The number of healthcare data breaches in September is the lowest since May 2020. Only 34 data breach reports involving 500 or more records were submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). It looks like 2024 will have fewer healthcare data breaches year-over-year. To date, 531 data breaches involving 500 or more records have been reported to OCR. Throughout the first half of 2024, the number of data breach reports averaged 67 per month, while the second half of 2024 has averaged 44 data breach reports per month.
Across the 34 data breach reports, 4,839,018 individuals had their data exposed or impermissibly disclosed. So far, this figure is the third lowest monthly total this year, and lower than the average of 7,082,007 records per month (over the 9 months of this year).
From January 1 to September 30, 2024, the protected health information (PHI) of 63,738,063 people was compromised or impermissibly disclosed. That total includes 52 breach reports submitted to OCR with placeholders of 500 or 501 affected individuals, a placeholder that is frequently used when the total number of affected people is not yet final. One example is Change Healthcare, which was reported using a placeholder of 500 affected persons, although the UnitedHealth Group CEO mentioned the breach might affect a large number of Americans.
In September, 13 healthcare data breaches involving 10,000 or more records and 4 breaches reported with a 500- or 501-record placeholder were submitted to OCR. The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) reported the largest confirmed breach, which resulted from the mass exploitation of a vulnerability in Progress Software’s MOVEit file transfer solution in May 2023.
Wisconsin Physicians Service Insurance Corporation, a business associate of CMS, used the file transfer solution. It investigated a suspected breach in 2023 but found no evidence that the Clop group had stolen files. In May 2024, one year after the vulnerability was exploited, new evidence confirmed that files had been stolen. It was initially established that 947,000 people were affected, but the report now states that the PHI of over 3 million people was compromised in the attack.
The next two largest data breaches of September were due to ransomware attacks. The BlackSuit ransomware attack on Young Consulting in Georgia resulted in the compromise of the PHI of over 950,000 people. The ransomware attack on the Enhanced 911 Trust Authority in Muskogee County, Oklahoma affected 180,000 people. The email account breaches reported in September included five breaches involving 10,000 or more records; Michigan Medicine reported the largest email breach of the month.
Biggest Data Breaches in September
1. Centers for Medicare & Medicaid Services – 3,112,815 individuals affected by the Clop threat group’s exploitation of the MOVEit vulnerability at Wisconsin Physicians Service Insurance Corporation
2. Young Consulting LLC – 954,177 individuals affected by the BlackSuit ransomware attack and data theft
3. Muskogee City County Enhanced 911 Trust Authority – 180,000 individuals affected by a ransomware attack
4. Community Clinic of Maui, Inc. also called Malama I Ke Ola Health Center – 123,816 individuals were affected by a hacked network server
5. Richland County, WI – 76,365 individuals affected by a hacked network server
6. Asheville Arthritis and Osteoporosis Center, P.A. – 58,251 individuals affected by a hacked network server
7. University of Michigan/Michigan Medicine – 57,891 individuals affected by unauthorized access to email accounts through phishing
8. Guam Seventh-Day Adventist Clinic – 56,635 individuals affected by unauthorized email account access
9. Prentke Romich Company dba PRC-Saltillo – 51,627 individuals were affected by a hacked network server and data theft
10. Atrium Health – 32,120 individuals affected by unauthorized email account access through a phishing attack
11. Hafetz and Associates – 26,474 individuals affected by unauthorized email account access through a phishing attack
12. ERLC LLC, d/b/a Elitecare Emergency Hospital – 24,754 individuals affected by a hacked network server
13. JTaylor & Associates LLC – 22,315 individuals affected by unauthorized access to email accounts
Causes of Healthcare Data Breaches in September 2024
The 30 data breaches in September were caused by the following:
- 26 Hacking/IT incidents (88%)
- 3 Unauthorized access/disclosure incidents (8.8%)
- 1 Theft incident (2.9%)
- No improper disposal or loss cases in September
Hacking incidents accounted for 99.85% of the compromised records. Across the 30 breaches, 4,831,775 individuals had their records exposed or compromised. The average and median sizes of a hacking/IT incident were 161,059 records and 7,836 records, respectively.
The unauthorized access/disclosure incidents affected 4,625 records, with average and median breach sizes of 1,542 records and 778 records, respectively. The theft incident involved the data of 2,618 people, which was stored on electronic devices stolen from a health center in Puerto Rico.
Location of Breached PHI in September 2024
Because of the large number of hacking incidents, the most frequent location of breached PHI was network servers. 52% of the data breaches involved breached network servers, while 35% involved compromised email accounts.
Where did the Data Breaches Occur?
In September, healthcare providers reported 24 breaches, health plans reported 4 breaches, and business associates reported 6 breaches. When a data breach happens at a business associate, the breach report is usually submitted by the business associate; however, some covered entities choose to report the breach themselves even though it occurred at a business associate, as in the case of the CMS breach in September. It is also not uncommon for a business associate to submit a breach report on behalf of some of its covered entity clients while other clients submit their own reports. Data breaches that occur at business associates are frequently underreported.
Healthcare Data Breaches by State
Texas reported 5 data breaches involving 500 or more records, with 57,123 individuals affected. Measured by the number of people affected, the worst-hit states were Hawaii (123,816 records), Oklahoma (180,000 records), Georgia (954,678 records), and Maryland (3,112,815 records). California, Georgia, North Carolina, New Jersey, Michigan, Ohio, and Pennsylvania each reported 2 breaches. Arizona, Connecticut, Guam, Hawaii, Florida, Illinois, Maryland, Maine, Mississippi, New York, New Hampshire, Oklahoma, Puerto Rico, Utah, and Wisconsin each reported one.
HIPAA Enforcement Activity in September 2024
OCR announced one HIPAA enforcement action that led to a financial penalty. Cascade Eye and Skin Centers, a healthcare provider based in Washington, suffered a ransomware attack in March 2017 in which the ransomware group accessed a server holding 291,000 files containing patient information.
OCR investigated the incident to determine whether Cascade Eye and Skin Centers was compliant with the HIPAA Guidelines and identified two compliance concerns: a failure to conduct an accurate and thorough organization-wide risk analysis of potential risks and vulnerabilities to electronic PHI, and insufficient review of activity in information systems containing ePHI. The company settled the case by paying a $250,000 financial penalty and adopting a corrective action plan to address the non-compliance. This financial penalty is the 8th issued by OCR and the fourth to result from an investigation of a ransomware attack.