Reported data breaches in July dropped by 15.2% with 56 breaches involving 500 and up records reported to the HHS OCR making July just an average month in terms of data breaches. In the last 12 months, the average number of breaches reported per month is 57 breaches; nevertheless, July is not considered an average month when it comes to the number of breached records.
Breached records in July increased by 261% month-over-month with 18,116,982 breached records reported across 56 incidents. The extremely high number was because of a big data breach that happened at HCA Healthcare that resulted in the exposure of 11,270,000 records.
To date, the running breach total for 2023 is 395 incidents with 59,569,604 records of individuals compromised or stolen. The average and median breach sizes are 150,809 records and 4,209 records, respectively. In the last 12 months, there were over 81.76 million records breached spanning 683 incidents.
Biggest Healthcare Data Breaches Reported in July
HCA Healthcare based in Nashville, TN is a health system that manages 182 hospitals and about 2,300 care facilties. Hackers acquired access to its external electronic database facility that a business associate used for automating the format of messages, for instance reminders emailed to patients concerning the booking of appointments. Although the incident was one of the biggest breaches ever reported, there was limited data stolen during the attack. HCA Healthcare stated the information exposed only included names, city, zip code, state, email address, phone number, birth date, gender, service date, place, and, in a number of cases, the next appointment date.
The Centers for Medicare and Medicaid Services (CMS) reported the second biggest breach with 1,362,470 Medicare recipients affected. This was more critical because of the types of information exposed. The breach happened at Maximus Federal Services, Inc. (Maximus), a contractor of CMS. Maximus was one the companies that was affected by the mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution of Progress Software. Progress Software discovered the vulnerability and released a patch on May 31, 2023; nevertheless, the Clop hacking group already exploited the vulnerability. It is still unknown how many victims were impacted by this breach; nevertheless, Kon Briefing has been monitoring the breach reports. At least 734 organizations had encountered exploitation of the vulnerability and 42.7 to 47.6 million records had been stolen during the attack. Clop didn’t encrypt information. It only stole files and sent ransom demands. To stop the exposure or selling of the stolen information, the ransom must be paid. In July, 26 breaches involving 10,000 and up records had been reported to OCR. Eleven were a result of the exploitation of the MOVEit vulnerability. All 26 except two breaches were caused by hacking incidents.
1. HCA Healthcare – 11,270,000 individuals affected by hacking/IT Incident
2. Centers for Medicare & Medicaid Services – 1,362,470 individuals affected by hacking/IT Incident involving MOVEit Transfer data theft/extortion (Maximus)
3. Florida Health Sciences Center, Inc. dba Tampa General Hospital – 1,313,636 individuals affected by hacking/IT Incident
4. Pension Benefit Information, LLC – 1,209,825 individuals affected by hacking/IT Incident involving MOVEit Transfer data theft/extortion
5. Allegheny County – 689,686 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
6. United Healthcare Services, Inc. Single Affiliated Covered Entity – 398,319 individuals affected by hacking/IT Incident
7. Johns Hopkins Medicine – 310,405 individuals affected by hacking/IT Incident involving MOVEit Transfer data theft/extortion
8. Harris County Hospital District d/b/a Harris Health System – 224,703 individuals affected by hacking/IT Incident involving MOVEit Transfer data theft/extortion
9. Precision Anesthesia Billing LLC – 209,200 individuals affected by hacking/IT Incident
10. Fairfax Oral and Maxillofacial Surgery – 208,194 individuals affected by hacking/IT Incident
11. The Chattanooga Heart Institute – 170,450 individuals affected by hacking/IT Incident and data theft
12. Phoenician Medical Center, Inc – 162,500 individuals affected by hacking/IT Incident and data theft
13. UT Southwestern Medical Center – 98,437 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
14. Hillsborough County, Florida (County Government) – 70,636 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
15. Family Vision of Anderson, P.A. – 62,631 individuals affected by hacking/IT incident involving a ransomware attack
16. Jefferson County Health Center – 53,827 individuals affected by hacking/IT Incident and data theft by the Karakurt threat group
17. New England Life Care, Inc. – 51,854 individuals affected by hacking/IT Incident
18. Care N’ Care Insurance Company, Inc. – 33,032 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion (TMG Health Inc)
19. Synergy Healthcare Services – 25,772 individuals affected by hacking/IT Incident
20. Rite Aid Corporation – 24,400 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
21. Life Management Center of Northwest Florida, Inc. – 19,107 individuals affected by hacking/IT Incident
22. Saint Francis Health System – 18,911 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
23. Pennsylvania Department of Human Services – 16,390 individuals affected by unauthorized Access/Disclosure due to a hacking incident 24. The Vitality Group, LLC – 15,569 individuals affected by hacking/IT Incident involving the MOVEit Transfer data theft/extortion
25. Wake Family Eye Care – 14,264 individuals affected by hacking/IT Incident and ransomware attack
26. East Houston Med and Ped Clinic – 10,000 individuals affected by unauthorized access/disclosure of boxes of patient records
Causes of July 2023 Data Breaches
The majority of the breach reports in July were hacking incidents, with 49 breach reports submitted to OCR affecting 18,083,328 records. The average and median breach sizes were 369,048 records and 9,383 records, respectively. Most of these cases were data theft and extortion incidents involving hackers that acquired access to systems, stole information, and demanded ransom payments. A lot of hacking groups are already opting not to do file encryption and are focusing on data theft and extortion.
Entities reported 7 unauthorized access/disclosure incidents that affected the PHI of 33,654 persons. The average breach and median breach sizes were 4,808 records and 1,541 records, respectively. Three incidents were email-related data breaches and
three incidents were unauthorized access to paper documents. There were no reports of data theft, loss, or impermissible disclosure of physical documents or devices that contain electronic PHI.
Location of Data Breaches
The OCR breach portal posts the data breaches reported by covered entities, even though that is not always where the data breach happened. Business associates of covered entities may submit their own breach reports, or the covered entity may submit it, or a combination of the two. For example, Maximus submitted a breach report of its MOVEit Transfer incident that affected 932 people, however, a lot of its clients were impacted and millions of people were impacted. The breach portal shows 37 breaches reported by healthcare providers, 11 breaches were reported by business associates, 7 by health plans, and one by a healthcare clearing house.
Data Breaches by State
Data breach reports involving 500 and up records were submitted by HIPAA-covered entities in 25 states. Texas state reported 7 breaches, Florida reported 6 and California reported 5. Maryland, Pennsylvania, and Tennessee reported 4 breaches each. Arizona & North Carolina reported 3 each. Connecticut, Illinois, and Minnesota reported 2 each. Georgia, Indiana, Idaho, Iowa, Kentucky, Michigan, Maine, New Jersey, New York, Oklahoma, Ohio, South Carolina, Washington and Virginia reported one each.
HIPAA Enforcement Activity in July 2023
OCR or state attorneys general did not announce any enforcement action in July.