Tricerat Blog

Health IT Security Report: Top 7 Causes of HIPAA Breaches in 2024

Written by Tricerat | Nov 18, 2024 1:30:00 PM

In 2023, the healthcare sector saw a significant rise in data breaches, with 727 incidents impacting nearly 133 million individuals, roughly double the previous year's total. This trend continued into 2024, with 116 breaches reported in just the first quarter, affecting over 13 million individuals.

2024 Healthcare Data Breach Overview

Record-High Data Breaches in March 2024

March 2024 set a new record for healthcare data breaches. The HIPAA Journal reported a significant uptick, noting 93 breaches of 500 or more records reported to the HHS Office for Civil Rights (a 50% increase from February 2024 and a 41% increase YoY from March 2023). This marked the highest number of breaches reported in a single month since before the COVID-19 shutdown in 2020.

Biggest Healthcare Data Breaches in 2024 So Far (HHS OCR Database)

Concentra Health Services, Inc. (TX, Healthcare Provider, January 9, 2024):

  • Individuals Affected: 3,998,163
  • Type of Breach & Location: Hacking/IT Incident, Network Server

INTEGRIS Health (OK, Healthcare Provider, January 26, 2024):

  • Individuals Affected: 2,385,646
  • Type of Breach & Location: Hacking/IT Incident, Network Server

Medical Management Resource Group, L.L.C. (AZ, Business Associate, February 6, 2024):

  • Individuals Affected: 2,350,236
  • Type of Breach & Location: Hacking/IT Incident, Network Server

Priorities for Healthcare CIOs and CTOs in 2024

In 2024, healthcare CIOs and CTOs are focused on driving operational and financial efficiencies with strategic tech investments, from implementing EMR/ERP systems to managing supply chain risks and using AI to streamline patient care and operations. Cybersecurity is a top priority for safeguarding patient data and system integrity in a complex vendor ecosystem. IT security and data protection are the primary investments for 28% of healthcare leaders in 2024, as noted in a recent Gartner report.

Top 7 Causes of HIPAA Breaches in 2024

1. Ransomware and Hacking

Cyberattacks, especially ransomware and hacking, severely threaten healthcare data security. As reported by the HIPAA Journal, by December 2023, ransomware and hacking accounted for 83.78% of all data breaches in the healthcare sector, compromising 99.79% of affected records. In early 2024, over 5 million records were compromised in just one month. 

Examples of Recent Ransomware Attacks

MCNA Dental suffered a data breach from the LockBit ransomware group. The breach affected 9 million individuals and resulted in compromised personal information such as Social Security numbers. Despite a $10 million ransom demand, MCNA did not pay, and some data was leaked in April 2023.

In 2023, Change Healthcare, a UnitedHealth Group subsidiary, was hit by a major ransomware attack by the Blackcat group. The breach led to unauthorized access to the IT network, impacting a system that handles 15 billion billing transactions a year and processes about 50% of U.S. medical claims.

In a statement on April 22, 2024, UnitedHealth said the cyberattack may “cover a substantial proportion of people in America,” with estimates hovering over 100 million Americans impacted. 

2. Unauthorized Access and Internal Breaches

Insider threats often go unnoticed but play a significant role in data breaches, with unauthorized access by insiders accounting for 93% of reported incidents in 2023. Moreover, human factors such as social engineering, human errors, and misuse of privileges influenced 74% of all breaches, as indicated in Verizon's 2023 Data Breach Investigations Report.

Examples of Data Breaches Caused by Unauthorized Access

In 2020, a former employee at Montefiore Medical Center stole patient data, impacting over 4,000 patients. The data were used to purchase goods and fraudulent credit lines, impacting both the affected patients and the medical center's reputation.

The HCA Healthcare data breach, reported in July 2023, involved an unauthorized party making a list of certain patient information available on an online forum. The compromised data included various personal details such as names, locations, contact information, and appointment dates. The breach resulted from theft from an external storage location used for email formatting automation.

3. Supply Chain and Vendor Vulnerabilities

The WHO reports that supply chain attacks tripled in Q1 2024 compared to Q1 2023. Healthcare organizations rely on a web of suppliers and service providers to deliver care and manage operations. Each entity in this network is a potential cybercriminal target. With varying levels of cybersecurity maturity, third-party vendors can inadvertently become the Achilles' heel of data security.

Examples of Supply Chain Attacks in Healthcare 

A prime example of this occurred in 2020, when Blackbaud, a cloud computing provider renowned for its services to non-profits, including healthcare, fell victim to a cyberattack. This breach potentially exposed sensitive information from hundreds of healthcare entities relying on Blackbaud's solutions. 

In 2023, a prominent healthcare software vendor, Accellion, was breached, impacting numerous organizations worldwide, including those in the healthcare sector. The attackers exploited vulnerabilities in Accellion's file transfer application to access sensitive data. 

4. Impermissible Disclosure via Business Tracking Tools

Like supply chain vulnerabilities, healthcare companies' business tools pose a significant risk. In March 2024, the HHS issued a major update, providing new guidance on the use of online tracking technologies by HIPAA-covered entities and their partners. This update aimed to clarify how HIPAA regulations extend to data collected through cookies, device identifiers, etc., used on websites, mobile apps, and other platforms connecting to outlets like Google, Meta (Facebook), and TikTok.

Examples of Data Breaches by Online Tracking Technologies

In 2022, Advocate Aurora Health and Novant Health experienced data exposure incidents caused by misconfigured tracking tools on patient portals and websites. Advocate Aurora Health's incident affected 3 million individuals, while Novant Health's affected 1.3 million.

In 2023, Cerebral's health app experienced a data breach that affected 3.1 million users. The breach stemmed from third-party tracking pixels implemented on Cerebral's platform without securing HIPAA-required assurances from subcontractors, resulting in unauthorized PHI disclosure.
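The incidents above share one root cause: a third-party tracking script or pixel loaded on an authenticated portal page, so the tracker receives the page URL (and anything identifying in it) along with the user's browser identifiers. The scan below is an added illustration, not code from Tricerat or from any of the organizations named; it parses a page with the Python standard library, lists every resource fetched from a host other than the portal's own, flags those on a short illustrative tracker list, and checks whether the page URL itself carries identifying query parameters. The sample page, the portal hostname and the tracker list are constructed for the example.

```python
"""Find third-party resource loads on a patient-portal page and flag known trackers.

Added example; the tracker list and sample page below are constructed and
illustrative, not taken from any real portal.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Illustrative tracker domains (assumption: a real scan would use a curated,
# maintained list). Matched as exact host or any subdomain.
TRACKER_DOMAINS = {
    "googletagmanager.com",
    "google-analytics.com",
    "facebook.com",
    "facebook.net",
    "tiktok.com",
    "doubleclick.net",
}

# Query parameter names that would identify a patient or visit if leaked in a URL
SENSITIVE_PARAMS = ("patient", "mrn", "visit", "appointment")


class _ResourceCollector(HTMLParser):
    """Collects URLs from tags that make the browser fetch a resource."""

    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, raw url)

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.loads.append((tag, value))


def third_party_loads(html, page_url):
    """Return (tag, host, absolute_url) for each resource fetched off the page's own host."""
    parser = _ResourceCollector()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    out = []
    for tag, raw in parser.loads:
        absolute = urljoin(page_url, raw)  # resolve relative paths against the page
        host = urlsplit(absolute).hostname
        if host and host != own_host:
            out.append((tag, host, absolute))
    return out


def flag_trackers(loads, tracker_domains=TRACKER_DOMAINS):
    """Keep only loads whose host is a known tracker domain or a subdomain of one."""
    return [
        (tag, host, url)
        for tag, host, url in loads
        if any(host == d or host.endswith("." + d) for d in tracker_domains)
    ]


def url_carries_identifiers(page_url, sensitive=SENSITIVE_PARAMS):
    """Names of identifying query parameters present in the page URL.

    Any such value reaches every third party the page loads, via the Referer
    header or because tag managers send the full page URL."""
    query = parse_qs(urlsplit(page_url).query)
    return [name for name in sensitive if name in query]


# Constructed sample: an authenticated portal page with one first-party script,
# one first-party CDN stylesheet, a tag-manager script and a tracking pixel.
SAMPLE_PAGE_URL = "https://portal.example-hospital.test/appointments?visit=12345"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=TAG_ID_PLACEHOLDER"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.test/portal.css">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView">
<img src="/static/logo.png">
</body></html>
"""

if __name__ == "__main__":
    loads = third_party_loads(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for tag, host, url in flag_trackers(loads):
        print(f"tracker load: <{tag}> {host} -> {url}")
    for name in url_carries_identifiers(SAMPLE_PAGE_URL):
        print(f"identifying parameter in page URL: {name}")
```

Run against crawled portal HTML, the scan is a cheap first pass before the contractual review the HHS guidance calls for: every flagged host needs either a business associate agreement or removal, and any identifying parameter in a portal URL is a disclosure path regardless of which tags are present.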

5. IoT Devices and Network Servers

IoT devices in healthcare are a leading entry point for cyberattacks, with 70% of breaches in 2023 linked to vulnerable network servers (HIPAA Journal). These devices include printers, routers, and IP cameras and often lack sufficient security measures, making them vulnerable to hacking attempts. 

Examples of IoT Device Hacking in Healthcare

In 2023, Ardent Health Services suffered a major cybersecurity breach when hackers took advantage of a vulnerability in its IoT infrastructure. By hacking the hospital's networked temperature control systems, the breach allowed unauthorized access to the network and sensitive patient data.

In 2024, Medtronic faced a critical issue when unauthorized users remotely accessed a series of networked insulin pumps due to unsecured wireless connectivity. This allowed the attackers to manipulate dosage controls, posing a direct threat to patient safety. 

6. Overlooked Hardware and Printers

Printers are often overlooked in a company's security strategy but are "lucky charm" endpoints and targets for cyber-attacks. Recent reports show that insecure printing practices in companies lead to data loss and intellectual property theft: Only 1 in 5 IT decision-makers are confident about print infrastructure security, while 64% of companies report data loss due to insecure printing practices.

With 61% of organizations reporting data loss from unsecured printers in 2023, robust security protocols for these peripheral devices are crucial.

Examples of Printer Hacking in Healthcare

In 2021, Eskenazi Health suffered a ransomware attack by a group called Vice Society. The attackers exploited a security vulnerability known as PrintNightmare in Microsoft Windows servers to gain system privileges and install malware or ransomware. This led to the hospital shutting down its networks and ER, causing delays in procedures and diverting ambulances to other hospitals.

In 2022, OneTouchPoint, a major printing vendor, revealed that nearly 2.7 million individuals were affected by a breach. The breach impacted the vendor's healthcare clients, including 38 health plans, potentially exposing PHI. At least one health plan not on the reported list, Common Ground Healthcare Collaborative, reported 133,714 individuals affected by the OneTouchPoint hacking incident to HHS.

7. Noncompliance with HIPAA Security Rule

Despite the crucial role of the HIPAA Security Rule in safeguarding sensitive health data, many healthcare organizations face challenges in meeting compliance standards. The HHS OCR is entrusted with enforcing HIPAA regulations and handled over 353,000 complaints in 2023 alone. This led to civil money penalties and settlements, resulting in fines totaling around $142.53 million.

Example of HIPAA Security Rule Breaches in 2024 

In 2024, Montefiore Medical Center faced a significant HIPAA violation settlement, fined $4.75 million by the OCR for failing to conduct an adequate risk analysis and to implement procedures for reviewing records of activity after a security breach. This breach involved a former employee who improperly accessed and stole the data of 12,517 patients.
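Both the insider cases under cause 2 and the Montefiore settlement here come down to the same control: regularly reviewing who accessed which patient records, which the Security Rule's information system activity review requirement expects. The script below is an added example, not code from Tricerat or from any covered entity; it reads EHR-style audit-log lines and raises three kinds of finding that a review procedure would look for: access by a deprovisioned account, access to patients the user has no documented care relationship with, and bulk access to many distinct patients in a short window. The log format, the care-team mapping, the terminated-user set and the thresholds are all assumptions constructed for the example.

```python
"""Review EHR audit-log entries for access patterns that a HIPAA information
system activity review should surface.

Added example. The log format, care-team data, terminated-account list and
thresholds are constructed assumptions, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <user> <patient_id> <action>"
SAMPLE_LOG = """\
2024-03-04T08:02:11 nurse_a P1001 VIEW
2024-03-04T08:05:40 nurse_a P1002 VIEW
2024-03-04T08:06:02 clerk_b P1001 VIEW
2024-03-04T08:06:30 clerk_b P1003 VIEW
2024-03-04T08:06:45 clerk_b P1004 EXPORT
2024-03-04T08:07:01 clerk_b P1005 EXPORT
2024-03-04T08:07:20 clerk_b P1006 EXPORT
2024-03-04T09:15:00 former_c P1007 VIEW
"""

# Constructed reference data; in practice this comes from scheduling and HR systems.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1001"},
}
TERMINATED_USERS = {"former_c"}

BULK_THRESHOLD = 3                 # distinct patients in one window that triggers a finding
BULK_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; skips blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return entries


def _bulk_access(entries, threshold, window):
    """Flag users who touched >= threshold distinct patients within any window."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(rows):          # sliding window anchored at each entry
            seen = set()
            for row in rows[i:]:
                if row["ts"] - start["ts"] > window:
                    break
                seen.add(row["patient"])
            peak = max(peak, len(seen))
        if peak >= threshold:
            findings.append(("bulk_access", user,
                             f"{peak} distinct patients within {window}"))
    return findings


def review_access(entries, care_team, terminated, threshold=BULK_THRESHOLD,
                  window=BULK_WINDOW):
    """Return findings as (rule, user, detail) tuples."""
    findings = []
    for e in entries:
        if e["user"] in terminated:
            findings.append(("terminated_account", e["user"],
                             f"{e['action']} on {e['patient']} at {e['ts'].isoformat()}"))
            continue  # already the strongest finding for this entry
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append(("no_care_relationship", e["user"],
                             f"{e['action']} on {e['patient']} at {e['ts'].isoformat()}"))
    findings.extend(_bulk_access(entries, threshold, window))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access(parse_log(SAMPLE_LOG), CARE_TEAM,
                                            TERMINATED_USERS):
        print(f"{rule:22} {user:10} {detail}")
```

The care-relationship rule is the one that catches a Montefiore-style case, where a valid account browses patients it has no reason to see; the terminated-account rule catches the gap between HR offboarding and account removal, and the bulk rule catches exfiltration-style pulls. Thresholds must be tuned per role, since a billing clerk legitimately touches far more charts per hour than a floor nurse.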