May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May – along with October 2022 – was the second-worst-ever month for healthcare data breaches, only beaten by the 95 breaches that were reported in September 2020. Month-over-month there was a 44% increase in reported data breaches and May’s total was well over the 12-month average of 58 data breaches a month.
May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562 records. 46.52% of the breached records in May came from one incident, which exposed the records of almost 8.9 million individuals, and 90.45% of the breached records came from just three security incidents. More healthcare records have been breached in the first 5 months of 2023 (36,437,539 records) than in all of 2020 (29,298,012 records).
Largest Healthcare Data Breaches in May 2023
23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst data breach was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA), which affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish the information on its data leak site if a $10 million ransom was not paid, and leaked the stolen data when it wasn't. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its parent company, BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and proceeded to upload the stolen data to its data leak site when the ransom was not paid.
A third breach of more than 1 million records resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent company, Point32Health, the second-largest health insurer in Massachusetts. This was also a ransomware attack with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).
Healthcare Data Breaches of 10,000 or More Records
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack (LockBit) – Data theft confirmed |
| PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking incident – Data theft confirmed |
| Harvard Pilgrim Health Care | MA | Health Plan | 2,550,922 | Ransomware attack – Data theft confirmed |
| R&B Corporation of Virginia d/b/a Credit Control Corporation | VA | Business Associate | 345,523 | Hacking incident – Data theft confirmed |
| Onix Group | PA | Business Associate | 319,500 | Ransomware attack – Data theft confirmed |
| Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) | IA | Health Plan | 233,834 | Ransomware attack (LockBit) on its business associate (MCNA Dental) – Data theft confirmed |
| Albany ENT & Allergy Services, PC | NY | Healthcare Provider | 224,486 | Ransomware attack (BianLian/RansomHouse) – Data theft confirmed |
| Uintah Basin Healthcare | UT | Healthcare Provider | 103,974 | Hacking incident |
| UI Community Home Care, a subsidiary of University of Iowa Health System | IA | Healthcare Provider | 67,897 | Cyberattack on subcontractor (ILS) of its business associate (Telligen) – Data theft confirmed |
| University Urology | NY | Healthcare Provider | 56,816 | Hacking incident |
| Illinois Department of Healthcare and Family Services, Illinois Department of Human Services | IL | Health Plan | 50,839 | Hackers compromised the state Application for Benefits Eligibility (ABE) system |
| New Mexico Department of Health | NM | Healthcare Provider | 49,000 | Impermissible disclosure of deceased individuals' PHI in response to an access request by a journalist |
| Pioneer Valley Ophthalmic Consultants, PC | MA | Healthcare Provider | 36,275 | Malware infection at business associates (Alta Medical Management and ECL Group, LLC) |
| Brightline, Inc. | CA | Business Associate | 28,975 | Hacking of Fortra GoAnywhere MFT solution |
| Clarke County Hospital | IA | Healthcare Provider | 28,003 | Hacking incident |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 26,561 | Hacking incident |
| ASAS Health, LLC | TX | Healthcare Provider | 25,527 | Hacking incident |
| iSpace, Inc. | CA | Business Associate | 24,382 | Hacking incident – Data theft confirmed |
| PillPack LLC | NH | Healthcare Provider | 19,032 | Credential stuffing attack allowed customer account access |
| Solutran | MN | Business Associate | 17,728 | Hacking incident |
| MedInform, Inc. | OH | Business Associate | 14,453 | Hacking incident – Data theft confirmed |
| Catholic Health System | NY | Healthcare Provider | 12,759 | Hacking incident at business associate (Minimum Data Set Consultants) – Data theft confirmed |
| Northwest Health – La Porte | IN | Healthcare Provider | 10,256 | Paper records were removed from locked shredding bins at an old facility |
Causes of May 2023 Healthcare Data Breaches
The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.
Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.
Where Did the Breaches Occur?
When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.
Geographical Distribution of Healthcare Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. While Massachusetts tops the list with 15 data breaches reported, 13 of those breaches were the same incident. Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. As such, California and New York were the worst affected states with 7 breaches each.
| State | Number of Reported Data Breaches |
|---|---|
| Massachusetts | 15 (13 of these were separate reports of the same Alvaria, Inc. incident) |
| California & New York | 7 |
| Connecticut, Iowa & Ohio | 4 |
| Illinois, New Jersey & Pennsylvania | 3 |
| Alaska, Indiana, Missouri & Texas | 2 |
| Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia & Wisconsin | 1 |
HIPAA Enforcement Activity in May 2023
After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.
In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.
Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations. We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.
The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.
A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.
The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.