The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

December 2022 Healthcare Data Breach Report

Posted By on Jan 16, 2023

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022 – The lowest monthly total of the year and 32% fewer data breaches than the average monthly for 2022. The year ended with 707 data breaches, which is a year-over-year reduction of 1.12% from the 715 reported in 2022. Only one other year has seen a fall in recorded data breaches (2015).

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 4,325,302 records per month and 68.5% fewer breached records than in November. While this is undoubtedly great news, even with this reduction, 2022 was one of the worst-ever years for healthcare data breaches with more than 51.9 million records exposed or impermissibly disclosed from January 1, 2022, to December 31, 2022.

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
CommonSpirit Health IL Business Associate 623,774 Ransomware attack with business associate involvement
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare TX Healthcare Provider 612,000 Ransomware attack
Avem Health Partners OK Business Associate 271,303 Hacking Incident at a business associate
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System LA Healthcare Provider 269,752 Ransomware attack
Fitzgibbon Hospital MO Healthcare Provider 112,072 Ransomware attack
Monarch NC Healthcare Provider 56,155 Hacking Incident – No information released
Ola Equipment LLC HI Business Associate 39,000 Hacking Incident – No information released
The Elizabeth Hospice CA Healthcare Provider 35,496 An employee sent PHI to a personal email account
Legacy Operating Company d/b/a Legacy Hospice AL Healthcare Provider 21,202 Compromised email accounts
Employee Group Insurance Benefits Plan of Acuity Brands, Inc. GA Health Plan 20,849 Hacking incident (data theft confirmed)
San Gorgonio Memorial Hospital CA Healthcare Provider 16,846 Hacking incident (data theft confirmed)
Hawaiian Eye Center HI Healthcare Provider 14,524 Ransomware attack
Foundcare, Inc. FL Healthcare Provider 14,194 Compromised email account

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents – 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents– 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, with 12 incidents involving hacked email accounts.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Causes of December 2022 Healthcare data breaches

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.

December 2022 healthcare data breaches - location of breached PHI

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches reported of 500 or more records. Business associates reported 11 data breaches and 5 data breaches were reported by 5 health plans. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

December 2022 healthcare data breaches - HIPAA-regulated entity type

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

State Reported Data Breaches
California 4
Florida, New York, Texas & Washington 3
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia 2
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia 1

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist