Monthly data breach reports cover breaches involving 500 or more records that were reported each month to the Department of Health and Human Services’ Office for Civil Rights (OCR). The monthly reports show whether healthcare data breaches are trending up, trending down, or holding steady. In March, 63 breaches involving 500 or more records were reported to OCR. That is 46.51% more than in February and 6.92% above the 12-month average.
Month-over-month, the number of breached records increased by 15.62%: 6,382,618 records were compromised or impermissibly disclosed across the 63 data breaches. Over the last 12 months, breached records increased by 36%, and this March saw 76.46% more breached records than the same month last year.
Biggest Healthcare Data Breaches
There were 22 healthcare data breach reports that affected over 10,000 persons, compared to just 17 in February 2023. The top four data breaches this March were due to tracking codes on web pages that collected individually identifiable data about website visitors. The data was collected to analyze website visitors and was then sent to third-party code providers such as Meta (Facebook), Google, and Instagram.
The HIPAA Privacy Rule does not prohibit the use of tracking tools; however, when they are used, the healthcare company must obtain the user’s consent or the data sharing must otherwise be authorized by the Privacy Rule, and there must be a signed business associate agreement with the code provider. These kinds of breaches will likely increase over the coming weeks and months. According to a new research study, 99% of U.S. clinics have added such codes to their web pages, yet only a few have informed OCR about their use of the tracking codes or the resulting data breaches.
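The disclosures described above start with a script or pixel tag on the page itself. The following is an added example, not code from the original report: a small Python check that parses a page and flags script, image, and iframe sources that load from known third-party tracking hosts, so a compliance review can compare what a site actually loads against the vendors that have a signed business associate agreement. The tracker host list and the sample page are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative third-party tracker hosts (an assumption of this example, not a
# list from the report); a real review uses the organisation's own vendor inventory.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

class TrackerFinder(HTMLParser):
    """Records <script>, <img> and <iframe> sources that load from tracker hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, vendor, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative paths such as "/static/app.js" are first-party and have no hostname.
        host = (urlparse(src if "//" in src else "//" + src).hostname or "").lower()
        vendor = TRACKER_HOSTS.get(host)
        if vendor:
            self.findings.append((tag, vendor, src))

def find_trackers(html):
    """Return [(tag, vendor, url), ...] for every tracker reference found in html."""
    parser = TrackerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page resembling a clinic's appointment-booking page.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000&amp;ev=PageView"/></noscript>
<img src="/images/logo.png"><h1>Book an appointment</h1>
</body></html>"""

if __name__ == "__main__":
    for tag, vendor, url in find_trackers(SAMPLE_PAGE):
        print(f"{vendor:<26} <{tag}> {url}")
```

The same check can be run against saved copies of patient-facing pages (appointment booking, portal login, symptom checkers), where tracker hits are the ones most likely to carry PHI.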
Malicious actors continue to use ransomware against healthcare companies: three of the 22 data breaches involved ransomware. A number of other hacking incidents caused network disruption but were not confirmed to involve ransomware. Some threat actors that previously used ransomware against the healthcare sector no longer encrypt files; they only steal data and extort the victims. For instance, the Clop ransomware group used to conduct ransomware attacks, but in its recent attack on Fortra’s GoAnywhere managed file transfer (MFT) solution it did not deploy ransomware. The group stole data from 130 companies in that attack, including US Wellness Inc and Community Health Systems Professional Services Corporations.
Three email account compromises via phishing resulted in data breaches affecting 10,000+ records. Phishing is a common element of attacks on the healthcare industry. Although these attacks are difficult to stop, the harm they cause can be limited by restricting how long emails are kept in mailboxes. Since emails must be retained to comply with HIPAA and other legislation, they should be moved to a secure archive so that a compromised email account exposes as little data as possible. One phishing attack compromised a single email account that held the PHI of over 77,000 people.
1. Cerebral, Inc – 3,179,835 individuals affected by website tracking code usage that led to impermissible disclosure to third parties
2. ZOLL Services LLC – 997,097 individuals affected by hacking incident
3. Community Health Systems Professional Services Corporations (CHSPSC), LLC – 962,884 individuals were affected by the hacking of Fortra’s GoAnywhere MFT solution
4. Santa Clara Family Health Plan – 276,993 individuals were affected by a hacking incident involving a business associate
5. Monument, Inc. – 108,584 individuals affected by the use of website tracking code and impermissible disclosure to third parties
6. Bone & Joint Clinic, S.C. – 105,094 individuals affected by hacking incident
7. Florida Medical Clinic, LLC – 94,132 individuals affected by a ransomware attack
8. Healthy Options dba Postal Prescription Services – 82,466 individuals affected by impermissible disclosure of PHI to Kroger
9. NorthStar Emergency Medical Services – 82,450 individuals affected by a hacking incident
10. Merritt Healthcare Advisors – 77,258 individuals affected by unauthorized accessing of employee email account
11. New York Presbyterian Hospital – 54,396 individuals affected by the use of website tracking code and impermissible disclosure to third parties
12. Trinity Health – 45,350 individuals affected by phishing attack and email account breach
13. UHS of Delaware, Inc – 40,290 individuals affected by unauthorized accessing of employee email account
14. SundaySky, Inc – 37,095 individuals affected by hacked cloud server and data theft
15. Denver Public Schools Medical Plans – 35,068 individuals affected by hacked network server and data theft
16. Atlantic General Hospital – 26,591 individuals were affected by a ransomware attack
17. UC San Diego Health – 23,000 individuals affected by the use of website tracking code and impermissible disclosure to third parties
18. Tallahassee Memorial Healthcare, Inc. – 20,376 individuals affected by hacked network server and data theft
19. Northeast Surgical Group, PC – 15,298 individuals affected by hacked network server
20. Health Plan of San Mateo – 11,894 individuals affected by unauthorized accessing of employee email account
21. US Wellness Inc. – 11,459 individuals affected by the hacking of Fortra’s GoAnywhere MFT solution
22. Codman Square Health Center – 10,161 individuals were affected by a ransomware attack
Causes of Data Breaches in March 2023
Most of the reported breaches were due to hacking/IT incidents. Although hacking incidents were the most common cause, they accounted for only 54.29% of March’s breached records, because the largest data breaches in March were due to the use of tracking codes. The average and median sizes of a hacking-related breach in March were 73,724 and 2,785 records, respectively.
Fourteen data breaches were due to unauthorized access/disclosure incidents, which accounted for 22.22% of the data breaches and 45.65% of the breached records in March. Most of these breaches resulted from the use of website tracking codes. The average and median breach sizes were 208,114 and 2,636 records, respectively. One theft incident affected the protected health information (PHI) of 3,013 people, and one improper disposal incident affected the records of 999 individuals.
Location of the Data Breaches
Based on the information submitted to OCR, the breaches were reported by 33 healthcare providers, 6 health plans, and 24 business associates. 75.4% of the breached records in March were traced to data breaches at business associates.
March 2023 Data Breaches by State
HIPAA-regulated entities in 25 U.S. states reported data breaches in March. New York reported 18 data breaches. The unusually high total was due to the attack on business associate Atlantic Dialysis Management Services, which submitted a separate breach report to OCR for each of its 14 affected clients.
California had 7 data breach reports, while Florida, Ohio, Massachusetts, Pennsylvania, and Texas each had 3 data breach reports. Indiana, Kansas, Michigan, Maryland, and Oregon each had 2 data breach reports. Arizona, Alabama, Connecticut, Colorado, Delaware, Georgia, Kentucky, Illinois, New Jersey, Oklahoma, Tennessee, West Virginia, and Wisconsin each submitted one data breach report.
March 2023 HIPAA Enforcement Activity
The HHS’ Office for Civil Rights did not announce any HIPAA enforcement actions in March; however, a state Attorney General announced one enforcement action. According to the New York Attorney General, the law firm Heidell, Pittoni, Murphy & Bach LLP was investigated over a breach affecting the personal data and PHI of 61,438 New York residents. The Attorney General’s office investigated the law firm for potential violations of HIPAA and New York law and determined that the firm had violated 17 HIPAA provisions and implementation specifications. The law firm chose to settle the case without admitting any wrongdoing and paid a $200,000 financial penalty.
Although the Federal Trade Commission does not enforce HIPAA, it has begun pursuing non-HIPAA-covered entities that have suffered healthcare data breaches, settling violations of the FTC Act and the FTC Health Breach Notification Rule. The FTC reached its first settlement for a health data breach notification failure in February, and March brought a second enforcement action. The FTC settled with BetterHelp, an online counseling service provider, to resolve FTC Act violations associated with impermissible disclosures of health information to third parties. No fine was imposed, but under the terms of the settlement consumers affected by the breach will be paid $7.8 million and will be notified as the Health Breach Notification Rule requires.