November had 31% fewer healthcare data breaches reported than October 2022. A total of 49 breaches involving 500 or more records were reported, below the 12-month average of 58 breaches per month. So far in 2022, 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights, making this year the second worst year ever for healthcare data breaches.
Although the number of reported breaches dropped, the number of breached records rose by 10% from the previous month. In November, 6,904,441 healthcare records were exposed or impermissibly disclosed, making it the worst month of 2022 in terms of breached healthcare records. The 12-month average is 3.99 million records per month, and 44,852,648 healthcare records have been breached so far in 2022.
November’s Biggest Healthcare Data Breaches
There were 17 breaches affecting 10,000 or more records reported to OCR in November. Five of the 17 affected more than half a million records, and three affected more than 1 million records. The biggest data breach involved a hacked network server at Pennsylvania-based Connexin Software. An unauthorized person gained access to an offline collection of patient information that was used for data conversion and troubleshooting, resulting in the exposure and potential theft of 2,216,365 patients’ records.
Indiana-based Community Health Network announced an impermissible disclosure of the protected health information (PHI) of around 1.5 million individuals. The healthcare provider used tracking code on its website that transferred patient data to third parties such as Meta and Google, without patient consent or a signed business associate agreement. Several healthcare companies have reported similar breaches, prompting OCR to issue a warning to HIPAA-covered entities about the use of tracking technologies on their websites and mobile apps.
Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that compromised the PHI of around 1,195,220 individuals. The Michigan prosthetics and orthotics company Wright & Filippis and West Virginia-based Health Care Management Solutions also reported major ransomware attacks.
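The Community Health Network incident above illustrates how third-party tracking code can leak PHI: the tracker is loaded on patient-facing pages and reports the page URL (and often its query string) back to the vendor. The following is an added example, not code from the original article or from any of the organizations named in it. It is a small audit helper a privacy or security team could run over captured outbound requests from a patient portal to flag calls to third-party tracking hosts that carry patient-specific context. The first-party host, the list of tracking hosts, the marker words and the sample requests are all constructed for this example.

```javascript
// Added example (not from the original article). Reviews captured outbound
// requests from a healthcare website and flags requests to third-party
// tracking endpoints that carry page context suggesting patient-specific data.

// Assumed first-party host (constructed for this example).
const FIRST_PARTY_HOST = "portal.example-health.test";

// Hosts treated as third-party tracking/analytics endpoints (constructed list).
const TRACKING_HOSTS = new Set([
  "www.facebook.com",          // Meta Pixel collection endpoint
  "www.google-analytics.com",
  "analytics.google.com",
]);

// Path/query fragments that suggest patient-specific context is being sent
// (constructed list; a real audit would use the portal's own URL vocabulary).
const SENSITIVE_MARKERS = ["appointment", "patient", "condition", "provider", "mrn"];

// requests: [{ url: string, referrer?: string }] as captured from a browser
// HAR export or proxy log. Returns one finding per third-party request.
function auditRequests(requests) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (url.host === FIRST_PARTY_HOST) continue; // first-party traffic is expected

    const isTracker = TRACKING_HOSTS.has(url.host);
    // Inspect the tracker URL itself (trackers commonly echo the page URL in a
    // query parameter) as well as the referring page URL.
    const haystack = [url.pathname, url.search, req.referrer ?? ""]
      .join(" ")
      .toLowerCase();
    const markers = SENSITIVE_MARKERS.filter((m) => haystack.includes(m));

    findings.push({ host: url.host, isTracker, markers });
  }
  return findings;
}

// Only tracker requests that carry sensitive context need escalation.
function highRiskFindings(findings) {
  return findings.filter((f) => f.isTracker && f.markers.length > 0);
}

// Constructed sample capture: one first-party API call, one Meta Pixel call
// that echoes the appointment page URL, and one benign CDN asset load.
const SAMPLE_REQUESTS = [
  {
    url: "https://portal.example-health.test/api/appointments",
    referrer: "https://portal.example-health.test/appointments",
  },
  {
    url: "https://www.facebook.com/tr?id=000000&ev=PageView&dl=https%3A%2F%2Fportal.example-health.test%2Fappointments%3Fprovider%3Doncology",
    referrer: "https://portal.example-health.test/appointments?provider=oncology",
  },
  {
    url: "https://cdn.example-static.test/app.js",
    referrer: "https://portal.example-health.test/",
  },
];

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditRequests(SAMPLE_REQUESTS);
  console.log(JSON.stringify(findings, null, 2));
  console.log("High-risk:", highRiskFindings(findings).map((f) => f.host));
}
```

In practice the input would come from a browser HAR export or a proxy log gathered while walking through authenticated portal pages, since that is where the appointment, provider and condition context that OCR's guidance is concerned with actually appears in URLs.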
1. Connexin Software, Inc. – 2,216,365 individuals affected by hacking/IT incident
2. Community Health Network, Inc. – 1,500,000 individuals affected by unauthorized access/disclosure of PHI (website tracking code transferred PHI to third parties)
3. Doctors’ Center Hospital – 1,195,220 individuals affected by hacking/IT incident
4. Wright & Filippis LLC – 877,584 individuals affected by hacking/IT incident
5. Health Care Management Solutions, LLC – 500,000 individuals affected by hacking/IT incident
6. Gateway Rehabilitation Center – 130,000 individuals affected by hacking/IT incident
7. Mena Regional Health System – 84,814 individuals affected by hacking/IT incident
8. Dallam Hartley Counties Hospital District – 69,835 individuals affected by hacking/IT incident
9. Consumer Directed Services in Texas, Inc. – 56,728 individuals affected by hacking/IT incident
10. Stanley Street Treatment and Resources, Inc. – 45,785 individuals affected by hacking/IT incident with confirmed data theft
11. South Walton Fire District – 25,331 individuals affected by hacking/IT incident
12. Rosenfeld VanWirt, PC PA – 18,719 individuals affected by hacking/IT incident
13. CCA Health Plans of California, Inc d/b/a CCA Health CA – 14,631 individuals affected by hacking/IT incident with confirmed data theft
14. CareFirst Administrators – 14,538 individuals affected by hacking/IT incident
15. Work Health Solutions – 13,157 individuals affected by hacking/IT incident
16. New York-Presbyterian Hospital – 12,000 individuals affected by hacking/IT incident
17. Epic Management LLC – 10,862 individuals affected by hacking/IT incident
Causes of Data Breaches in November
All but one of the 17 data breaches were caused by hacking incidents, several of which involved ransomware. Ransomware is widely used, but HIPAA-covered entities typically do not disclose the precise nature of an attack, so it is hard to gauge how much of the hacking activity in the healthcare sector involves ransomware. The hacking incidents resulted in the exposure or theft of 5,374,670 records, 77.8% of all records breached in November. The average and median breach sizes were 134,367 records and 7,158 records, respectively.
The 8 unauthorized access/disclosure incidents affected the records of 1,521,788 people, most of them impermissibly disclosed by a single healthcare company. The average and median breach sizes were 190,224 records and 2,275 records, respectively. There was also one theft incident, affecting the records of 7,983 people. Most of the reported breaches involved PHI stored on network servers; seven involved email accounts and four involved electronic health records.
HIPAA-Covered Entities Impacted by Data Breaches
Healthcare providers reported 26 breaches, one of which occurred at a business associate but was reported by the healthcare provider. Health plans reported 6 data breaches, one of which occurred at a business associate. Business associates self-reported 17 breaches.
Healthcare Data Breaches Per State
HIPAA-regulated entities in 18 states and Puerto Rico reported healthcare data breaches. Pennsylvania topped the list with 12 breaches. California reported 6 minor breaches. Florida and New York reported 4 breaches each, and Texas reported 3. Arkansas, Indiana, Connecticut, Massachusetts, Maryland, and Tennessee reported 2 breaches each. Georgia, Michigan, Nevada, New Jersey, Oregon, West Virginia, Washington, and Puerto Rico each reported one breach.
November HIPAA Enforcement Activity
OCR did not announce any civil monetary penalties or settlements in November. Nevertheless, 2022 has seen the highest number of HIPAA enforcement actions since OCR began enforcing HIPAA compliance. Most of the financial penalties in 2022 were imposed for HIPAA Right of Access violations, and 55% of the enforcement actions involved HIPAA violations by small healthcare companies.
In November, the Massachusetts Attorney General imposed a $425,000 financial penalty on Aveanna Healthcare for a breach of the PHI of 166,000 people, including 4,000 Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, and the investigation found a lack of security measures such as multi-factor authentication and security awareness training.