SecureTrust Cybersecurity
August 2023 HIPAA Data Breaches

HIPAA Data Breach Report (August 2023)

Our August 2023 Healthcare Data Breach Report reveals concerning trends in the number and scale of data breaches plaguing the healthcare industry.

In August alone, 26 major breaches exposed the records of over 11 million individuals.

Hacking and IT incidents accounted for nearly all reported breaches, with email and network servers emerging as prime targets.

Mass exploitation of vulnerabilities in file transfer software led to several of the largest single breaches.

Other notable findings from the report include:

  • Healthcare providers were the most affected type of covered entity, accounting for 15 of the 26 breaches.
  • Hacking/IT incidents were the most common type of breach, accounting for 23 of the 26 breaches.
  • Email and network servers were the most common locations of breached data.

HIPAA Enforcement Activity In August 2023

The Right of Access provision under HIPAA grants patients the right to request and obtain copies of their medical records from healthcare providers and health plans.

Covered entities must provide the requested records within 30 days in most cases.

UnitedHealthcare

In the action against UnitedHealthcare, OCR found the insurer had failed to provide a patient with timely access to their records after a request was made. The records were provided months after the 30-day deadline.

OCR determined this violation warranted a financial penalty of $80,000.

This enforcement shows that OCR takes Right of Access compliance seriously and is willing to impose fines for noncompliance.

Timely access to medical records is critical for patients to manage their care, share information with other providers, and verify billing accuracy. 

When HIPAA-covered entities like UnitedHealthcare ignore or delay requests, it hinders patient rights and healthcare delivery.

By fining violators like UnitedHealthcare, OCR aims to enforce the Right of Access while signaling to the broader healthcare industry that access problems will not be tolerated. 

Continued violations can trigger larger penalties, audits, and corrective action plans.

Zero-Day Vulnerability In MOVEit Transfer

The two largest data breaches of the month were due to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution.

This vulnerability was patched on June 15, 2023, but many organizations had not yet applied the patch by the time it was exploited in August.

In mid-June 2023, Progress Software issued a patch for a critical zero-day vulnerability affecting its MOVEit Transfer file transfer product.

The vulnerability allowed remote attackers to execute arbitrary code and commands. Unfortunately, many organizations using MOVEit failed to promptly apply the patch after its release.

This patching delay left them exposed when threat actors began actively exploiting the vulnerability in August 2023.

The sophisticated Russia-linked ransomware group known as Clop was one of the first to leverage the MOVEit flaw to breach entities like healthcare providers and insurers.

By exploiting the vulnerability, Clop and other attackers could gain initial access to systems, disable security tools, and exfiltrate sensitive data before deploying ransomware across networks.

The unpatched MOVEit software provided an ideal entry point.

The lack of timely patching enabled the vulnerability to be mass-exploited across the healthcare sector.

Major breaches at Performance Health Technology, PurFoods, and many other covered entities trace back to unpatched MOVEit deployments.

The Largest Healthcare Data Breaches Reported In August 2023

  1. Colorado Department of Health Care Policy & Financing  –  4,091,794 individuals were affected by the hacking of MOVEit Transfer solution (Clop) at a business associate.
  2. Performance Health Technology  –  1,750,000 individuals affected by the hacking of MOVEit Transfer solution (Clop).
  3. PurFoods, LLC  –  1,229,333 individuals affected by a ransomware attack.
  4. Missouri Department of Social Services – 739,884 individuals were affected by the hacking of MOVEit Transfer solution (Clop) at a business associate.
  5. Radius Global Solutions  –  600,794 individuals affected by the hacking of MOVEit Transfer solution (Clop).
  6. The Harris Center for Mental Health and IDD  –  599,367 individuals affected by the hacking of MOVEit Transfer solution (Clop) at a business associate.
  7. Unum Group SACE  –  531,732 individuals affected by the hacking of MOVEit Transfer solution (Clop).
  8. Virginia Dept. of Medical Assistance Services  –  423,824 individuals affected by the hacking incident at a business associate.
  9. El Centro Del Barrio d/b/a CentroMed  –  350,000 individuals affected by a hacking incident.
  10. Morris Hospital & Healthcare Centers  –  248,943 individuals affected by the Royal Ransomware attack.
  11. EMS Management and Consultants Inc  –  223,598 individuals were affected by the hacking of MOVEit Transfer solution by Clop.
  12. Health Care Service Corporation  –  192,231 individuals were affected by the hacking incident at a business associate.
  13. The University of Massachusetts Chan Medical School  –  134,394 individuals were affected by the hacking of MOVEit Transfer solution by Clop.
  14. Illinois Department of Public Health  –  126,000 individuals affected by a hacking incident.
  15. VNS Health Plans  –  103,775 individuals were affected by hacking of MOVEit Transfer solution at a business associate by Clop.
  16. IEC Group, Inc. dba AmeriBen  –  74,884 individuals affected by unauthorized access to an email account.
  17. Data Media Associates  –  74,730 individuals were affected due to the hacking of MOVEit Transfer solution by Clop.
  18. Milan Eye Center  –  67,336 individuals were affected due to the hacking at a business associate, MedicWare Inc.
  19. American National Group, LLC  –  47,711 individuals were affected due to the hacking of MOVEit Transfer solution by Clop.
  20. Blue Cross Blue Shield of Arizona  –  47,485 individuals were affected due to a hacking incident at business associate TMG Health with confirmed data theft.
  21. Premera Blue Cross  –  33,212 individuals were affected due to hacking of MOVEit Transfer solution by Clop at a business associate.
  22. Self-insured group health plans sponsored by the City of Dallas  – 30,253 individuals affected due to Royal ransomware attack.
  23. Baesman Group, Inc.  –  24,757 individuals were affected due to hacking of MOVEit Transfer solution by Clop.
  24. Indiana University Health  –  21,383 individuals were affected due to hacking of MOVEit Transfer solution by Clop at a business associate.
  25. Serco Inc. Group Health Plan  –  10,140 individuals were affected due to hacking of MOVEit Transfer solution by Clop at a business associate.
  26. Absolute Dental Services  –  10,037 individuals affected by an email account breach.

Types Of Data Breach And Data Locations

Most of August’s data breaches were categorized as hacking and other IT incidents.

  • These account for 57 (83.8%) of the data breaches and 11,815,507 (99.2%) of breached records.
  • The average and median sizes of these data breaches were 207,290 records and 8,175 records, respectively.

The Main Causes Of Healthcare Data Breaches In August 2023

  • In the 10 data breaches categorized as unauthorized access or disclosure incidents, 90,468 records had been accessed or impermissibly disclosed.
  • The average and median data breach sizes were 9,047 records and 1,434 records.
  • One theft incident involved a stolen, unencrypted laptop computer with approximately 4,000 records.
  • There was no loss or improper disposal incident reported for this month.
  • In the many hacking incidents reported, the most common locations of breached data were network servers, followed by email accounts.

Where Did The Data Breaches Take Place?

  • The raw information from the OCR data breach website shows 30 healthcare providers, 19 health plans and 19 business associates reported data breaches in August.
  • These numbers do not tell the entire story, because the entity that submitted the report was not always the one that directly experienced the data breach.
  • Many data breaches happened at business associates of HIPAA-regulated entities, yet the covered entity, rather than the business associate, reported the incident to OCR.
  • The average and median breach sizes for business associates were 250,875 records and 10,037 records, compared with 89,344 records and 8,487 records for health plans and 83,425 records and 1,556 records for healthcare providers.

Geographical Distribution Of Data Breaches

  • Data breach reports involving 500 or more records were submitted by HIPAA-covered entities in 33 states and the District of Columbia.
  • Texas reported 7 data breaches and Illinois reported 6.
  • The states of California, Georgia, and Massachusetts reported 4 each.
  • Indiana, New York, Virginia, and Pennsylvania reported 3 each.
  • Colorado, Missouri, Minnesota, North Carolina, New Jersey, and Washington reported 2 each.
  • Arizona, Connecticut, Iowa, Idaho, Florida, Kentucky, Louisiana, Michigan, Maryland, Mississippi, Ohio, Oregon, Oklahoma, South Carolina, Utah, Tennessee, Vermont, West Virginia, and the District of Columbia reported 1 data breach each.

How To Prevent These Cyber Attacks

Prevention should be the first line of defense.

Investing in robust multi-factor authentication, endpoint detection and response tools, email security filters, and regular penetration testing must become standard practice.

Training staff to recognize phishing and social engineering is equally important.

However, entities also need response plans for when breaches do occur.

Having strong incident response and communication protocols in place with a qualified forensics team reduces the impact. Quickly isolating and investigating a breach can limit the damage.

The surge in hacking and malware incidents also underscores the importance of regularly patching and updating software. This month saw mass exploitation of a single unpatched vulnerability. Staying on top of patches and upgrades shrinks the attack surface.

Finally, the scale of third-party risk was on full display, with numerous breaches traced to vendors. Covered entities need greater visibility into the security of their business associates, through audits and stricter contracts.

Data Security Challenges Ahead

Overall, the report paints a sobering picture of the data security challenges facing healthcare organizations.

As breaches proliferate, there is a clear, urgent need for covered entities to:

  • Patch systems.
  • Enable multi-factor authentication.
  • Conduct risk assessments.
  • Have a response plan in place.

The Healthcare Data Breach Report for August 2023 found that there were 26 data breaches of 10,000 or more records reported to the HHS’ Office for Civil Rights (OCR) during the month.

Of those, 15 involved the records of 100,000 or more individuals, and 3 involved the records of more than 1 million individuals.

Rich Selvidge
Rich Selvidge is the President, CEO, & Co-founder of SecureTrust, providing singular accountability for all information security controls in the company.