Healthcare data breaches dropped by 43% month-over-month. There were 54 data breaches involving 500 and up records reported to the HHS’ Office for Civil Rights. The reported number of breaches this April is the lowest to date in 2024, which is below the monthly average of 63 data breaches a month over the past 12 months.
Although the decrease in data breaches is good news, April was the worst month in 2024 about breached healthcare records. The 54 data breaches had 15,349,203 records reported as impermissibly disclosed or compromised. The number of breached records will likely increase since 5 breach reports had 500 or 501 records, which are placeholders frequently used for reporting breaches that are yet to confirm the number of impacted individuals.
Largest Healthcare Data Breach Reports in April 2023
The ransomware attack on Change Healthcare has not yet been reported to OCR. Although this is unquestionably 2024’s biggest data breach, the number of impacted persons remains unknown. In a House subcommittee hearing, CEO Andrew Witty of UnitedHealth Group (UHG) confirmed the theft of data in the attack but cannot state the exact number of individuals affected. He mentioned that approximately 1/3 of U.S. residents are potentially impacted by the ransomware attack, which may be over 110 million U.S. citizens.
The biggest verified data breach happened at Kaiser Foundation Health Plan. The personally identifiable information of 13.4 million people had been impermissibly disclosed during the attack. Similar to other healthcare companies, Kaiser used tracking technologies on its web pages and applications. When people visited web pages or used applications, the technologies transmitted information collected from those visits to third parties like Google, Microsoft (Bing), and X (Twitter). According to the guidance published by the HHS’ Office for Civil Rights in December 2022, with revision published in March 2023, when these tools acquire personally identifiable health information and send that information to third parties without having a signed business associate agreement, a HIPAA violation is committed.
The second biggest breach of April happened at Group Health Cooperative of South Central Wisconsin. A ransomware attack resulted in the theft of the PHI of 533,809 people. A number of cybercriminal groups have given up the use of ransomware and opted to focus on breaching systems, stealing information, and requiring payment to stop the exposure or selling of stolen data, like the case of the attacks on Otolaryngology Associates and Optometric Physicians of Middle Tennessee.
1. Kaiser Foundation Health Plan, Inc. – 13,400,000 individuals affected by impermissible disclosure of PHI caused by website tracking technologies
2. Group Health Cooperative of South Central Wisconsin – 533,809 individuals affected by ransomware attack and data theft
3. Knowles Smith & Associates, d/b/a Village Family Dental – 240,214 individuals affected by a hacked network server and potential data theft
4. LivaNova USA, Inc. – 180,000 individuals affected by a LockBit ransomware attack and data theft
5. OrthoConnecticut PLLC – 118,141 individuals affected by a hacked network server and potential data theft
6. Inland Physicians Billing Services – 77,434 individuals affected by hacked network server
7. Bluebonnet Trails Community Services – 76,165 individuals affected by unauthorized access to email accounts and potential data theft
8. Gaia Software, LLC – 56,676 individuals affected by hacked network server
9. Bridgeway Center, Inc. – 36,353 individuals affected by hacked network server and potential data theft
10. The Prudential Insurance Company of America – 36,092 individuals affected by a Blackcat ransomware attack and data theft
11. Blackstone Valley Community Health Care – 34,518 individuals affected by hacked network server and potential data theft
11. Politzer and Durocher, PLC d/b/a Optometric Physicians of Middle Tennessee – 29,000 individuals affected by a hacking incident, theft of PHI and extortion by BianLian threat group
11. Moffitt Cancer Center and Research Institute – 26,577 individuals affected by hacked network server at an anonymous business associate and data theft
12. University of Tennessee Health Science Center – 19,353 individuals affected by a hacked network server at KMJ Health Solutions and data theft
13. Aspire Health Alliance – 17,490 individuals affected by a hacked network server and data theft
14. Cattaraugus-Allegany Board of Cooperative Education Services – 15,203 individuals affected by a hacked network server and potential data theft
15. Bay Oral Surgery & Implant Center – 13,055 individuals affected by unauthorized access to email account and potential data theft
16. Somerset Dental Las Vegas – 11,321 individuals affected by hacked network server and potential data theft
Causes of Data Breach
Hacking plus other IT incidents make up 84.5% of April’s healthcare data breaches. Concerning breached records, hacks and ransomware attacks typically represent the majority of breached records; nevertheless, in April, unauthorized disclosures impacted a lot of people because of the huge breach at Kaiser. The protected health information (PHI) of 1,919,637 people was compromised or stolen during hacking and other IT incidents, which accounts for 12.5% of April’s breached records. The average and median breach sizes were 43,628 records and 6,812 records, respectively.
April’s 87.5% of breached records were caused by 8 unauthorized access/disclosure incidents. Those data breaches resulted in the unauthorized access or impermissible disclosure of the PHI of 13,428,243 people. The average and median breach sizes were 1,678,530 records, and 4,550 records, respectively.
Loss and theft of paper documents and electronic devices that contain PHI are now quite rare. April had no reported thefts, one loss incident affecting 755 paper documents, and one improper disposal incident affecting 568 paper documents.
Location of Breached PHI
The most frequent location of breached PHI was network servers, followed by email accounts. Email account breaches could be diminished with the implementation of phishing-resistant multi-factor authentication. Over 133,000 records were exposed in email breaches in April.
Where did the Data Breaches Occur?
The HIPAA Breach Notification Rule calls for reporting data breaches to OCR and sending notifications to the impacted persons. Whenever a data breach happens at a business associate, the affected covered entity must be informed by the business associate. Then, the covered entity is responsible for ensuring that OCR and the impacted individuals are alerted. As OCR lately reported in its FAQs concerning the Change Healthcare ransomware attack, there is an option for the covered entity to assign the business associate to issue the notices. Although this is usual, a few covered entities opted to send the notifications themselves.
Business associate data breaches are not always noticeable on the OCR data breach website. In April, the portal posted 34 breaches at healthcare providers with 1,012,114 impacted persons, 12 breaches at business associates impacted 1.919,637 people, 7 breaches at health plans affected 13,985,180 people, and one breach happened at a healthcare clearinghouse affecting 77,434 persons.
Healthcare Data Breaches by State
HIPAA-regulated entities in 26 U.S. states reported data breaches in April. California reported 7 breaches with 13,502,632 individuals affected. Washington reported 5 breaches that affected the PHI of about 15,489 people. That number will likely increase since two of the reported breaches indicated 500 and 501 records, which means the actual number of impacted persons is not yet confirmed. Tennessee reported 4 breaches affecting the records of no less than 49,404 people. Wisconsin only reported two breaches, yet it is the second worst impacted state with 546,864 records breached. Florida, New York, New Jersey, North Carolina, and Pennsylvania reported 3 each; Illinois, Maryland, Texas, Ohio, and Wisconsin reported 2 breaches; Arizona, Alabama, Connecticut, Georgia, Indiana, Idaho, Kentucky, Montana, Massachusetts, Nevada, New Hampshire and Rhode Island reported one breach each.
HIPAA Enforcement Activity in April 2024
In April, OCR settled its 48th HIPAA Right of Access case with a $100,000 civil monetary penalty issued on nursing care provider Essex Residential Care in New Jersey, also known as Hackensack Meridian Health, West Caldwell Care Center. Most cases under the HIPAA Enforcement Activity initiative are resolved with OCR; nonetheless, West Caldwell Care Center decided not to settle. West Caldwell Care Center confessed to the HIPAA Right of Access violation yet contended with OCR’s decision and the amount of penalty. West Caldwell Care Center asserted that a civil monetary penalty is arbitrary and would break the Administrative Procedure Act (APA). OCR disagreed and provided the opportunity to bring the case to an Administrative Law Judge; nevertheless, legal counsel of West Caldwell Care Center recommended to waive that right and decided to pay for the penalty.