May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May – along with October 2022 – was the second-worst-ever month for healthcare data breaches, only beaten by the 95 breaches that were reported in September 2020. Month-over-month there was a 44% increase in reported data breaches and May’s total was well over the 12-month average of 58 data breaches a month.

Healthcare Data Breaches in the Past 12 Months - May 2023

May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562 records. 46.52 of the breached records in May came from one incident, which exposed the records of almost 8.9 million individuals, and 90.45% of the breached records came from just three security incidents. More healthcare records have been breached in the first 5 months of 2023 (36,437,539 records) than in all of 2020 (29,298,012 records).

Records Breached in Healthcare Data Breaches in the Past 12 Months - May 2023

Largest Healthcare Data Breaches in May 2023

23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst data breach was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA) which affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish the information on its website if the $10 million ransom was not paid, and when it wasn’t, uploaded leaked the stolen data. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its subsidiary BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and proceeded to upload the stolen data to its data leak site when the ransom was not paid.

A third million+ record data breach resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent Company, Point32Health, the second largest health insurer in Massachusetts. This was also a ransomware attack with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate, Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Managed Care of North America (MCNA) GA Business Associate 8,861,076 Ransomware attack (LockBit) – Data theft confirmed
PharMerica Corporation KY Healthcare Provider 5,815,591 Hacking Incident – data theft confirmed
Harvard Pilgrim Health Care MA Health Plan 2,550,922 Ransomware attack – Data theft confirmed
R&B Corporation of Virginia d/b/a Credit Control Corporation VA Business Associate 345,523 Hacking Incident – data theft confirmed
Onix Group PA Business Associate 319,500 Ransomware attack – Data theft confirmed
Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) IA Health Plan 233,834 Ransomware attack (LockBit) on its business associate (MCNA Dental) – Data theft confirmed
Albany ENT & Allergy Services, PC. NY Healthcare Provider 224,486 Ransomware attack (BianLian/RansomHouse) – Data theft confirmed
Uintah Basin Healthcare UT Healthcare Provider 103,974 Hacking Incident
UI Community Home Care, a subsidiary of University of Iowa Health System IA Healthcare Provider 67,897 Cyberattack on subcontractor (ILS) of its business associate (Telligen) – data theft confirmed
University Urology NY Healthcare Provider 56,816 Hacking Incident
Illinois Department of Healthcare and Family Services, Illinois Department of Human Services IL Health Plan 50,839 Hackers compromised the state Application for Benefits Eligibility (ABE) system
New Mexico Department of Health NM Healthcare Provider 49,000 Impermissible disclosure of deceased individuals’ PHI per access request by a journalist
Pioneer Valley Ophthalmic Consultants, PC MA Healthcare Provider 36,275 Malware infection at business associates (Alta Medical Management and ECL Group, LLC)
Brightline, Inc. CA Business Associate 28,975 Hacking of Fortra GoAnywhere MFT solution
Clarke County Hospital IA Healthcare Provider 28,003 Hacking Incident
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 26,561 Hacking Incident
ASAS Health, LLC TX Healthcare Provider 25,527 Hacking Incident
iSpace, Inc. CA Business Associate 24,382 Hacking Incident – data theft confirmed
PillPack LLC NH Healthcare Provider 19,032 Credential stuffing attack allowed customer account access
Solutran MN Business Associate 17,728 Hacking incident
MedInform, Inc. OH Business Associate 14,453 Hacking Incident – data theft confirmed
Catholic Health System NY Healthcare Provider 12,759 hacking incident at business associate (Minimum Data Set Consultants) – data theft confirmed
Northwest Health – La Porte IN Healthcare Provider 10,256 Paper records were removed from locked shredding bins at an old facility

Causes of May 2023 Healthcare Data Breaches

The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.

Causes of May 2023 Healthcare Data Breaches

Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.

Location of Breached PHI in May 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.

May 2023 Healthcare Data Breaches - HIPAA-regulated Entities

Records Breached at HIPAA-regulated entities - May 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. While Massachusetts tops the list with 15 data breaches reported, 13 of those breaches were the same incident. Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. As such, California and New York were the worst affected states with 7 breaches each.

State Number of Reported Data Breaches
Massachusetts 15
California & New York 7
Connecticut, Iowa & Ohio 4
Illinois, New Jersey & Philadelphia 3
Alaska, Indiana, Missouri & Texas 2
Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia & Wisconsin 1

Click here to view more detailed healthcare data breach statistics.

HIPAA Enforcement Activity in May 2023

After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.

In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.

Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations.  We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.

The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.

A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.

The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.


By admin

Leave a Reply

Your email address will not be published. Required fields are marked *