January is often a quiet month for healthcare data breaches, and January 2023 was no different. 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. That is well below the 53 breaches reported in January 2022 and below the 12-month average of 58 breaches per month.
The number of breached records fell for the second consecutive month. 1,064,195 healthcare records were impermissibly disclosed or exposed in January, well below the 12-month average of 4,209,121 records per month.
January 2023 Biggest Healthcare Data Breaches
January had 13 data breaches of 10,000 or more records. Eight of them were hacking incidents involving compromised email accounts or network servers. The largest breach of the month occurred at Mindpath Health, where several employee email accounts were compromised. Five unauthorized access/disclosure incidents affected more than 10,000 individuals, and three of those were attributed to tracking code on websites. The tracking code collected individually identifiable information, including the health data of website visitors, and transmitted it to third parties such as Meta and Google. One of these incidents was the second-largest breach of the month, at BayCare Clinic. Another unauthorized disclosure occurred at mscripts, a mobile pharmacy company, where misconfigured cloud storage left customer data exposed online for 6 years.
1. Community Psychiatry Management, LLC, also known as Mindpath Health – 193,947 individuals affected by compromised email accounts
2. BayCare Clinic, LLP – 134,000 individuals affected by an impermissible PHI disclosure via website tracking technology
3. DPP II, LLC (Home Care Providers of Texas) – 125,981 individuals affected by a ransomware attack and data theft
4. Jefferson County Health Center (Jefferson County Health Department) – 115,940 individuals affected by a hacked network server
5. UCLA Health – 94,000 individuals affected by an impermissible PHI disclosure via website tracking technology
6. mscripts®, LLC – 66,372 individuals affected by PHI exposure due to misconfigured cloud storage
7. Circles of Care, Inc. – 61,170 individuals affected by a hacked network server
8. Howard Memorial Hospital – 53,668 individuals affected by a hacked network server
9. Stroke Scan Inc – 50,000 individuals affected by a hacking incident. The breach has not been announced publicly.
10. University of Colorado Hospital Authority – 48,879 individuals affected by a hacking incident at Diligent, its business associate
11. Insulet Corporation – 29,000 individuals affected by an impermissible PHI disclosure via website tracking technology
12. City of Cleveland – 15,206 individuals affected by an unauthorized access/disclosure incident. The breach has not been announced publicly.
13. DotHouse Health Incorporated – 10,000 individuals affected by a hacked network server
Causes of Healthcare Data Breaches in January 2023
Hacking/IT incidents were the most common cause of data breaches in January, and most of those incidents involved a hacked network server. Ransomware attacks continue, but their extent is unclear, since many HIPAA-regulated entities do not disclose the precise nature of their breaches and some have not announced the breaches publicly. Across the 23 hacking incidents, the data of 698,295 individuals was compromised or stolen. The average breach size was 30,361 records (698,295 divided by 23) and the median was 5,264 records.
Unauthorized access/disclosure incidents increased in January, with 15 reported. The nature of 7 of them is not yet known because the affected entities have not made public announcements. Five of the 15 were the result of tracking code on websites and applications. Across the 15 incidents, 362,629 records were impermissibly accessed or disclosed; the average breach size was 24,175 records and the median was 3,780 records.
Two theft incidents were reported, one involving stolen documents and the other the theft of a portable electronic device; together they exposed 3,271 records. No loss or improper disposal incidents were reported.
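The tracking-code incidents described above (BayCare Clinic, UCLA Health, Insulet, and the other two unauthorized disclosure cases) all stem from third-party tags embedded in patient-facing websites. As an added example that is not from the original article or from any of the named entities, the Python script below shows the kind of static check a covered entity can run against its own pages: it parses the HTML, flags scripts, images and iframes loaded from hosts other than the first-party portal, and reports inline calls to known pixel APIs. The portal hostname, the sample page and the tracker host list are constructed for illustration and are not exhaustive.

```python
"""Scan a patient-portal page for third-party tracking code (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the Meta Pixel and Google tag loaders. Assumption: this list
# is illustrative, not exhaustive; extend it for the vendors you care about.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}
# Inline JavaScript calls that fire an event to a tracker.
INLINE_CALL_MARKERS = ("fbq(", "gtag(", "dataLayer.push(")


class TrackerScanner(HTMLParser):
    """Records external script/image/iframe sources and inline tracker calls."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            if src:
                self._record(tag, src)
            else:
                self._inline = []
        elif tag in ("img", "iframe") and src:
            self._record(tag, src)

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self._inline = None
            hosts = sorted(h for h in KNOWN_TRACKER_HOSTS if h in body)
            calls = sorted(m for m in INLINE_CALL_MARKERS if m in body)
            if hosts or calls:
                self.findings.append({"where": "inline script", "hosts": hosts, "calls": calls})

    def _record(self, tag, url):
        host = urlparse(url).netloc.lower()
        if not host or host == self.first_party_host:
            return  # relative or first-party resource, not a third-party tracker
        label = KNOWN_TRACKER_HOSTS.get(host, "unknown third party")
        self.findings.append({"where": f"<{tag} src>", "host": host, "label": label})


def scan_html(html, first_party_host):
    """Return a list of tracker findings for one page of HTML, in document order."""
    scanner = TrackerScanner(first_party_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a fictional appointment page carrying a Meta Pixel and a
# Google tag alongside first-party scripts. Hostnames and IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/portal.js"></script>
<script src="https://portal.example-clinic.test/static/forms.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  (function(){var s=document.createElement('script');
   s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/appointments"><input name="condition"><button>Book</button></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "portal.example-clinic.test"):
        print(finding)
```

A scan of served HTML only catches tags present at page load; tags injected later by a tag manager show up in the browser's network requests rather than in the source, so the static check should be paired with a review of outbound requests on pages that handle appointments, conditions or patient identifiers. Finding a tracker is the start of the review, not the end: the HIPAA question is whether PHI is included in the events those tags transmit.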
Location of Data Breaches
Healthcare providers reported 31 data breaches, health plans reported 5, and business associates of HIPAA-regulated entities reported 4. In total, however, 14 breaches involved a business associate: 10 of them were reported by the covered entity rather than by the business associate. 23 breaches occurred at healthcare providers and affected about 275,000 individuals, while the 14 breaches that occurred at business associates affected about three times as many.
States Affected by Data Breaches in January
In January, HIPAA-regulated entities in 18 states reported breaches. California reported 7 breaches and Texas 6. Georgia, Massachusetts, Missouri, and Pennsylvania each reported 3; Florida, New York, and North Carolina each reported 2; and Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio, and Wisconsin each reported 1.
January 2023 HIPAA Enforcement Activity
The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the 30 days permitted by the HIPAA Privacy Rule; Life Hope Labs took 7 months to provide them. Life Hope Labs agreed to pay OCR a $16,500 financial penalty and to adopt a corrective action plan to ensure patients receive timely access to their health records in the future. This was the 43rd financial penalty imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.