The number of large healthcare data breaches in August slightly increased. There were 49 data breaches involving 500 or more healthcare records reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Although reported breaches increased by 8.9% month-over-month, the 12-month average, which is 62 data breaches per month, is still 21% lower than in August 2023.
The number of breached healthcare records increased by 592.8% from July’s approximately 1.4 million breached records to August’s 9,680,551 breached records. In 2024, August is the second-worst month in terms of breached healthcare records, but it is better than the 23 million breached healthcare records reported in August last year. The average and median breached records in the past 12 months are 9,989,003 healthcare records and 9,079,469 records, respectively. From January 1 to August 31, 2024, 491 data breaches involving 500 or more records had been reported with 58,668,002 breached records. The average and median breach sizes in 2024 are 119,487 records and 4,109 records, respectively.
There were 8 healthcare data breaches reported with 500 or 501 individuals affected. The 500 or 501 figures are common placeholders for breaches reported without an exact number of people affected yet. The placeholder is used to comply with the 60-day reporting deadline of the HIPAA Breach Notification Rule. Therefore, August’s total number of breached records could be higher than 9 million.
Largest Healthcare Data Breaches Reported in August 2024
Two data breaches reported had the biggest number of individuals affected. The data breach at HealthEquity affected 4.3 million people and the breach at Acadian Ambulance affected about 2.9 million people. These two breaches were the second and fourth biggest data breaches this 2024 so far, not including the Change Healthcare data breach, which is not officially confirmed.
1. HealthEquity, Inc. – 4,300,000 individuals were affected by a hacking incident of a SharePoint server via a business partner’s breached device
2. Acadian Ambulance Service, Inc. – 2,896,985 individuals affected by a Daixin Team ransomware attack and data theft
3. Florida Department of Health – 729,699 individuals affected by a ransomware attack by RansomHub and data theft
4. Specialty Networks, Inc. – 411,037 individuals affected by a hacking incident and data theft
5. Alabama Cardiovascular Group – 280,534 individuals affected by a hacking incident and data theft
6. PDG, P.A. dba Park Dental – 238,667 individuals affected by unauthorized access to email accounts
7. Illinois Bone & Joint Institute, LLC – 182,670 individuals affected by a hacking incident and data theft
9. VeriSource Services, Inc. – 112,726 individuals affected by a hacking incident and data theft
10. Fraser Child and Family Center – 67,000 individuals affected by a hacking incident and data theft
11. Carespring Health Care Management LLC – 64,609 individuals affected by a hacked network server
12. Gramercy Surgery Center, Inc. – 50,554 individuals affected by an Everest Group ransomware attack and data theft
13. Monte Nido – 41,662 individuals affected by a hacked network server
14. Pomona Community Health Center dba ParkTree Community Health Center – 40,964 individuals affected by a hacked network server
15. The Dental Specialists – 38,442 individuals affected by unauthorized access to email accounts
16. Pemiscot Memorial Health System – 33,279 individuals affected by unauthorized access to electronic medical record system
17. Internal Medicine Associates, LLC d/b/a Gastrointestinal Medicine Associates – 31,835 individuals affected by a hacking incident and data theft
19. Pocahontas Medical Clinic, PA – 31,216 individuals affected by a hacked network server
20. HAH Group Holding Company, LLC d/b/a “Help At Home” – 26,744 individuals affected by a hacked network server at a business associate
21. United Urology Group – 10,704 individuals affected by a hacking incident and data theft
22. PG Dental d/b/a Aire Dental Arts – 10,200 individuals affected by a hacking incident and unauthorized access to PHI
Causes of Healthcare Data Breaches in August 2024
Most of the data breaches were hacking/IT incidents that involved unauthorized network server access. 93.9% of August’s data breaches were hacking/IT incidents, which resulted in the compromise of 99.6% of August’s breached healthcare records. The average and median breach sizes in these hacking incidents were 209,608 records and 6,559 records, respectively. The other three data breaches involved unauthorized access/disclosure incidents that impacted 38,570 records. The average and median breach sizes were 12,857 records and 4,125 records, respectively. No incidents involving theft, loss, or improper disposal were reported in August.
The majority of breaches involving protected health information occurred on network servers, with email accounts being the second most common target. The email account breaches affected at least 303,264 individuals, although the actual number is likely much higher. Four of the breaches reported used a placeholder of 500 individuals impacted, suggesting the true scope could be significantly greater.
Where the Data Breaches Happen
According to data breaches reported on the OCR breach portal, healthcare providers reported 33 data breaches, business associates reported 11, and health plans reported 2. Although there were more breaches reported by healthcare providers, the 11 data breaches from business associates impacted more healthcare records — 4,859,632 individuals. Breaches reported by healthcare providers impacted 4,819,494, and the two health plan breaches impacted 1,425 individuals only. Often, breach reports by HIPAA-covered entities also cover incidents that happened at business associates. As per HIPAA laws, when a breach happens at a business associate, the responsibility for issuing breach notifications falls on the covered entities involved.
Healthcare Data Breaches by State
HIPAA-regulated entities in 28 U.S. states reported data breaches in August. California reported 6 large healthcare data breaches, then Minnesota and Illinois reported 4 breaches each. The worst impacted state in terms of compromised healthcare records was Utah. The state reported only one breach that impacted the protected health information (PHI) of 4.3 million people, the biggest breach in August. Florida reported 3 breaches that impacted the records of 771,861 people; Arkansas, New York, and Ohio also reported 3 breaches each. Louisiana reported two breaches that impacted the PHI of 2,897,486 people; Washington also reported 2 breaches. Tennessee reported one breach that impacted 411,037 people. One breach was also reported by Alabama, Arizona, Georgia, Connecticut, Indiana, Kansas, Missouri, Maryland, Mississippi, New Jersey, North Carolina, Oregon, Rhode Island, Pennsylvania, South Carolina, Texas, Utah and Virginia.
HIPAA Enforcement in August 2024
The HHS’ Office for Civil Rights (OCR) investigated a patient complaint about American Medical Response, a private ambulance provider. The patient stated that the provider did not give timely access to their health records. As per the HIPAA Right of Access of the HIPAA Privacy Law, people should be furnished with a copy of their requested information in 30 days from the date of a request. The complainant at first asked for a copy of her healthcare information on October 31, 2018, yet after submitting multiple requests, the patient did not get the requested records. She only got the data on November 5, 2019, after 370 days of filing the initial request.
American Medical Response was allowed to resolve the claimed HIPAA violation. Its lawyer requested OCR to reconsider yet did not present any counteroffer or engage in negotiations. Responding to OCR’s letter, American Medical Response provided evidence in an attempt to mitigate the circumstances of their case. However, OCR rejected these reasons as they did not qualify for an affirmative defense. As a result, OCR imposed a $115,200 civil monetary penalty. This marked 2024’s sixth HIPAA enforcement action with a financial penalty. To date, OCR has a total of $5,990,200 in collections from the settlement of HIPAA violations in 2024.
Enzo Biochem/Enzo Clinical Labs were investigated over a breach of the protected health information of 2.4 million individuals in April 2023. Hackers gained access to an Enzo database server that was used for analytics and reporting, exfiltrating data from October 2012 to April 2023, and then encrypted files using ransomware to encrypt files. The investigation findings found that the provider violated 12 HIPAA Security Rule conditions and a New York General Business Law.
State Attorneys General are also authorized to impose penalties for HIPAA violations. Enzo Biochem/Enzo Clinical Labs settled a multi-state investigation with the Attorneys General of New Jersey, New York, and Connecticut for $4,500,000. The investigation was prompted by a breach in April 2023 that exposed the PHI of 2.4 million people. Hackers had breached an Enzo database server and used it for analytics and reporting, extracted sensitive information from tests done from October 2012 to April 2023. Later, ransomware was used to encrypt files. Based on the results of the investigation, Enzo violated 12 conditions of the HIPAA Security Rule and the New York General Business Law.
State Attorneys General had six enforcement actions so far in 2024 and collected a total of $21,710,000 from financial penalties.