The number of healthcare data breaches reported to OCR fell for the second consecutive month and is now at its lowest level since October 2023. In May 2024, 51 breaches of 500 or more healthcare records were reported, below the 12-month average of 65 breaches per month.
Despite the monthly decline, reported breaches are still running 22% higher in 2024 than a year earlier. OCR received 333 reports of breaches of 500 or more records between January 1 and May 31, 2024, compared with 273 in the same period of 2023. The average breach size so far in 2024 is 123,785 records and the median is 3,716 records; together, the 333 breaches exposed or stole the data of 41,220,380 people.
Even though two of May's breaches involved between 2.5 million and 2.8 million records each, the total number of breached records fell. The 51 breaches compromised the protected health information (PHI) of 8,468,460 people, 44.8% fewer than in April 2024 and 60.6% fewer than in April 2023, and below the 12-month average of 9,002,020 breached records a month. Over the last 12 months, the average and median monthly totals were 11.42 million and 8.49 million breached records.
Biggest Healthcare Data Breaches in May 2024
In May 2024, regulated entities reported 20 breaches of 10,000 or more records to OCR, eight of which involved 100,000 or more records and two of which involved more than 2.5 million records. The largest was reported by the Nebraska-based medication benefit management services provider A&A Services, which does business as Sav-Rx. Sav-Rx did not describe the incident as a ransomware attack, although ransomware is suspected to have been used; it confirmed that data was stolen in the attack, which affected up to 2,812,336 people.
WebTPA Employer Services, a Texas-based administrator of health insurance and benefit plans, reported a cyberattack but did not disclose the nature of the incident or the types of data exposed. Although the report was submitted in May 2024, the intrusion occurred more than a year earlier: the attackers had access to its systems for about a week in April 2023. Notification was similarly delayed in the hacking incident at the Illinois EMS provider Superior Air-Ground Ambulance Service, which sent notification letters in May 2024 for a nine-day intrusion that took place in May 2023 and exposed the data of 858,238 individuals.
United Seating and Mobility, L.L.C., which does business as Numotion and supplies wheelchairs and mobility equipment, notified affected individuals far more promptly. It identified a ransomware attack on March 2, 2024, and sent notification letters in May; the attackers had access to its systems for three days beginning February 29, 2024.
The next two largest breaches occurred at two healthcare providers, El Centro Del Barrio, which does business as CentroMed, in San Antonio, TX, and Affiliated Dermatologists and Dermatologic Surgeons in New Jersey, affecting 400,000 and 380,000 people respectively. Both were data theft and extortion incidents: the attackers accessed the systems, stole data, and demanded payment to prevent its publication. Ransomware was not deployed in either case.
Six breaches were reported to OCR as affecting 500 or 501 people. These figures are commonly used as placeholders: the HIPAA Breach Notification Rule requires breaches of 500 or more records to be reported to OCR within 60 days of discovery, and the number of affected individuals is often still unknown when that deadline arrives, so the entity files an interim figure and amends the report once the count is final.
1. A&A Services d/b/a Sav-Rx – 2,812,336 individuals affected by ransomware attack and data theft
2. WebTPA Employer Services, LLC (“WebTPA”) – 2,518,533 individuals affected by a hacked network server
3. Superior Air-Ground Ambulance Service, Inc. – 858,238 individuals affected by a hacked network server
4. United Seating and Mobility, L.L.C., d/b/a Numotion – 602,265 individuals affected by ransomware attack and data theft
5. El Centro Del Barrio d/b/a CentroMed – 400,000 individuals affected by data theft and extortion by Karakurt threat group
6. Affiliated Dermatologists and Dermatologic Surgeons, P.A. – 380,000 individuals affected by data theft and extortion incident
7. AmerisourceBergen Specialty Group, LLC – 252,214 individuals affected by a hacked network server and data theft
8. MedStar Health, Inc. – 183,079 individuals affected by unauthorized access to email accounts of employees
9. Trionfo Solutions, LLC – 81,588 individuals affected by a hacked network server
10. Victoria Eye Center/Victoria Surgery Center/Victoria Vision Center – 80,000 individuals affected by a ransomware attack and data theft
11. Adventist Health Tulare – 70,802 individuals affected by a hacking incident and data theft at Signature Performance, its business associate
12. Hypertension-Nephrology Associates, P.C. – 39,491 individuals affected by data theft and extortion incident
13. Columbia University Irving Medical Center – 29,629 individuals affected by unauthorized access to online files
14. Brockton Area Multi Services, Inc. – 21,537 individuals affected by a hacked network server
15. Omni Healthcare Financial Holdings – 16,852 individuals affected by a ransomware attack
16. UnitedHealthcare Insurance Company – 16,665 individuals affected by unauthorized access to paper documents
17. Texas Panhandle Centers – 16,394 individuals affected by a hacked network server and data theft
18. Lakeview Health Systems, LLC – 10,772 individuals affected by a hacked network server
19. Call 4 Health, Inc. – 10,434 individuals affected by a break-in and stolen laptop computers with password protection
20. University of Chicago Medical Center – 10,332 individuals affected by unauthorized access to email accounts of employees
Causes of Data Breach and Location of Breached PHI in May 2024
Hacking and other IT incidents accounted for 76.5% (39) of May's reported breaches and for 8,407,641 breached records, or 99.3% of the month's total. The average breach size for these incidents was 215,581 records and the median 7,260 records. The number of hacking/IT incidents fell 11.4% from April 2024, while the number of records breached in such incidents rose 338% month over month.
Eleven unauthorized access/disclosure incidents accounted for the remaining 58,939 records, or 0.7% of May's total, with an average breach size of 5,358 records and a median of 1,427. Only one theft incident was reported: a stolen laptop containing the unencrypted data of 1,880 people. Had that data been encrypted in line with HHS guidance, the loss would not have been a reportable breach of unsecured PHI; a login password on the device does not meet that bar.
Network servers were the most common location of breached PHI, but 33% of May's breaches involved hacked email accounts. Email account compromises typically begin with phished or stolen credentials, and phishing-resistant multi-factor authentication, such as FIDO2/WebAuthn security keys or certificate-based authentication, blocks that route. The choice of factor matters: SMS codes and push approvals can be defeated by real-time proxy (adversary-in-the-middle) phishing and push fatigue, so they do not offer the same protection.
Where did the Data Breaches Happen?
According to the breaches published on the OCR breach portal, healthcare providers reported 38 breaches involving 2,992,405 records, business associates reported 10 breaches involving 5,465,269 records, health plans reported 2 breaches involving 9,692 records, and a healthcare clearinghouse reported 1 breach involving 1,094 records.
The breaches attributed to HIPAA-covered healthcare providers may include incidents that actually occurred at business associates, because some covered entities issue the breach notifications on the business associate's behalf. Business associate breaches are therefore likely undercounted in OCR's listing.
Healthcare Data Breaches by State
HIPAA-regulated entities in 20 U.S. states reported breaches of 500 or more records in May. Florida, Illinois, and Tennessee each reported five breaches, involving 24,564, 952,538, and 605,667 records respectively. The most breached records were reported in Texas (3,014,927 records) and Nebraska (2,812,837 records).
California, New York, Pennsylvania and Texas reported 4 data breaches each. Connecticut and Massachusetts reported 3 each. Minnesota, Nebraska, and Oregon reported two each. Alabama, Arkansas, Arizona, Maryland, Michigan, North Carolina, New Jersey and Wisconsin reported one each.
HIPAA Enforcement Activity
OCR announced no settlements or civil monetary penalties in May 2024. Four enforcement actions have been announced so far in 2024, with $4,925,000 paid to settle alleged HIPAA violations. State attorneys general likewise announced no HIPAA compliance penalties in May.