The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022, the lowest monthly total of the year and 29.7% fewer than the 2022 monthly average. The year ended with 683 data breaches, a year-over-year reduction of 4.3%. Only one other year (2014) has seen a fall in reported data breaches.
The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.
Largest Healthcare Data Breaches in December 2022
December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack with business associate involvement |
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
Avem Health Partners | OK | Business Associate | 271,303 | Hacking Incident at a business associate |
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System | LA | Healthcare Provider | 269,752 | Ransomware attack |
Fitzgibbon Hospital | MO | Healthcare Provider | 112,072 | Ransomware attack |
Monarch | NC | Healthcare Provider | 56,155 | Hacking Incident – No information released |
Ola Equipment LLC | HI | Business Associate | 39,000 | Hacking Incident – No information released |
The Elizabeth Hospice | CA | Healthcare Provider | 35,496 | An employee sent PHI to a personal email account |
Legacy Operating Company d/b/a Legacy Hospice | AL | Healthcare Provider | 21,202 | Compromised email accounts |
Employee Group Insurance Benefits Plan of Acuity Brands, Inc. | GA | Health Plan | 20,849 | Hacking incident (data theft confirmed) |
San Gorgonio Memorial Hospital | CA | Healthcare Provider | 16,846 | Hacking incident (data theft confirmed) |
Hawaiian Eye Center | HI | Healthcare Provider | 14,524 | Ransomware attack |
Foundcare, Inc. | FL | Healthcare Provider | 14,194 | Compromised email account |
Causes of December 2022 Healthcare Data Breaches
Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents, 70% of the month’s total. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents, 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers and 12 involved hacked email accounts.
The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with phishing-resistant FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date; a recent audit of the Department of the Interior identified many password management failures of the kind that are all too common in the healthcare industry.
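The reason FIDO-based MFA holds up against the phishing that drives these email-account compromises is that the browser and the relying party both bind each login assertion to the site origin, whereas a one-time code can be typed into any page and relayed. The following is an added illustration written for this report, not code from HIPAA Journal or any vendor. It simulates the WebAuthn assertion checks on both sides using only the Python standard library: the hostnames, the fixed challenge and the per-credential secret are all constructed, and an HMAC stands in for the authenticator's signature (a real authenticator uses an asymmetric key pair). The origin and rpIdHash checks are the ones the WebAuthn specification requires.

```python
"""Simulated WebAuthn/FIDO assertion check beside an OTP check (added example)."""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

RP_ID = "portal.example-hospital.test"                       # assumed relying-party ID
RP_ORIGIN = "https://portal.example-hospital.test"           # assumed
PHISHING_ORIGIN = "https://portal.example-hospita1.test"     # assumed lookalike domain
CREDENTIAL_SECRET = b"secret-bound-to-this-credential"       # stand-in for the key pair
CHALLENGE = bytes(range(16))                                 # constructed; real RPs use random bytes


def authenticator_sign(rp_id, origin, challenge, counter):
    """Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
    The browser, not the user, writes `origin` into clientDataJSON."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1, user-present) || signCount (4, big-endian)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def browser_get_assertion(rp_id, origin, challenge, counter):
    """Browser side of navigator.credentials.get(): refuse unless rpId is the page's
    host or a registrable suffix of it, then hand off to the authenticator."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"browser refused: rpId {rp_id!r} does not match origin {origin!r}")
    return authenticator_sign(rp_id, origin, challenge, counter)


def rp_verify(client_data, auth_data, sig, expected_challenge, last_counter):
    """Relying-party side: the checks required before an assertion is accepted."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        return False, "signature counter did not increase (cloned credential?)"
    expected = hmac.new(CREDENTIAL_SECRET, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature does not verify"
    return True, "ok"


def legitimate_fido_login():
    cd, ad, sig = browser_get_assertion(RP_ID, RP_ORIGIN, CHALLENGE, counter=5)
    return rp_verify(cd, ad, sig, CHALLENGE, last_counter=4)


def relayed_fido_login():
    """Adversary-in-the-middle phishing page relays the real challenge to the victim's browser."""
    try:
        cd, ad, sig = browser_get_assertion(RP_ID, PHISHING_ORIGIN, CHALLENGE, counter=5)
    except PermissionError as err:
        return False, str(err)
    return rp_verify(cd, ad, sig, CHALLENGE, last_counter=4)


def forged_origin_fido_login():
    """Even with the browser check bypassed, the signed clientDataJSON names the phishing origin."""
    cd, ad, sig = authenticator_sign(RP_ID, PHISHING_ORIGIN, CHALLENGE, counter=5)
    return rp_verify(cd, ad, sig, CHALLENGE, last_counter=4)


def relayed_otp_login():
    """Contrast: a one-time code carries nothing that names where it was typed, so a code
    entered on the phishing page and relayed within its validity window is accepted."""
    otp_seed = b"constructed-otp-seed"
    expected = hmac.new(otp_seed, b"time-step-1", hashlib.sha256).hexdigest()[:6]
    code_typed_on_phishing_page = expected          # victim reads it off their phone
    return hmac.compare_digest(code_typed_on_phishing_page, expected)


if __name__ == "__main__":
    print("legitimate FIDO :", legitimate_fido_login())
    print("relayed FIDO    :", relayed_fido_login())
    print("forged origin   :", forged_origin_fido_login())
    print("relayed OTP     :", relayed_otp_login())
```

The two FIDO failures are independent layers: the browser refuses to produce an assertion for an rpId that does not match the page it is on, and if that were somehow bypassed the relying party still rejects an assertion whose signed origin is not its own. The OTP path has no equivalent check, which is why a relayed code is accepted.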
There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.
December Data Breaches by HIPAA Regulated Entity
Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches of 500 or more records. Business associates reported 11 data breaches and health plans reported 5. Two of the breaches reported by healthcare providers involved a business associate but were reported by the provider. The chart below shows the breakdown based on where the breach occurred.
States Affected by December 2022 Data Breaches
Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.
State | Reported Data Breaches |
California | 4 |
Florida, New York, Texas & Washington | 3 |
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia | 2 |
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia | 1 |
HIPAA Enforcement Activity in 2022
OCR closed the year with two financial penalties to resolve alleged HIPAA violations. The Health Specialists of Central Florida case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but after a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in 2019.
New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.
State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.
The post December 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.