Healthcare Data Breach Volume Dips As Number of Compromised Records Rises

Despite an overall decrease in healthcare data breach volume in the first half of the year, the number of records compromised increased by 31% compared to the second half of 2022.

By Jill McKeon

Healthcare data breaches remain a troubling and frequent occurrence despite an observed dip in the number of breaches reported to HHS in the first six months of 2023, Critical Insight noted in its H1 2023 Healthcare Data Cyber Breach Report.

While the number of breaches dropped 15 percent in the first six months of the year compared to the latter half of 2022, the number of records compromised jumped by 31 percent. As previously reported, nearly 40 million records were implicated in healthcare data breaches reported to HHS from January to June.

This means that of the 308 breaches reported in the first half of the year, a few large-scale data breaches took their toll on victim organizations and patients. Some of the largest breaches reported in the first half of the year included an attack on dental benefits administrator Managed Care of North America, which impacted 8.9 million records.

What’s more, pharmacy services provider PharMerica suffered a ransomware attack that compromised 5.8 million records.

“The Managed Care of North America and PharMerica breaches were the third and fourth largest ever reported,” Critical Insight noted.

“The average number of individuals affected per breach also hit an all-time high of 131,000, which reflects the lower number of breaches and the impact of the large breaches on the overall average.”

Since the report strictly focused on breaches reported to HHS in the first half of 2023, it did not even include several high-profile breaches that will make 2023’s total breach tally much higher. For example, HCA Healthcare reported its large-scale data breach to HHS at the end of July, which impacted more than 11 million records.

With this in mind, 2023 is shaping up to be an unprecedented year for healthcare data breaches. Additionally, threat actors are continuing to target third-party business associates, further expanding the attack surface.

“In the first half of 2023, breaches involving business associates affected 304,191 individuals on average per breach,” the report added. “This is significantly higher than the average number of individuals affected per breach in healthcare provider breaches (85,680) and health plan-related breaches (84,240).”

As healthcare organizations strengthen their defenses, hackers are still finding ways to access sensitive data. Network server breaches accounted for 77 percent of all incidents, while email-related breaches accounted for 19 percent.

“Organizations have since improved their defenses against phishing attacks, resulting in a consistent decline in email-related hacks. As a result, hackers have shifted their tactics towards targeting network vulnerabilities,” the report stated, speaking to the ever-changing tactics of cyber threat actors.

These trends indicate that threat actors will continue to shift their techniques to account for increased safeguards implemented by healthcare organizations. To the report authors, this trend underscored the importance of preparation, early detection, and incident response.

The report recommended that healthcare organizations craft a thorough incident response plan and leverage the NIST Cybersecurity Framework to mitigate risk. In addition, Critical Insight stressed the importance of effective third-party risk management.

“The results of this analysis support the hypothesis that cybercriminals are continually evolving their tactics to minimize risk and maximize the return on effort,” said Mike Hamilton, founder and CISO at Critical Insight, in an accompanying press release.

“Focusing on business associates that perform a service for covered entities should give all these providers pause. Fines, additional regulatory scrutiny, class actions, and enforcement of the False Claims Act will affect these organizations for years.”