July 2023 Healthcare Data Breach Report – HIPAA Journal
July 2023 Healthcare Data Breach Report
There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.
There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.
The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.
Largest Healthcare Data Breaches Reported in July
HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.
The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
| --- | --- | --- | --- | --- | --- |
| HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking Incident – External, electronic storage facility used by a business associate |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus) |
| Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident |
| Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident |
| The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group) |
| New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident |
| Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc) |
| Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident |
| Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident |
| Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website |
| The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records |
Causes of July 2023 Data Breaches
Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.
There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.
Where did the Data Breaches Occur?
The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.
The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.
Geographical Distribution of Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.
| State | Breaches |
| --- | --- |
| Texas | 7 |
| Florida | 6 |
| California | 5 |
| Maryland, Pennsylvania & Tennessee | 4 |
| Arizona & North Carolina | 3 |
| Connecticut, Illinois & Minnesota | 2 |
| Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1 |
HIPAA Enforcement Activity in July 2023
There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.
Mandiant: Malicious Actors Use of Generative AI Remains Limited – HIPAA Journal
Mandiant: Malicious Actors Use of Generative AI Remains Limited
There is justifiable fear that malicious actors will leverage generative AI to facilitate their malicious activities; however, the adoption of generative AI by threat actors appears to be limited, certainly for intrusion operations. Mandiant reports that it has been tracking threat actor interest in generative AI, but its research and open source accounts indicate generative AI is only currently being used to a significant extent for social engineering and misinformation campaigns.
Mandiant has found evidence indicating generative AI is being used to create convincing lures for phishing and business email compromise (BEC) attacks. Malicious actors can create text output reflecting natural human speech patterns for phishing lures and enhance the complexity of language in their existing operations. Threat actors have used generative AI to manipulate video and voice content in BEC scams and to manipulate images to defeat know-your-customer (KYC) requirements. Evidence has also been obtained indicating financially motivated threat actors are using the malicious WormGPT tool to create convincing phishing and BEC lures.
Mandiant has previously demonstrated how malicious actors can use AI-based tools to support their operations, such as for processing open source information and stolen data for reconnaissance purposes. For example, state-sponsored intelligence services can use machine learning and data science tools on massive quantities of stolen and open-source data to improve data processing and analysis, improving the speed and efficiency of operationalizing collected information. In 2016, a system was demonstrated that can identify high-value targets from previous Twitter activity and generate convincing lures targeting individuals based on past tweets. Mandiant has also found evidence indicating a North Korean cyber espionage actor (APT43) has an interest in large language models (LLMs) and is using LLM tools, although it has yet to be established why the LLMs are being used.
Currently, one of the most effective uses of generative AI is for information operations. AI tools help information operation actors with limited resources and capabilities produce higher quality content at scale, and the tools increase their ability to create content that may have a stronger persuasive effect on their targeted audiences than was previously possible. “We believe that AI-generated images and videos are most likely to be employed in the near term; and while we have not yet observed operations using LLMs, we anticipate that their potential applications could lead to their rapid adoption,” suggest the researchers.
While there is limited evidence of threat actors leveraging LLMs for creating new malware and improving existing malware, this is an area that is expected to see significant growth. Mandiant reports that several threat actors are advertising services on underground forums on how to bypass restrictions on LLMs to get them to assist with malware development.
“While we expect the adversary to make use of generative AI, and there are already adversaries doing so, adoption is still limited and primarily focused on social engineering,” John Hultquist, Chief Analyst, Mandiant Intelligence, Google Cloud told The HIPAA Journal. “There’s no doubt that criminals and state actors will find value in this technology, but many estimates of how this tool will be used are speculative and not grounded in observation.”
While threat actors are expected to increasingly use generative AI for offensive purposes, AI-based tools currently offer far more benefits to defenders. “AI has been around for a while, but this is the inflection point where the general public has taken notice. Like any technological innovation, we expect adversaries are going to find applications for these tools. However, there is far greater promise for defenders who have the ability to direct the development of it,” said Sandra Joyce, VP, Mandiant Intelligence, Google Cloud. “We still own the technology. There are going to be people who will use AI for ill intent, but that shouldn’t stop us from leapfrogging ahead to out innovate the adversaries.”





