In October, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights received 57 reports of healthcare data breaches involving 500 or more records, a 62.9% month-over-month increase from the 35 breaches reported in September. OCR had received 594 reports of large data breaches as of October 31, 2024. Unless breach reports increase sharply in November and December, this year will stand out for its drop in healthcare data breaches.
Across the 57 data breaches, 5,232,507 individuals had their protected health information (PHI) exposed, impermissibly disclosed, or stolen, and a single breach accounted for 35% of those individuals. The number of breached records is 2.98% higher than in September. The average and median breach sizes in October were 91,798 records and 4,083 records, respectively.
The massive data breach at Change Healthcare had already made 2024 the worst year ever in terms of breached healthcare records. As of October 31 this year, 170,762,026 individuals had their PHI exposed, impermissibly disclosed, or stolen. The previous record was set in 2015, when 112,466,720 records were breached, driven largely by the 78.8 million-record data breach at Anthem Inc.
October 2024 Largest Healthcare Data Breaches
In October, OCR received 21 data breach reports involving 500 or more healthcare records. The biggest data breach was the Medusa ransomware group's attack on Summit Pathology, which impacted over 1.8 million people. A few ransomware attacks in October were confirmed to involve the Play, Medusa, and Rhysida ransomware groups, but healthcare institutions rarely reveal the nature of a breach, so the true number of ransomware attacks is hard to track.
Last year, most attacks were carried out by a few highly prolific ransomware groups, notably ALPHV/BlackCat and LockBit. Following law enforcement operations against both groups, their affiliates moved to other groups or started their own. The ALPHV/BlackCat ransomware group shut down its operation after the attack on Change Healthcare in February, and RansomHub recruited several seasoned affiliates from the ALPHV operation; RansomHub is now a high-profile ransomware-as-a-service operation. The Corvus report listed 59 active ransomware groups in Q3 of 2024, but just five of them carried out 40% of the attacks. The BianLian "ransomware" group conducts data theft and extortion without encrypting files, and it was responsible for the second biggest data breach in October.
1. Summit Pathology and Summit Pathology Laboratories, Inc. – 1,813,538 individuals affected due to a ransomware attack by Medusa
2. ATSG, Inc – 909,469 individuals were affected due to a hacking incident with data theft by BianLian
3. OnePoint Patient Care – 795,916 individuals affected due to a hacking incident with data theft
4. Omni Family Health – 468,344 individuals affected due to a hacking incident with data theft
5. Gryphon Healthcare, LLC – 393,358 individuals affected due to a hacking incident with possible data theft
6. Long Island Plastic Surgical Group, P.C. – 161,707 individuals affected due to a hacking incident with data theft
7. RRCA Accounts Management Inc. – 115,837 individuals were affected due to a ransomware attack by Play
8. Mystic Valley Elder Services – 85,133 individuals affected due to a hacking incident with possible data theft
9. Advanced Recovery Equipment & Supplies, LLC – 56,000 individuals affected due to a hacking incident with data theft
10. Clay Platte Family Medicine – 53,916 individuals affected due to a hacking incident with possible data theft
11. Dr. Daniel J. Leeman, M.D. – 50,000 individuals affected due to a hacking incident with possible data theft
12. Visionworks of America, Inc. – 39,825 individuals affected due to a hacking incident with possible data theft
13. Center for Urban Community Services – 38,000 individuals affected due to a hacking incident with data theft
14. GPS Sango Family Dentistry, PLLC d/b/a Sango Family Dentistry – 27,000 individuals affected due to a ransomware attack
15. Southwest Colorado Mental Health Center, Inc. d/b/a Axis Health System – 23,385 individuals affected due to a hacking incident with possible data theft
16. Hawaii Radiologic Associates, Ltd. – 23,205 individuals affected due to a hacking incident with possible data theft
17. Wellfleet Group, LLC – 22,959 individuals’ PHI exposed online because of website misconfiguration
18. Gandara Mental Health Center – 20,024 individuals affected due to a hacking incident with data theft
19. Valleygate Dental Surgery Centers of Charlotte, Fayetteville, and the West, LLC. – 14,589 individuals affected due to a hacking incident with possible data theft
20. Survival Flight, Inc. – 12,342 individuals affected due to unauthorized access to email accounts
21. Tower Clock Eye Center – 10,737 individuals affected due to unauthorized access to email accounts
The data breaches listed below were reported to OCR as impacting 500 or 501 individuals. The investigations into these breaches are not yet complete, so these numbers serve as placeholders that allow the entities to meet the reporting deadline of the HIPAA Breach Notification Law. The number of impacted individuals is usually, though not always, corrected once the investigation is complete.
1. St. Anthony Regional Hospital – a hacking incident with possible data theft
2. Ciox Health LLC, d/b/a Datavant Group – a hacking incident with possible data theft
3. General Physician, P.C. – unauthorized access to email accounts
4. Seven Counties Services, Inc. – unauthorized access to email accounts through phishing
5. Oregon Reproductive Medicine, LLC d/b/a ORM Fertility – ransomware attack
6. Smile Design Management LLC – unauthorized network access using a third-party software solution
7. Bayhealth Medical Center – ransomware attack by the Rhysida group
Causes of Healthcare Data Breaches in October 2024
In October, 81.7% of healthcare data breaches were caused by hacking and IT incidents, resulting in the breach of 5,183,578 records, or 99.1% of October’s breached records. The average and median breach sizes were 112,686 records and 7,786 records, respectively.
The number of unauthorized access/disclosure incidents increased by 30% month-over-month, with 10 data breach reports submitted to OCR. These 10 incidents, however, resulted in the breach of just 40,929 records. The average and median breach sizes were 4,093 records and 1,431 records, respectively. One data breach report involved the improper disposal of 8,000 paper documents. There was no report involving lost or stolen paper documents or devices with unencrypted PHI.
Breached healthcare data was most commonly located on network servers and in email. Email data breaches frequently result from poor password practices, a lack of HIPAA security awareness training, and partial or missing multi-factor authentication on email accounts.
Where did the Data Breaches Occur?
In October, healthcare providers reported 43 data breaches, business associates reported 11, and health plans reported 3. When a data breach occurs at a business associate, the business associate usually submits the breach report, but some covered entities affected by such a breach choose to submit a report themselves. It is not uncommon for a business associate to report on behalf of some covered entity clients while others report the breach themselves. As a result, breaches at business associates are usually underrepresented in the figures.
Healthcare Data Breaches by State
HIPAA-covered entities in 27 states plus the U.S. Virgin Islands reported data breaches involving 500 or more records. New York reported 6 large data breaches. Illinois and Massachusetts reported 5 each, while Texas reported 4. Arizona, Maryland, North Carolina, and New Jersey reported 3 each. Arkansas, Colorado, California, Indiana, and Tennessee reported 2 each. The following states reported 1 data breach each:
Alaska, Delaware, Hawaii, Florida, Iowa, Kentucky, Minnesota, Michigan, Montana, Missouri, Nebraska, Pennsylvania, Oregon, the U.S. Virgin Islands, and Wisconsin. Although Illinois and Massachusetts reported 5 data breaches each, those breaches impacted only a small number of individuals. Colorado's two breaches, by contrast, compromised the PHI of 1,836,923 individuals.
October 2024 HIPAA Enforcement Activity
OCR issued four financial penalties in October to settle alleged HIPAA violations, three of which stemmed from ransomware attacks. That brings the total to 11 financial penalties issued between January 1 and October 31, 2024 to settle HIPAA violations.
Gums Dental Care, a dental practice based in Silver Spring, MD, paid a $70,000 civil monetary penalty under the HIPAA Right of Access enforcement initiative. Providence Medical Institute paid a civil monetary penalty of $240,000 to settle two HIPAA Security Rule violations. Plastic Surgery Associates of South Dakota paid $500,000 to settle alleged noncompliance with the HIPAA Rules, including failing to conduct a risk analysis and failing to implement policies and procedures for reviewing records of information system activity. Bryan County Ambulance Service, an emergency medical service provider, paid $90,000 to settle its alleged violation: it had never performed a risk analysis to identify potential risks and vulnerabilities to ePHI.