The number of reported healthcare data breaches dropped by 17.5% in April, with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR). That is below the 12-month average of 58 breaches per month.
April 2023 Healthcare Data Breaches
April saw one of the year’s largest healthcare data breaches, yet the number of breached records fell by a notable 30.7% month over month. The total of 4,425,891 records is below the monthly average of 4.9 million records, although it is higher than the number of records exposed in April 2022.
April 2023 Biggest Healthcare Data Breaches Reported
The largest breach reported in April affected 3,037,303 people. It is the third biggest breach reported by a single HIPAA-regulated entity so far this year, and the 19th biggest reported by a single entity to date. The breach occurred at NationsBenefits Holdings, a HIPAA business associate, and was the result of a data theft and extortion attack by the Clop ransomware group that exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. Of the 21 breaches of 10,000 or more records this month, 8 were due to Clop’s GoAnywhere attacks, including April’s top 5 breaches. Brightline, Inc., another business associate, was also attacked, and its breach was reported separately on behalf of 9 covered-entity clients. The Clop attack on Brightline affected the protected health information (PHI) of more than 964,000 people.
Eighteen of the 21 breaches of 10,000 or more records were hacking incidents. The other three were unauthorized PHI disclosures: one involved tracking technologies and two were mailing errors. Although most of the breached records came from ransomware and data theft/extortion attacks, phishing, business email compromise (BEC), and other email account compromises remain common: five of the top 21 breaches involved hacked email accounts. HIPAA-regulated entities should provide security awareness training to reduce susceptibility to these attacks and enforce multifactor authentication on all email accounts, preferably a phishing-resistant form of multifactor authentication.
1. NationsBenefits Holdings, LLC – 3,037,303 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
2. Brightline, Inc. – 462,241 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
3. Brightline, Inc. – 199,000 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
4. Brightline, Inc. – 180,694 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
5. California Physicians’ Services dba Blue Shield of California – 61,790 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
6. MiniMed Distribution Corp. – 58,374 individuals affected by unauthorized disclosure of PHI to Google and other third parties
7. Brightline, Inc. – 49,968 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
8. United Steelworkers Local 286 – 37,965 individuals affected by hacked email account
9. Retina & Vitreous of Texas, PLLC – 35,766 individuals affected by hacking incident
10. Brightline, Inc. – 31,440 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
11. Brightline, Inc. – 21,830 individuals affected by hacking and extortion (Fortra GoAnywhere MFT)
12. Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) – 20,815 individuals affected by hacking incident at Independent Living Systems, a business associate
13. Lake County Health Department and Community Health Center – 17,000 individuals affected by hacked email account
14. Southwest Healthcare Services – 15,996 individuals affected by hacking incident (data theft confirmed)
15. La Clínica de La Raza, Inc. – 15,316 individuals affected by hacked email accounts
16. St. Luke’s Health System, Ltd. – 15,246 individuals affected by paper/films exposed through a mailing error
17. Two Rivers Public Health Department – 15,168 individuals affected by hacked email account
18. Robeson Health Care Corporation – 15,045 individuals affected by malware infection
19. Northeast Behavioral Health Care Consortium – 13,240 individuals affected by hacked email account (Phishing)
20. Centers for Medicare & Medicaid Services – 10,011 individuals affected by paper/films exposed through a mailing error at Palmetto GBA, a business associate
21. Modern Cardiology Associates – 10,000 individuals affected by hacking incident
Causes of Healthcare Data Breaches in April 2023
Hacking and other IT incidents accounted for the majority of the breach reports (36, or 69.2%) and for the bulk of the breached records: 4,077,019 records, 92.1% of the month’s total, were exposed or stolen in those incidents. The average and median sizes of those breaches were 119,914 and 9,675 records, respectively.
Ransomware attacks persist, but tactics have changed: many ransomware groups now steal data and extort victims without encrypting files. That is how Clop operated here, exploiting a zero-day vulnerability in the Fortra GoAnywhere MFT solution. BianLian, another group that previously deployed ransomware, has this year conducted extortion-only attacks. Twelve of April’s breaches (40%) involved hacked email accounts, underlining the value of security awareness training and multifactor authentication.
April had 13 unauthorized access/disclosure incidents. One was the 58,374-record MiniMed incident, in which tracking technologies on the company’s website sent sensitive information to Google and other third parties. Across those 13 breaches, 105,155 records were impermissibly disclosed; the average and median breach sizes were 8,089 and 1,304 records, respectively.
There were also two theft incidents affecting 3,321 records and one improper disposal incident affecting 501 records. The 501 figure is a placeholder: the Breach Notification Rule requires a count of affected individuals to be reported, and the actual number has yet to be confirmed.
Location of PHI in Healthcare Data Breaches
The raw data on the OCR breach portal lists the reporting entity, which in some cases is a HIPAA-covered entity even though the breach actually occurred at a business associate. By reporting entity, 31 of April’s breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates.
Healthcare Data Breaches by HIPAA-regulated entity type
Although healthcare providers reported the most breaches, the majority of the breached records were attributable to data breaches at business associates.
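The breakdowns above, by cause and by business-associate involvement, can be reproduced from the CSV export of the OCR breach portal. The following is an added example, not code from the original page or from OCR; the column names are my assumption of the portal’s export format and should be checked against a downloaded file, and the rows embedded in it are constructed sample data, not the real April 2023 entries.

```python
"""Aggregate OCR breach-portal style records by breach type.

Added example. Column names are assumed to match the HHS OCR breach
portal CSV export; the sample rows are constructed and not real entries.
"""
import csv
import io
from collections import defaultdict
from statistics import mean, median

# Constructed sample data in the shape of the portal export (not real breaches).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Benefits Co,FL,Business Associate,3000000,04/13/2023,Hacking/IT Incident,Network Server,Yes
Example Health Plan,CA,Health Plan,60000,04/20/2023,Hacking/IT Incident,Network Server,Yes
Example Clinic,TX,Healthcare Provider,9000,04/05/2023,Hacking/IT Incident,Email,No
Example Hospital,NY,Healthcare Provider,15000,04/11/2023,Unauthorized Access/Disclosure,Paper/Films,No
Example Practice,PA,Healthcare Provider,1300,04/18/2023,Unauthorized Access/Disclosure,Email,No
Example Pharmacy,OH,Healthcare Provider,501,04/25/2023,Improper Disposal,Paper/Films,No
"""


def load_rows(text):
    """Parse portal-style CSV text; the affected count becomes an int."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Individuals Affected"] = int(r["Individuals Affected"].replace(",", ""))
        rows.append(r)
    return rows


def summarize_by_type(rows):
    """Per breach type: report count and share, record count and share,
    mean and median breach size. Shares are against the month's totals,
    which is how the 'Causes' section above expresses them."""
    total_reports = len(rows)
    total_records = sum(r["Individuals Affected"] for r in rows)
    sizes_by_type = defaultdict(list)
    for r in rows:
        sizes_by_type[r["Type of Breach"]].append(r["Individuals Affected"])
    summary = {}
    for kind, sizes in sizes_by_type.items():
        summary[kind] = {
            "reports": len(sizes),
            "report_share_pct": round(100 * len(sizes) / total_reports, 1),
            "records": sum(sizes),
            "record_share_pct": round(100 * sum(sizes) / total_records, 1),
            "mean": round(mean(sizes)),
            "median": median(sizes),
        }
    return summary


def business_associate_share(rows):
    """Fraction of breached records where a business associate was present.

    The reporting entity is often the covered entity even when the breach
    happened at a vendor, so the 'Business Associate Present' flag, not the
    entity type, is the field to aggregate on."""
    total = sum(r["Individuals Affected"] for r in rows)
    ba = sum(r["Individuals Affected"] for r in rows
             if r["Business Associate Present"].strip().lower() == "yes")
    return ba / total if total else 0.0


def placeholder_reports(rows):
    """Names of reports filed with a 500/501 placeholder count, which
    usually means the true number of affected individuals is unconfirmed."""
    return [r["Name of Covered Entity"] for r in rows
            if r["Individuals Affected"] in (500, 501)]


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    for kind, stats in summarize_by_type(data).items():
        print(kind, stats)
    print("business associate share of records:",
          round(business_associate_share(data), 3))
    print("placeholder counts:", placeholder_reports(data))
```

Run it against a real download by replacing SAMPLE_CSV with the file contents; filter on the submission date column first if the file covers more than one month.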
Geographical Distribution of April 2023 Healthcare Data Breaches
Breaches of 500 or more records were reported by HIPAA-regulated entities in the following states. California was the worst affected state with 16 breaches, 9 of which were the same incident at Brightline, Inc. reported separately for each of its affected clients.
- California 16
- New York & Pennsylvania 3
- Illinois, Ohio, Kentucky, & Texas 2
- Alabama, Arizona, Iowa, Idaho, Minnesota, Maryland, Michigan, North Carolina, Nebraska, North Dakota, Oregon, Virginia, Utah, West Virginia, Wisconsin, Washington & Puerto Rico 1
April 2023 HIPAA Enforcement Activity
No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA or state laws, and the Federal Trade Commission announced no enforcement actions under its Health Breach Notification Rule.