 2 million members about unauthorized access to its member portal. Healthfirst, which provides health plans under the names Healthfirst PHSP, Inc., Healthfirst Health Plan, Inc., and Healthfirst Insurance Company, said member names, dates of birth, Healthfirst member ID numbers, and member zip codes were used to create unauthorized accounts. The accounts have now been disabled and internal protocols for digital member account validation have been updated to prevent similar incidents in the future. An investigation is ongoing into the source of the unauthorized activity. Healthfirst said it has no reason to believe that the unauthorized activity is linked to the Change Healthcare cyberattack. The affected individuals were notified on March 19, 2024.

Wyndemere Senior Care

Wyndemere Senior Care LLC, a Wheaton, IL-based provider of independent & assisted living neighborhoods, skilled nursing, & memory care, has notified 6,846 individuals that some of their personal information has been exposed in a cyberattack. Suspicious activity was detected in its computer systems on September 8, 2023, with the forensic investigation confirming there had been unauthorized network access between September 1, 2023, and September 8, 2023. A review of the files on the compromised parts of the network confirmed on February 21, 2024, that names and financial account numbers had been exposed. Individual notifications were mailed to the affected individuals on March 28, 2024. Wyndemere said it is implementing additional cybersecurity safeguards and is providing further training to its employees.

Risas Dental & Braces

Risas Dental & Braces in Phoenix, AZ, has recently notified patients about a cyberattack detected in July 2023 in which their protected health information was exposed. Unusual activity was identified in its computer systems on July 10, 2023, and immediate action was taken to secure its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The digital forensics team determined that unauthorized individuals had gained access to the network and may have downloaded files containing patient data.

The review of those files was completed on January 26, 2024, and confirmed they contained protected health information such as names, contact information, high-level treatment information such as procedure names or notes, the initial date or dates of service, and/or insurance subscriber information. The affected individuals were notified by mail on March 22, 2024. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Baylor College of Medicine (Advarra)

Baylor College of Medicine in Houston, TX, has confirmed that the personal information of certain participants in breast cancer clinical trials has been exposed in a data breach at its vendor, Advarra. The data was present in the email account of an Advarra employee that was accessed by an unauthorized third party in October 2023. Baylor College of Medicine was first made aware of the email security incident in November 2023, with the Advarra investigation determining in February 2024 that research participants’ data had been exposed. Advarra reported the breach to the Maine Attorney General in February as affecting 4,656 individuals and involving names, other personal identifiers, and Social Security numbers. It is unclear whether that figure includes the research participants.

Baylor College of Medicine said the research participants’ data exposed in the attack related to breast cancer research and clinical trials at the Dan L Duncan Comprehensive Cancer Center between 1999 and 2013. Baylor College of Medicine said the breach involved names and dates of birth and that Advarra has offered affected individuals complimentary credit monitoring, fraud consultation, and identity theft restoration services.


Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million

In February, Harvard Pilgrim Health Care revised the total number of individuals affected by an April 2023 ransomware attack, increasing the total by more than 81,000 to 2,632,275 individuals. That total was increased for the fourth time on March 27, 2024, as the ongoing investigation identified more data that was compromised in the attack. Now, at least 2,860,795 individuals are known to have been affected.

The ransomware attack was discovered on April 17, 2023, with the forensic investigation determining there had been unauthorized access to its network between March 28, 2023, and April 17, 2023. The additional 228,520 affected individuals have now been notified by mail and the notification letters state the exact types of data that were likely compromised in the attack. Harvard Pilgrim Health Care said it is offering complimentary credit monitoring and identity protection services through IDX.

It is not unusual for data breach investigations to uncover additional compromised data. Further data identified as having been accessed in the attack included the information of patients of Brigham and Women’s Physician Organization (BWPO). BWPO is not part of Harvard Pilgrim, but an employee of Harvard Pilgrim Health Care Institute also worked at BWPO part-time. The employee had backed up the contents of their laptop to Harvard Pilgrim’s servers, and the backup file included BWPO data. BWPO learned of the data exposure in January 2024.

BWPO said the backup file included data from January 1, 2017, to May 1, 2019, including names, addresses, phone numbers, dates of birth, medical record numbers, health insurance numbers, and limited clinical information, such as lab results, procedures, medications, and diagnoses related to care provided at BWPO. A BWPO spokesperson said appropriate steps have been taken to address the breach and prevent similar incidents from occurring in the future.


California and North Dakota Hospitals Report Cyberattacks

Cyberattacks have been reported by Pembina County Memorial Hospital, Pomona Valley Hospital Medical Center, and Rancho Family Medical Group. The Massachusetts Department of Developmental Services has discovered that documents containing PHI had been left unsecured for a decade.

Pembina County Memorial Hospital

Pembina County Memorial Hospital in Cavalier, ND, has recently confirmed that unauthorized individuals gained access to its network and exfiltrated sensitive patient data. Suspicious activity was detected within its network on April 13, 2023, and after securing its systems, a forensic investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that there had been unauthorized access to its network between March 7, 2023, and April 13, 2023, and files had been exfiltrated from the network.

The forensic investigation and document review took almost a year, with the hospital stating in its breach notice that those processes were not completed until March 4, 2024. The types of information involved varied from individual to individual and may have included first and last names in combination with one or more of the following: address, phone number, email address, date of birth, driver’s license number, government identification number, vehicle identification number, passport number, Social Security number, patient ID account number, medical information, health information and/or health insurance information.

Pembina County Memorial Hospital said it has implemented additional cybersecurity safeguards, enhanced its cybersecurity training, and revised and updated its policies, procedures, and protocols. Complimentary identity monitoring and protection services have been offered to individuals whose Social Security numbers were involved. The breach is not yet showing on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Maine Attorney General indicates that 23,451 individuals have been affected.

Pomona Valley Hospital Medical Center

Pomona Valley Hospital Medical Center in California is notifying 13,345 individuals about a data breach at a subcontractor of one of its business associates. The hospital used a vendor to run its patient-management tool, and the vendor subcontracted out the storage of the underlying data to another company. In November 2023, the vendor was unable to access the patient management tool and worked with its subcontractor to address the problem. The access problems were due to a ransomware attack.

The attacker was discovered to have accessed patient data, including names, medical record numbers, dates of birth, and clinical information such as allergies, diagnoses, medications, and doctors’ notes. The hospital confirmed which data was involved, verified contact information, and has now sent notification letters to the affected individuals. The hospital has confirmed that it no longer uses the vendor or subcontractor in connection with patient data.

Rancho Family Medical Group

Rancho Family Medical Group, Inc., a 10-location Californian health system, has confirmed that it has been affected by a data breach at its business associate, KMJ Health Solutions, a provider of online signout and charge capture systems.

Rancho Family Medical Group was notified on January 11, 2024, that there had been unauthorized access to the KMJ Health Solutions network on November 19, 2023. The compromised parts of the network contained the protected health information of 10,480 individuals, including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. Rancho Family Medical Group mailed individual notifications to the affected individuals on March 11, 2024, along with information about the steps that the affected individuals can take to protect themselves against misuse of their data.

Massachusetts Department of Developmental Services

The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities across the state, has discovered physical records have been exposed and may have been accessed by unauthorized individuals.

Personal documents containing protected health information were inadvertently left in buildings that were part of the former Walter E. Fernald Developmental Center campus in Waltham, MA, which was sold to the city of Waltham in 2014. The records included the PHI of individuals served by DDS at the Fernald Developmental Center, as well as some staff records. DDS received a complaint about the documents on January 11, 2024, and visited the facilities to recover the documents the following day.

The documents had been improperly stored in the buildings since 2014 and many had degraded, so it was not possible to tell the exact types of information that had been exposed. Some documents contained names, dates of birth, diagnoses, medical information, medication/prescription information, and other treatment information. Financial account information or Social Security numbers have not been found, but DDS said it could not confirm whether those data types had been exposed due to the state of the documents. Similarly, it may not be possible to determine exactly how many people have been affected. An interim figure of 500 individuals was used when reporting the breach. DDS is now awaiting recommendations from the State Archivist and Secretary of State’s Office on how long the documents should be retained.


Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks

Health Plan Intermediaries Holdings (Benefytt) has been affected by a cyberattack on a vendor, Emergency Medical Services Authority said patient data was exposed in a February cyberattack, and the Bian Lian group has claimed responsibility for a cyberattack on Lindsay Municipal Hospital.

Bian Lian Hacking Group Claims Responsibility for Lindsay Municipal Hospital Cyberattack

Lindsay Municipal Hospital in Oklahoma has recently reported a hacking incident to the HHS’ Office for Civil Rights (OCR) that has affected 500 individuals, a number that is commonly used as a placeholder to meet the breach reporting requirements of the HIPAA Breach Notification Rule when the number of affected individuals has yet to be confirmed.

Aside from the report to OCR, Lindsay Municipal Hospital has remained quiet about the cyberattack and data breach; however, the group behind the attack has not. The Bian Lian hacking group has claimed responsibility for the attack and added Lindsay Municipal Hospital to its data leak site, including evidence to support its claims.

Bian Lian has been in operation since at least 2021 and favors attacks on healthcare providers, manufacturing companies, and law firms, where there is greater potential for a high ransom payment. The group engages in double extortion tactics, where data is stolen, and payment is required to prevent the release of that data and to obtain the keys to decrypt encrypted files. The listing states that the stolen data will be uploaded soon. It is unclear whether Lindsay Municipal Hospital is negotiating with the group.

Patient Data Stolen in Cyberattack on Emergency Medical Services Authority

The Emergency Medical Services Authority (EMSA) in Oklahoma City, OK, has announced that it fell victim to a cyberattack that saw unauthorized individuals gain access to its network between February 10, 2024, and February 13, 2024. The intrusion was detected on February 13, 2024, and systems were shut down to prevent further unauthorized access. The forensic investigation confirmed that the attackers exfiltrated files containing patient data including names, addresses, dates of birth, dates of service, and, for some individuals, the name of their primary care provider and/or Social Security number.

Notification letters have started to be mailed to the affected individuals, although EMSA has yet to publicly confirm how many individuals have been affected. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

Health Plan Intermediaries Holdings (Benefytt) Affected by Cyberattack on Vendor

Health Plan Intermediaries Holdings, which operates as Benefytt, has recently confirmed that it was affected by a data breach at a business associate of its vendor, MultiPlan Inc. MultiPlan used the law firm Orrick, Herrington & Sutcliffe, LLP, which suffered a ransomware attack. Benefytt said its systems and those of MultiPlan were unaffected; however, data provided to the law firm to perform its contracted duties was exposed and potentially compromised. The cyberattack was detected on March 13, 2023, and on March 10, 2023, Orrick, Herrington & Sutcliffe confirmed that files containing sensitive data had been stolen. Benefytt said neither MultiPlan nor Orrick could determine which health insurance plans were affected, and that it has been working with the two firms to obtain the information necessary to issue notifications.

Benefytt said it is notifying all affected individuals and is offering them complimentary credit monitoring services. Orrick, Herrington & Sutcliffe reported the breach to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals; however, the total was later revised upwards to 152,818 individuals, and the notification to the Maine Attorney General in December 2023 states that 637,620 individuals were affected. It is currently unclear how many MultiPlan/Benefytt health plan members have been affected.


Med-Data Settles Data Breach Lawsuit for $7 Million

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach, with the plaintiffs alleging that their protected health information had been negligently maintained and that the breach could have been prevented had appropriate cybersecurity measures been implemented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses due to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.