Reported healthcare data breaches have fallen for two consecutive months. December 2022 had 40 data breaches involving 500 or more healthcare records, the lowest monthly total of 2022. The number of breaches reported to the Department of Health and Human Services' Office for Civil Rights (OCR) was 29.7% below the 2022 monthly average. The year had a total of 683 data breaches, 4.3% fewer than in 2021.
In December, 2,174,592 healthcare records were exposed, below the 2022 monthly average of 3,986,025 records and 68.5% fewer than in November. Although this is good news, 2022 was still the second-worst year on record for healthcare data breaches, with more than 47 million records breached.
December 2022 Biggest Healthcare Data Breaches
Thirteen data breaches involving 10,000 or more healthcare records were reported to OCR in December. Ransomware attacks continue to plague the healthcare sector: 5 of the 13 largest breaches involved ransomware, two of which affected the protected health information (PHI) of more than 600,000 individuals. According to a recent study, ransomware attacks on the healthcare sector more than doubled between 2016 and 2021, although reliable data on how often ransomware is used in cyberattacks is becoming harder to obtain because of a lack of standardized reporting. While healthcare organizations of all sizes are targeted, a recent Delinea report found that ransomware groups tend to focus their efforts on larger healthcare organizations.
1. CommonSpirit Health – 623,774 individuals were affected by a ransomware attack on a business associate
2. Metropolitan Area EMS Authority dba MedStar Mobile Healthcare – 612,000 individuals were affected by a ransomware attack
3. Avem Health Partners – 271,303 individuals were affected by a hacking incident that happened at a business associate
4. Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System – 269,752 individuals were affected by a ransomware attack
5. Fitzgibbon Hospital – 112,072 individuals were affected by a ransomware attack
6. Monarch – 56,155 individuals were affected by a hacking incident
7. Ola Equipment LLC – 39,000 individuals were affected by a hacking incident
8. The Elizabeth Hospice – 35,496 individuals were affected by a staff member who emailed PHI to a personal account
9. Legacy Operating Company d/b/a Legacy Hospice – 21,202 individuals were affected by compromised email accounts
10. Employee Group Insurance Benefits Plan of Acuity Brands, Inc. – 20,849 individuals were affected by a hacking incident (data theft confirmed)
11. San Gorgonio Memorial Hospital – 16,846 individuals were affected by a hacking incident (data theft confirmed)
12. Hawaiian Eye Center – 14,524 individuals were affected by a ransomware attack
13. Foundcare, Inc. – 14,194 individuals were affected by a compromised email account
Causes of Healthcare Data Breaches in December 2022
Hacking and other IT incidents still dominate the breach reports and typically involve far more records than other types of breach. In December, 28 incidents (70% of the total) were classified as hacking/IT incidents, and they exposed or impermissibly disclosed 1,965,032 healthcare records (90.4% of all breached records). The average and median breach sizes were 70,180 and 4,152 records, respectively. Twenty of this month's breaches involved compromised network servers and 12 involved compromised email accounts.
The risk of email-related data breaches can be substantially reduced by giving employees regular security awareness training, as required by the HIPAA Security Rule, and by using multi-factor authentication, with phishing-resistant FIDO-based MFA offering the strongest protection. HIPAA-regulated entities should also ensure their password management practices are up to date. A recent audit of the Department of the Interior revealed many password management failings that are also common in the healthcare industry.
In December, 10 unauthorized access/disclosure breaches affected 168,386 records; the average and median breach sizes were 16,839 and 1,739 records, respectively. These breaches have declined in recent years thanks to improved HIPAA training and monitoring of medical record access. Two loss/theft incidents affecting 41,174 records were reported, both of which could have been prevented by encrypting the devices.
December Data Breaches Reported by HIPAA-Covered Entity Type
Healthcare providers reported 24 breaches involving 500 or more records, business associates reported 11, and health plans reported 5. Two of the breaches reported by healthcare providers involved a business associate.
December 2022 healthcare data breaches – HIPAA-regulated entity type
States Impacted by Data Breaches in December 2022
HIPAA-regulated entities in 22 states reported healthcare data breaches. California reported 4 breaches. Florida, New York, Washington and Texas each reported 3. Georgia, Illinois, Hawaii, Missouri, Massachusetts, South Dakota and Virginia each reported 2. Alabama, Louisiana, Connecticut, Maryland, Nebraska, North Carolina, Oklahoma, Rhode Island, West Virginia and Wisconsin each reported 1.
2022 HIPAA Enforcement Activity
OCR issued two financial penalties to settle HIPAA violations. The Health Specialists of Central Florida case stemmed from an investigation into a HIPAA Right of Access violation: a woman was not promptly provided with a copy of her deceased father's health records, which were delivered only after 5 months. Health Specialists of Central Florida settled the case with a $20,000 financial penalty, the 42nd issued under OCR's HIPAA Right of Access enforcement initiative.
New Vision Dental, based in California, also settled a HIPAA violation case with OCR in 2022, though not a Right of Access case. OCR investigated after receiving complaints that the practice had impermissibly disclosed patient information online in responses to negative Yelp reviews; OCR also identified a problem with its Notice of Privacy Practices. The practice paid $23,000 to OCR. Including these two cases, OCR resolved 22 HIPAA violation cases in 2022.
State attorneys general are also authorized to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah into a phishing attack on Avalon Healthcare resulted in a financial penalty. The investigation found that Avalon Healthcare violated state law and the HIPAA Security Rule by failing to implement adequate safeguards against phishing attacks, and violated breach notification rules through an unreasonable delay in sending breach notification letters, which went out 10 months after the breach was discovered. The case was settled for $200,000.