The number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in February dropped with 59 data breaches involving 500 and up records reported.
The breaches reported dropped by 10.6% compared to January. The breaches reported dropped by 22% from December 2023 to January 2024. The average number of healthcare breaches reported per month over the past 12 months is 64.
The number of breached records in February was 5,130,515 records, which dropped by 41.7% compared to January. That figure is below the 12-month average of 8.9 million records a month. That number can still increase since three data breaches were reported with placeholders of 500 or 501 to satisfy HIPAA’s breach reporting requirements. The number of impacted individuals in the three breaches is not yet determined.
Largest Healthcare Data Breaches Reported in February 2024
February had 24 data breaches involving 10,000 healthcare records. The biggest breach involved 2.35 million records at Medical Management Resource Group, also known as American Vision Partners. Breaches at Unite Here and Eastern Radiologists involved 1.67 million breached records due to hacking incidents. Four breaches involving at least 10,000 records were not due to hacking.
Ransomware attacks still affect the healthcare sector, however, it is hard to ascertain the enormity of the problem because breach notifications seldom state if ransomware was involved. Ransomware groups usually steal information and expose it or peddle it when there is no ransom paid. When there is no explanation of the type of attack to the impacted persons, it is hard for them to correctly measure the amount of risk they deal with and make educated decisions concerning the actions they have to take to avoid the misuse of their personal data.
1. Medical Management Resource Group, L.L.C. – 2,350,236 individuals affected by a hacking incident with data theft
2. Eastern Radiologists, Inc – 886,746 individuals were affected by a hacking incident
3. UNITE HERE – 791,273 individuals affected by a hacking incident
4. Northeast Orthopedics and Sports Medicine, PLLC – 177,101 individuals affected by a hacking incident
5. Bold Quail Holdings, LLC (NewGen Administrative Services, LLC) – 105,425 individuals affected by a hacking incident
6. Prime Healthcare Employee Health Plan – 101,135 individuals affected by a hacking incident at Keenan & Associates, a business associate
7. Egyptian Health Department – 100,000 individuals affected by a hacking incident
8. Scurry County Hospital District dba Cogdell Memorial Hospital – 86,981 individuals affected by a hacking incident
9. MedQ, Inc. – 54,725 individuals affected by a ransomware attack with confirmed data theft
10. Coleman Professional Services Inc. – 51,889 individuals affected by email accounts breach
11. Greater Cincinnati Behavioral Health Services – 50,000 individuals affected by a hacking incident
12. Kirkland & Ellis LLP – 48,802 individuals affected by a hacking incident (MOVEit Transfer)
13. Employee Benefits Corporation of America and Benefit Design Group, Inc. – 38,912 individuals affected by a hacking incident
14. Washington County Hospital and Nursing Home – 29,346 individuals affected by a ransomware attack with confirmed data theft
15. Qualcomm Incorporated – 27,038 individuals affected by a hacking incident at a business associate
16. McKenzie County Healthcare System, Inc. – 21,000 individuals affected by a breach of email accounts
17. East Carolina University’s Brody School of Medicine – 19,085 individuals affected by an unauthorized access to a network server
18. Tiegerman – 19,000 individuals affected by a hacking incident
19. Human Affairs International of California – 18,347individuals affected by unauthorized Access/Disclosure of paper/films
20. Maryville, Inc. – 15,503 individuals affected by a breach of email account
21. Bay Area Anesthesia, LLC – 15,196 individuals affected by a hacking incident at Bowden Barlow Law, a business associate
22. AGC Flat Glass North America, Inc. Welfare Benefits Plan – 13,079 individuals affected by a hacking incident
23. Littleton Regional Healthcare – 12,614 individuals affected by a misdirected email
24. CVS Caremark Part D Services, L.L.C. (“CVS”) – 11,193 individuals affected by an unauthorized Access/Disclosure of paper/films
Causes and Location of Breached PHI
Hacking was the main reason for healthcare data breaches in February. There were 41 data breaches categorized as hacking/IT incidents, which is 69.5% of February’s data breaches. These incidents usually result in big numbers of breached records. In all the 41 breaches, the PHI of 5,017,167 persons was compromised, which is 97.8% of February’s breached records. The 16 biggest healthcare data breaches were due to hacking incidents. The average and median breach sizes were 122,370 records and 7,288 records, respectively.
HIPAA-covered entities had 16 data breaches reported as unauthorized access/disclosure incidents. Out of the 16 data breaches, 104,359 individuals’ records were viewed or impermissibly disclosed by unauthorized people. The biggest of those breaches was due to a phishing attack exposing the records of 21,000 people. The average and median breach sizes were 6,522 records and 2,516 records, respectively. There were two theft incidents affecting 8,989 individuals. Healthcare data was most commonly breached in network servers, then email accounts.
Although it isn’t possible to stop all data breaches, a lot could be averted by compliance with the HIPAA Security Rule and following OCR’s HPH Cybersecurity Performance Goals (CPGs). The CPGs are categorized as essential CPGs or advanced CPGs. The Essential CPGs deal with typical vulnerabilities, will considerably enhance an organization’s security and incident response, and lessen residual risk. The Enhanced CPGs are meant to mature the cybersecurity capabilities of HPH sector organizations and enhance their defenses against more attack vectors. An IBM study recently reported that 85% of cyberattacks involving critical infrastructure were preventable using basic security steps including those contained in the essential CPGs.
OCR’s data breach website indicates the following statistics:
- Healthcare providers reported 33 data breaches with 1,632,712 breached records
- Health plans reported 16 data breaches with 212,785 breached records
- Business associates reported 10 data breaches with 3,285,018 breached records.
Healthcare Data Breaches by State
In February, HIPAA-regulated entities in 27 states and the District of Columbia reported big healthcare data breaches. California reported the most number of breaches. However, Arizona reported the most number of breached records, which is 2,351,027 records from 2 incidents.
California reported 6 breaches. New York & Ohio reported 5. Illinois, Texas, and Kentucky reported 4 breaches. Alabama, Michigan, and Florida reported 3 each. Arizona, Rhode Island, and North Carolina reported 2 each. Colorado, Iowa, Georgia, Maryland, Missouri, Massachusetts, New Hampshire, North Dakota, New Jersey, Oklahoma, South Carolina, Pennsylvania, Tennessee, West Virginia, Virginia and the District of Columbia reported 1 each.
February 2024 HIPAA Enforcement Activity
In February, OCR publicized reaching two settlements with HIPAA-covered entities involving HIPAA compliance violations. OCR investigated Montefiore Medical Center based in New York City for a data breach by a malicious insider. The New York Police Department discovered the breach in 2015. An investigation in 2015 showed that an ex-employee stole the information of 12,517 patients in 2013. The case was only settled in February 2024.
OCR discovered multiple HIPAA violations, and the intensity of those problems demanded a substantial fine. Montefiore Medical Center’s violations included the failure to perform a risk analysis, implement regular evaluation of information system activity, and use hardware, software programs, and/or procedural systems that document and analyze activity in all IT systems that include or employ ePHI. Montefiore Medical Center had to pay a $4.75 million penalty to resolve the supposed HIPAA violations.
OCR likewise reported reaching a settlement with Green Ridge Behavioral Health with the payment of a $40,000 penalty. This was the second settlement involving a ransomware attack on a HIPAA-regulated entity. OCR confirmed that the entity failed to conduct a comprehensive risk analysis, control risks to the integrity, confidentiality, and availability of ePHI, and implement enough policies and procedures for checking logs of data system activity. These failures allowed a ransomware attack that resulted in the impermissible PHI disclosure involving over 14,000 patients.
State Attorneys General are also authorized to penalize HIPAA violations; nevertheless, there was no announcement of civil monetary penalties or settlements.