HAP's Latest News

A Look at Health Care Data Breaches

February 22, 2024

The federal Office for Civil Rights (OCR) today delivered its annual report on data breaches in health care, indicating a significant increase in large-scale incidents over the last five years.

The latest report indicates that breaches affecting 500 or more individuals rose 107 percent from 2018 to 2022. The report also comes as a major UnitedHealth Group subsidiary, Change Healthcare, announced it was dealing with a cybersecurity issue that forced the organization to disconnect its systems.

“Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter,” the organization said in a statement this afternoon. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. At this time, we believe the issue is specific to Change Healthcare and all other systems across UnitedHealth Group are operational.”

The OCR reports are a requirement of Congress and are part of an effort to ensure “privacy and security safeguards for protected health information, and give individuals rights with respect to that information, such as the right to access their health information.”

Here’s what you need to know:

  • The issue:  In an increasingly digital world, health care organizations are responsible for an array of health care data that makes them targets for digital attacks from bad actors.
  • Large breaches:  There were 626 breaches reported affecting 500 or more individuals, a slight increase from 2021, but down from a high of 656 in 2020.
  • Small breaches:  The number of reported small breaches (63,966) affecting fewer than 500 individuals increased 1 percent during 2022. 
  • Enforcement:  Following complaints, OCR completed 846 compliance reviews during 2022 and required corrective action plans or civil monetary penalties in 60 percent of those cases. Payments totaled $2.4 million.
  • Quotable:  “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The OCR also released its 2022 report about unsecured breaches, finding that hacking/IT incidents remain the largest category of large breaches, comprising 77 percent of those incidents. Network servers (58 percent) were the most common location for large breaches.

The report highlighted the need for:

  • Risk analysis and risk management
  • Information system activity review
  • Audit controls
  • Response and reporting
  • Person or entity authentication

HAP will continue to monitor federal regulatory activity and other health care cybersecurity trends and provide updates to members. For questions, contact Jason Tomashunas, MS, CHEP, manager, emergency management.

Members of the American Hospital Association (AHA) also are encouraged to avail themselves of the valuable expertise and experience of John Riggi, the AHA’s Senior Advisor for Cybersecurity and Risk. AHA is planning a members-only briefing on the Change Healthcare incident tomorrow.