In November 2024, healthcare data breaches increased by 15.3% month-over-month. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) received 68 data breach reports involving 500 and up healthcare records. This number of reported healthcare data breaches makes November the worst month for the second half of 2024 and the fourth worst month for 2024. The total number of healthcare data breaches from January to November 30, 2024, is 667.
Although the number of data breaches increased in November, the number of breached records fell 36.1% month over month to 3,437,256. On average, about 16,395,000 records were compromised per month in 2024, but that figure is skewed by the massive Change Healthcare breach, which affected around 100 million people. The 2024 median number of breached records per month is 6,496,306.
Breached records decreased significantly compared to November 2023, when 31 million records were breached, a figure inflated by the Clop ransomware attack on Progress Software. Including November, the total number of breached records for 2024 is 180,345,139. Even if no further breach reports are submitted for 2024, this year will still be the worst on record for breached healthcare records.
Largest Healthcare Data Breaches in November 2024
November’s three largest healthcare data breaches were all caused by ransomware attacks. Texas Tech University Health suffered a ransomware attack conducted by the Interlock ransomware group. The attack resulted in the theft of 1,465,000 patients’ protected health information (PHI), and the stolen data was exposed online when Texas Tech University Health did not pay the ransom. The two impacted health sciences centers submitted separate breach reports.
Few details had been disclosed about the data breach at American Addiction Centers at the time of publication, and the American Addiction Centers website has no notice about the breach. The Rhysida ransomware group claimed responsibility for the attack and stated that it exfiltrated 2.8 TB of data, 90% of which it published on its data leak site.
1. Texas Tech University Health Sciences Center in El Paso – 815,000 individuals were affected by the ransomware attack and data theft by the Interlock ransomware group
2. Texas Tech University Health Sciences Center in TX – 650,000 individuals were affected by the ransomware attack and data theft by the Interlock ransomware group
3. American Addiction Centers, Inc. – 410,747 individuals affected by the Rhysida ransomware attack
4. Rocky Mountain Gastroenterology Associates PLLC – 366,491 individuals affected by a hacking incident and data theft
5. Thompson Coburn LLP – 305,088 individuals affected by a hacking incident targeting Presbyterian Healthcare Services (NM) data
6. Great Plains Regional Medical Center – 133,149 individuals affected by a ransomware attack and data theft
7. Conceptions Reproductive Associates of Colorado – 80,000 individuals affected by the Inc ransomware attack
8. ESHA, Inc. – 76,922 individuals affected by a hacking incident
9. MDLand International Corporation – 63,052 individuals were affected by a hacking incident involving EHR
10. AuthoraCare Collective – 58,019 individuals affected by unauthorized access/disclosure involving its network server
11. Radiologic Medical Services, P.C. – 56,902 individuals affected by compromised email accounts
12. Foundation Hospitals – 44,600 individuals affected by compromised email accounts
13. Mid-Ohio Psychological Services Inc. – 40,345 individuals affected by the BlackSuit ransomware attack
14. Oklahoma Spine Hospital – 38,945 individuals affected by compromised email account
15. South West Family Medicine Associates, PA – 36,959 individuals affected by a hacking incident
16. Colonial Behavioral Health – 29,930 individuals affected by the Qilin ransomware attack
17. TriHealth H, LLC d/b/a TriHealth Physician Partners – 27,426 individuals affected by a hacking incident that happened at a business associate
18. Equinox, Inc. – 21,565 individuals affected by compromised email accounts
19. VPS of MI PLLC – 20,604 individuals affected by a ransomware attack conducted by an unknown group
26. East Central Missouri Behavioral Health Services, Inc. – 20,000 individuals affected by a hacking incident involving a network server
21. Planned Parenthood of Montana – 18,003 individuals affected by the RansomHub ransomware attack
22. Vann Virginia Center for Orthopaedics, PC dba Atlantic Orthopaedic Specialists – 15,264 individuals affected by compromised email account
23. Jefferson Dental Center, Inc. – 12,340 individuals affected by a ransomware attack and data theft
24. Ardon Health, LLC – 10,098 individuals affected by an email hacking incident
In November, 24 data breaches affected at least 10,000 healthcare records, although that number may still increase because 10 breach reports used the placeholder figure of 500 or 501 individuals affected, which means the number of affected persons had not yet been confirmed. These figures can change significantly. The Change Healthcare data breach was initially reported as impacting 500 individuals and was later revised to 100 million people. The Ascension Health data breach was also initially reported as involving 500 individuals and was revised to 5.6 million a few months later.
The following covered entities submitted breach reports with 501 individuals affected:
1. Lubbock County Hospital District – ransomware attack by Brain Cipher
2. York County – compromised email account
3. Laboratory Services Cooperative – a hacking incident
4. Maternal Fetal Medicine Associates, PLLC, Carnegie Women’s Health, and Carnegie Hill Imaging for Women (collectively, “the Practices”) – a hacking incident and data theft
The following covered entities submitted breach reports with 500 individuals affected:
1. Georgia Department of Public Health – compromised email accounts
2. Western Montana Mental Health Center – hacking incident and still unfinished investigation
3. Physicians’ Primary Care of Southwest Florida – hacking incident and still unfinished investigation
4. Humboldt Independent Practice Association (Humboldt IPA) – hacking incident
5. Orthopedics Rhode Island, Inc. – hacking incident and still unfinished investigation
6. Brunswick Hospital Center – hacking incident and still unfinished investigation
Causes of Healthcare Data Breaches in November 2024
Of the 68 data breaches in November, 56 (82.4%) were due to hacking and other IT incidents, 11 (16.2%) were due to unauthorized access/disclosure incidents, and 1 (1.47%) was due to theft. No data breaches were reported due to loss or improper disposal incidents. Hacking/IT incidents affected 3,276,321 records, or 95.3% of November’s breached records. The average and median breach sizes for hacking incidents were 58,506 records and 2,999 records, respectively. The 11 unauthorized access/disclosure incidents affected 155,990 records, with average and median breach sizes of 14,181 records and 2,945 records, respectively. The theft incident affected 4,945 records.
In November, 53% of data breaches involved PHI located on network servers, and 36% (25 breaches) involved PHI located in email accounts. The HHS Health Sector Cybersecurity Coordination Center (HC3) recently warned HIPAA-covered entities about active credential harvesting campaigns. To help prevent these email breaches, set and enforce password complexity requirements following the most recent NIST guidance, conduct routine security awareness training, and enable multi-factor authentication.
Where the Data Breaches Happened
In November, healthcare providers reported 57 data breaches affecting 2,561,190 records. Health plans reported two data breaches affecting 5,789 records. Healthcare clearinghouses did not report any data breaches. Business associates of HIPAA-covered entities reported 9 data breaches affecting 870,277 records. When a data breach happens at a business associate, the business associate should notify the affected covered entities. The affected covered entities may then send the individual notifications and the notification to the HHS’ Office for Civil Rights, although some delegate that responsibility to the business associate.
Healthcare Data Breaches by State
HIPAA-regulated entities in Illinois reported 8 data breaches that affected only 19,484 records. New York and Texas reported 6 breaches. Michigan reported 5 data breaches while Missouri and Ohio reported 4 each. California, Massachusetts, Florida, Oklahoma and Virginia reported 3 data breaches each. Colorado, Indiana, North Carolina, Montana, Tennessee and Pennsylvania reported 2 breaches each. Connecticut, Georgia, Kentucky, Iowa, Maryland, Oregon, New Hampshire, and Washington reported 1 data breach each.
November 2024 HIPAA Enforcement Activity
The HHS’ Office for Civil Rights reported two HIPAA enforcement actions in November: one settlement and one civil monetary penalty. OCR investigated California-based Rio Hondo Community Mental Health Center after receiving a complaint from a patient who stated the health center did not provide a copy of their health records within 30 days of the request. Because of a stay-at-home order issued by California Governor Gavin Newsom during the COVID-19 pandemic, the health center was closed and could not provide the records for 2 months. However, the center still had not provided the records 5 months after the stay-at-home order ended. OCR determined the delay was a HIPAA Privacy Rule violation and that the mental health center failed to submit evidence supporting a civil monetary penalty (CMP) waiver. OCR imposed a CMP of $100,000 for the HIPAA violation. This was OCR’s 51st resolved HIPAA Right of Access case.
OCR investigated Holy Redeemer Family Medicine because of an alleged impermissible disclosure of a patient’s reproductive health information. The complaint filed with OCR alleged that the patient had authorized Holy Redeemer Family Medicine to provide the results of one medical test, unrelated to reproductive healthcare, to her prospective employer. A staff member mistakenly shared the patient’s complete medical record with the prospective employer. Holy Redeemer Family Medicine opted to settle the alleged HIPAA Privacy Rule violation by paying a $35,581 penalty.