Healthcare data breaches have been on the rise in recent years, with five significant incidents making recent headlines:
- HCA Healthcare’s data breach affecting 11 million patients was reported to be the largest data breach incident of 2023. A third party was used to automate the formatting of email messages. HCA says the breached information included patients, names, addresses, dates of birth, and information on patient service dates, locations, and the dates for the next appointments.
- PharMerica, the parent company of BrightSpring Health Services, reported a ransomware attack. PharMerica identified 5.8 million patients whose personal and limited medical information—names, dates of birth, Social Security numbers, medication lists, and health insurance information—were disclosed.
- Regal Medical Group disclosed that over 3.3 million patients had their personal and health information exposed in a December 2022 ransomware cyberattack. At least 11 lawsuits were filed against Regal within weeks following the disclosure, asking for monetary damages ranging between $100 and $3000 per class member.
- Cerebral, an online mental healthcare platform, informed over 3.1 million users of a data breach that stemmed from its use of tracking pixels. The information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic information.
- Anthem Inc., one of the largest health insurance companies in the United States, experienced a that exposed the personal information of approximately 80 million customers and employees.
These breaches have had severe consequences for patients and healthcare providers, including identity theft, financial loss, damage to reputation, and legal repercussions. To mitigate these risks, healthcare providers must prioritize protection of patient information by implementing up-to-date security measures, regular penetration and vulnerability testing, and robust data encryption.
According to the HIPAA Journal, healthcare data breaches have increased over the past 14 years, with 2021 marking a record year for reported breaches. More healthcare data breaches were reported in 2021 than in any other year since the Office for Civil Rights (OCR) began publishing records. Shockingly, nearly two healthcare data breaches were reported every day in 2021.
The HIPAA Journal has diligently compiled healthcare data breach statistics since October 2009, when the Department of Health and Human Services Office for Civil Rights first began summarizing these incidents on its website. As of December 31, 2022, 5,150 data breaches were reported to OCR, with 882 still under investigation by the end of that year. The report is set to be updated monthly in 2023, providing the latest figures on data breaches and HIPAA enforcement actions.
The financial implications of healthcare data breaches are significant. According to a report by the IBM Security and Ponemon Institute, the average cost of a healthcare data breach in the United States in 2023 reached an astounding $11 million, encompassing expenses related to lost business, legal fees, and regulatory fines. Furthermore, the HIPAA Journal estimates that the total cost of healthcare data breaches in the United States since 2009 amounts to a staggering $100 billion, considering costs associated with lost business, legal fees, regulatory fines, and other related expenses.
Healthcare data breaches jeopardize patient information privacy and security and pose substantial threats to patient financial data. These breaches can result in financial fraud, identity theft, medical billing complications, damaged credit scores, legal repercussions for patients and healthcare organizations, and loss of trust and patient engagement. Healthcare providers must prioritize safeguarding patient information by implementing strong security measures, conducting regular assessments, and encrypting sensitive data. This strategy is necessary to protect patients’ financial well-being and maintain trust in today’s increasingly digital healthcare landscape.