January 2023 Healthcare Data Breach Report
January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.
For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed, the lowest monthly total since June 2020 and well below the 12-month average of 4,209,121 breached records a month.
Largest Healthcare Data Breaches in January 2023
In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which were due to the use of tracking technologies on websites, including the month’s second-largest breach at BayCare Clinic. The tracking code collected individually identifiable information, including health information, of website users and transmitted that information to third parties such as Google and Meta. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider, mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.
HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
Community Psychiatry Management, LLC (Mindpath Health) | NC | Healthcare Provider | 193,947 | Compromised email accounts |
BayCare Clinic, LLP | WI | Healthcare Provider | 134,000 | Impermissible disclosure of PHI due to website tracking technology |
DPP II, LLC (Home Care Providers of Texas) | TX | Healthcare Provider | 125,981 | Ransomware attack (data theft confirmed) |
Jefferson County Health Center (Jefferson County Health Department) | MO | Healthcare Provider | 115,940 | Hacked network server |
UCLA Health | CA | Healthcare Provider | 94,000 | Impermissible disclosure of PHI due to website tracking technology |
mscripts®, LLC | CA | Business Associate | 66,372 | PHI exposed due to misconfigured cloud storage |
Circles of Care, Inc. | FL | Healthcare Provider | 61,170 | Hacked network server |
Howard Memorial Hospital | AR | Healthcare Provider | 53,668 | Hacked network server |
Stroke Scan Inc | TX | Healthcare Provider | 50,000 | Hacking Incident – No public breach announcement |
University of Colorado Hospital Authority | CO | Healthcare Provider | 48,879 | Hacking incident at business associate (Diligent) |
Insulet Corporation | MA | Healthcare Provider | 29,000 | Impermissible disclosure of PHI due to website tracking technology |
City of Cleveland | OH | Health Plan | 15,206 | Unauthorized access/disclosure incident – No public breach announcement |
DotHouse Health Incorporated | MA | Healthcare Provider | 10,000 | Hacked network server |
Causes of January 2023 Healthcare Data Breaches
Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,361 records and the median breach size was 5,264 records.
There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.
Where Did the Data Breaches Occur?
Healthcare providers were the worst affected HIPAA-covered entity with 31 reported data breaches and 5 data breaches were reported by health plans. While there were only 4 data breaches reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement. 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.
The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at healthcare providers, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.
Geographical Spread of January Data Breaches
California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 18 U.S. states.
State | Breaches |
California | 7 |
Texas | 6 |
Georgia, Massachusetts, Missouri & Pennsylvania | 3 |
Florida, New York & North Carolina | 2 |
Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin | 1 |
HIPAA Enforcement Activity in January 2023
The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.