According to the Department of Health and Human Services Office for Civil Rights (OCR) breach website, the number of healthcare data breaches involving 500 or more records fell 12% month-over-month. HIPAA-covered entities reported 66 breaches in June, lower than the 73 breaches reported in June last year, but still higher than the 12-month average of 58 data breaches per month.
May was a notably bad month for data breaches, with over 19 million people having their protected health information (PHI) compromised or impermissibly disclosed, so the 73.67% month-over-month decrease in breached records in June is measured against an unusually high baseline. June had a total of 5,015,083 breached health records, lower than the 12-month average of 6 million records per month and lower than the 6,258,833 breached health records in June last year. Nevertheless, that is still more than 167,000 breached records per day, 17.6% higher than 2022’s daily average.
In quarter 1 of 2023, 41,452,622 healthcare records were compromised or impermissibly disclosed. That is only a few thousand records below the total for 2019 and just 10 million below the total for all of 2022.
June 2023 Biggest Healthcare Data Breaches
In June, OCR received 25 data breach reports with 500 or more records impacted; all except two were hacking/IT incidents. The biggest breach was a ransomware attack with data theft at the biotech and diagnostics firm Enzo Clinical Labs. Murfreesboro Medical Clinic & SurgiCenter likewise experienced a large breach involving theft of sensitive information, and the attacker issued a ransom demand to avert a data leak. Intellihartx was one of the firms affected by the Clop ransomware attack and data theft. The Clop ransomware group mass-exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution at the end of January.
It is becoming more common for HIPAA-covered entities to disclose only limited details in their breach notifications. Notifications frequently state only that unauthorized persons accessed the system and potentially accessed or removed patient data, even when data theft has been confirmed and the stolen data has been published on the ransomware group’s data leak site. This lack of detail makes it hard for breach victims to evaluate the magnitude of the risk they face.
Healthcare Data Breaches Involving 10,000 or More Records
1. Enzo Clinical Labs, Inc. – 2,470,000 individuals affected by hacking/IT Incident
2. Murfreesboro Medical Clinic & SurgiCenter – 559,000 individuals affected by hacking/IT Incident
3. Intellihartx, LLC – 489,830 individuals affected by hacking/IT Incident, hacking of Fortra GoAnywhere MFT Solution
4. Advanced Medical Management, LLC – 319,485 individuals affected by hacking/IT Incident
5. Great Valley Cardiology – 181,764 individuals affected by hacking/IT Incident involving data theft
6. Petaluma Health Center – 124,862 individuals affected by hacking/IT Incident
7. Imagine360 – 112,611 individuals affected by Unauthorized Access/Disclosure, hacking of Fortra GoAnywhere MFT and Citrix file transfer solutions
8. Kannact, Inc. – 103,547 individuals affected by hacking/IT Incident, hacking of Fortra GoAnywhere MFT Solution
9. Activate Healthcare LLC – 93,761 individuals affected by hacking/IT Incident with data theft
10. Desert Physicians Management – 56,556 individuals affected by hacking/IT Incident with data theft
11. ARx Patient Solutions – 41,166 individuals affected by Unauthorized Access/Disclosure
12. Orrick, Herrington & Sutcliffe LLP – 40,823 individuals affected by hacking/IT Incident
13. Tidewater Diagnostic Imaging, Ltd. – 40,195 individuals affected by hacking/IT Incident
14. Peachtree Orthopaedic Clinic – 34,691 individuals affected by hacking/IT Incident by Karakurt threat group
15. Atlanta Women’s Health Group – 33,839 individuals affected by hacking/IT Incident
16. Maimonides Medical Center – 33,000 individuals affected by hacking/IT Incident
17. Elgon Information Systems – 31,248 individuals affected by hacking/IT Incident
18. Community Research Foundation – 30,057 individuals affected by hacking/IT Incident
19. Mount Desert Island Hospital, Inc. – 24,180 individuals affected by hacking/IT Incident
20. Mercy Medical Center – Clinton, Inc. IA – 20,865 individuals affected by hacking/IT Incident
21. Ascension Seton – 17,191 individuals affected by hacking/IT Incident
22. John N. Evans, DPM – 15,585 individuals affected by hacking/IT Incident
23. New Horizons Medical, Inc – 12,317 individuals affected by hacking/IT Incident
24. CareNet Medical Group, PC – 10,059 individuals affected by hacking/IT Incident
25. Core Performance Physicians, dba Vincera Core Physicians – 10,000 individuals affected by hacking/IT Incident
Causes of Healthcare Data Breaches in June 2023
Hacking incidents continued to dominate the breach reports, accounting for over 77% of June’s data breaches and over 96% of breached records. A total of 4,818,457 records were exposed or breached in hacking incidents; the average and median breach sizes were 94,480 and 5,973 records, respectively. Fourteen unauthorized access/disclosure incidents were reported, covering a variety of events including unauthorized access to medical records, unsecured paper documents, mismailing incidents, and emailing errors. Across those incidents, 196,026 health records were impermissibly viewed or disclosed; the average and median breach sizes were 14,002 and 2,567 records, respectively. There was one incident involving 600 paper records that were improperly disposed of, and no reported cases of loss or theft. The most common location of breached PHI was network servers, followed by email accounts.
Distribution of Healthcare Data Breaches by State
HIPAA-covered entities in 31 states reported data breaches involving 500 or more records in June 2023. The worst affected state was Pennsylvania with 11 data breach reports. The high number is partly because six of those reports stem from two incidents that were reported separately by each affected company. Pennsylvania reported 11 breaches, California reported 5, and Massachusetts, New York, and Texas reported 4 each. Arizona and Minnesota reported 3 each, while Florida, Georgia, Michigan, Maryland, North Carolina, Ohio, Utah and Tennessee reported 2 breaches each. The following states reported one breach each: Alabama, Delaware, Illinois, Idaho, Iowa, Indiana, Kentucky, Kansas, Maine, Montana, Mississippi, New Jersey, Oregon, Oklahoma, South Carolina and Virginia.
June 2023 HIPAA Enforcement Activity
The Office for Civil Rights announced three enforcement actions in June 2023 to settle potential HIPAA violations. OCR determined that Yakima Valley Memorial Hospital had not implemented reasonable and appropriate policies and procedures to comply with the standards and implementation specifications of the Security Rule. The case was resolved with the hospital paying a $240,000 penalty.
OCR investigated Manasa Health Center for impermissible disclosures of PHI when it responded to negative online ratings by four patients. The case was resolved with Manasa Health Center agreeing to pay $30,000 as a penalty.
OCR investigated iHealth Solutions, dba Advantum Health, following a small data breach that exposed the ePHI of 267 patients. The investigation found that iHealth Solutions had not conducted an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was resolved with iHealth Solutions agreeing to pay a $75,000 penalty.
State attorneys general are also authorized to impose financial penalties for HIPAA violations, although their fines are frequently issued for violations of equivalent state laws instead. California imposed a financial penalty on Kaiser Permanente for violating the California Confidentiality of Medical Information Act (CMIA). The violation involved the impermissible disclosure of the personal data of around 175,000 individuals and the improper storage and/or disposal of health data. Kaiser Permanente settled the case by paying $450,000.