OCR Report Reveals Record Health Data Breaches in 2023
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reported to Congress that 2023 was a record-breaking year for healthcare data breaches, affecting nearly 135 million individuals.
Summary of the Event
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has submitted its annual reports for the 2023 calendar year to Congress. These reports paint a concerning picture of Health Insurance Portability and Accountability Act (HIPAA) compliance and data breaches. According to the report, 2023 set a new record for the number of large data breaches, meaning those affecting 500 or more individuals. A total of 725 large breaches were reported, resulting in the exposure of protected health information (PHI) for nearly 135 million people. This figure represents a 141% increase in the number of affected individuals compared to 2022.
Leaked Data and Scope
The data compromised in healthcare data breaches is protected health information (PHI), which is extremely sensitive and personal. Protected under HIPAA, this data includes private details about an individual's medical history, diagnoses, treatments, and insurance coverage. The types of data exposed in the 2023 breaches typically include:
- Personally Identifiable Information (PII): Full name, date of birth, address, and Social Security number.
- Medical Information: Diagnoses, treatment records, prescription information, lab results, and physician's notes.
- Health Insurance Information: Policy numbers, group numbers, and data related to insurance claims.
- Financial Information: Billing information related to medical services and sometimes credit card numbers.
The scope of these breaches is vast. The report counts 725 large breaches, where "large" means an incident affecting 500 or more individuals, the threshold at which HIPAA's Breach Notification Rule requires a covered entity to report the breach to OCR within 60 days of discovery. The most alarming statistic is the total number of people affected: 134,834,163. Because the same person can be counted in more than one breach, this is a tally of affected records rather than of distinct individuals, but it still means that a large share of the U.S. population may have had sensitive health data exposed, much of it to criminal actors. This situation highlights the weaknesses in the healthcare sector's cybersecurity posture and the growing threats it faces.
Technical Aspect of the Attack
The OCR report also details the primary causes of these data breaches. Most of the individuals affected in 2023 were caught up in external cyberattacks. Technically, the main factors behind the events are as follows:
Hacking and IT Incidents: The report shows that 80% of the nearly 135 million individuals affected in 2023, or about 108 million people, were victims of hacking and IT incidents. This category involves cybercriminals actively infiltrating the networks and systems of healthcare organizations. The most common attack vectors include ransomware attacks, phishing campaigns, and the exploitation of software vulnerabilities. In ransomware attacks, attackers encrypt data on systems, making it inaccessible, and then demand a ransom to restore access or to prevent the data from being published online.
Unauthorized Access and Disclosure: The second most common cause is unauthorized access or disclosure. These incidents are often internal. For example, an employee viewing patient records they are not authorized to see, or sensitive data being accidentally emailed to the wrong recipient, falls into this category. Although incidents of this kind occur often, each one typically affects far fewer individuals than a large-scale cyberattack.
The report specifies that network servers were the most common location of breached data. This indicates that attackers are targeting the central systems where an organization's data is concentrated, such as file servers, databases, and electronic health record systems, rather than individual workstations. It also explains how a single successful intrusion can compromise the data of millions of people.
Who Are the Affected Users
The individuals affected by the data breaches outlined in this report are patients who received services from U.S. healthcare providers, health plans, or their business associates in 2023. In short, millions of people living in the U.S. who received medical treatment, were insured, or used any health service are potentially affected. The victims are not customers of a single hospital or insurance company but patients and members of the many organizations behind the 725 separate breach reports filed across the country. The impact is therefore widespread and not limited to a specific geographical region or demographic group.
What Should You Do
It is difficult to know for certain whether your data was compromised in one of these breaches. Under HIPAA rules, affected individuals must be notified by the healthcare entity, and breaches affecting 500 or more individuals are also listed publicly on OCR's breach portal (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf), where you can search for a provider, insurer, or business associate by name. As a general precaution, all individuals are advised to take the following steps:
- Monitor Your Account Statements: Regularly check your bank and credit card statements to immediately detect any suspicious transactions.
- Review Your Explanation of Benefits (EOB): Carefully examine the EOB documents from your health insurer. Claims for medical services you did not receive could be a sign of medical identity theft.
- Be Wary of Phishing Attacks: Cybercriminals can use stolen personal information to send you targeted phishing emails. Do not click on links in suspicious emails that ask for personal information or passwords.
- Monitor Your Credit Reports: Regularly check your credit reports from the three major credit bureaus (Equifax, Experian, TransUnion) to look for unfamiliar accounts opened in your name. Consider placing a credit freeze if necessary.
The Organization's Statement
In this case, the "organization" is the regulatory and enforcement body itself, the Office for Civil Rights (OCR). In its report, OCR laid out the situation transparently and described its activities to ensure HIPAA compliance. OCR stated that it received 34,747 new complaints related to HIPAA violations in 2023 and resolved a total of 34,879 complaints, including those carried over from previous years. 98% of these complaints were resolved through voluntary compliance by the entities involved, without requiring a formal investigation.
Furthermore, OCR completed 19 HIPAA enforcement actions in 2023, resulting in a total of $4,176,500 in financial penalties. The report also notes that under the HITECH Act, a portion of collected penalties is to be distributed to individuals harmed by breaches, although OCR has not yet implemented the mechanism for doing so. OCR's report aims to highlight the seriousness of the situation while also demonstrating that its oversight and enforcement mechanisms are active.
Source
https://www.hipaajournal.com/ocr-reports-congress-hipaa-compliance-data-breaches-2023/