In January, 61 data breaches involving 500 or more records were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a 22% month-over-month decrease in reported breaches. The January total is two below the monthly average of 63 breaches. January is usually a quiet month for healthcare data breaches, but the January 2024 count is 45% higher than in January 2023.
For the second successive month, the number of breached records fell, to 8,800,875 healthcare records. As with the number of reported breaches, the decline is welcome; however, the number of breached records in 2024 remains significantly higher than in past years.
In January 2024, 4 cyberattacks were reported to OCR before the total number of affected records had been determined. To meet the reporting deadline of the HIPAA Breach Notification Law, which requires reporting within 60 days of discovering a breach, those four reports were submitted with a placeholder figure of 500 or 501 records. January’s true total is therefore likely to be considerably higher.
Largest Healthcare Data Breaches in January 2024
There were 24 data breaches involving at least 10,000 healthcare records reported to OCR in January 2024, including one that affected roughly 500,000 records, one that affected over 2 million records, and one that compromised approximately 4 million records. Two of these breaches occurred at Perry Johnson & Associates, Inc. (PJ&A), a transcription service provider, but were reported by the affected covered entities. In November 2023, PJ&A announced a cyberattack that affected 8.95 million individuals. Including the individuals at North Kansas City Hospital and Concentra Health Services, the PJ&A breach has now affected over 13.45 million people.
The second-largest breach of January was the ransomware attack on Integris Health, which compromised the data of 2,385,646 people. Integris Health restored its files from backups and chose not to pay the ransom demanded to prevent the release of the stolen information. With no ransom paid, the threat actor attempted to extort patients directly, contacting them and threatening to publish their information unless they paid $50. This was not the first time a ransomware attacker has gone after patients, and it will surely not be the last; as fewer victims pay ransoms, such aggressive tactics are likely to become more common.
OCR investigates all healthcare data breaches involving 500 or more records to determine whether they were caused by noncompliance with the HIPAA Regulations. OCR has also indicated that it will restart its HIPAA audit program to assess compliance with the HIPAA Regulations across the healthcare sector. The last round of HIPAA audits, conducted in 2017, found that most HIPAA-covered entities were not fully compliant with the HIPAA Security Rule.
An IBM report published in February indicates that little has changed and that healthcare companies are still not implementing standard security practices. The study found that 85% of cyberattacks targeting critical infrastructure sectors could have been prevented with basic security measures such as multi-factor authentication, prompt patching, and the principle of least privilege. OCR is seeking to address this through its voluntary cybersecurity operation objectives and, potentially, through the HIPAA Security Guideline update that it intends to propose this spring.
1. Concentra Health Services, Inc. – 3,998,162 individuals affected by a cyberattack on business associate (PJ&A)
2. INTEGRIS Health – 2,385,646 individuals affected by a ransomware attack with confirmed data theft
3. North Kansas City Hospital – 502,438 individuals affected by a cyberattack on a business associate (PJ&A)
4. Azura Vascular Care – 348,000 individuals affected by a hacking incident
5. Des Moines Orthopaedic Surgeons, P.C. – 307,864 individuals affected by a hacking incident with confirmed data theft
6. The Harris Center for Mental Health and IDD – 238,463 individuals affected by a ransomware attack with confirmed data theft
7. HORNE, LLP – 170,052 individuals affected by a hacking incident
8. Columbus Regional Healthcare System – 132,887 individuals affected by a hacking incident with confirmed data theft
9. Cooper Clinic, P.A. – 124,341 individuals affected by a hacking incident
10. Psychological Holdings, PLLC d/b/a Senior PsychCare – 75,349 individuals affected by a hacking incident
11. ACE – 65,295 individuals affected by a hacking incident
12. ConsensioHealth, LLC – 60,871 individuals affected by a ransomware attack with confirmed data theft
13. Veterans Health Administration – 46,677 individuals affected by unauthorized access/disclosure of paper/films; there is no public report about the incident
14. Hampton-Newport News Community Services Board – 44,312 individuals affected by a ransomware attack with confirmed data theft
15. United Regional Health Care System – 36,900 individuals affected by a hacking incident at a business associate
16. Air Methods, LLC – 34,016 individuals affected by theft of an unencrypted laptop computer
17. Coastal Hospice & Palliative Care – 29,100 individuals affected by a hacking incident
18. AHS Management Company, Inc. – 23,686 individuals affected by a ransomware attack with confirmed data theft
19. Burr & Forman LLP – 19,893 individuals affected by a hacking incident
20. Insurance ACE/Humana Inc. – 12,539 individuals affected by a mailing error that sent documents to the wrong recipients
21. InHealth Technologies – 12,143 individuals affected by a hacking incident
22. TGI Direct – 11,556 individuals affected by a hacking incident
23. Fincantieri Marine Group, LLC – 11,535 individuals affected by a ransomware attack with confirmed data theft
24. Midwest Long Term Care Services d/b/a Senior Scripts – 10,566 individuals affected by a hacking incident
Causes of Data Breaches and Their Locations
Of the 24 reported data breaches involving 10,000 or more records, 21 were hacking/IT incidents. Of the 61 data breaches reported in January, 47 (77%) were hacking/IT incidents, and they accounted for 8,687,590 records, or 98.7% of the month’s breached records, that were exposed or impermissibly disclosed. The average and median sizes of a hacking-related breach were 184,842 records and 6,457 records, respectively.
Twelve reported breaches were unauthorized access/disclosure incidents, affecting 78,162 records, with an average breach size of 6,514 records and a median of 1,069 records. Two loss/theft incidents involving unencrypted electronic devices were reported; the devices held the records of 35,123 individuals. The most common locations of breached healthcare data in January were network servers, email accounts (7 breaches), and physical records (6 breaches).
In February, the LockBit ransomware-as-a-service group lost its infrastructure following an international law enforcement operation. LockBit was the most active ransomware group for much of the 4 years it operated and carried out many attacks on the healthcare industry.
The operation took down 34 of the group’s servers, its affiliate portal, its Tor sites, and its data leak site. The group had itself frequently exploited vulnerabilities to gain access to victims’ networks; in this case it was an unpatched vulnerability in the group’s own infrastructure that allowed law enforcement to gain access. Over 2,000 decryption keys were obtained and 200 cryptocurrency wallets were seized. The core members of the gang remain at large and may rebuild their infrastructure and relaunch under another name; even so, the operation has caused considerable disruption and has damaged the group’s reputation in the cybercriminal community.
Entities Impacted by the Data Breaches
The raw data on the OCR breach portal shows that healthcare providers reported 38 data breaches affecting 8,030,189 records; health plans reported 12 breaches affecting 122,803 records; business associates reported 9 breaches affecting 644,716 records; and healthcare clearinghouses reported two breaches affecting 3,167 records. These figures do not tell the whole story, because the entity that submits a breach report is not always the entity that experienced the breach. When a breach occurs at a business associate, the report may be submitted by the business associate, by the affected covered entities, or by both, as happened with the PJ&A breach. Examining the underlying reports shows where the breaches actually occurred.
Geographical Statistics of Healthcare Data Breaches
Data breach reports involving 500 or more records were submitted by HIPAA-covered entities in 31 U.S. states and Washington D.C. California reported 9 breaches and Texas reported 6. Alabama, the District of Columbia, and Tennessee each reported 3 breaches. Arkansas, Iowa, Florida, Michigan, Indiana, Missouri, North Dakota, Nevada, Virginia, and Pennsylvania each reported 2 breaches. Arizona, Colorado, Kentucky, Kansas, Mississippi, Maryland, Nebraska, New Mexico, New Hampshire, North Carolina, New York, Oregon, Ohio, Oklahoma, Wisconsin, and Washington each reported 1 breach.
January 2024 HIPAA Enforcement Activity
OCR did not announce any HIPAA enforcement actions in January, and no state attorney general issued a HIPAA enforcement action either. However, the California Attorney General announced a settlement with Quest Diagnostics to resolve alleged violations of state law, including allegations that Quest Diagnostics improperly disposed of patients’ personal data. A series of inspections of Quest Diagnostics laboratories and patient service centers found widespread unlawful disposal of medical and hazardous waste, along with unredacted personal medical information of patients. Quest Diagnostics agreed to pay a $5 million financial penalty and to address the issues identified in the investigation.