Our August 2023 Healthcare Data Breach Report reveals concerning trends in the number and scale of data breaches plaguing the healthcare industry.
In August alone, 26 major breaches exposed the records of over 11 million individuals.
Hacking and IT incidents accounted for nearly all reported breaches, with email and network servers emerging as prime targets.
Mass exploitation of vulnerabilities in file transfer software led to several of the largest single breaches.
Other notable findings from the report include:
The Right of Access provision under HIPAA grants patients the right to request and obtain copies of their medical records from healthcare providers and health plans.
Covered entities must provide the requested records within 30 days in most cases.
In the action against UnitedHealthcare, OCR found the insurer had failed to provide a patient with timely access to their records after a request was made. The records were provided months after the 30-day deadline.
OCR determined this violation warranted a financial penalty of $80,000.
This enforcement action shows that OCR takes Right of Access compliance seriously and is willing to impose fines for noncompliance.
Timely access to medical records is critical for patients to manage their care, share information with other providers, and verify billing accuracy.
When HIPAA-covered entities like UnitedHealthcare ignore or delay requests, it hinders patient rights and healthcare delivery.
By fining violators like UnitedHealthcare, OCR aims to enforce the Right of Access while signaling to the broader healthcare industry that access problems will not be tolerated.
Continued violations can trigger larger penalties, audits, and corrective action plans.
In mid-June 2023, Progress Software issued a patch for a critical zero-day vulnerability affecting its MOVEit Transfer file transfer product.
The vulnerability allowed remote attackers to execute arbitrary code and commands.
The patch was released on June 15, 2023, but many organizations using MOVEit failed to apply it promptly and had still not done so by the time the vulnerability was exploited in August.
This patching delay left them exposed when threat actors began actively exploiting the vulnerability in August 2023.
The sophisticated Russia-linked ransomware group known as Clop was one of the first to leverage the MOVEit flaw to breach entities like healthcare providers and insurers.
By exploiting the vulnerability, Clop and other attackers could gain initial access to systems, disable security tools, and exfiltrate sensitive data before deploying ransomware across networks.
The unpatched MOVEit software provided an ideal entry point.
The lack of timely patching enabled the vulnerability to be mass-exploited across the healthcare sector.
Major breaches at Performance Health Technology, PurFoods, and many other covered entities trace back to unpatched MOVEit deployments.
Most of August’s data breaches were categorized as hacking and other IT incidents.
Prevention should be the first line of defense.
Investing in robust multi-factor authentication, endpoint detection and response tools, email security filters, and regular penetration testing must become standard practice.
Training staff to recognize phishing and social engineering is equally important.
However, entities also need response plans for when breaches do occur.
Having strong incident response and communication protocols in place with a qualified forensics team reduces the impact. Quickly isolating and investigating a breach can limit the damage.
The surge in hacking and malware incidents also underscores the importance of regularly patching and updating software. This month saw mass exploitation of a single unpatched vulnerability. Staying on top of patches and upgrades shrinks the attack surface.
Finally, the scale of third-party risk was on full display, with numerous breaches traced to vendors. Covered entities need greater visibility into the security of their business associates, through audits and stricter contracts.
Overall, the report paints a sobering picture of the data security challenges facing healthcare organizations.
As breaches proliferate, there is a clear urgent need for covered entities to:
The Healthcare Data Breach Report for August 2023 found that there were 26 data breaches of 10,000 or more records reported to the HHS’ Office for Civil Rights (OCR) during the month.
Of those, 15 involved the records of 100,000 or more individuals, and 3 involved the records of more than 1 million individuals.