Over the past three months, the number of healthcare data breach reports has remained fairly constant. February saw a slight increase, with 43 data breaches involving 500 or more records reported to the HHS’ Office for Civil Rights (OCR), against an average of 41 reports per month over the past 3 months.
The downward trend in breached records did not last long. The number of breached records rose 418.7% month over month to 5,520,291 in February, well above the average of 4,472,186 breached records per month. The high total is largely due to a single breach that affected more than 3.3 million people.
February 2023 Biggest Healthcare Data Breaches Reported
There were 17 healthcare data breach reports involving 10,000 or more records in February, all of them hacking incidents. The largest breach affected 3,300,638 patients of four medical groups in California: Regal Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; Lakeside Medical Organization, A Medical Group, Inc.; and Greater Covina Medical Group, Inc., all members of the Heritage Provider Network. The incident was confirmed to be a ransomware attack involving data theft. It was the largest healthcare data breach of 2023 at the time it was reported, but it has since been surpassed by the 4.4 million-record breach that Independent Living Systems reported in March 2023.
The following hacking incidents were also reported in February. It is not yet known whether they involved ransomware or extortion.
- CentraState Healthcare System in New Jersey reported a 617,901-record breach
- Cardiovascular Associates in Alabama reported a 441,640-record breach
- Revenue cycle management firm Reventics reported a 250,918-record breach involving the exfiltration of sensitive data
- Highmark Inc. reported an email account breach to the HHS’ Office for Civil Rights as two separate breaches, one affecting 239,039 individuals and the other 36,600, for a total of 275,639 individuals. The breach occurred when an employee clicked a hyperlink in a phishing email.
Here’s the complete list of 10,000+ record data breaches plus their causes:
1. Regal Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc., Lakeside Medical Organization, A Medical Group, Inc., and Greater Covina Medical Group, Inc. CA – 3,300,638 individuals affected by ransomware attack with data theft
2. CentraState Healthcare System, Inc. – 617,901 individuals affected by hacking incident with data theft
3. Cardiovascular Associates – 441,640 individuals affected by hacking incident with data theft
4. Reventics, LLC – 250,918 individuals affected by hacking incident with data theft
5. Highmark Inc – 239,039 individuals affected by a phishing attack
6. 90 Degree Benefits, Inc. – 175,000 individuals affected by hacking incident
7. Hutchinson Clinic, P.A. KS – 100,000 individuals affected by hacking incident
8. Lawrence General Hospital – 76,571 individuals affected by hacking incident
9. Sharp Healthcare – 62,777 individuals affected by a hacked web server with data theft
10. Rise Interactive Media & Analytics, LLC – 54,509 individuals affected by hacking incident
11. Highmark Inc – 36,600 individuals affected by a phishing attack
12. Teijin Automotive Technologies Welfare Plan – 25,464 individuals affected by a ransomware attack
13. Evergreen Treatment Services – 21,325 individuals affected by hacking incident
14. Aloha Nursing Rehab Centre – 20,216 individuals affected by hacking incident with data theft
15. NR Pennsylvania Associates, LLC – 14,335 individuals affected by hacking incident with data theft
16. Intelligent Business Solutions – 11,595 individuals affected by ransomware attack
17. Arizona Health Advantage, Inc. dba AZPC Clinics, LLC; Arizona Priority Care (APC); and health plans for which APC has signed a BAA – 10,978 individuals affected by ransomware attack
Causes of Healthcare Data Breaches in February 2023
There were 33 hacking/IT incidents reported in February, accounting for 76.7% of all breach reports for the month. Those incidents exposed or resulted in the theft of the data of 5,497,797 individuals, which is 99.59% of February’s breached records. The average and median breach sizes were 166,600 records and 10,978 records, respectively.
A total of 13,950 records were affected by the 8 reported unauthorized access/disclosure incidents. The average and median breach sizes were 1,744 records and 689 records, respectively. The incident reported by Asante involved a doctor who accessed the records of patients with whom there was no treatment relationship. The unauthorized access continued for 9 years before it was discovered and resulted in the impermissible disclosure of 8,834 patients’ records. Incidents like this show why it is essential to maintain medical record access logs and review them regularly. Where possible, that review should be automated with a tracking and alerting system that compares each chart access against the user’s treatment relationships and raises an alert when there is none.
There was one report of the theft of a portable electronic device containing the PHI of 986 individuals, and one report of the improper disposal of paper documents containing the PHI of 7,558 patients.
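The kind of automated access-log review described above, as an added example that is not part of the original article or of any vendor's product. It assumes a hypothetical EHR audit log with the columns `timestamp,user_id,role,patient_id,action` and a hypothetical encounter table listing which staff member treated which patient and when; both datasets below are constructed for the example. An access is treated as justified only if the same user had an encounter with that patient within a configurable window (90 days here, an assumed policy value), and a user who racks up several unjustified accesses is surfaced for review.

```python
"""Flag EHR chart accesses with no treatment relationship (added example, constructed data)."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log (hypothetical schema): who opened which chart, and when.
ACCESS_LOG = """\
timestamp,user_id,role,patient_id,action
2023-02-01T08:02:11,dr_alvarez,physician,P1001,view_chart
2023-02-01T08:15:40,dr_alvarez,physician,P1002,view_chart
2023-02-01T09:30:05,dr_alvarez,physician,P2093,view_chart
2023-02-01T09:31:12,dr_alvarez,physician,P2094,view_chart
2023-02-01T09:32:48,dr_alvarez,physician,P2095,view_chart
2023-02-02T11:05:00,rn_chen,nurse,P1001,view_chart
2023-02-02T11:06:00,rn_chen,nurse,P3300,view_chart
"""

# Constructed encounter table (hypothetical schema): a treatment relationship exists
# when the user was on the care team for one of the patient's encounters.
ENCOUNTERS = """\
patient_id,user_id,encounter_date
P1001,dr_alvarez,2023-01-30
P1002,dr_alvarez,2023-02-01
P1001,rn_chen,2023-01-30
"""

# Assumed policy: an encounter within +/- 90 days justifies a chart access.
RELATIONSHIP_WINDOW = timedelta(days=90)
# Assumed policy: this many unjustified accesses by one user triggers an alert.
ALERT_THRESHOLD = 3


def load_relationships(encounters_csv):
    """Map (user_id, patient_id) -> list of encounter dates."""
    rel = {}
    for row in csv.DictReader(StringIO(encounters_csv)):
        key = (row["user_id"], row["patient_id"])
        rel.setdefault(key, []).append(datetime.fromisoformat(row["encounter_date"]))
    return rel


def has_relationship(rel, user_id, patient_id, when, window=RELATIONSHIP_WINDOW):
    """True if the user had an encounter with the patient within the window of the access."""
    return any(d - window <= when <= d + window for d in rel.get((user_id, patient_id), []))


def find_unjustified_access(access_csv, encounters_csv, window=RELATIONSHIP_WINDOW):
    """Return every access log entry that has no supporting treatment relationship."""
    rel = load_relationships(encounters_csv)
    flagged = []
    for row in csv.DictReader(StringIO(access_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        if not has_relationship(rel, row["user_id"], row["patient_id"], when, window):
            flagged.append({"timestamp": row["timestamp"], "user_id": row["user_id"],
                            "role": row["role"], "patient_id": row["patient_id"]})
    return flagged


def summarize_by_user(flagged):
    """Count unjustified accesses per user so repeat offenders stand out."""
    counts = {}
    for entry in flagged:
        counts[entry["user_id"]] = counts.get(entry["user_id"], 0) + 1
    return counts


def alerts(flagged, threshold=ALERT_THRESHOLD):
    """Users whose unjustified access count meets the alert threshold, sorted."""
    return sorted(u for u, n in summarize_by_user(flagged).items() if n >= threshold)


if __name__ == "__main__":
    hits = find_unjustified_access(ACCESS_LOG, ENCOUNTERS)
    for h in hits:
        print(f"{h['timestamp']} {h['user_id']} ({h['role']}) opened {h['patient_id']} with no treatment relationship")
    print("alert on:", alerts(hits))
```

Run daily against the previous day's log and the alert list becomes the review queue; a single stray access is usually a workflow explanation, while the same user repeatedly opening charts they have no encounter with (the pattern in the Asante case) crosses the threshold on the first day rather than the ninth year.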
HIPAA-Regulated Entities Affected
Healthcare providers reported 31 data breaches involving 500 or more records in February, business associates reported 7, and health plans reported 5. When a data breach occurs at a business associate, the affected covered entities often report the incident themselves. In February, 6 of the reported data breaches involved business associates but were reported by the affected healthcare providers and health plans.
The average and median breach sizes reported by healthcare providers were 178,046 records and 3,061 records, respectively. The average and median breach sizes reported by health plans were 67,236 records and 3,909 records, respectively. The average and median breach sizes reported by business associates were 47,859 records and 8,500 records, respectively.
Locations of Breaches
Data breach reports submitted by HIPAA-covered entities and business associates came from 28 states. California reported 4 breaches in February. Pennsylvania and Texas reported 3 breaches each. Arizona, Illinois, Massachusetts, Kansas, New Jersey, Oregon, Washington and Virginia reported 2 breaches each. Alabama, Connecticut, Colorado, Florida, Georgia, Iowa, Hawaii, Michigan, Maryland, New Hampshire, North Carolina, New Mexico, Rhode Island, Utah, Tennessee, Wyoming and Wisconsin reported one breach each.
February 2023 HIPAA Enforcement Activity
The HHS’ Office for Civil Rights announced one enforcement action in February to settle alleged violations of the HIPAA Rules. OCR investigated Banner Health following a 2016 breach that affected the PHI of 2.81 million people. The investigation identified several potential HIPAA violations related to risk analysis, review of information system activity, verification of the identity of persons seeking access to PHI, and technical safeguards. Banner Health agreed to pay a $1,250,000 financial penalty to settle the case.
The Attorneys General of Pennsylvania and Ohio investigated DNA Diagnostics Center after receiving a report of a data breach involving the personal data and PHI of 45,600 residents of those states. The investigation found insufficient security measures, a failure to keep its asset inventory up to date, and a failure to decommission or remove assets that were no longer used for business functions. Although these failures would also constitute HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a $400,000 financial penalty, $200,000 to each of Pennsylvania and Ohio.
In February, the Federal Trade Commission (FTC) announced its first settlement for a violation of the FTC Health Breach Notification Rule. Although the Rule has been in place for more than 10 years, the FTC had never enforced it until now. The FTC said last year that it would hold entities not covered by HIPAA accountable for impermissible disclosures of health data and for breach notification failures. The FTC found that GoodRx Holdings Inc. had placed tracking technologies on its website and app that disclosed personal and health data to Google, Facebook, and other third parties without authorization, and that the company had failed to notify the affected individuals. GoodRx paid a $1,500,000 financial penalty to settle the allegations.