Healthcare data privacy improved in September, which saw the fewest reported healthcare data breaches since February 2023. 48 data breaches involving 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), compared to the 12-month average of 57 breaches per month. The number of breached records dropped by 36.6% month-over-month. Across the 48 reported breaches, the protected health information (PHI) of 7,556,174 individuals was exposed or impermissibly disclosed, below the 12-month average of 7,906,890 records per month.
The large number of breached records is attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit file transfer solution, which many healthcare companies and their business associates use to transfer files. Emsisoft, which is tracking the MOVEit data breaches, reports that 2,553 companies worldwide were affected, 19.2% of them healthcare-related.
Biggest Healthcare Data Breaches in September 2023
16 of the data breaches reported in September affected 10,000 or more records; four of them were due to the mass exploitation of CVE-2023-34362, which affected the MOVEit Cloud and MOVEit Transfer solutions. The healthcare sector continues to be targeted by ransomware and extortion groups such as Clop, Money Message, Rhysida, NoEscape, Royal, ALPHV (BlackCat), and Karakurt. Three of the incidents with 10,000+ breached records were confirmed to be ransomware attacks, though more were probably ransomware or extortion attacks, as HIPAA-covered entities commonly do not disclose details of hacking incidents.
Although hacking incidents frequently top the headlines, the healthcare sector experiences more insider breaches than other industries. A large insider breach occurred at a business associate in September: an employee of the business associate Maximus was found to have sent the PHI of 1,229,333 health plan members to a personal email account.
1. Arietis Health, LLC – 1,975,066 individuals affected by a hacking/IT incident (MOVEit hack by Clop)
2. Virginia Dept. of Medical Assistance Services – 1,229,333 individuals affected by a hacking/IT incident at Maximus
3. Nuance Communications, Inc. – 1,225,054 individuals affected by a hacking/IT incident (MOVEit hack by Clop)
4. International Business Machines Corporation – 630,755 individuals affected by unauthorized access/disclosure due to the MOVEit hack (Clop)
5. Temple University Health System, Inc. – 430,381 individuals affected by a hacking/IT incident at a business associate
6. Prospect Medical Holdings, Inc. – 342,376 individuals affected by a hacking/IT incident (Rhysida ransomware attack)
7. United Healthcare Services, Inc. Single Affiliated Covered Entity – 315,915 individuals affected by unauthorized access/disclosure involving the MOVEit hack (Clop)
8. Oak Valley Hospital District – 283,629 individuals affected by a hacking/IT incident involving a network server
9. Bienville Orthopaedic Specialists LLC – 242,986 individuals affected by a hacking/IT incident involving a network server, with confirmed data theft
10. Amerita – 219,707 individuals affected by a hacking/IT incident; a ransomware attack by the Money Message group on its parent company, PharMerica
11. Community First Medical Center – 216,047 individuals affected by a hacking/IT incident involving a network server
12. OrthoAlaska, LLC – 176,203 individuals affected by a hacking/IT incident
13. Acadia Health, LLC d/b/a Just Kids Dental – 129,463 individuals affected by a hacking/IT incident (ransomware attack); data was deleted
14. Founder Project Rx, Inc. – 30,836 individuals affected by a hacking/IT incident involving unauthorized access to an email account
15. Health First, Inc. – 14,171 individuals affected by a hacking/IT incident involving unauthorized access to an email account
16. MedMinder Systems, Inc. – 12,146 individuals affected by a hacking/IT incident involving a network server
Types and Location of Data Breaches
The majority of breach reports are still due to hacking and other IT incidents. In September, 81.25% (39) of all reported data breaches involving 500 or more records were hacking/IT incidents, and they accounted for 87.23% (6,591,496) of the exposed or stolen records. The average and median breach sizes for these incidents were 169,013 and 4,194 records, respectively. Nine data breaches were unauthorized access/disclosure incidents, in which 964,678 records were impermissibly accessed or exposed to unauthorized people; the average and median breach sizes were 107,186 and 2,834 records, respectively. No reports involved the loss or theft of paper records or electronic devices, or the improper disposal of PHI. Given the large number of hacking incidents, network servers were, as expected, the most common location of breached PHI. Only seven incidents involved unauthorized access to email accounts.
Where did the Data Breaches Occur?
The September data on OCR’s breach portal shows that 30 healthcare providers, 11 business associates, and seven health plans reported data breaches. These figures may not accurately reflect where the breaches occurred, because many data breaches happen at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. Business associate data breaches are usually severe because an attacker who gains access to a business associate’s network server can access the data of all of that business associate’s customers.
Data Breaches by State
HIPAA-regulated entities in 24 states reported healthcare data breaches involving 500 or more records. California, New York, and Florida reported 4 breaches each. Illinois, Georgia, and Texas reported 3 breaches each. Alabama, Connecticut, Minnesota, Massachusetts, Mississippi, New Jersey, Missouri, Pennsylvania, and Virginia reported 2 breaches each. Arkansas, Arizona, Indiana, Kentucky, Kansas, Maryland, North Carolina, Nevada, and Tennessee reported 1 breach each.
HIPAA Enforcement Activity in September 2023
OCR investigates all healthcare data breaches involving 500 or more records to determine whether they were caused by non-compliance with the HIPAA Regulations. OCR has a backlog of investigations because of budget constraints, and HIPAA violation cases can take years to settle. In September, OCR reported that one investigation had been settled. The case dates back to March 2014, when an online media outlet reported the inability of health plan members to access the PHI of other members through the plan’s online member website. The breach report sent to OCR stated that fewer than 500 plan members were affected, and OCR started a compliance review in February 2016. Three years later, a second breach report was filed concerning a mailing error that affected 1,498 plan members.
OCR investigated LA Care Health Plan again and discovered several violations of the HIPAA Rules, including a failure to conduct a risk analysis, inadequate security procedures, insufficient review of records of information system activity, a lack of assessments in response to environmental or operational changes, insufficient recording and examination of information system activity, and the impermissible disclosure of the ePHI of 1,498 people. The case was resolved with LA Care Health Plan adopting a corrective action plan and paying a penalty of $1,300,000.
State attorneys general are also authorized to investigate healthcare data breaches and penalize institutions for violating HIPAA. From 2019 to 2022, relatively few financial penalties were issued for HIPAA violations or comparable violations of state law; however, enforcement actions increased considerably in 2023. From 2019 to 2022, 12 enforcement actions by state attorneys general resulted in financial penalties, whereas 11 penalties have already been imposed in 2023 to date.
In September, state attorneys general announced three settlements. The first, and the largest, was with Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals in California, which paid $49 million. The Indiana Attorney General announced a settlement with Schneck Medical Center under which it paid a $250,000 penalty and agreed to strengthen its security practices. The Colorado Attorney General reported a settlement with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the PHI of 677 residents. The center paid a $60,000 penalty to resolve the alleged violations and agreed to implement corrective measures.