Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.

Healthcare Data Breaches Reported in March 2023

In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.

March 2023 Healthcare Data Breach Report - 12 month breaches

There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.

March 2023 Healthcare Data Breach Report - 12 month breached records

Largest Healthcare Data Breaches

In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, & Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, consent must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.

Get the FREE
HIPAA Checklist

Discover everything you need
to become HIPAA compliant

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption, but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files, instead, they just steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations, Santa Clara Family Health Plan, and US Wellness Inc, all three of which make the top 22 list.

There were three 10,000+ record data breaches involving the hacking of email accounts – through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. While emails often need to be retained for compliance with HIPAA and other laws –  moving them to a secure archive can help to reduce the extent of a data breach if email accounts are compromised. One of the phishing attacks saw one email account compromised that contained the PHI of more than 77,000 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Cerebral, Inc DE Business Associate 3,179,835 Website tracking code – Impermissible disclosure to third parties
ZOLL Services LLC MA Healthcare Provider 997,097 Hacking incident (details not made public)
Community Health Systems Professional Services Corporations (CHSPSC), LLC TN Business Associate 962,884 Hacking of Fortra’s GoAnywhere MFT solution
Santa Clara Family Health Plan CA Health Plan 276,993 Hacking of Fortra’s GoAnywhere MFT solution
Monument, Inc. NY Business Associate 108,584 Website tracking code – Impermissible disclosure to third parties
Bone & Joint Clinic, S.C. WI Healthcare Provider 105,094 Hacking incident: Network disruption and data theft
Florida Medical Clinic, LLC FL Healthcare Provider 94,132 Ransomware attack
Healthy Options dba Postal Prescription Services – Kroger OH Healthcare Provider 82,466 Impermissible disclosure of PHI to Kroger
NorthStar Emergency Medical Services AL Healthcare Provider 82,450 Hacking incident (details not made public)
Merritt Healthcare Advisors CT Business Associate 77,258 Unauthorized accessing of employee email account
NewYork Presbyterian Hospital NY Healthcare Provider 54,396 Website tracking code – Impermissible disclosure to third parties
Trinity Health MI Business Associate 45,350 Phishing attack: employee email account compromised
UHS of Delaware, Inc. PA Business Associate 40,290 Unauthorized accessing of employee email account
SundaySky, Inc. NY Business Associate 37,095 Hacked cloud server – data theft confirmed
Denver Public Schools Medical Plans CO Health Plan 35,068 Hacked network server – data theft confirmed
Atlantic General Hospital MD Healthcare Provider 26,591 Ransomware attack
UC San Diego Health CA Healthcare Provider 23,000 Website tracking code used by a business associate – Impermissible disclosure to third parties
Tallahassee Memorial Healthcare, Inc. FL Healthcare Provider 20,376 Hacked network server – data theft confirmed
Northeast Surgical Group, PC MI Healthcare Provider 15,298 Hacked network server
Health Plan of San Mateo CA Health Plan 11,894 Unauthorized accessing of employee email account
US Wellness Inc. MD Business Associate 11,459 Hacking of Fortra’s GoAnywhere MFT solution
Codman Square Health Center MA Healthcare Provider 10,161 Ransomware attack

Causes of March 2023 Data Breaches

The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.

March 2023 Healthcare Data Breach Report - causes

There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.

March 2023 Healthcare Data Breach Report - data location

Where Did the Breaches Occur?

The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA -covered entities may self-report breaches, but it is common for the covered entity to report the breaches. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.

March 2023 Healthcare Data Breach Report - breaches at hipaa-regulated entities

The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.

March 2023 Healthcare Data Breach Report - records breached at hipaa-regulated entities

Geographical Distribution of March 2023 Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.

State Breaches
New York 18
California 7
Florida, Massachusetts, Ohio, Pennsylvania & Texas 3
Indiana, Kansas, Maryland, Michigan & Oregon 2
Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia 1

HIPAA Enforcement Activity in March 2023

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm, Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications, details of which can be found here.

While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure and that was followed up with a second enforcement action in March. The FTC announced that the online counseling service provider, BetterHelp, had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential.  While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.


By admin

Leave a Reply

Your email address will not be published. Required fields are marked *