In June 2024, 47 data breaches involving 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR). This is the lowest monthly total since October 2023. The number of breaches dropped 9.6% from May 2024 and 30.9% from June 2023, and is below the 12-month average of 64 data breaches per month.
For the second consecutive month, the number of breached records dropped. The 47 breaches reported in June resulted in the exposure, theft, and impermissible disclosure of the protected health information (PHI) of 3,837,356 individuals.
June’s number of breached records is the second-lowest monthly total in 2024 and below the 12-month average of 11,637,320 breached records. The figures may look very different next month, because Change Healthcare will begin sending breach notification letters to the people affected by its February 2024 ransomware attack on July 20, 2024, and OCR will soon be informed of the scope of that breach. The CEO of UnitedHealth Group (Change Healthcare’s parent company) said at a Senate hearing that the breach is expected to affect approximately 1 in 3 Americans, close to 113,000,000 people.
Biggest Healthcare Data Breaches in June 2024
Pennsylvania health system Geisinger reported the biggest data breach, which affected the PHI of 1,276,026 persons. It was not caused by a hacking or ransomware attack. Geisinger found out that a former employee of a business associate had accessed patient records after being fired. The business associate had not blocked the employee’s access to patient records before terminating the employee.
Lurie Children’s Hospital’s hacking incident was the largest hacking-related breach of the month. The ransomware attack resulted in the theft of the PHI of 775,860 current and former patients. The hospital’s electronic health record (EHR) system was offline for several months, from January, when the attack occurred, until May. Lurie Children’s did not pay the ransom demand, and the ransomware group responsible for the attack subsequently claimed to have offered the stolen data for sale.
Consulting Radiologists, a Minnesota radiology services firm, reported that the PHI of 583,824 patients was affected in a hacking incident with potential data theft. Two eye care service providers reported ransomware attacks that affected more than 300,000 patients each. Panorama Eyecare reported an incident involving the LockBit ransomware group, which stole patient records in May 2023. Texas Retina Associates reported an attack that was detected in March 2024 but occurred in October 2023, when the Monto ransomware group accessed its network.
Financial Business and Consumer Solutions reported a breach to OCR that affected the PHI of 117,567 people. The breach also affected several clients that are not HIPAA-covered entities, and the report was initially submitted to the Maine Attorney General as affecting the personal data of 1,955,385 people. After further investigation, the breach report to the Maine Attorney General was updated to state that 4,050,711 individuals were affected. It is presently unclear whether the additional 2,095,326 affected individuals were patients of the HIPAA-covered entity clients.
1. Geisinger – 1,276,026 individuals affected by the theft of patient data by the ex-employee of a business associate
2. Ann & Robert H. Lurie Children’s Hospital of Chicago – 775,860 individuals affected by a ransomware attack with data theft
3. Consulting Radiologists LTD. – 583,824 individuals affected by a hacking incident with potential data theft
4. Panorama Eyecare – 377,911 individuals affected by a ransomware attack with potential data theft
6. Texas Retina Associates – 312,867 individuals affected by a ransomware attack with possible data theft
7. Financial Business and Consumer Solutions, Inc. – 117,567 individuals affected by a hacking incident with potential data theft
8. Signature Performance, Inc. – 106,540 individuals affected by a hacking incident with potential data theft
9. Adventist Health Tulare – 70,000 patients affected
10. County of Los Angeles Department of Health Services – 41,444 individuals were affected by a phishing attack including 53 breached email accounts
11. Radiology and Imaging Specialists – 37,210 individuals affected by a hacking/IT incident affecting email
12. The Mount Kisco Surgery Center LLC – 22,139 individuals affected by a breached employee email account
13. Aptihealth, Inc. – 19,805 individuals affected by a hacking incident at business associate Sisense with probable data theft
14. Wisconsin Department of Health Services – 19,150 individuals affected by an accidental disclosure of patient information through email by a business associate
15. Neurobehavioral Medicine Consultants, P.C. – 18,182 individuals affected by a hacking incident with probable data theft
16. The Lash Group, LLC – 15,196 individuals affected by a hacking incident with probable data theft impacting Cencora and The Lash Group (AmerisourceBergen Specialty Group also reported this breach to OCR as impacting 255,316 individuals)
17. Insurance ACE/Humana Inc – 15,003 individuals affected by an unauthorized disclosure of paper documents
18. Kairos Health Arizona, Inc. – 14,364 individuals affected by unauthorized access to patient information by a previous business associate
19. SkinCure Oncology – 13,434 individuals affected by unauthorized access to multiple email accounts
20. Memorial Sloan Kettering Cancer Center – 12,274 individuals affected by a phishing attack involving multiple breached email accounts
Causes of Data Breach and Location of Breached PHI
The number of reported hacking incidents dropped by 18% month-over-month, although hacking incidents still outnumber all other causes of data breaches. Hacking incidents accounted for 68% of June’s reported large data breaches and 65.5% of breached records (2,512,792). Hacking incidents affected the PHI of 45,562 persons, and the median breach size was 6,419 records.
23 unauthorized access/disclosure incidents were reported in June, compared with 24 in May; nonetheless, the number of records exposed in these incidents increased by 2,138% month-over-month because of the massive insider breach at Geisinger’s business associate. Across the 12 incidents, the records of 1,319,305 individuals were impermissibly accessed or exposed. The mean and median breach sizes were 109,942 records and 1,648 records, respectively. Two reports involved theft incidents affecting the PHI of 4,018 persons: in one, a laptop was stolen; in the other, paper records were stolen. One improper disposal incident was reported, affecting the PHI of 1,241 individuals.
The most frequent location of breached PHI was network servers. When an organization complies with the HIPAA Security Rule, its network is considerably harder for hackers to attack; even so, many breaches occur at HIPAA-covered entities that have cybersecurity defenses in place. Email was the second most frequent location of breached PHI. Email-related breaches are the easiest to prevent.
Where did the Data Breaches Happen?
In June 2024, healthcare providers reported to OCR 34 breaches affecting 3,538,078 records. The mean and median breach sizes were 104,061 records and 3,029 records, respectively. Health plans reported 7 breaches involving 25,905 records. The mean and median breach sizes were 3,701 records and 1,867 records, respectively. Business associates reported 6 breaches affecting 273,373 healthcare records. The mean and median breach sizes were 45,562 records and 14,780 records, respectively.
Geographical Distribution of Healthcare Data Breaches
In June 2024, HIPAA-covered entities in 24 states submitted breach reports involving 500 or more healthcare records. New York and Pennsylvania reported five data breaches each: New York reported 59,945 breached records across its 5 incidents, while Pennsylvania reported 1,416,019 affected individuals. Massachusetts and Ohio reported 4 breaches each. Georgia reported 3 breaches, while Connecticut, California, Florida, Illinois, Nebraska, Michigan, and Oregon reported 2 breaches each. Alabama, Arkansas, Arizona, Colorado, Iowa, Kentucky, Kansas, Minnesota, Maine, New Mexico, Texas, and Wisconsin reported 1 breach each.
June 2024 HIPAA Enforcement Activity
OCR did not issue any HIPAA enforcement actions this month, but the California Attorney General resolved potential violations of HIPAA and state law with Blackbaud and Adventist Health Hanford.
California Attorney General Rob Bonta stated that South Carolina-based data management software company Blackbaud agreed to pay $6.75 million to resolve violations of HIPAA and California’s consumer privacy and data protection laws. Blackbaud’s cyberattack was investigated after it was reported in May 2020, although attackers had accessed its systems 3 months before the breach was discovered.
According to the investigation, Blackbaud did not implement proper security measures and did not adhere to standard security procedures. Blackbaud held large volumes of sensitive information, retained sensitive information even when there was no legitimate business reason to do so, did not adequately monitor suspicious activity inside its systems, did not update its security requirements, and did not apply multifactor authentication. Besides the financial penalty, Blackbaud must implement data security enhancements to reduce the risk of further cyberattacks.
The California Attorney General additionally reported that Adventist Health Hanford agreed to resolve an alleged unauthorized disclosure of patient data to law enforcement without a warrant. The allegations involved two patients who had stillbirths; the hospital disclosed their medical data to law enforcement because of their alleged drug use. Adventist Health did not admit any wrongdoing but agreed to pay a $10,000 financial penalty to resolve the case.