Midyear Health Data Breach Analysis: The Top CulpritsLatest Hacking, Vendor Incident Trends Emerging From the Federal Tally
Hacking incidents, including those involving ransomware attacks or vendors, that affect tens of millions of individuals, continue to account for the majority of health data breaches reported to federal regulators so far this year.
A analysis on Friday of health data breaches affecting 500 or more individuals posted so far in 2023 on the Department of Health and Human Services' HIPAA Breach Reporting Tool shows the persistent and extensive impact of hacking incidents on the protected health information of millions of American patients.
The HHS site shows that 336 major health data breaches affected nearly 41.4 million individuals between Jan. 1 and June 30 - nearly double the number affected during the same period last year. According to the reports to the HHS' Office for Civil Rights, 252 - or 75% - of all breaches in 2023 were hacking incidents that affected nearly 37.3 million people - or about 90% of all individuals affected.
Business associates were involved in 125 - or nearly 40% - of the breaches so far this year, affecting nearly 21 million people, or about half of the individuals touched by major health data breaches. All but 23 of those business associate breaches involved hacking incidents.
Cybercriminals' focus on business associates is "not surprising," said Mike Hamilton, CISO and co-founder of security firm Critical Insight. "The trend for criminals to search for the easiest entry point continues to involve business associates," he said, adding that these vendors have become the "unlocked window that criminals crawl through."
That includes the largest health data breach reported so far this year: A hacking incident at Fort Lauderdale, Florida-based Managed Care North America, a business associate that supports state Medicaid agencies and children's health insurance programs. The MCNA breach affected more than 100 of its client organizations - including various states' departments of health and human services - and nearly 9 million people (see: Dental Health Insurer Hack Affects Nearly 9 Million).
Largest Health Data Breaches in 2023, So Far
|Managed Care of North America
|Regal Medical Group
|Harvard Pilgrim Health Care
|Enzo Clinical Labs
|Community Health Systems Professional Services
|CentraState Healthcare System
Of the 10 largest HIPAA breaches posted so far this year to the HHS OCR tally, nine were hacking breaches, including several ransomware and exfiltration incidents, and four involved business associates.
The largest ransomware-related breaches so far in 2023 were reported by institutional pharmacy PharMerica, affecting nearly 6 million people, and by California medical group Regal Medical Group, affecting about 3.3 million people.
Compared with midyear 2022, the federal tally of major health data breaches shows slightly fewer incidents posted so far in 2023, but many more individuals are affected. A snapshot of the HHS OCR tally on July 14, 2022, shows some 360 major health breaches affecting nearly 22.5 million individuals posted to the tally for the first six months of 2022. The number of victims in the first half of 2023 grew by 84% to 41.4 million. Ransomware incidents and vendor breaches also dominated incidents for that time.
Hamilton pointed out that many of the breaches in the healthcare sector are hacking incidents that often involve unpatched vulnerabilities being exploited. "The trend for threat actors to weaponize announcements of vulnerabilities and patch releases continues unabated, and the healthcare sector is not treating internet-exposed vulnerabilities with an aggressive patching process," he said.
To get a better grip on such breaches, Hamilton recommends that organizations "treat the announcement of a vulnerability in a product that is exposed to the internet as an incident and embed that language into business associate agreements."
Following hacks, unauthorized access/disclosure incidents are the second-most common category of health data breaches posted on the tally so far this year. There have been 71 unauthorized access/disclosure breaches affecting nearly 4.1 million individuals posted so far.
Of those, several incidents involved the use of tracking tools in websites that shared individuals' personal information to third-party marketing, advertising or social media companies without individuals' consent.
Online mental health services firm Cerebral has reported the largest such incident so far this year. The San Francisco-based company in March reported a breach affecting nearly 3.2 million individuals involving the "inadvertent" sharing of PHI, including online mental health assessments, through its use of pixels and similar web tracking technologies to third parties such as TikTok, Facebook and Google (see: Not-So-Cerebral Sharing of Mental Health Data Hits Millions).
HHS OCR issued guidance in December warning that entities covered by HIPAA cannot use website tracking technologies if the trackers transmit PHI without patient consent or if the entities don't have a signed business associate agreement with the tech tracking vendors (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
HHS OCR officials have also stated that HIPAA violations involving the use of website trackers are becoming a top enforcement priority. So far, the agency has not issued a HIPAA enforcement action involving trackers (see: HHS OCR Leader: Agency Is Cracking Down on Website Trackers).
The only relatively good news emerging from the federal tall, so far this year is that only five breaches that involve the loss or theft of unencrypted devices, affecting a total of 12,305 people, have been reported. Less than 10 years ago, incidents involving unencrypted computing devices and media were the No. 1 category of health data breaches and affected millions of individuals annually.
To date 5,598 major health data breaches affecting nearly 431 million people have been posted to the HHS OCR tally since 2009.