Healthcare data breaches are continuing to impact the healthcare sector at alarming rates, even as healthcare organizations continue to adopt the latest security solutions to keep pace with the influx of new cyber threats.
The healthcare sector suffered about 295 breaches in the first half of 2023 alone, according to the HHS Office for Civil Rights (OCR) data breach portal. More than 39 million individuals were implicated in healthcare data breaches in the first six months of the year.
Below, HealthITSecurity has compiled a list of the top ten biggest healthcare data breaches reported to the HHS Office for Civil Rights (OCR) data breach portal this year as of late June 2023, based on the number of individuals impacted for each event. It is important to note that this list refers to breaches reported to OCR in 2023, but a few occurred in 2022 or earlier.
Some of the biggest breaches so far this year stemmed from known cybersecurity vulnerabilities in Fortra’s GoAnywhere managed file transfer (MFT) solution and attacks on other third-party vendors, while others involved direct cyberattacks against healthcare organizations.
Managed Care of North America: 8,861,076 Individuals Impacted
Managed Care of North America (MCNA) suffered a major healthcare data breach between February 26 and March 7, 2023, when its systems were infected with malicious code. Further investigation revealed that an unauthorized party had accessed certain systems and removed copies of personal information.
MCNA is a dental benefits administrator that provides services to Medicaid and CHIP programs across eight states. Approximately 8.9 million people, including patients, parents, guardians, or guarantors, were affected by this incident.
The data involved included protected health information (PHI) such as names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information, Medicare/Medicaid ID numbers, group plan names and numbers, and information related to the dental and orthodontic care provided. The types of compromised information varied from individual to individual.
The LockBit ransomware group claimed responsibility for the data breach, reportedly leaking a portion of the stolen data onto the dark web and holding the rest hostage for ransom.
MCNA responded to the data breach by taking measures to rectify the situation and bolster its cybersecurity to avert future breaches.
“We are sorry for any concern this event may cause. We are mailing letters to people whose information may have been involved in this event,” MCNA said.
PharMerica Corporation: 5,815,591 Individuals Impacted
Long-term care pharmacy network PharMerica disclosed a breach to OCR in May that impacted more than 5.8 million individuals. PharMerica is a Fortune 1000 company headquartered in Louisville, Kentucky and is operated by parent company BrightSpring Health Services.
PharMerica discovered suspicious activity within its network on March 14, 2023, later determining that an unknown party had accessed its computer systems and potentially obtained personal information.
The information involved in the breach included names, Social Security numbers, addresses, birth dates, medication information, and health insurance information. A breach notice provided to the Maine Attorney General’s Office was addressed to estate executors, meaning that some portion of the impacted individuals were deceased.
PharMerica urged executors to request copies of the deceased individual’s credit report and to place alerts on the file with major credit reporting agencies.
PharMerica said it had “no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”
Regal Medical Group: 3,388,856 Individuals Impacted
Regal Medical Group disclosed a breach to OCR in February 2023 that occurred in December 2022. Regal Medical Group is an affiliate of Heritage Provider Network (HPN) that consists of Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.
On December 2, Regal employees “noticed difficulty in accessing some of our servers,” the notice to patients stated. Regal later discovered that a threat actor had deployed malware on its server and had accessed and exfiltrated sensitive data.
The data involved in the incident may have included names, addresses, Social Security numbers, dates of birth, lab test results, prescription data, diagnoses, radiology reports, health plan numbers, and phone numbers.
Regal worked with third-party vendors to assist in its response and restored access to its systems.
Cerebral: 3,179,835 Individuals Impacted
Online mental healthcare platform Cerebral notified more than 3.1 millionusers of a data breach that stemmed from its use of tracking pixels. As previously reported, several United States senators sent letters to telehealth companies in February, including Cerebral, to address concerns over their health data privacy practices.
Specifically, the Senators took issue withreportsthat these companies have been tracking their customers’ sensitive health information and sharing it with third-party advertiserssuch as Metaand Google.
In March, Cerebral issued a breach notification stating that “like others in many industries, including health systems, traditional brick and mortar providers, and other telehealth companies, Cerebral has used what are called ‘pixels’ and similar common technologies (‘Tracking Technologies’), such as those made available by Google, Meta (Facebook), TikTok, and other third parties (‘Third-Party Platforms’), on Cerebral’s Platforms.”
Cerebral implemented these technologies when it began operations in October 2019 until it launched a review of its data sharing practices a few years later. On January 3, 2023, Cerebral determined that it had disclosed protected health information (PHI) to certain subcontractors “without having obtained HIPAA-required assurances.”
“If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information,” the notice stated.
“If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.”
Other telehealth companies have faced enforcement actions from the Federal Trade Commission (FTC), showing that the commission is committed to cracking down on improper health data privacy and security practices.
NationsBenefits Holdings: 3,037,303 Individuals Impacted
NationsBenefits, which provides supplemental benefits administration services to healthcare plans, reported a breach to OCR in April that impacted more than 3 million individuals. California-based Santa Clara Health Plan (SCHP) was one of the organizations impacted by the NationsBenefits breach.
NationsBenefits reported that the breach stemmed from a known vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution. NationsBenefits determined that certain members’ personal information was impacted by the incident in mid-February. The impacted information included names, demographic information, health insurance numbers, Social Security numbers, dates of service, phone numbers, and provider names.
NationsBenefits said it immediately stopped using Fortra’s software and implemented additional processes to strengthen its security posture.
The Health Sector Cybersecurity Coordination Center (HC3)issued an alert in February to warn the healthcare sector specifically aboutClop ransomware’s use of the Fortra vulnerability. Clop claimed to have conducted a mass cyberattack against 130 organizations.
Harvard Pilgrim Health Care: 2,550,922 Individuals Impacted
Point32Health, the parent company of Harvard Pilgrim Health Care and Tufts Health Plan, suffered a ransomware attack on April 17. The impacted systems affected only the Harvard Pilgrim Health Care side of the business.
After detecting suspicious activity, Point32Health took its Harvard Pilgrim Health Care systems offline to contain the threat. The organization has since notified more than 2.5 million individuals that files containing the personal information of current and former subscribers and dependents were involved in the incident.
Point32Health has made an effort to enhance the security of its systems in the aftermath of the incident by enhancing user access protocols and vulnerability scanning, implementing a new Endpoint Detection and Response (EDR) security solution, and conducting password resets for administrative accounts.
Enzo Biochem: 2,470,000 Individuals Impacted
New York-based molecular diagnostics company Enzo Biochem suffered a data breach that exposed the clinical test information of 2,470,000 individuals, and the Social Security numbers of 600,000 of those individuals.
The company suffered a ransomware attack on April 6 that impacted certain information technology systems. Following the discovery, Enzo said it immediately disconnected its systems from the internet, notified law enforcement, and engaged a cybersecurity firm. The company continued to remain open and provide services to patients throughout the response.
“The Company has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. Further, the Company remains subject to risks and uncertainties as a result of the incident, including as a result of the data that was accessed or exfiltrated from the Company’s network as noted above,” Enzo stated in a Securities and Exchange Commission (SEC) filing.
“Additionally, security and privacy incidents have led to, and may continue to lead to, additional regulatory scrutiny. The Company is in the process of evaluating the full scope of the costs and related impacts of this incident.”
ZOLL Services: 997,097 Individuals Impacted
In March, ZOLL Medical Corporation notified nearly one million individuals of a data breach. ZOLL develops novel resuscitation and acute critical care technology.
ZOLL detected suspicious network activity on January 28, 2023 and immediately took steps to investigate. By early February, the company had determined that names, addresses, Social Security numbers, and birth dates were potentially compromised.
“It is important to be careful when receiving emails or other communications from unknown individuals, including any communications with your medical details. You may also take advantage of the complimentary identity protection services being offered,” the company noted in its breach notice at the time.
Community Health Systems: 962,884 Individuals Impacted
Along with NationsBenefits and other organizations, Community Health Systems (CHS) was impacted by a vulnerability in Fortra’s GoAnywhere MFT solution.
The Franklin, Tennessee-based health system is one of the largest healthcare providers in the US, operating 79 hospitals across 16 states. According to an SEC filing, CHS was notified by Fortra of a “security incident that resulted in the unauthorized disclosure of company data.” As a result of the hack, the protected health information (PHI) of approximately one million individuals was exposed.
“Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker,” the filing stated.
At the time, CHS stated that it did not believe that the breach had any impact on CHS’ information systems or business operations.
CentraState Healthcare System: 617,901 Individuals Impacted
CentraState Healthcare System in New Jersey began experiencing an IT network issue in the final days of December 2022 that forced it to revert to paper records and divert ambulances to nearby hospitals.
Further investigation determined that an unauthorized party had obtained a copy of an archived database containing patient information. The information varied by individual, but included names, addresses, Social Security numbers, medical record numbers, health insurance information, and patient account numbers, as well as treatment plans and diagnoses.
CentraState notified more than 617,000 individuals of the breach in early February and encouraged patients to review provider and insurance statements.
“Events of this nature are affecting an increasing number of companies in the U.S. and around the world, and federal government, law enforcement and industry experts are working in tandem to address this unlawful criminal activity,” the official breach notice stated.
