Breach Notification , Governance & Risk Management , Healthcare
How 2023 Broke Long-Running Records for Health Data Breaches
What Will 2024 Be Like If the Healthcare Sector Doesn't Step Up?For nearly a decade, no matter how bad things seemed to get each year, 2015 remained the record year for U.S. health data breaches - with 112.5 million people affected. That was due mainly to the eye-popping 79 million people affected by just one breach reported in 2015 - the infamous suspected Chinese hack of health insurer Anthem.
See Also: A Secure-By-Default Strategy for Driving Your Business Success
But all the hacks of 2023 have shattered those records, making it the worst year ever for major health data breaches in U.S.
Last year, a record number of major health data breaches - 734 breaches - affecting a record number of individuals - nearly 135.3 million - were reported to U.S. federal regulators. That's equal to more than 40% of the U.S. population having their protected health information compromised in a single year.
That's also a lot worse than in 2015 - the year of the Anthem hack - when less than half that number of organizations reported a total of 270 major health data breaches to the U.S. Department of Health and Human Services.
The health data breaches in 2023 reflected the trend of a growing number of organizations being hit by data breaches. In 2022, 721 breaches were reported to HHS - only about 23 fewer than in 2023. But the breaches reported in 2022 affected "only" about 56.5 million individuals, which is less than half the number of people affected in 2023.
Hacks by far dominated the types of compromises reported in 2023. A total of 587 incidents - representing 80% of all breaches - affected more than 126.6 million individuals - or nearly 94% of people affected by major PHI breaches last year.
Third-party business associates - from bill collection companies to medical transcription services - accounted for much of last year's skyrocketing breach totals. Business associates were reported "present" in 275 of the major breaches reported in 2023, affecting nearly 90.3 million people. That's equal to nearly 40% of breaches reported and two-thirds of people affected in 2023.
10 Largest Health Data Breaches in 2023
Breached Entity | Individuals Affected |
---|---|
HCA Healthcare | 11.3 Million |
Perry Johnson & Associates | 9 Million |
Managed Care of North America | 8.9 Million |
Welltok | 8.5 Million |
PharMerica | 5.8 Million |
HealthEC | 4.5 Million |
Reventics | 4.2 Million |
Colorado Department of Health Care Policy | 4.1 Million |
Regal Medical Group | 3.4 Million |
CareSource | 3.2 Million |
As of Thursday, the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website - which posts reports of PHI breaches affecting 500 or more individuals - shows the largest single breach in 2023 as a hacking incident affecting nearly 11.3 million people, reported in July by Tennessee-based HCA Healthcare as a business associate.
But further analysis of the website by Information Security Media Group shows that the largest breach last year actually appears to have been a data theft incident reported to regulators in November by Nevada-based medical transcription firm Perry Johnson & Associates.
While PJ&A reported the hack to HHS as affecting nearly 9 million individuals, several of the company's clients also submitted their own separate breach reports to HHS, linked to the same PJ&A incident.
As of Thursday, the estimated total number of individuals affected by the PJ&A hack appears to be hovering around 14 million, taking into account several breach reports filed to HHS in recent weeks by the clients of the company (see: Therapy Provider Notifying 4 Million Patients of PJ&A Hack).
Hacking incidents involving data exfiltration or ransomware attacks soared in 2023, contributing to the record-breaking health data breach statistics seen last year (see: Sizing Up the Worst Healthcare Hacks in 2023).
Those included major hacks on third-party software such as Progress Software's MOVEit and Fortra's GoAnywhere file transfer applications, which resulted in thousands of victim entities globally across all sectors - and tens of millions of individuals, including healthcare patients - having their information stolen.
As of Thursday, the largest MOVEit incident affecting the healthcare sector appears to have been reported by Welltok, a medical patient communication services provider that is part of Virgin Pulse. Welltok's MOVEit breach has affected nearly 8.5 million individuals so far.
Think Things Are Bad Now? Just Wait.
Some experts predict the situation for healthcare sector entities could grow even worse in 2024, given the increasing sophistication of cyberthreats and the high value of health data.
Already, new concerning developments are emerging in some of the latest health data hacks, said Mike Hamilton, co-founder and CISO of security firm Critical Insight.
"The trend to use records that have been stolen in different ways is troubling - not only directly contacting patients whose records have been disclosed and offering them 'buyout' privileges, but referencing our own regulatory and statutory rules as a further threat: 'Pay us, because the class action suit will be much more expensive,'" he said.
Meanwhile, the industry's reliance on digital solutions will continue to pose challenges, significantly if proactive measures aren't intensified, said Ani Chaudhuri, CEO and co-founder of security firm Dasera.
"Organizations must enhance their data security strategies by adopting comprehensive, automated solutions focusing on visibility, control and continuous monitoring of sensitive data. The key is not just to react to breaches but to prevent them by understanding where all data resides and ensuring robust governance," Chaudhuri said.
"A critical step is the implementation of automated and continuous monitoring systems to detect anomalies in data usage and access, as well as ensuring comprehensive data governance and management. As healthcare data continues to be a prime target for cybercriminals, these enhanced measures are essential in safeguarding sensitive patient information and maintaining trust in the healthcare sector."
Regulatory Action
HHS OCR told ISMG in a statement that hacking was indeed the most frequent type of large breach reported to OCR in 2023, and network servers the predominate "location" of compromises. Ransomware was a significant subset of reported hacking incidents, the agency said.
"Regulated entities should ensure they are implementing all of the HIPAA Security Rule requirements," HHS OCR said.
But in addition, last week, HHS issued guidance promoting sets of "essential" and "enhanced" cybersecurity performance goals that entities should adopt to improve their security posture (see: HHS Details New Cyber Performance Goals for Health Sector).
The new CPGs can also assist regulated entities in defending against cyberattacks and safeguarding ePHI, HHS OCR told ISMG.
While HHS called the goals "voluntary," the Biden administration has signaled plans for new requirements, coming through a planned update of the HIPAA Security Rule this spring, and new potential regulatory sticks and carrots to incentivize adoption of the CPGs, which are based on the National Institute of Standards and Technology's Cybersecurity Framework and other industry best practices.
"National security, patients' rights, the advance of AI both in healthcare services and attacks - these factors are all behind the feds' push," said Padraic O'Reilly, founder and chief innovation officer at cyber risk firm CyberSaint.
"Potentially tying the CPGs to Medicare and Medicaid will put the industry on blast, and I generally see positive outcomes to practices when a bit of enforcement is in the mix. This includes the Securities and Exchange Commission," O'Reilly said.
The healthcare sector needs to step up its security efforts in order to avoid falling further behind cybercriminals in their ever-evolving scams targeting hospitals, clinics, insurers and the thousands of third parties that help these organizations provide care.
"Security breaches are and have been and will continue to be a major concern, in the healthcare industry and more generally," said privacy attorney Kirk Nahra of the law firm WilmerHale.
"Cyberattackers clearly are getting more sophisticated - although there still are situations where the attack does not seem particularly sophisticated," he said.
Multiple factors are contributing to these breaches, Nahra said. "There is a need for continuing and constant vigilance and updating of security systems. There is a need to pay attention to vendors. But at the same time, it's increasingly difficult to do that up and down long business associate chains," he said.
"Many of the business associate breaches that are reported involve downstream entities where there are multiple trails and levels of customers, often in situations where some may not even be healthcare-related," he said.
Organization should be paying even more attention to their incident response plans. They should ensure that that they have a good way to respond to breaches and include information about how to address - in advance, where feasible - incidents involving business associates, Nahra said.
HHS OCR should be looking for ways to be helpful in these incidents and avoid punishing companies that are trying to do the right thing but get attacked in any event, he said. "More guidance is fine, but creating additional and parallel sets of standards to meet will not be productive. This 'punish the victim' approach is not ultimately helpful for covered entities or the healthcare system."
Resources Aplenty
There are plenty of cybersecurity resources available that specifically address the array of technology and use cases found across healthcare, if entities are willing to look, said privacy attorney David Holtzman of consulting HITprivacy LLS.
They include the recently developed HHS Health/Public Health Cyber Gateway, an information clearinghouse for resources that can assist many kinds of healthcare organizations, Holtzman said. "There is no magic bullet or one-size-fits-all approach that will be effective for all healthcare organizations, but resources are available to assist in addressing many use cases."
*Update: Statement from HHS OCR added. Feb. 1, 23:03 UTC.