Updated June 14, 2023 – since this blog first appeared on May 23, new breaches have been reported every day, and many of them affect huge numbers of people. For example, on Wednesday, May 24, Harvard Pilgrim Health Care reported a breach that affected more than 2.5 million people. And on May 26, Managed Care of North America Dental reported a ransomware breach that affected nearly 9 million individuals, roughly 3 million more than were affected by PharMerica.
Before a ransomware attack becomes public, cyber thieves sometimes publish samples of stolen protected health information (PHI) on the internet to get attention and to pressure their targets into paying a ransom. That happened on April 8, 2023, when the Money Message ransomware group posted samples of PHI from pharmacy giant PharMerica. That same day, DataBreaches.net noticed the post and began to investigate.
As of May 23, the PharMerica incident was the largest known healthcare data breach so far in 2023, affecting more than 5.8 million people. PharMerica, owned by BrightSpring Health Services, is based in Louisville, Kentucky. It operates in all 50 states, serving over 3,100 facilities that provide long-term care and senior living, hospice, behavioral health, home infusion, specialty pharmacy and hospital management services.
PharMerica’s breach notice on its website states:
“On March 14, 2023, PharMerica and its parent company, BrightSpring Health Services, Inc., learned of suspicious activity on their computer network. Upon discovering the incident, PharMerica promptly began an internal investigation and engaged cybersecurity experts to investigate and secure its computer systems. The investigation determined that an unknown third party accessed PharMerica computer systems from March 12-13, 2023, and that certain personal information may have been obtained as a part of the incident.”
Stolen data include names, dates of birth, Social Security numbers, medication lists and health insurance information. PharMerica’s breach notice says it “is not aware of any fraud or identity theft to any individual as a result of this incident…” However, the investigation by DataBreaches.net reveals that the ransomware group “has continued to dump more data, as it threatened,” so the absence of confirmed fraud at the time of the notice says little about the exposure the affected individuals face.
HIPAA Breach Notification Rule
On May 12, 2023, PharMerica filed a breach report with the Maine Attorney General and with HHS through its breach reporting tool.
The Breach Notification Rule requires covered entities hit by breaches affecting 500 or more individuals to notify the affected individuals, prominent media outlets (where more than 500 residents of a state or jurisdiction are affected), and HHS’ Office for Civil Rights (OCR) “without unreasonable delay, and in no case later than 60 days after discovering the breach.” The 60-day clock starts on the day the breach is known, or by exercising reasonable diligence would have been known, not on the day the investigation concludes. Breaches affecting fewer than 500 individuals must still be logged and reported to HHS annually, and a business associate that discovers a breach must notify the covered entity so that the covered entity can meet these deadlines.
Large HIPAA Breaches Are Much Bigger Than Last Year’s
Astonishingly, seven breaches reported so far in 2023 each affected more than a million individuals. In addition to the PharMerica breach, which affected 5.8 million, the largest known healthcare data breaches reported in 2023 so far include:
- Managed Care of North America (Dental): more than 8.9 million individuals (Healthcare provider)
- Regal Medical Group: 3.30 million individuals (Healthcare provider)
- Cerebral, Inc.: 3.18 million individuals (Business associate)
- NationsBenefits Holdings: 3.04 million individuals (Business associate)
- Apria Healthcare LLC: 1.86 million individuals (Healthcare provider)
- NextGen Healthcare, Inc.: 1.05 million individuals (Business associate)
Notably, business associates reported three of the seven largest breaches, highlighting again their value as a target for criminals: a single business associate often holds PHI on behalf of many covered entities at once.
The seven largest breaches of 2023 so far total 27.2 million affected individuals, nearly eight times as many as the 3.5 million affected by the seven largest breaches during the same period in 2022. These totals do not include dozens of other reported breaches affecting hundreds of thousands more, and each week that passes adds further reported breaches of unprecedented size.
Large HIPAA Breaches Invite Lawsuits
While the Office for Civil Rights (OCR) investigates all breaches affecting 500 or more individuals, five of the breaches noted above are also the subject of class action lawsuits. The lawsuits vary, but most allege negligence, breach of privacy and/or violations of consumer protection laws. A simple internet search reveals the pending federal class action lawsuits, as well as law firms advertising for breach victims to come forward and join one of the legal actions. Plaintiffs’ lawyers are joining government regulators as significant enforcers of HIPAA.
Fight Cyber Theft and Protect Patients with HIPAA Compliance
Ransomware groups are finding vast amounts of valuable PHI at vulnerable targets among the largest organizations in healthcare, at both covered entities and business associates.
Organizations holding massive amounts of data can do more by following the HIPAA Security Rule: conduct an accurate and thorough risk analysis, implement risk management measures that reduce the risks it identifies, and keep both current year round rather than treating them as a one-time paperwork exercise.