December had the second-highest number of data breach reports of any month in 2023. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received 74 reports of healthcare data breaches involving 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. Although further breach reports may still be submitted, as of January 18, 2024, 725 data breaches involving 500 or more healthcare records had been reported to OCR for 2023. This is the highest annual total since OCR began publishing breach reports on its “Wall of Shame.” In December alone, 11,306,411 healthcare records were breached.
Healthcare data breaches are growing in severity as well as in number. Some ransomware gangs have contacted patients directly and threatened to publish their sensitive health information. Many of the breaches reported in 2023 were very large; December alone saw two breaches of more than a million records each. 45.9 million records were breached in 2021 and 51.9 million in 2022. In 2023 the total rose to 133,068,542 breached records.
December 2023 Largest Healthcare Data Breaches
December saw two of the biggest data breaches of 2023. The largest occurred at HealthEC, a healthcare analytics software vendor based in New Jersey. Hackers gained access to a platform used by more than 1 million healthcare professionals to improve patient outcomes; the platform contained the PHI of 4,452,782 people. The breach exposed the health information of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new laws holding companies accountable for healthcare data breaches.
Business associate ESO Solutions, which provides software to hospitals, health systems, EMS agencies, and fire departments, reported a 2.7 million-record data breach. A ransomware attack resulted in a network intrusion and the encryption of files; at least 12 hospitals and health systems were affected.
Hackers also stole more than 900,000 records from a data archive of the defunct Fallon Ambulance Services, which Transformative Healthcare was retaining to meet data retention requirements. The data of approximately 543,000 patients was exposed in a cyberattack on Electrostim Medical Services.
Seven months after the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution, breach reports from that campaign are still being filed. More than 2,600 organizations worldwide had data stolen in the attacks, and the healthcare sector was the worst affected.
1. HealthEC LLC – 4,452,782 individuals affected by hacking incident with data theft
2. ESO Solutions, Inc. – 2,700,000 individuals affected by a ransomware attack
3. Transformative Healthcare (Fallon Ambulance Services) – 911,757 individuals affected by a hacking incident and data theft
4. Electrostim Medical Services, Inc. dba EMSI – 542,990 individuals affected by a hacking incident
5. Cardiovascular Consultants Ltd. – 484,000 individuals affected by a ransomware attack and data theft
6. Retina Group of Washington, PLLC – 455,935 individuals affected by a ransomware attack
7. CompleteCare Health Network – 313,973 individuals affected by a ransomware attack and data theft
8. Health Alliance Hospital Mary’s Avenue Campus – 264,197 individuals affected by a hacking incident and data theft
9. Independent Living Systems, LLC – 123,651 individuals affected by a MOVEit hacking incident
10. Pan-American Life Insurance Group, Inc. – 105,387 individuals affected by a MOVEit hacking incident
11. Meridian Behavioral Healthcare, Inc. – 98,808 individuals affected by a hacking incident
12. Mercy Medical Center – 97,132 individuals affected by a hacking incident at business associate (PJ&A)
13. Pan-American Life Insurance Group, Inc. – 94,807 individuals affected by a MOVEit hacking incident
14. Regional Family Medicine – 80,166 individuals affected by a hacking incident
15. HMG Healthcare, LLC – 80,000 individuals affected by a hacking incident and data theft
16. Heart of Texas Behavioral Health Network – 63,776 individuals affected by a hacking incident
17. Kent County Community Mental Health Authority d/b/a Network180 – 59,334 individuals affected by an unauthorized email account access
18. Highlands Oncology Group PA – 55,297 individuals affected by a ransomware attack
19. Southeastern Orthopaedic Specialists, PA – 35,533 individuals affected by a ransomware attack and data theft
20. Eye Physicians of Central Florida, PLLC – 31,189 individuals affected by a hacking incident and data theft
21. Clay County Social Services – 22,005 individuals affected by a ransomware attack and data theft
22. Bellin Health – 20,790 individuals affected by a hacking incident
23. Neuromusculoskeletal Center of the Cascades, PC – 19,373 individuals affected by an unauthorized email account access
24. Independent Living Systems, LLC – 19,303 individuals affected by a MOVEit hacking incident
25. Community Memorial Healthcare, Inc. – 14,798 individuals affected by a hacking incident
26. VNS Choice dba VNS Health Health Plans – 13,584 individuals affected by an unauthorized email account access
27. Hi-School Pharmacy – 12,779 individuals affected by a ransomware attack
Many HIPAA-covered entities provide the bare minimum of information in their breach notifications: enough to meet the legal requirements for breach reporting, but no more, to limit the risk of disclosing details that could be used against them in a lawsuit. This minimalist reporting causes problems for breach victims, who cannot properly assess the threat they face. They are not told how attackers gained access to healthcare systems or what kind of attack occurred, whether ransomware or data theft and extortion. Some breaches were reported in 2023 as hacking incidents with only a possibility of unauthorized access or data theft, even though the threat actors had already listed the breached entity on their data leak sites.
Causes and Locations of Data Breaches
Every December 2023 data breach involving 10,000 or more records was a hacking incident. In total, 62 of the 74 breaches (83.78%) were hacking incidents, and they accounted for 11,283,128 records, or 99.79% of all healthcare records breached in December 2023. The average and median sizes of these hacking breaches were 181,986 records and 6,728 records, respectively. Resilience to hacking incidents clearly needs to improve, and some action is being taken at the federal and state level.
In December 2023, HHS published its Healthcare Sector Cybersecurity Strategy, which sets out steps it plans to take to improve resilience to cyberattacks in the healthcare industry and protect patient safety. Whether these plans are realized depends on Congress providing the necessary funding. HHS is preparing to update the HIPAA Security Rule in 2024 and has said it will publish voluntary cybersecurity performance goals for the healthcare industry. It is also working with Congress to obtain funding to help hospitals cover the upfront cost of cybersecurity investments. New York has likewise announced that new cybersecurity requirements will be imposed on hospitals in the state following the sharp rise in cyberattacks, and that funding has been made available to help under-resourced hospitals make the necessary upgrades.
Eight breaches involving 14,998 records were classified as unauthorized access/disclosure incidents, with average and median breach sizes of 1,875 and 1,427 records, respectively. Four loss/theft incidents involving 8,285 records were reported in December: two involved stolen paper records and two involved lost electronic devices. The latter two could have been avoided had the devices been encrypted.
Most hacking incidents involved PHI stored on network servers, while in 14 breaches the exposed or stolen PHI was held in email accounts; three of those email breaches involved more than 10,000 records. According to the OCR breach portal, healthcare providers reported 49 breaches of 500 or more records in December, involving 3,730,791 records. Business associates reported 13 breaches involving 7,416,567 records, health plans reported 11 breaches involving 156,479 records, and one healthcare clearinghouse reported a breach of 2,574 records.
These figures do not tell the whole story, since the reporting entity is not always the one that suffered the breach. Many breaches occur at business associates of HIPAA-regulated entities but are reported to OCR by the covered entity. Adjusting for where each breach actually occurred, the average and median sizes of a business associate breach were 314,354 and 2,749 records, respectively; of a healthcare provider breach, 84,095 and 5,809 records; and of a health plan breach, 23,876 and 7,695 records.
Healthcare Data Breaches by State
In December, HIPAA-regulated entities in 32 states reported data breaches involving at least 500 records. California had the most with 8, followed by New York and Texas with 7 each. Florida had 6; Massachusetts had 4; New Jersey, Tennessee, and Wisconsin had 3 each. Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina, and Washington had 2 each. Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia, and West Virginia had 1 each.
OCR HIPAA Enforcement in December 2023
In December, OCR announced two enforcement actions against healthcare organizations for alleged violations of the HIPAA Rules. OCR’s 46th HIPAA Right of Access enforcement action concerned the failure of Optum Medical Care of New Jersey to provide individuals with timely access to their health records. Optum Medical Care agreed to pay a $160,000 financial penalty to settle allegations that patients had to wait between 84 and 231 days for their requested records, when the Privacy Rule requires them to be provided within 30 days.
OCR also announced its first-ever settlement arising from an investigation of a phishing attack. Lafourche Medical Group, based in Louisiana, suffered a phishing attack in 2021 that compromised the PHI of approximately 35,000 people. Falling victim to a phishing attack is not itself a HIPAA violation, but OCR’s investigation found several HIPAA Security Rule violations, including the absence of a risk analysis before the attack and the lack of procedures for regularly reviewing records of information system activity. Lafourche Medical Group settled the investigation by paying a $480,000 penalty.
That brings OCR’s total for 2023 to 13 enforcement actions involving financial penalties, with $4,176,500 collected from them. OCR has asked Congress to raise the penalties for HIPAA violations, both to deter violators and to give OCR the funds it needs to work through its backlog of HIPAA compliance investigations, particularly investigations of hacking incidents. OCR’s budget has remained essentially flat for many years, even allowing for annual inflation adjustments, while its caseload of breach investigations has grown considerably.
State Attorneys General HIPAA Enforcement
State attorneys general also have the authority to enforce HIPAA. In 2023 there were 16 enforcement actions by state attorneys general that resolved violations of HIPAA or of comparable state data breach notification and consumer protection laws. In December, New York Attorney General Letitia James announced two enforcement actions and Indiana Attorney General Todd Rokita announced one. New York has been particularly active, with 4 settlements of HIPAA violations in 2023 and participation in two multistate actions.
In December, AG James announced a settlement with Healthplex resolving alleged violations of New York’s data security and consumer protection laws relating to data retention, multi-factor authentication, logging, and data security assessments, failures that led to a cyberattack and a data breach affecting 89,955 people. Healthplex paid $400,000 to settle the case. AG James also investigated New York-Presbyterian Hospital over a reported breach of the health information of 54,396 people through its use of tracking tools on its website, which shared patient information with third parties including Meta and Google in violation of the New York Executive Law and the HIPAA Privacy Rule. That case was settled for $300,000.
The Indiana Attorney General investigated CarePointe ENT following a breach of the health data of 48,742 people. AG Rokita alleged that CarePointe ENT had known about the security weaknesses for several months before cybercriminals exploited them but failed to address them promptly, and that it had no business associate agreement in place with its IT services provider. The case was settled for $125,000.
The data for this report was obtained on January 18, 2024, from the U.S. Department of Health and Human Services’ Office for Civil Rights breach portal.