Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.
Healthcare Data Breaches Reported in March 2023
In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.
There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.
Largest Healthcare Data Breaches
In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, & Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, consent must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.
Get the FREE
Discover everything you need
to become HIPAA compliant
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption, but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files, instead, they just steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations, Santa Clara Family Health Plan, and US Wellness Inc, all three of which make the top 22 list.
There were three 10,000+ record data breaches involving the hacking of email accounts – through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. While emails often need to be retained for compliance with HIPAA and other laws – moving them to a secure archive can help to reduce the extent of a data breach if email accounts are compromised. One of the phishing attacks saw one email account compromised that contained the PHI of more than 77,000 individuals.
|Name of Covered Entity||State||Covered Entity Type||Individuals Affected||Cause of Breach|
|Cerebral, Inc||DE||Business Associate||3,179,835||Website tracking code – Impermissible disclosure to third parties|
|ZOLL Services LLC||MA||Healthcare Provider||997,097||Hacking incident (details not made public)|
|Community Health Systems Professional Services Corporations (CHSPSC), LLC||TN||Business Associate||962,884||Hacking of Fortra’s GoAnywhere MFT solution|
|Santa Clara Family Health Plan||CA||Health Plan||276,993||Hacking of Fortra’s GoAnywhere MFT solution|
|Monument, Inc.||NY||Business Associate||108,584||Website tracking code – Impermissible disclosure to third parties|
|Bone & Joint Clinic, S.C.||WI||Healthcare Provider||105,094||Hacking incident: Network disruption and data theft|
|Florida Medical Clinic, LLC||FL||Healthcare Provider||94,132||Ransomware attack|
|Healthy Options dba Postal Prescription Services – Kroger||OH||Healthcare Provider||82,466||Impermissible disclosure of PHI to Kroger|
|NorthStar Emergency Medical Services||AL||Healthcare Provider||82,450||Hacking incident (details not made public)|
|Merritt Healthcare Advisors||CT||Business Associate||77,258||Unauthorized accessing of employee email account|
|NewYork Presbyterian Hospital||NY||Healthcare Provider||54,396||Website tracking code – Impermissible disclosure to third parties|
|Trinity Health||MI||Business Associate||45,350||Phishing attack: employee email account compromised|
|UHS of Delaware, Inc.||PA||Business Associate||40,290||Unauthorized accessing of employee email account|
|SundaySky, Inc.||NY||Business Associate||37,095||Hacked cloud server – data theft confirmed|
|Denver Public Schools Medical Plans||CO||Health Plan||35,068||Hacked network server – data theft confirmed|
|Atlantic General Hospital||MD||Healthcare Provider||26,591||Ransomware attack|
|UC San Diego Health||CA||Healthcare Provider||23,000||Website tracking code used by a business associate – Impermissible disclosure to third parties|
|Tallahassee Memorial Healthcare, Inc.||FL||Healthcare Provider||20,376||Hacked network server – data theft confirmed|
|Northeast Surgical Group, PC||MI||Healthcare Provider||15,298||Hacked network server|
|Health Plan of San Mateo||CA||Health Plan||11,894||Unauthorized accessing of employee email account|
|US Wellness Inc.||MD||Business Associate||11,459||Hacking of Fortra’s GoAnywhere MFT solution|
|Codman Square Health Center||MA||Healthcare Provider||10,161||Ransomware attack|
Causes of March 2023 Data Breaches
The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.
There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.
Where Did the Breaches Occur?
The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA -covered entities may self-report breaches, but it is common for the covered entity to report the breaches. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.
The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.
Geographical Distribution of March 2023 Data Breaches
Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.
|Florida, Massachusetts, Ohio, Pennsylvania & Texas||3|
|Indiana, Kansas, Maryland, Michigan & Oregon||2|
|Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia||1|
HIPAA Enforcement Activity in March 2023
No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm, Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications, details of which can be found here.
While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure and that was followed up with a second enforcement action in March. The FTC announced that the online counseling service provider, BetterHelp, had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential. While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.