Healthcare Data Breach Report for December 2024

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received only 46 reports of data breaches involving 500 or more healthcare records in December. The low December total means that 2024 is only the second year since 2009 in which the number of healthcare data breaches fell year-over-year. The OCR breach portal currently shows 721 reports of large data breaches in 2024, 3.48% fewer than 2023’s total of 747 large healthcare data breaches.

December was the third-lowest month of 2024 in terms of number of breaches. Large data breaches decreased by 34.3% month-over-month, and this December was the second-lowest December in the last 5 years. December 2023 had 33 more large data breaches than this December.

December 2024 was also the second-lowest month of 2024 in terms of breached healthcare records. Only 3,938,375 healthcare records were reported as impermissibly disclosed, exposed, or stolen. However, the total number of breached records increased by 14.5% month-over-month.

In December 2024, the number of breached records appears to have returned to the level typical 5 years ago. There was a 74% decrease in the number of breached records compared to December 2023. However, 2024 as a whole was a bad year for breached healthcare records, up 9.96% from 2023. The OCR breach portal indicates that 2024 had 185,043,568 breached records. That number will still go up as HIPAA-covered entities conclude their data breach investigations and submit more accurate figures. Many data breaches posted on the OCR breach portal still carry placeholder figures of 500 or 501 impacted persons.

December 2024 Biggest Healthcare Data Breaches

Although OCR did not receive a data breach report involving 1 million or more records in December, one data breach exposed 914,138 records in a hacking incident at ConnectOnCall.com. Richmond University Medical Center reported a hacking incident that affected the protected health information (PHI) of 674,033 people. River Region Cardiology, Regional Care, Center for Vein Restoration, and Tycon Medical Systems also reported hacking incidents.

December had 19 data breaches involving 10,000 or more records; all but two were due to hacking incidents and ransomware attacks. Atrium Health reported the third-biggest data breach of December, caused by website tracking technologies that impermissibly transmitted information to third parties such as Google and Meta, potentially affecting 585,959 individuals.

1. ConnectOnCall.com, LLC – 914,138 individuals affected by a hacking incident
2. Richmond University Medical Center – 674,033 individuals affected by a hacking incident
3. Atrium Health – 585,959 individuals affected by website tracking tools sharing PHI with third parties
4. River Region Cardiology – 500,000 individuals affected by a hacking incident
5. Center for Vein Restoration – 446,094 individuals affected by a hacking incident
6. Regional Care, Inc. – 225,728 individuals affected by a hacking incident
7. Tycon Medical Systems, Inc. – 112,847 individuals affected by a hacking incident
8. Brockton Neighborhood Health Center – 97,488 individuals affected by an Interlock ransomware attack and data theft
9. VisionPoint Eye Center, PLLC – 66,926 individuals affected by a hacking incident
10. Dignity Health Lassen Medical Clinic – 65,482 individuals affected by a hacking incident
11. UT Southwestern Medical Center – 43,048 individuals affected by information exposed to an unauthorized third party
12. SAG-AFTRA Health Plan – 35,592 individuals affected by a phishing attack on one email account
13. Lexington Diagnostic Center – 29,819 individuals affected by a hacking incident
14. Ott Cone & Redpath, P.A. – 22,171 individuals affected by a phishing attack on one email account
15. In-Home Attendant Services Ltd. – 22,000 individuals affected by a hacking incident
16. Rumpke Consolidated Companies, Inc. & Affiliates Benefits Plan – 16,946 individuals affected by a hacking incident and data theft with attempted extortion
17. Lifetime Psychiatry, LLC – 16,926 individuals affected by a hacked email account
18. PracticeSuite, Inc. – 13,000 individuals affected by a hacking incident
19. Alta Resources Corp. – 12,162 individuals affected by a ransomware attack

Besides the data breaches listed above, four breach reports were submitted with the placeholder figures of 500 or 501 affected individuals.

1. Dragonfly Health – 501 individuals due to a Hacking/IT Incident
2. Word & Brown Insurance Administrators, Inc. – 501 individuals due to a Hacking/IT Incident
3. Youth Eastside Services – 501 individuals due to a Hacking/IT Incident
4. Kitsap Mental Health Services – 500 individuals due to a Hacking/IT Incident

Causes of Healthcare Data Breaches in December 2024

Breach reports in December were mostly due to hacking and other IT-related incidents, as in the other months of 2024 and in recent years. HIPAA-covered entities often do not disclose the nature of these incidents, such as whether ransomware was involved, even when ransomware groups have claimed to have stolen the data and posted it on their data leak sites. A few ransomware groups no longer deploy ransomware at all and focus solely on data theft and extortion. Many medical providers can restore their data from backups, and skipping file encryption makes an attack quieter and faster. Often the threat of exposing stolen information is the main reason why victims pay a ransom.

The statistics for December’s data breaches in terms of causes are:

  • 37 cases, or 80.4% of the large data breaches, were due to hacking and other IT incidents, accounting for 83.81% of the month’s breached records. The average and median breach sizes were 89,212 records and 3,112 records, respectively.
  • 7 cases were due to unauthorized access/disclosure incidents, resulting in the breach of 635,149 records. The average and median breach sizes were 90,736 records and 1,317 records, respectively.
  • 2 cases were due to loss incidents affecting 2,375 records.
  • No theft or improper disposal incidents were reported.
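The breakdown above follows the structure of the OCR breach portal’s CSV export: group reports by "Type of Breach", then compute each type’s share of reports and records plus the mean and median breach size, while flagging the 500/501 placeholder entries mentioned earlier. The script below is an added example, not code from the original article; the rows are constructed to mimic the portal’s column layout and are not real December 2024 reports, and the column names are assumed from the portal’s public export.

```python
"""Aggregate OCR breach-portal style rows by breach type (added example).

The CSV text below is constructed for illustration; column names follow the
HHS OCR breach portal export as assumed here, and no row is a real report.
"""
import csv
import io
from statistics import mean, median

# Constructed sample rows in the portal's column layout (not real reports).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,CA,Healthcare Provider,914138,12/20/2024,Hacking/IT Incident,Network Server
Example Clinic B,TX,Healthcare Provider,3113,12/18/2024,Hacking/IT Incident,Email
Example Health Plan C,IL,Health Plan,1317,12/10/2024,Unauthorized Access/Disclosure,Paper/Films
Example Vendor D,NY,Business Associate,501,12/05/2024,Hacking/IT Incident,Network Server
Example Practice E,FL,Healthcare Provider,500,12/02/2024,Hacking/IT Incident,Email
Example Lab F,WA,Healthcare Provider,2375,12/12/2024,Loss,Laptop
"""

# Counts the portal shows while an entity is still investigating the breach.
PLACEHOLDER_COUNTS = {500, 501}


def load_rows(text):
    """Parse CSV text into dicts, coercing the affected count to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Individuals Affected"] = int(row["Individuals Affected"])
        rows.append(row)
    return rows


def summarize_by_type(rows):
    """Per breach type: report count and share, record count and share, mean, median."""
    total_reports = len(rows)
    total_records = sum(r["Individuals Affected"] for r in rows)
    sizes_by_type = {}
    for r in rows:
        sizes_by_type.setdefault(r["Type of Breach"], []).append(r["Individuals Affected"])
    summary = {}
    for btype, sizes in sizes_by_type.items():
        summary[btype] = {
            "count": len(sizes),
            "pct_of_reports": round(100 * len(sizes) / total_reports, 2),
            "records": sum(sizes),
            "pct_of_records": round(100 * sum(sizes) / total_records, 2),
            "mean": round(mean(sizes)),
            "median": round(median(sizes)),
        }
    return summary


def placeholder_reports(rows):
    """Names of reports still carrying the 500/501 placeholder figure."""
    return [r["Name of Covered Entity"] for r in rows
            if r["Individuals Affected"] in PLACEHOLDER_COUNTS]


def location_share(rows, location):
    """Percentage of reports whose breached PHI was stored in `location`.

    The portal lists several locations comma-separated in one cell, so the
    cell is split before matching.
    """
    hits = 0
    for r in rows:
        locations = [loc.strip() for loc in r["Location of Breached Information"].split(",")]
        if location in locations:
            hits += 1
    return round(100 * hits / len(rows), 2)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for btype, stats in summarize_by_type(rows).items():
        print(f"{btype}: {stats}")
    print("placeholder figures:", placeholder_reports(rows))
    print("share of reports involving email:", location_share(rows, "Email"), "%")
```

Running it against the real portal export only requires replacing SAMPLE_CSV with the downloaded file’s contents; the placeholder check is useful because those 500/501 rows otherwise drag the median down and will be revised later.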

The most frequent location of breached PHI was network servers, reflecting the number of hacking incidents; nevertheless, over 20% of breaches involved information stored in email accounts. These incidents underscore the need for strong password policies, multifactor authentication, and HIPAA security awareness training for employees.

Where the Data Breaches Occurred

Healthcare providers submitted 30 data breach reports in December affecting 2,243,060 individuals. Business associates submitted 8 data breach reports affecting 1,401,066 individuals. Health plans reported 7 data breaches affecting 68,521 individuals. A healthcare clearinghouse submitted one data breach report affecting 225,728 individuals. When a data breach occurs at a business associate, the business associate must notify each affected covered entity, and the covered entity then decides who will mail individual notifications and inform OCR and the media. Some covered entities choose to report business associate data breaches themselves and send their own notifications, whereas others delegate that task to the business associate. When a business associate works with several covered entities, a mix of both approaches can occur, which is why data breaches at business associates are frequently underreported.

Healthcare Data Breaches by State

California reported 5 data breaches and Texas reported 4, while Illinois, Tennessee, Massachusetts, and Washington reported 3 data breaches each. Alabama, Florida, Nebraska, Missouri, and North Carolina reported 2 data breaches each. Arizona, Connecticut, Delaware, Kentucky, Indiana, Michigan, Maryland, Nevada, New York, Oklahoma, Ohio, Utah, Wisconsin, Virginia, and the District of Columbia reported one breach each.

HIPAA Enforcement Activity in December 2024

OCR reached 9 settlements with HIPAA-covered entities over alleged HIPAA Rules violations in December. In 2024, OCR investigated 22 complaints; 15 of those investigations ended in settlements and 7 in civil monetary penalties, with the penalties and settlements totaling $12,841,796.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA