Healthcare data breaches increased by 21.4% month-over-month in August, with 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That makes August the second-worst month of 2023 for reported data breaches, well above the 2023 monthly average of 58.2 breaches. So far in 2023, 463 healthcare data breaches have been reported, slightly more than the 460 reported in the same period of 2022.
The number of breached records dropped by 34.3% month-over-month, but that is largely because July’s total was exceptionally high. Nearly 12 million exposed or stolen records were reported in August, above the 2023 average of 7.49 million records per month.
So far in 2023, the records of 71,479,579 individuals have been exposed or stolen. In the same period of 2022, which was itself regarded as a terrible year for breached healthcare records, 29.27 million records were breached. If breaches continue at the current rate, 2023’s total could reach 2015’s total of 112,466,720 breached records.
In August 2023, the HHS’ Office for Civil Rights received 26 reports of data breaches involving 10,000 or more records. Fifteen of those involved 100,000 or more records, and three involved more than 1 million records. Fifteen of the 26, including the month’s two largest breaches, stemmed from the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software published a security advisory about the vulnerability on May 31, 2023, and released a patch the same day, but the Clop group had already exploited the vulnerability. Clop exfiltrated data and demanded ransom payments, threatening to publish the stolen data on the group’s data leak site otherwise.
The scale of the exploitation is now becoming clearer. According to Kon Briefing’s tracking of MOVEit attack reports, 1,203 organizations have confirmed being affected, and the data of 54.2 to 59 million people was stolen. The ransomware remediation company Coveware estimates that the Clop group made $75 to $100 million from the ransomware attacks.
Three of August’s data breaches were attributed to ransomware attacks, although not all ransomware attacks are reported as such. The Royal ransomware group was responsible for two of the attacks on healthcare organizations. The Health Sector Cybersecurity Coordination Center issued an alert about Royal ransomware in December 2022, and CISA and the FBI warned about it in a joint cybersecurity advisory in March 2023.
The Largest Healthcare Data Breaches Reported in August 2023
- Colorado Department of Health Care Policy & Financing – 4,091,794 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Performance Health Technology – 1,750,000 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- PurFoods, LLC – 1,229,333 individuals affected by a ransomware attack
- Missouri Department of Social Services – 739,884 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Radius Global Solutions – 600,794 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- The Harris Center for Mental Health and IDD – 599,367 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Unum Group SACE – 531,732 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Virginia Dept. of Medical Assistance Services – 423,824 individuals affected by a hacking incident at a business associate
- El Centro Del Barrio d/b/a CentroMed – 350,000 individuals affected by a hacking incident
- Morris Hospital & Healthcare Centers – 248,943 individuals affected by a Royal ransomware attack
- EMS Management and Consultants Inc – 223,598 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Health Care Service Corporation – 192,231 individuals affected by a hacking incident at a business associate
- The University of Massachusetts Chan Medical School – 134,394 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Illinois Department of Public Health – 126,000 individuals affected by a hacking incident
- VNS Health Plans – 103,775 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- IEC Group, Inc. dba AmeriBen – 74,884 individuals affected by unauthorized access to an email account
- Data Media Associates – 74,730 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Milan Eye Center – 67,336 individuals affected by a hacking incident at a business associate, MedicWare Inc.
- American National Group, LLC – 47,711 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Blue Cross Blue Shield of Arizona – 47,485 individuals affected by a hacking incident at business associate TMG Health, with confirmed data theft
- Premera Blue Cross – 33,212 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Self-insured group health plans sponsored by the City of Dallas – 30,253 individuals affected by a Royal ransomware attack
- Baesman Group, Inc. – 24,757 individuals affected by the hacking of the MOVEit Transfer solution (Clop)
- Indiana University Health – 21,383 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Serco Inc. Group Health Plan – 10,140 individuals affected by the hacking of the MOVEit Transfer solution (Clop) at a business associate
- Absolute Dental Services – 10,037 individuals affected by an email account breach
Types of Data Breach and Data Locations
Most of August’s data breaches were categorized as hacking/IT incidents: 57 (83.8%) of the breaches and 11,815,507 (99.2%) of the breached records. The average and median sizes of these breaches were 207,290 and 8,175 records, respectively.
Causes of Healthcare Data Breaches in August 2023
The 10 breaches categorized as unauthorized access/disclosure incidents involved 90,468 records that were accessed or impermissibly disclosed; the average and median breach sizes were 9,047 and 1,434 records, respectively. One theft incident involved a stolen, unencrypted laptop computer holding approximately 4,000 records. No loss or improper disposal incidents were reported for the month. Across the hacking incidents, the most common location of breached data was network servers, followed by email accounts.
Where did the Data Breaches Take Place?
The raw data on the OCR breach portal shows that 30 healthcare providers, 19 health plans, and 19 business associates reported data breaches in August. These numbers do not tell the whole story, because the entity that submits a report is not always the entity that experienced the breach. Many breaches occurred at business associates of HIPAA-regulated entities, yet the covered entity, rather than the business associate, reported the incident to OCR.
Business associate breaches had average and median sizes of 250,875 and 10,037 records, respectively, compared with 89,344 and 8,487 records for health plans and 83,425 and 1,556 records for healthcare providers.
Geographical Distribution of Data Breaches
Data breach reports involving 500 or more records were submitted by HIPAA-covered entities in 33 states and the District of Columbia. Texas reported 7 data breaches and Illinois reported 6. California, Georgia, and Massachusetts reported 4 each. Indiana, New York, Virginia, and Pennsylvania reported 3 each. Colorado, Missouri, Minnesota, North Carolina, New Jersey, and Washington reported 2 each. Arizona, Connecticut, Iowa, Idaho, Florida, Kentucky, Louisiana, Michigan, Maryland, Mississippi, Ohio, Oregon, Oklahoma, South Carolina, Utah, Tennessee, Vermont, West Virginia, and the District of Columbia reported one data breach each.
HIPAA Enforcement Activity in August 2023
The HHS’ Office for Civil Rights announced one HIPAA enforcement action in August. OCR investigated a complaint against UnitedHealthcare and found a potential HIPAA Right of Access violation: the plan had failed to provide a patient with timely access to the requested health records, which were provided 6 months after the date of the request. UnitedHealthcare attributed the failure to an employee’s oversight and chose to settle the case and pay a penalty of $80,000. This was the 45th HIPAA Right of Access enforcement action by OCR to result in a financial penalty. State attorneys general announced no HIPAA enforcement actions in August, and the FTC resolved no cases under its Health Breach Notification Rule or the FTC Act during the month.