May 2023 was a notably bad month for healthcare data breaches. There were 75 data breaches involving 500 or more healthcare records reported to the HHS’ Office for Civil Rights (OCR). Month-over-month, the number of reported data breaches increased by 44%, and the total was above 58 data breaches a month.
The number of breached records increased by 330% month-over-month to 19,044,544 records. Over the last year, the average and median numbers of breached records per month were 6,104,761 and 5,889,562, respectively. One incident in May exposed the records of nearly 8.9 million people, and three security incidents accounted for 90.45% of the breached records. The first 5 months of 2023 saw more breached healthcare records (36,437,539) than 2020’s 29,298,012 records.
May 2023’s Biggest Healthcare Data Breaches
There were 23 data breaches involving 10,000 or more records reported to OCR in May, including two of 2023’s biggest healthcare data breaches.
- The LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA) affected approximately 8.9 million people. The LockBit group stole data and threatened to publish it on its leak site if MCNA did not pay the $10 million ransom. When no payment was made, the group leaked the stolen data.
- The Money Message ransomware group stole about 6 million records in a ransomware attack on BrightSpring Health Services and its holding company PharMerica Corporation. The group exfiltrated 4.7 terabytes of files and uploaded the stolen data to its data leak site when the ransom was not paid.
- A cyberattack on Point32Health resulted in a data breach and potential theft of the protected health information (PHI) of 2,550,922 Harvard Pilgrim Health Care plan members in Massachusetts. The incident was a ransomware attack involving data theft.
Other large data breaches included a hacking incident at the Virginia-based business associate Credit Control Corporation (345,523 records), and ransomware attacks on Onix Group (319,500 records), Albany ENT & Allergy Services, PC (224,486 records), and the Iowa Department of Health and Human Services (233,834 records).
Healthcare Data Breaches Involving 10,000 or More Records
1. Managed Care of North America (MCNA) – 8,861,076 individuals were affected by the LockBit ransomware attack and data theft
2. PharMerica Corporation – 5,815,591 individuals were affected by a hacking incident and data theft
3. Harvard Pilgrim Health Care – 2,550,922 individuals were affected by a ransomware attack and data theft
4. R&B Corporation of Virginia doing business as Credit Control Corporation – 345,523 individuals were affected by a hacking incident and data theft
5. Onix Group – 319,500 individuals were affected by an attack and data theft
6. Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) – 233,834 individuals were affected by the LockBit ransomware attack and data theft at its business associate MCNA Dental
7. Albany ENT & Allergy Services, PC – 224,486 individuals were affected by a BianLian/RansomHouse ransomware attack and data theft
8. Uintah Basin Healthcare – 103,974 individuals were affected by a hacking incident
9. UI Community Home Care – 67,897 individuals were affected by a cyberattack and data theft at the subcontractor (ILS) of its business associate (Telligen)
10. University Urology – 56,816 individuals were affected by a hacking incident
11. Illinois Department of Healthcare and Family Services, Illinois Department of Human Services – 50,839 individuals were affected by the hacking of the state Application for Benefits Eligibility (ABE) system
12. New Mexico Department of Health – 49,000 individuals were affected by the impermissible disclosure of deceased persons’ PHI
13. Pioneer Valley Ophthalmic Consultants, PC – 36,275 individuals were affected by a malware infection at its business associates ECL Group, LLC and Alta Medical Management
14. Brightline, Inc. – 28,975 individuals were affected by the hacking of the Fortra GoAnywhere MFT solution
15. Clarke County Hospital – 28,003 individuals were affected by a hacking incident
16. United Healthcare Services, Inc. Single Affiliated Covered Entity – 26,561 individuals were affected by a hacking incident
17. ASAS Health, LLC – 25,527 individuals were affected by a hacking incident
18. iSpace, Inc. – 24,382 individuals were affected by a hacking incident and data theft
19. PillPack LLC – 19,032 individuals were affected by a credential stuffing attack that gave access to customer accounts
20. Solutran – 17,728 individuals were affected by a hacking incident
21. MedInform, Inc. – 14,453 individuals were affected by a hacking incident and data theft
22. Catholic Health System – 12,759 individuals were affected by a hacking incident and data theft at its business associate Minimum Data Set Consultants
23. Northwest Health – La Porte – 10,256 individuals were affected by the improper disposal of paper records
Causes of Healthcare Data Breaches in May 2023
Most of the month’s data breaches involved hacking/IT incidents, ransomware attacks, and data theft/extortion attempts. 61 incidents, or 81.33% of May’s data breaches, were hacking/IT incidents, and they accounted for 99.54% of the breached records: the PHI of 18,956,101 individuals was compromised or stolen in those cases. The average and median breach sizes were 310,756 and 3,833 records, respectively. There were 11 unauthorized access/disclosure incidents, which affected 82,236 people; the average and median breach sizes were 7,476 and 1,809 records, respectively. Two incidents involved the theft of 5,632 records, and one incident involved the improper disposal of 575 paper documents. The breached electronic protected health information (ePHI) was stored on network servers in 57 hacking incidents and in email accounts in 9 hacking incidents.
Location of Breached PHI in May 2023
When a data breach occurs at a business associate of a HIPAA-regulated entity, the breach may be reported by the business associate, by the HIPAA-regulated entity, or by both, depending on the terms of their business associate agreement. In May 2023, healthcare providers reported 36 breaches, business associates reported 25, and health plans reported 14; however, those figures do not accurately reflect where the breaches actually occurred.
Healthcare Data Breaches’ Geographical Distribution
HIPAA-regulated entities in 30 states reported data breaches involving 500 or more records. Although Massachusetts reported 15 data breaches, 13 of them involved Alvaria, Inc., which submitted a separate breach report for each of its affected healthcare clients. Excluding those, New York and California had the most breaches, with 7 each. Connecticut, Ohio, and Iowa reported 4 breaches each. New Jersey, Illinois, and Philadelphia reported 3 each. Alaska, Indiana, Texas, and Missouri reported 2 each. Arizona, Arkansas, Kentucky, Kansas, Georgia, Michigan, Minnesota, New Mexico, New Hampshire, Oklahoma, South Dakota, Utah, Tennessee, Virginia, Washington, Wisconsin, and West Virginia reported one each.
HIPAA Enforcement Activity in May 2023
After two months without HIPAA enforcement actions, May saw several enforcement actions over HIPAA compliance failures. OCR issued two financial penalties to settle HIPAA violations. State attorneys general announced two enforcement actions, and the Federal Trade Commission (FTC) announced one enforcement action against a non-HIPAA-regulated entity for impermissibly disclosing consumer health data.
In May, OCR issued its 44th financial penalty under its HIPAA Right of Access enforcement initiative. Pittsburgh counselor David Mente, MA, LPC agreed to pay $15,000 for failing to provide a father with the health records of his minor children, despite the father submitting two requests for a copy of the records and OCR providing technical assistance after receiving the first complaint.
The New York Attorney General agreed to a settlement resolving violations of HIPAA and state law identified during an investigation of Professional Business Systems Inc, also known as PBS Medcode Corp, and Practicefirst Medical Management Solutions. The healthcare management firm was investigated after reporting a ransomware attack and data breach affecting 1.2 million people. The attackers gained access to its systems by exploiting a vulnerability that had not been patched, even though a patch had been available for 22 months. Practicefirst’s violations of HIPAA and state law stemmed from failures in patch management, inadequate security testing, and the lack of encryption. The case was settled for $550,000.