Healthcare Data Breach Report for July 2024

Large healthcare data breaches have reached an 18-month low after falling for the fourth consecutive month. In July 2024, 43 breach reports involving 500 or more records were submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the lowest monthly total since January 2023. Apart from an uptick in March 2024, the number of reported breaches has fallen steadily since December 2023.
July 2024 saw a 10.4% decrease in breaches from the previous month, a 30.6% drop from July 2023, and a 37.7% decrease from July 2022. The trend extends to the number of healthcare records exposed in these breaches. In July 2024, 1,217,299 healthcare records were reported as exposed, improperly disclosed or stolen, a 68.3% decrease from June 2024, a 92.3% decrease from April 2024 and a 95.1% decrease from July 2023.
There is a caveat, however. July 2024 had an unusually high number of reported breaches affecting exactly 500 or 501 records. These figures are commonly used as placeholders when an entity cannot determine the number of affected individuals within the 60-day reporting window mandated by the HIPAA Breach Notification Rule. The rule requires an estimate to be submitted if the total is not yet known, with the expectation that the figure will be updated once the investigation is complete.
The most notable placeholder report in July 2024 was for the ransomware attack on Change Healthcare. The CEO of UnitedHealth Group, Change Healthcare’s parent company, had informed Congress that the breach could potentially affect over 110 million people, or 1 in 3 Americans. Ascension also used a placeholder for its ransomware attack, for which the number of affected individuals is still unknown.
In total, ten breach reports in July 2024 used the 500 or 501 placeholder. Their final totals are not yet confirmed, but ongoing document reviews suggest that the figures for the other nine breaches will also be considerably higher. Once these reports are updated, July 2024 may shift from one of the better months for healthcare data breaches to one of the worst on record.

Healthcare Breach Reports Using the 500/501 Placeholder

1. Delta County Memorial Hospital District (Delta Health) – Network server hacking incident
2. EMS Department for the Kansas City, Kansas Fire Department – Cyberattack and data theft – Document review in progress
3. Neuro Rehab Associates, Inc. doing business as Northeast Rehabilitation Hospital Network – Ransomware attack and data theft by Hunters International – Document review in progress
4. Franklin County, Kansas – Ransomware attack and data theft by the Rhysida ransomware group – Document review in progress
5. Palomar Health Medical Group – Ransomware attack and data theft – Document review in progress
6. Maryville, Inc. – Email hacking incident – Document review in progress
7. Special Health Resources of Texas, Inc. – Ransomware attack and data theft – Document review in progress
8. Change Healthcare, Inc. – Ransomware attack by the BlackCat group – Document review in progress
9. Hospital Auxilio Mutuo – Cyberattack and data theft – Document review in progress
10. Ascension Health – Ransomware attack and data theft by Black Basta – Document review in progress

Biggest Healthcare Data Breaches in July 2024

The ransomware attacks on Change Healthcare and Ascension will almost certainly be the largest healthcare data breaches reported in July 2024, but their full scope may not be known for weeks or months. Thirteen breaches involving at least 10,000 healthcare records were reported to OCR. The largest confirmed breach was at Arisa Health, an Arkansas healthcare provider, with over 375,000 individuals affected. The exact nature of the incident has not been disclosed beyond unauthorized access to a network server. The second-largest breach, affecting up to 300,000 individuals, was reported by American Clinical Solutions, a Florida-based drug testing laboratory; the RansomHub ransomware group claimed responsibility for the attack.
Phishing also featured prominently, with four of the largest breaches attributed to it. One phishing attack resulted in unauthorized access to the email accounts of 11 employees and the exposure of sensitive data, and Michigan Medicine’s second data breach this year was also the result of phishing.
Although ransomware is the major threat to the healthcare industry, phishing remains a persistent problem. The breaches reported in July underline the need for controls that protect sensitive healthcare information from unauthorized access.
1. Arisa Health Incorporated – 375,436 individuals affected by hacked network server and likely data theft
2. American Clinical Solutions – Up to 300,000 individuals affected by ransomware attack (RansomHub group) with data theft
3. United of Omaha Life Insurance Company – 107,894 individuals affected by phishing attack with access to email account
4. New Jersey Oral & Maxillofacial Surgery – 74,413 individuals affected by hacked network server and data theft
5. DaVita Inc. CO – 67,443 individuals affected by use of tracking technologies on its web pages
6. University of Michigan/Michigan Medicine – 56,953 individuals affected by phishing attack with 3 email accounts compromised
7. Surgery Center of Mid Florida – 48,684 individuals affected by ransomware attack and likely data theft
8. The Medibase Group, Inc. – 35,106 individuals affected by hacked network server and likely data theft
9. Janna Pharmacy LLC – 26,000 individuals affected by unauthorized access to email system
10. Human Technology Inc., and its affiliates – 24,580 individuals affected by hacked network server and likely data theft
11. Allcare Medical Management Incorporated – 16,378 individuals affected by a phishing attack with 1 breached email account
12. Patented Acquisition Corporation – 12,787 individuals affected by network server hacking incident
13. Aveanna Healthcare, LLC – 10,482 individuals affected by phishing attack with 11 breached email accounts

Causes of Healthcare Data Breaches in July 2024

Ransomware and extortion groups continue to target the healthcare sector, and while attacks remain frequent, a shift in strategy has been noted. The blockchain analysis company Chainalysis has observed that these groups are now focusing on “big game hunting”: targeting larger organizations capable of yielding high financial returns. By hitting major entities, attackers can inflict costly disruption, steal large volumes of data, and demand higher ransoms. This change in approach may be driven by a decline in the number of victims willing to pay. Both Chainalysis and the ransomware recovery company Coveware have reported a steady drop in ransom payments; Coveware’s data for Q1 2024 shows the lowest recorded percentage of victims paying a ransom (28%).
In July 2024, hacking and IT incidents were the leading cause of healthcare data breaches, accounting for 83.7% of all breaches and 91% of breached records. Those 36 incidents exposed 1,107,192 records, with an average breach size of 30,755 records and a median of 2,740 records.
The remaining 16.3% of breaches (seven incidents) were unauthorized access or disclosure incidents: three involved unauthorized email access, one unauthorized network server access, one unauthorized electronic medical record access, and two the improper disclosure of physical PHI. A total of 110,107 healthcare records were compromised in these incidents, with an average breach size of 15,730 records and a median of 3,435 records.
Network servers were the most common location of breached healthcare data, but email accounts were involved in 10 breaches, including four of the largest of the month. No breaches were reported due to loss, theft, or improper disposal of records.

Where did the Data Breaches Occur?

In July 2024, healthcare providers reported 31 breaches, health plans reported 7, and business associates of HIPAA-covered entities reported 5. Healthcare provider breaches affected 1,027,292 records, health plan breaches 121,866 records, and business associate breaches 68,141 records. Note that some breaches that occur at business associates are reported by the covered entity rather than the business associate, so these figures understate business associate involvement.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 25 states and Puerto Rico reported data breaches involving 500 or more records. California and Georgia reported four breaches each, and Indiana and Ohio three each. Colorado, Florida, Kansas, New Jersey, Oregon, Tennessee and Texas reported two each, and Alabama, Arizona, Arkansas, Delaware, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Carolina, Virginia, Washington and Puerto Rico reported one each. The states with the most breached records were Arkansas (375,436 records), Florida (348,684 records), Nebraska (107,894 records), New Jersey (74,914 records), and Colorado (67,944 records).

HIPAA Enforcement Activity in July 2024

OCR announced only one enforcement action in the past three months, a settlement in July. Heritage Valley Health System, a network of three hospitals and over 50 physician offices in Pennsylvania, West Virginia, and eastern Ohio, was affected by a 2017 global malware attack.
OCR’s investigation of the attack identified several areas of noncompliance, including the failure to conduct a risk analysis, a lack of contingency (emergency response) policies, and insufficient technical policies and procedures for controlling access to systems holding electronic protected health information (ePHI). OCR proposed a financial penalty, which Heritage Valley Health System agreed to settle for $950,000. This is OCR’s fifth HIPAA penalty of 2024, bringing the total collected from January 1 to July 31, 2024, to $5,775,000.
Among HIPAA penalties issued by state attorneys general, Washington State announced a settlement with Allure Esthetic in July. The plastic surgery practice was accused of inflating online reviews, bribing and intimidating patients, and compelling patients to sign non-disclosure agreements that waived their HIPAA rights. Under the HIPAA Privacy Rule, healthcare entities cannot condition treatment on a patient’s authorization to disclose protected health information. Allure Esthetic settled the HIPAA and state law violations for $5 million.
About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] or follow her on Twitter at https://twitter.com/ChrisCalHIPAA