October saw a drop in the number of reported data breaches involving 500 or more healthcare records. Only 40 data breaches were reported by HIPAA-regulated entities in October, bringing the 12-month average to 54 breaches per month. The number of breached healthcare records also fell, from more than 18 million records in July 2023 to 3,569,881 records in October. Although this is good news, 2023 remains a notably bad year for healthcare data breaches. From January 1, 2023, to October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, and as of November 17, 2023, more than 100 million breached records had been reported.
Biggest Healthcare Data Breaches Reported in October 2023
October had 14 breaches involving 10,000 or more records. The largest occurred at Postmeds Inc., the parent company of Truepill, a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer products. Although breach victims do not face a serious risk of identity theft because no Social Security numbers were exposed, they may be at greater risk of social engineering and phishing attacks. Little information about the incident was shared in the breach notifications, which only stated that it was a hacking incident involving unauthorized network access between August 30 and September 1, 2023. The Postmeds data breach is the 21st breach involving 1 million or more records to be reported this year.
Although the Clop group's mass exploitation of the zero-day vulnerability in Progress Software's MOVEit Transfer solution occurred at the end of May, healthcare organizations are still reporting MOVEit-related data breaches. More than 2,300 organizations are now known to have been affected, with over 60 million records stolen.
1. Postmeds, Inc. (TruePill) – 2,364,359 individuals affected by hacking incident
2. Western Washington Medical Group – 350,863 individuals affected by hacking incident
3. Greater Rochester Independent Practice Association, Inc. – 279,156 individuals affected by hacking incident
4. Radius Global Solutions – 135,742 individuals were affected by a hacking incident involving the MoveIT Transfer solution
5. Dakota Eye Institute – 107,143 individuals affected by hacking
6. Walmart, Inc. Associates Health and Welfare Plan – 85,952 individuals affected by hacking incident
7. Westat, Inc. – 50,065 individuals were affected by a hacking incident involving MoveIT Transfer solution
8. Brooklyn Premier Orthopedics – 48,459 individuals affected by hacking incident
9. PeakMed – 27,800 individuals affected by hacking incident
10. Hospital & Medical Foundation of Paris, Inc – 16,598 individuals affected by hacking incident
11. Fredericksburg Foot & Ankle Center, PLC – 14,912 individuals affected by hacking incident
12. Cadence Bank – 13,862 individuals were affected by a hacking incident involving the MoveIT Transfer solution
13. Peerstar LLC – 11,438 individuals affected by hacking incident
14. Atlas Healthcare CT – 10,831 individuals affected by hacking incident
Causes of Data Breach in October 2023 and Data Locations
Hacking incidents accounted for 77.5% of October's data breaches (31 incidents) and 99.13% of the breached healthcare records (3,538,726 records). The average and median breach sizes for hacking incidents were 114,152 records and 4,049 records, respectively.
The specific nature of these incidents was not publicly disclosed in most cases, so the extent to which phishing attacks, ransomware attacks, and vulnerability exploits are occurring cannot be determined. The exception is the mass exploitation of the zero-day vulnerability in the MOVEit Transfer solution, a relatively safe disclosure from a legal standpoint, since companies cannot be expected to patch a vulnerability that was unknown even to the organization that developed the software. Although the lack of detail is no doubt intended to minimize legal risk, breach victims who are given inadequate information cannot accurately gauge the level of risk they face.
There were 8 data breaches categorized as unauthorized access/disclosure incidents, involving 30,555 impermissibly accessed or disclosed records. The average and median breach sizes were 3,819 records and 2,111 records, respectively. One incident involved a stolen desktop computer containing the unencrypted protected health information (PHI) of 600 individuals. No incidents involving lost or improperly disposed PHI were reported.
The most common location of breached data was network servers, which is unsurprising given the large number of hacking incidents. Eight data breaches involved compromised email accounts.
Where did the Data Breaches Happen?
The OCR data breach portal shows that healthcare providers reported 25 data breaches, business associates reported 11, and health plans reported 4. These figures do not tell the whole story, since the reporting entity is not necessarily the entity that experienced the breach. Many data breaches occur at business associates of HIPAA-covered entities, but the covered entity, rather than the business associate, reports the incident to OCR.
Healthcare Data Breaches by State
HIPAA-covered entities in 23 states reported data breaches involving 500 or more records in October. Texas reported the most large data breaches with 5, followed by Mississippi with 4. Illinois, New York, and Pennsylvania each reported 3 breaches. Colorado, California, Florida, and Georgia each reported 2 breaches. Arkansas, Delaware, Connecticut, Iowa, Louisiana, Massachusetts, Maryland, Minnesota, Michigan, North Dakota, New Jersey, Oregon, Oklahoma, and Virginia each reported 1 breach.
October 2023 HIPAA Enforcement Activity
In October, the HHS' Office for Civil Rights (OCR) announced its 10th HIPAA enforcement action of 2023. Doctors' Management Services, a Massachusetts-based medical management company that provides services such as payor credentialing and medical billing, agreed to settle OCR's investigation of a data breach. In the April 2017 breach, a threat actor accessed its systems via Remote Desktop Protocol and gained access to the PHI of 206,695 individuals.
OCR determined that Doctors' Management Services had failed to conduct a risk analysis, failed to regularly review system activity logs, and failed to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures led to the impermissible disclosure of 206,695 individuals' PHI. Doctors' Management Services paid a $100,000 financial penalty and agreed to a corrective action plan to address the HIPAA compliance issues identified by OCR.
State Attorneys General also have the authority to investigate HIPAA-covered entities and impose financial penalties for HIPAA violations, although they frequently choose to impose penalties for equivalent violations of state laws instead. Three settlements with HIPAA-covered entities were reached in October to resolve allegations of data protection and breach notification failures.
Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina, that provides donor relationship management software, settled alleged violations of the HIPAA Breach Notification Rule, the HIPAA Security Rule, and state consumer protection laws with 49 states and the District of Columbia. Blackbaud paid a $49.5 million penalty and agreed to make extensive data security improvements. Blackbaud suffered a ransomware attack in May 2020 that compromised the PHI of 5,500,000 individuals. The multi-state investigation found insufficient data security safeguards and breach response failures.
Inmediata, a healthcare clearinghouse based in Puerto Rico, resolved a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unprotected, allowing sensitive information to be indexed by search engines and discovered by anyone with internet access. The PHI of 1,565,338 individuals was compromised. The multi-state investigation found a failure to implement reasonable and appropriate security measures as required by the HIPAA Security Rule, a failure to perform secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification laws for not providing timely and complete information to breach victims. The investigation was settled for $1.4 million, and Inmediata agreed to improve its data security program and strengthen its breach notification procedures.
Personal Touch Holding Corp, a home health company doing business as Personal Touch Home Care, settled the New York Attorney General's investigation into a breach of the PHI of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email, which led to the installation of malware. The threat actor exfiltrated data and then deployed ransomware to encrypt files. The New York Attorney General alleged that Personal Touch had only an informal information security program, inadequate access controls, no continuous monitoring, insufficient encryption, and limited staff training. Personal Touch paid a $350,000 financial penalty and agreed to improve its data security and training programs.
The information in this report was obtained from the U.S. Department of Health and Human Services' Office for Civil Rights on November 11, 2023.