Breach Notification, HIPAA/HITECH, Security Operations

Major Health Data Breaches: How Are Trends Shifting in 2024?

Midyear Analysis of HHS OCR 'Wall of Shame' Shows Hacks, Vendor Breaches Top List

Hacks and vendor incidents continue to dominate major health data breach trends in 2024, but a handful of large incidents involving "unauthorized access or disclosure" also top the list of major health data breaches reported to federal regulators so far this year.


As of Thursday, a snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 384 major health data breaches affecting a total of 44.8 million individuals reported between Jan. 1 and June 30, or by midyear 2024.

Of those, 298 breaches, or about 77%, were reported by healthcare organizations and their partners as hacking incidents. They affected a total of 29.7 million individuals, or about 66% of the people affected so far this year by the major health data compromises that appear on the HHS OCR website.

In January, physical therapy provider Concentra Health posted the largest hack on the HHS OCR website so far in 2024. It affected nearly 4 million individuals.

The incident stemmed from the 2023 data theft hack of medical transcription services firm Perry Johnson & Associates, which last year affected more than a dozen of the company's other clients and so far appears to have touched about 14 million individuals (see: Medical Transcriber's Hack Breach Affects at Least 9 Million).

But hacks are not the only incidents that have compromised the protected health information of millions. Seventy incidents, affecting more than 15 million people, were reported to HHS OCR as "unauthorized access/disclosure" breaches.

As of Thursday, one of those incidents topped the list of the 10 largest health data breaches posted on the HHS OCR website this year. That breach, reported in April by health plan Kaiser Foundation, involved the organization's previous use of online trackers on its websites. It affected 13.4 million individuals and accounts for the lion's share of the people affected by incidents labeled "unauthorized access/disclosure" (see: Kaiser Permanente Notifying 13.4 Million of Tracker Breach).

Another unauthorized access/disclosure breach, reported by Pennsylvania-based health system Geisinger as affecting nearly 1.3 million individuals, ranks as the seventh-largest health data breach posted on the HHS OCR website so far this year.

That incident involved a business associate of Geisinger: a former employee of IT services provider Nuance Communications, a unit of Microsoft. The U.S. Department of Justice in January indicted that individual on one count of "obtaining information from a protected computer," which is a federal crime under the Computer Fraud and Abuse Act (see: Nuance Ex-Employee Indicted for Breach Affecting 1 Million).

10 Largest Health Data Breaches So Far in 2024

Breached Entity                          Individuals Affected
Kaiser Foundation                        13.4 million
Concentra Health                         4 million
Sav-Rx                                   2.8 million
WebTPA                                   2.5 million
Integris Health                          2.4 million
Medical Management Resource Group        2.35 million
Geisinger                                1.3 million
Eastern Radiologists                     887,000
Superior Air-Ground Ambulance Service    858,000
Unite Here                               791,000

Source: U.S. Department of Health and Human Services

Vendors and other third-party business associates that handle protected health information continue to be at the center of many major health data breaches reported to HHS OCR.

So far in 2024, business associates are reported as "present" in 141 breaches affecting 17.5 million people. That means business associates have been involved in 40% of the total number of major health data breaches reported to HHS OCR this year.

Noticeably absent so far from the midyear tally are breach reports related to the February cyberattack on Change Healthcare, which parent company UnitedHealth Group has estimated affected one-third of the American population.

UnitedHealth Group has offered to handle breach notification duties for clients affected by the incident, so it's unclear whether the Change Healthcare hack will eventually show up on the HHS OCR website as hundreds of breaches reported by UHG on behalf of covered entities or as one report reflecting the total number of the millions of individuals likely affected (see: State AGs Warn Consumers About Change Healthcare Breach).

Once the Change Healthcare hack is reflected in the HHS OCR tally, the breach numbers for 2024 are expected to increase dramatically, by tens of millions.

Also missing so far are any breach reports related to several other noteworthy recent breaches, including a ransomware hack in May on hospital system Ascension (see: Worker-Downloaded Malware Caused Ascension Ransomware Attack).

The Shift to Larger Victims

Although hacks and business associate breaches have been dominant themes in major health data breaches for several years, some experts see other trends emerging.

"Targeting of the healthcare sector seems to have shifted to larger organizations, which when disrupted have an outsized impact sectorwide," said Mike Hamilton, founder and CISO of security firm Critical Insight.

That was certainly the case in the hack of Change Healthcare, whose parent company, UnitedHealth Group, admits paying a $22 million ransom to BlackCat attackers.

"Those records that are stolen are not as frequently monetized by selling them; rather, they are being used as an extortion tool," Hamilton said. "This brings the added risk of class action and other litigation, and criminals know and are capitalizing on this risk."

Cyber incidents in the healthcare sector are a foreseeable risk, which suggests that preventive controls are insufficient and that the risk must be mitigated through impact minimization, he said.

"Good monitoring of the network, endpoints and cloud applications combined with 24/7 analyst oversight and effective incident response is one of the best investments to effect impact minimization."

While some breach trends are morphing - and in most cases worsening - the latest snapshot of the HHS OCR breach website does show continuing signs of improvement in some areas.

So far in 2024, only eight breaches affecting a total of 51,000 individuals have been linked to theft/loss incidents involving unencrypted laptops, servers and similar gear. Less than a decade ago, those types of breaches dominated the "wall of shame" and affected millions of individuals annually.

HIPAA breaches involving the loss and theft of computing and mobile devices have plummeted in recent years as more organizations have implemented encryption on those products.

In total, the HHS OCR website shows 6,292 major health data breaches affecting more than 585.2 million individuals reported since September 2009.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.