November’s reported breaches involving 500 or more healthcare records increased by 45%, with 61 large data breaches reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). That brings the 2023 total to 640 large data breaches reported from January 1 to November 30.
The number of breached records also increased by 508% from October 2023, with 22,077,489 breached healthcare records reported. November became 2023’s second-worst month in terms of breached records; July had 24 million breached healthcare records reported. From January 1 to November 30, 2023 already had 115,705,433 breached healthcare records, making it the worst-ever year for breached healthcare records.
November 2023 Biggest Healthcare Data Breaches
November had 28 reported breaches involving 10,000 or more records, including two breaches involving over 8 million records each. Two breaches reported in November, both involving business associates of HIPAA-covered entities, now rank among the top ten healthcare data breaches in history. The biggest breach happened at Perry Johnson & Associates, Inc. (PJ&A), a medical transcription services provider. The PJ&A data breach report submitted to OCR indicated that 8,952,212 individuals were affected, though the total is larger since a number of its clients have separately reported the breach. Hackers had access to the PJ&A network for over a month, from March to May 2023.
The second-biggest data breach involved Welltok, Inc., with 8,493,379 individuals affected. Welltok offers its services to health plans for managing their communications with subscribers. The Welltok data breach involved the exploitation by the Clop hacking group of a zero-day vulnerability in the MOVEit Transfer file transfer solution from Progress Software.
Three reported data breaches involved the PHI of over 500,000 people. Sutter Health and Blue Shield of California were also affected by the mass exploitation of the MOVEit vulnerability and had the records of 845,441 individuals and 636,848 individuals stolen, respectively; in both cases the MOVEit tool was used by a business associate of the entity. East River Medical Imaging in New York encountered a cyberattack that resulted in a 3-week network breach from September to October 2023. During that time, the hackers exfiltrated files containing the PHI of 605,809 persons. All 28 data breaches involved hacking with unauthorized network server access.
1. Perry Johnson & Associates, Inc. dba PJ&A – 8,952,212 individuals affected by hacking and data theft incident
2. Welltok, Inc. – 8,493,379 individuals affected by the MOVEit Transfer hacking incident
3. Sutter Health – 845,441 individuals affected by the MOVEit Transfer hacking incident at business associate
4. California Physicians’ Service d/b/a Blue Shield of California – 636,848 individuals affected by the MOVEit Transfer hacking incident at business associate
5. East River Medical Imaging, PC – 605,809 individuals affected by hacking and data theft incident
6. State of Maine – 453,894 individuals affected by the MOVEit Transfer hacking incident
7. Proliance Surgeons – 437,392 individuals affected by a ransomware attack
8. Medical Eye Services, Inc. – 377,931 individuals affected by the MOVEit Transfer hacking incident
9. Medical College of Wisconsin – 240,667 individuals affected by the MOVEit Transfer hacking incident
10. Warren General Hospital – 168,921 individuals affected by hacking and data theft incident
11. Financial Asset Management Systems (“FAMS”) – 164,796 individuals affected by a ransomware attack
12. Morrison Community Hospital District – 122,488 individuals affected by the BlackCat ransomware attack
13. South Austin Health Imaging LLC dba Longhorn Imaging Center – 100,643 individuals affected by hacking and data theft incidents (SiegedSec threat group)
14. Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. – 79,582 individuals affected by a ransomware attack (NoEscape)
15. International Paper Company Group Health and Welfare Plan (the “IP Plan”) – 78,692 individuals affected by the MOVEit Transfer hacking incident at a business associate
16. CBIZ KA Consulting Services, LLC – 30,806 individuals affected by the MOVEit Transfer hacking incident
17. Endocrine and Psychiatry Center – 28,531 individuals affected by hacking and data theft incident
18. Blue Shield of California OR Blue Shield of California Promise Health Plan – 26,523 individuals affected by a hacking incident at a business associate (MOVEit Transfer)
19. Wyoming County Community Health System – 26,000 individuals affected by hacking and data theft incident
20. Westat, Inc. – 20,045 individuals affected by the MOVEit Transfer hacking incident
21. Psychiatry Associates of Kansas City – 18,255 individuals affected by hacking and data theft incident
22. Southwest Behavioral Health Center – 17,147 individuals affected by hacking and data theft incident
23. TGI Direct, Inc. – 16,113 individuals affected by the MOVEit Transfer hacking incident
24. Pharmacy Group of Mississippi, LLC – 13,129 individuals affected by hacking and data theft incident
25. U.S. Drug Mart, Inc. – 13,016 individuals affected by hacking and data theft incident at business associate
26. Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island – 13,000 individuals affected by hacking and data theft incident
27. Foursquare Healthcare, Ltd. – 10,890 individuals affected by ransomware attack
28. Saisystems International, Inc. – 10,063 individuals affected by hacking and data theft incident
Data Breach Causes and Data Locations in November 2023
A number of the breaches in November involved the Clop threat group’s mass exploitation of a vulnerability in the MOVEit Transfer solution. MOVEit data breaches are still being reported, despite the attacks having taken place at the end of May. According to the cybersecurity company Emsisoft, about 2,620 organizations were impacted by these breaches, and 77.2 million records were stolen; 78.1% of the impacted organizations are located in the U.S. The U.S. Securities and Exchange Commission is investigating Progress Software over the breach. There were 54 incidents involving hacking or ransomware attacks (88.52% of the month’s data breaches), which accounted for 22,064,623 breached records (99.94% of the breached records). The average and median data breach sizes for these incidents were 408,604 records and 10,477 records, respectively.
Ransomware groups continue to attack the healthcare sector, with groups including NoEscape and BlackCat listing stolen healthcare data on their leak sites in November. Many hacking groups, for instance Hunters International and SiegedSec, do not use ransomware at all and simply steal information, then threaten to sell or post the data if no ransom is paid. Because the risk of ransomware actors being apprehended is small, the attacks will most likely continue. OCR is preparing to make it more difficult for cyber actors to succeed by introducing new cybersecurity requirements for healthcare companies. These new cybersecurity requirements will be voluntary at first but will be enforced later on. New York has additionally announced that there will be stricter cybersecurity requirements for hospitals in the state, accompanied by financial support.
In November, unauthorized access/disclosure incidents accounted for 6 data breaches, with 10,371 records impermissibly accessed or disclosed. The average and median data breach sizes were 1,481 records and 1,481 records, respectively. One reported incident of theft of paperwork affected the PHI of 2,495 persons. No incidents of loss or improper disposal were reported. 77% of breached records were located on network servers, while 10 were in email accounts.
As per the OCR data breach portal, 42 healthcare providers reported data breaches in November, health plans reported 6, and business associates reported 13. The problem is that these numbers do not precisely reflect where the data breaches occurred. When a business associate encounters a data breach, the covered entity, the business associate, or both may report the incident to OCR. Therefore, the raw information frequently does not correctly represent the number of data breaches happening at business associates of HIPAA-covered entities.
Healthcare Data Breaches By State
HIPAA-covered entities in 28 states reported data breaches. California had 8 reported breaches, while New York had 6. Illinois and Texas reported 5 each. Connecticut, Georgia, Florida, Indiana, Iowa, Kansas, Michigan, Maine, Minnesota, New Jersey, Oregon, Washington, and South Carolina reported 2 each. Arizona, Colorado, Massachusetts, Maryland, Mississippi, Nevada, Pennsylvania, Ohio, Tennessee, Wisconsin, and Utah reported 1 each.
November 2023 HIPAA Enforcement Activity
In November, OCR announced one enforcement action. St. Joseph’s Medical Center paid an $80,000 financial penalty to OCR to resolve a case of impermissible disclosure of patient data to a reporter. OCR investigated St. Joseph’s Medical Center after an Associated Press reporter, who had been permitted to observe three COVID-19 patients, published an article containing pictures and information about the patients that was distributed nationally. OCR determined that the patients had not given HIPAA authorizations for the disclosure of their information, so St. Joseph’s Medical Center had committed a HIPAA violation.
HIPAA is mainly enforced by OCR, though State Attorneys General can also investigate HIPAA-covered entities and have the power to issue penalties for HIPAA violations. In November, the New York Attorney General announced a settlement with U.S. Radiology Specialists Inc. to resolve alleged HIPAA and state law violations. The breach involved the personal data and PHI of 198,260 persons, including 95,540 New York residents. According to the New York Attorney General’s investigation, U.S. Radiology Specialists knew about the vulnerabilities but did not address them promptly, and cyber actors exploited those vulnerabilities in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and to ensure full compliance with HIPAA and state legislation.