November was a relatively quiet month for healthcare data breaches, with 31% fewer breaches reported than in the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second-worst year to date for healthcare data breaches.
Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed, well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.
Largest Healthcare Data Breaches in November
17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records, and three of which involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software, a provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.
The Indiana-based healthcare provider Community Health Network reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.
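The mechanism behind the Community Health Network breach (a tracking snippet on a patient-facing site forwarding page URLs and page context to an advertising or analytics endpoint) is easy to miss in a code review but easy to find in outbound traffic. The following JavaScript is an added example, not code from this report or from any of the entities it names: it audits a list of outbound request URLs captured from a browser session (for instance exported from browser developer tools) for third-party beacons that carry PHI indicators, and shows a gate that keeps a tracking snippet off authenticated and patient-facing pages. The portal domain, the sample request list and the PHI heuristics are constructed assumptions, and the `dl`/`dp`/`dr` parameter names reflect the common beacon convention of embedding the current page URL, which is also an assumption rather than anything the report states.

```javascript
// Added example (not from the HIPAA Journal report or from any covered entity).
// Defender-side audit for the breach mechanism described above: tracking code
// forwarding patient page context to third-party endpoints. All hostnames,
// paths and requests here are constructed for illustration.

// Assumed first-party domain; its subdomains (portal., cdn., ...) are first party.
const FIRST_PARTY_SITE = "example-health.test";

// Beacon parameters that commonly carry the page URL or referrer (assumption
// about beacon shape; extend for the vendors actually present on your site).
const URL_CARRYING_PARAMS = ["dl", "dr", "dp", "url", "ref"];

// Illustrative heuristics for PHI-bearing URL components; not an exhaustive list.
const PHI_INDICATORS = [
  /\bmrn\b/i, /\bpatient\b/i, /appointment/i, /diagnos/i,
  /\bdob\b/i, /\bemail\b/i, /\bphone\b/i, /oncology|cardiology|psychiatry/i,
];

function isThirdParty(requestUrl, firstPartySite = FIRST_PARTY_SITE) {
  const host = new URL(requestUrl).hostname;
  return !(host === firstPartySite || host.endsWith("." + firstPartySite));
}

// Every string a beacon could be leaking: the destination path, each raw
// query pair, and the decoded page URL / referrer it embeds as a parameter.
function leakSurfaces(requestUrl) {
  const u = new URL(requestUrl);
  const surfaces = [u.pathname];
  for (const [key, value] of u.searchParams) {
    surfaces.push(`${key}=${value}`);
    if (URL_CARRYING_PARAMS.includes(key)) {
      try { surfaces.push(decodeURIComponent(value)); } catch (_) { /* keep raw only */ }
    }
  }
  return surfaces;
}

// Names (regex sources) of the PHI indicators found anywhere in one request.
function phiIndicatorsIn(requestUrl) {
  const hits = new Set();
  for (const s of leakSurfaces(requestUrl)) {
    for (const re of PHI_INDICATORS) if (re.test(s)) hits.add(re.source);
  }
  return [...hits];
}

// Audit captured outbound requests: report third-party beacons carrying PHI.
function auditRequests(requests, firstPartySite = FIRST_PARTY_SITE) {
  return requests
    .filter((r) => isThirdParty(r, firstPartySite))
    .map((r) => ({ host: new URL(r).hostname, indicators: phiIndicatorsIn(r) }))
    .filter((f) => f.indicators.length > 0);
}

// Gate for the snippet itself: the simplest fix is not to load tracking code
// on authenticated or patient-flow pages at all (and never to send query strings).
function trackingAllowed(pageContext) {
  const { path, authenticated } = pageContext;
  if (authenticated) return false;                                   // logged-in portal pages
  if (/^\/(patient|appointments|results)(\/|$)/.test(path)) return false; // patient flows
  return true;                                                       // public marketing pages
}

// Constructed sample session: a logged-in patient views results and books an
// appointment while a pixel and an analytics beacon fire in the background.
const SAMPLE_REQUESTS = [
  "https://portal.example-health.test/api/appointments",
  "https://cdn.example-health.test/static/app.js",
  "https://www.facebook.com/tr?id=1234567890&ev=PageView&dl=" +
    encodeURIComponent("https://portal.example-health.test/patient/appointments?provider=Dr.%20Lee&reason=oncology"),
  "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fpatient%2Fresults%2Fmrn%2F00112233",
  "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fabout-us",
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

Running the block prints two findings: the pixel request (page URL contains `patient`, `appointment` and a specialty) and the analytics hit whose page path carries a medical record number; the first-party API call and the public `/about-us` pageview are not reported. In practice the request list would come from a recorded session of every patient-facing flow, and `trackingAllowed` would be wired into whatever tag loader the site uses so that the snippet never executes where the gate returns false.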
Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider Wright & Filippis and by Health Care Management Solutions in West Virginia.
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Data Breach |
--- | --- | --- | --- | --- | --- |
Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking/IT Incident | Hacking of network server |
Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure | Website tracking code transmitted PHI to third parties |
Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Hacking/IT Incident | Ransomware attack |
Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Hacking/IT Incident | Ransomware attack |
Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking/IT Incident | Ransomware attack on subcontractor of CMS business associate |
Gateway Rehabilitation Center | PA | Healthcare Provider | 130,000 | Hacking/IT Incident | Hacking of network server |
Mena Regional Health System | AR | Healthcare Provider | 84,814 | Hacking/IT Incident | Hacking of network server |
Dallam Hartley Counties Hospital District | TX | Healthcare Provider | 69,835 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
Consumer Directed Services in Texas, Inc. | TX | Healthcare Provider | 56,728 | Hacking/IT Incident | Hacking incident at a business associate |
Stanley Street Treatment and Resources, Inc. | MA | Healthcare Provider | 45,785 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
South Walton Fire District | FL | Healthcare Provider | 25,331 | Hacking/IT Incident | South Walton Fire District |
Rosenfeld VanWirt, PC | PA | Business Associate | 18,719 | Hacking/IT Incident | Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network |
CCA Health Plans of California, Inc d/b/a CCA Health CA | CA | Health Plan | 14,631 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
CareFirst Administrators | MD | Health Plan | 14,538 | Hacking/IT Incident | Phishing attack on business associate |
Work Health Solutions | CA | Healthcare Provider | 13,157 | Hacking/IT Incident | Phishing attack |
New York-Presbyterian Hospital | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Hacking of network server |
Epic Management LLC | TN | Healthcare Provider | 10,862 | Hacking/IT Incident | Unauthorized email account access |
Causes of November Data Breaches
All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks, so it is difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in the month’s hacking incidents, which is 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.
There were 8 unauthorized access/disclosure incidents reported, involving the records of 1,521,788 individuals; the majority of those records were impermissibly disclosed by a single healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported, involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data and four incidents involving electronic health records.
HIPAA-Regulated Entities Affected by Data Breaches
Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. Six data breaches were reported by health plans, one of which occurred at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than on the entities that reported them.
Healthcare Data Breaches by State
Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records; 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, involving the protected health information of only 41,382 patients in total.
State | Breaches |
--- | --- |
Pennsylvania | 12 |
California | 6 |
Florida & New York | 4 |
Texas | 3 |
Arkansas, Connecticut, Indiana, Maryland, Massachusetts & Tennessee | 2 |
Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico | 1 |
HIPAA Enforcement Activity in November
No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were against small healthcare providers.
In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, and the Massachusetts Attorney General found that safeguards such as multi-factor authentication and security awareness training were lacking.
The post November 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.