Updated January 29, 2024
Healthcare data breaches are growing at an astonishing rate. In 2023, twice as many individuals had their protected health information (PHI) compromised as in 2022. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), more than 112 million individuals were affected by data breaches in 2023, up from 48.6 million in 2022.
The ten largest breaches reveal alarming trends to watch in 2024 and beyond. The table below lists those breaches, the number of individuals affected, and identifies each organization as a covered entity (CE) or business associate (BA).
Concentra Health Services filed a breach report with HHS on January 9, noting that 3.9 million of its patients were affected by the breach at Perry Johnson & Associates. These patients are in addition to the 8.9 million originally reported by PJ&A. This makes the PJ&A data breach the largest of 2023, affecting nearly 14 million people.
Note that just ten breaches disclosed the PHI of about half the people affected. This highlights the danger that one hacking attack poses to a contemporary electronic health record system containing records of millions of patients. Small organizations with fewer resources are even more vulnerable to criminal attack.
Business Associate Due Diligence
Business associates have an outsized role in the damage done to data breach victims. They are responsible for three of the five largest breaches and five of the top ten. Those five breaches affected 34.9 million individuals, over half of the 66.4 million affected by the top ten.
MOVEit File Transfer Program
In 2023, a flaw in the MOVEit file transfer software program caused more reported data breaches worldwide than any previous incident to date. The MOVEit data breach has affected over 90 million individuals across banking, healthcare, education, and government services. Healthcare was hit especially hard.
Three of the ten largest healthcare breaches involved MOVEit, at Welltok, Delta Dental of California, and the Colorado Department of Health Care Policy and Finance, affecting 19.5 million individuals. Dozens of other healthcare organizations suffered breaches caused by MOVEit affecting millions of individuals.
Lawsuits are Increasing
Class action lawsuits have been filed against all ten organizations listed in the table above. This is a new, rapidly growing trend. When large numbers of people are affected by the same incident, breach of privacy lawsuits follow. Although HIPAA does not provide individuals a right to sue, they can file lawsuits on other grounds, like negligence, breach of contract, breach of privacy, and consumer protection. Plaintiffs’ lawyers use HIPAA rules as a standard to compare against a defendant’s level of compliance.
Organizations Must Prioritize Cybersecurity
Healthcare organizations remain vulnerable to cybercrime because the data they hold is valuable. HIPAA compliance is a blueprint to protect against cybercrime. Organizations should review and update their risk analysis, ensure their HIPAA policies and procedures address their organization’s specific risks, and make sure their workforce is properly trained.
Criminals steal medical identity to sell on the dark web. It commands the highest prices because medical identity is used to commit health insurance fraud and get prescription drugs. Medical identity theft can go undetected for years until damage is done.
The FBI, HHS, and the Cybersecurity and Infrastructure Security Agency (CISA) have recently issued guidance to bolster cybersecurity awareness and preparedness in healthcare. For additional ransomware guidance, visit StopRansomware.gov.
Web Trackers Threaten Health Privacy
While none of the top ten breaches reported in 2023 involved web trackers, this issue is the sleeping giant of HIPAA compliance and breach of privacy litigation. We will be following the issue closely in 2024.
The twelfth largest breach occurred at Cerebral, Inc. affecting 3,179,835 individuals. Cerebral is a virtual mental health service provider and HIPAA business associate that used web trackers. Cerebral gathered patient information through its website, and the web tracker technology shared the data with third-party platforms, like Google, Meta (Facebook), TikTok, and others. Cerebral disabled the web trackers once it was made aware of the potential HIPAA violations, but it still faces investigations and lawsuits because the matter has not been resolved.
The web tracker issue stays at the top of health information privacy news. Another recent example is the December 27, 2023 announcement that the New York Attorney General obtained a $300,000 settlement from New York Presbyterian Hospital for the use of web trackers. Dozens of other lawsuits and investigations are pending across the country.