For the third month in a row, the number of reported healthcare data breaches has fallen. August had 49 reported breaches involving 500 or more records, which is below the typical 58 breaches a month. The number of data breaches dropped by 25.75% from July 2022, and the number of breached records dropped by roughly 30%.
Across those 45 data breaches, 3,741,385 healthcare records were impermissibly disclosed or exposed, far fewer than the 5,135,953 records breached in August 2021. However, this figure is slightly higher than the average of 3,382,815 breached healthcare records a month.
August 2022 Biggest Healthcare Data Breaches
In August 2022, the HHS’ Office for Civil Rights received 18 reports of healthcare data breaches involving 10,000 or more records. Note that the breached entity does not always report the precise nature of the breach, for instance whether ransomware was used to encrypt files.
To date, Novant Health is the only entity to have reported a breach involving the Meta Pixel tracking code, although investigations have shown that numerous healthcare companies placed the code snippet on their websites, including their patient portals. These privacy breaches have resulted in multiple lawsuits.
1. Novant Health Inc. – 1,362,296 individuals were affected by an unauthorized disclosure to Meta resulting from use of the Meta Pixel code snippet on its website
2. Practice Resources, LLC NY – 942,138 individuals were affected by a ransomware attack
3. Warner Norcross and Judd, LLP – 255,160 individuals were affected by a hacking and data theft incident
4. California Department of Corrections and Rehabilitation – 236,000 individuals were affected by a hacking incident
5. Conifer Revenue Cycle Solutions, LLC – 134,948 individuals were affected by the hacking of its Microsoft 365 environment
6. Common Ground Healthcare Cooperative – 133,714 individuals were affected by a ransomware attack on its business associate, OneTouchPoint
7. Methodist McKinney Hospital – 110,244 individuals were affected by a hacking and data theft incident
8. First Choice Community Health Care, Inc. – 101,541 individuals were affected by a hacking incident
9. Onyx Technology LLC – 96,814 individuals were affected by a hacking incident
10. EmergeOrtho – 68,661 individuals were affected by a ransomware attack
11. Lamoille Health Partners – 59,381 individuals were affected by a ransomware attack
12. Henderson & Walton Women’s Center, P.C. – 34,306 individuals were affected by a hacking incident
13. St. Luke’s Health System, Ltd. – 31,573 individuals were affected by a hacking incident that occurred at a billing vendor
14. Diego American Indian Health Center – 27,367 individuals were affected by a hacking and data theft incident
15. County Human Services Department – 25,610 individuals were affected by unauthorized access to email accounts
16. hStar HealthCare Consulting LLC – 18,354 individuals were affected by unauthorized access to email accounts
17. Methodist Craig Ranch Surgical Center – 15,157 individuals were affected by the hacking and data theft incident at Methodist McKinney
18. Valley Baptist Medical Center – 11,137 individuals were affected by the ransomware attack at Practice Resources
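The Novant Health entry above involved the Meta Pixel tracking snippet on a patient-facing website. As an added example that is not part of the original article and is not code from any organization it names, the following Python script scans HTML you have saved from your own portal for the indicators that Meta's publicly documented Pixel base code leaves in a page (the fbevents.js loader, the fbq('init') and fbq('track') calls, and the noscript image beacon to facebook.com/tr). The sample page and the pixel id in it are constructed.

```python
"""Scan saved patient-portal HTML for Meta Pixel tracking indicators.

Added example: not code from the article or from any organization it names.
Run it against HTML you have saved from your own site. The indicators are the
ones Meta's publicly documented Pixel base code leaves in a page: the
fbevents.js loader, fbq('init'/'track') calls and the <noscript> image beacon
to facebook.com/tr. The sample page and pixel id below are constructed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

Q = "['\"]"  # a single or double quote, as used in the JS snippet

# Indicator name -> regex; group 1 carries the detail worth reporting.
PIXEL_INDICATORS = {
    "fbevents_loader": re.compile(r"(connect\.facebook\.net/[A-Za-z_]+/fbevents\.js)", re.I),
    "fbq_init": re.compile(rf"fbq\(\s*{Q}init{Q}\s*,\s*{Q}(\d+){Q}", re.I),
    "fbq_track": re.compile(rf"fbq\(\s*{Q}track(?:Custom)?{Q}\s*,\s*{Q}([\w\s-]+){Q}", re.I),
    "noscript_beacon": re.compile(r"facebook\.com/tr\?([^\s'\">]+)", re.I),
}


@dataclass(frozen=True)
class Finding:
    indicator: str  # which pattern matched
    line: int       # 1-based line number in the HTML
    detail: str     # pixel id, event name, loader host/path or beacon query string


def find_pixel_indicators(html: str) -> list[Finding]:
    """Return every Meta Pixel indicator in the HTML, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for name, pattern in PIXEL_INDICATORS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(name, lineno, match.group(1)))
    return findings


def pixel_ids(findings: list[Finding]) -> set[str]:
    """Pixel ids passed to fbq('init', ...)."""
    return {f.detail for f in findings if f.indicator == "fbq_init"}


def tracked_events(findings: list[Finding]) -> list[str]:
    """Event names the page sends to Meta via fbq('track', ...), in order."""
    return [f.detail for f in findings if f.indicator == "fbq_track"]


def report(html: str, label: str = "page") -> str:
    """Human-readable summary of what the scan found on one page."""
    findings = find_pixel_indicators(html)
    if not findings:
        return f"{label}: no Meta Pixel indicators found"
    lines = [f"{label}: {len(findings)} Meta Pixel indicator(s) found"]
    for f in findings:
        lines.append(f"  line {f.line:>4}  {f.indicator:<16} {f.detail}")
    if pixel_ids(findings):
        lines.append(f"  pixel id(s): {', '.join(sorted(pixel_ids(findings)))}")
    if tracked_events(findings):
        lines.append(f"  events sent to Meta: {', '.join(tracked_events(findings))}")
    return "\n".join(lines)


# Constructed sample page: an appointment page carrying the Pixel base code.
SAMPLE_PORTAL_HTML = """<!doctype html>
<html><head><title>Patient Portal - Schedule an appointment</title>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
fbq('track', 'Schedule');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Choose a clinic and provider</h1></body></html>
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print(report(SAMPLE_PORTAL_HTML, "constructed sample"))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(report(fh.read(), path))
```

Run it with one or more saved HTML files as arguments, or with none to scan the constructed sample. It only inspects static markup, so a pixel injected at runtime by a tag manager will not appear; the event names it lists (PageView, Schedule) are what the page would send to Meta alongside the visitor's browser identifiers, which is why a scheduling or portal page carrying this code is worth flagging.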
The list above shows that hacking incidents remain a major problem for the healthcare sector, and ransomware is commonly used in these attacks. Increasingly, attackers conduct data theft and extortion attacks without deploying ransomware. The impact on patients can still be significant, but attacks that do not encrypt files cause less disruption. Nevertheless, new research by Proofpoint shows that patient safety concerns arise even after cyberattacks that do not involve ransomware: about 22% of healthcare companies reported a higher mortality rate after a major cyberattack, and 57% reported poorer patient outcomes.
Healthcare organizations remain prone to email account compromises, which often begin with phishing. The use of reverse proxies in phishing attacks has also increased, which lets threat actors steal login credentials and circumvent multifactor authentication to gain access to Microsoft (Office) 365 environments.
Causes of Healthcare Data Breaches in August 2022
Hacking/IT incidents accounted for 35 (71.4%) of August’s breaches. Those breaches resulted in the exposure or theft of 2,337,485 healthcare records, or 62.48% of all breached records reported. The mean and median breach sizes were 66,785 and 7,496 records, respectively.
Unauthorized access/disclosure was the cause of 10 breaches, affecting 1,398,595 records or 37.38% of the records breached in August. The mean and median breach sizes were 139,860 and 1,375 records, respectively; 1,362,296 of those records were associated with the Novant Health incident. Four breaches were loss/theft incidents (2 losses, 2 thefts) affecting 5,305 records, with mean and median breach sizes of 1,326 and 1,357 records, respectively.
Data Breaches Per Type of HIPAA-Regulated Entity
Healthcare providers reported 35 data breaches, business associates reported 9, and health plans reported 5. Business associates do not always report data breaches directly, as many HIPAA-covered entities choose to report breaches that occurred at their business associates themselves. Although 14 data breaches occurred at business associates in August, that is still far fewer than July’s 36 and June’s 40.
Data Breaches by State
In August, HIPAA-regulated entities in 26 states reported healthcare data breaches involving 500 or more records to the HHS’ Office for Civil Rights. Texas reported 8 data breaches and North Carolina 4. Arkansas, California, and Michigan reported 3 each. Colorado, Illinois, Florida, New York, Vermont, Wisconsin, and Washington reported 2 each. Arizona, Alabama, Georgia, Indiana, Idaho, Louisiana, Mississippi, Maryland, New Hampshire, New Mexico, New Jersey, Ohio, Pennsylvania, and Virginia each had 1 data breach reported.
August 2022 HIPAA Enforcement Activity
OCR announced one HIPAA enforcement action in August, related to improper PHI disposal. Of the past 25 enforcement actions with financial penalties issued by OCR, only 5 involved violations other than the HIPAA Right of Access.
OCR began investigating New England Dermatology and Laser Center after receiving a report on March 11, 2021 about the improper disposal of 58,106 patients’ PHI. Besides failing to render the PHI unreadable and indecipherable, the entity also failed to implement appropriate administrative safeguards. The improperly disposed empty specimen containers carried patient labels dated from 2011 to 2021. New England Dermatology and Laser Center paid a $300,640 penalty to resolve the case.
Melanie Fontes Rainer is now OCR’s Director. The department’s direction on HIPAA compliance enforcement is not yet clear, but HHS Secretary Xavier Becerra said that OCR will prioritize HIPAA Privacy Rule violations involving unauthorized disclosures of PHI related to sexual and reproductive health care, including abortion care.