76 HIPAA Breach Report statistics for 2023

This analysis presents a data-driven examination of HIPAA breach reports filed with the OCR, covering both resolved and unresolved cases from 2023 and 2022.

Utilizing data directly from the OCR, this analysis dissects the reported breaches, focusing on patterns across various dimensions such as breach type, location of breached information, and the presence of business associates.

The raw data can be found here and here.

Table of contents:

• 2023 HIPAA breach statistics
• Type of HIPAA breach
• Location of HIPAA breach
• Business associates' involvement in breaches
• Employees and HIPAA breaches
• HIPAA breaches by state
• Repeat HIPAA breaches in 2022 and 2023
• Top 10 HIPAA breaches
• Top 10 HIPAA breaches involving business associates
• The impact of HIPAA breaches in 2023
• Take action in 2024

The Bottom Line: Data sets show a high prevalence of Hacking/IT incidents, with Email also often implicated in breaches. The frequent involvement of business associates highlights the urgent need to reassess third-party risk management strategies.

2023 HIPAA breach statistics

• 265 breaches from the year 2022 are still under investigation.
• There were 720 breaches in 2022.
• There were 733 breaches in 2023.
• Healthcare providers experienced 62.3% of breaches in 2023.
• Business associates experienced 23.4% of breaches in 2023.
• Health plans accounted for 14% of breaches in 2023.
• Healthcare Clearing Houses experienced only 0.3% of breaches in 2023.
• Hacking/IT incidents account for the majority of breaches, with ransomware attacks being particularly disruptive.
  
• Business Associates are present in many breaches, highlighting the amplified risks they bring.
  
• The largest breach affected over 11 million individuals, signifying severe impacts when systems are compromised.
  
• The keyword "ransomware" was prevalent in the resolved HIPAA breach descriptions, mentioned in 169 cases, indicating a significant impact of ransomware attacks.
  
• "Email" was a common keyword, appearing in 147 resolved cases, suggesting email-related vulnerabilities play a substantial role in these breaches.
  
• "Phishing" was notably mentioned in 101 resolved cases, highlighting its prominence as an email-based security threat.
  
• In contrast, "hacking" was mentioned less frequently, appearing in only 15 resolved cases.

Related: HIPAA Compliant Email: The Definitive Guide

Type of HIPAA breach

The data indicates that "Hacking/IT Incident" breaches are by far the most prevalent type in 2023, constituting the vast majority of cases.

• Hacking/IT incidents were approximately 80% of breaches.
• Unauthorized Access/Disclosure accounted for 17% of breaches.
• Theft, improper disposal, and loss altogether accounted for less than 3% of HIPAA violations.

Location of HIPAA breach

A heavy concentration of breaches involved network servers and email systems.

• 67% of breaches involved Network Server in 2023.
• Email was involved in 18% of breaches in 2023.
• Paper/Films were involved in only 5.18% of breaches in 2023.
• Only 2.46% of breaches involved Electronic Medical Record.
• Other accounted for 1.50% of 2023's breaches.
• Desktop Computer, Other Portable Electronic Device, and Laptop each accounted for less than 1% of breaches in 2023.
• In 2023, where the Location of Breached Information was Network Server, about 93% were due to a Hacking/IT Incident. This was a mere 1% increase from 2022.
• Unauthorized Access/Disclosure accounted for the remaining 7% of Network Server breaches, down by 6.5% from 2022.
• In 2023, where the Location of Breached Information was Email, 75% were due to a Hacking/IT Incident - a 15% decrease from 2022.
• Unauthorized Access/Disclosure accounted for the remaining 25% of Email breaches in 2023, up a massive 115.5% from 2022. 
• The total number of HIPAA breaches where the Location of Breached Information was a Network Server was 406 breaches in 2022 and 492 breaches in 2022 - a notable increase.
• Phishing was involved in 75% of cases where the Location of Breached Information was Email in 2023.
• Approximately 45.91% of the resolved HIPAA breaches where the Location of Breached Information was a Network Server involved ransomware. 

Business associates' involvement in breaches

A Business Associate was involved in over a third of the breaches in 2023.

• In 2023, for all HIPAA breaches (both resolved and under investigation), the percentage where a Business Associate was present was 37.5%.
• Hacking/IT Incidents were the leading breach type for both Business Associates and Healthcare Providers.
  • In 2023, Hacking/IT Incidents dominated HIPAA breaches among Business Associates, accounting for approximately 84.80%, while Unauthorized Access/Disclosure and Theft followed with 14.04% and 1.17% respectively.
  • For Healthcare Providers, Hacking/IT Incidents were also the most common, representing about 78.07% of breaches, with Unauthorized Access/Disclosure at 18.20%.
  • Unauthorized Access/Disclosure was a significant breach type in both categories.
• Network Servers and Email emerged as the top locations for breached information in both Business Associates and Healthcare Providers.
  • In 2023 HIPAA breaches among Business Associates, Network Servers were the most common location, comprising about 81.87%, followed by Email at 9.36%, Paper/Films at 5.26%, with Other, Desktop Computers, and Other Portable Electronic Devices accounting for smaller percentages.
  • Network Servers again topped the list for Healthcare Providers with 60.09%, but Email breaches were more common at 22.15%. 

Employees and HIPAA breaches

• In 2023, 26.67% of resolved HIPAA breach cases mentioned "employee" in their descriptions.
• The year 2022 saw a higher incidence, with 33.41% of HIPAA breach cases referencing employee involvement.
• In 2023, email breaches with an "employee" mention comprised 79.17%, a decrease from 2022's 89.11%, yet still indicating a high prevalence of employee involvement in email-related HIPAA breaches.
• Network server breaches showed fewer employee mentions, with 7.23% in 2022 and 6.54% in 2023.

HIPAA breaches by state

• California led the states in 2023, with 11.05% of HIPAA breaches, followed closely by New York at 8.59% and Texas at 7.91%.
• Pennsylvania and Massachusetts contributed moderately to the breach statistics, with 5.46% and 5.32% respectively.
• Illinois recorded 5.18% of the breaches, while Florida's share stood at 4.50%.
• Georgia and New Jersey each accounted for an equal percentage of breaches at 2.86%.
• Michigan rounded out the top 10 states with 2.32% of the HIPAA breaches in 2023

Repeat HIPAA breaches in 2022 and 2023

• United Healthcare Services, Inc. leads the list with 6 unique HIPAA breach incidents after adjusting for multiple breaches on the same date.
• Benefit Plan Administrators, Inc. and Brightline, Inc. are tied for the second spot, each recording 5 unique breach incidents.
• Indiana University Health, BlueCross BlueShield of Tennessee, Inc., Aetna ACE, Molina Healthcare, and Fred Hutchinson Cancer Center each reported 3 unique incidents.
• UCLA Health and Healix Infusion Therapy, LLC experienced 2 unique HIPAA breaches apiece.

Top 10 HIPAA breaches

• HCA Healthcare (TN) tops the list in 2023 with a massive breach affecting 11,270,000 individuals, involving a business associate and classified as a hacking/IT incident, among others, on 07/31/2023.
• Perry Johnson & Associates, Inc. (NV) follows with a breach impacting 8,952,212 individuals, attributed to a business associate's network server hacking incident on 11/03/2023.
• Managed Care of North America (MCNA) (GA) reported a significant breach affecting 8,861,076 individuals, involving a business associate's network server hacking incident on 05/26/2023.
• Welltok, Inc. (CO) experienced a breach affecting 8,493,379 individuals, also due to a business associate's network server hacking incident, occurring on 11/06/2023.
  
• PharMerica Corporation (KY), a healthcare provider, faced a breach impacting 5,815,591 individuals, stemming from a network server hacking incident on 05/12/2023.
• HealthEC LLC (NJ) saw 4,452,782 individuals affected due to a business associate's network server hacking incident on 12/21/2023.
• Reventics, LLC (FL) reported a breach affecting 4,212,823 individuals, involving a business associate's network server hacking incident on 02/10/2023.
• Colorado Department of Health Care Policy & Financing (CO) had 4,091,794 individuals affected in a health plan related network server hacking incident on 08/11/2023.
• Regal Medical Group, Lakeside Medical Organization (CA) experienced a breach affecting 3,388,856 individuals, a healthcare provider's network server hacking incident on 02/01/2023.
• CareSource (OH) rounds out the top 10 with 3,180,537 individuals affected in a business associate related unauthorized access/disclosure incident on 07/27/2023.

Top 10 HIPAA breaches involving business associates

• Performance Health Technology, with 1,752,076 individuals affected, faced a breach due to the Progress MOVEit hack.
• Novant Health Inc. reported a breach impacting 1,362,296 individuals.
• Prospect Medical Holdings, Inc., beach affected 1,309,096 individuals.
• Texas Tech University Health Sciences Center experienced a breach involving 1,290,104 individuals.
• Nuance Communications, Inc., a business associate, faced a breach affecting 1,225,054 individuals due to unauthorized data access.
• Practice Resources, LLC had a breach involving 942,138 individuals.
• Brightline, Inc. reported a breach affecting 473,467 individuals.
• Conifer Revenue Cycle Solutions, LLC faced unauthorized access to sensitive information, affecting 343,593 individuals.
• Aetna ACE experienced a breach involving 325,278 individuals due to unauthorized patient information access.
• Santa Clara Family Health Plan, with 276,993 individuals affected, reported a breach involving unauthorized access to sensitive health data.

The impact of HIPAA breaches in 2023

• In 2022, HIPAA breaches affected approximately 56,508,948 individuals, surging dramatically in 2023 to about 134,787,438 individuals affected.
• This significant rise in the number of individuals impacted by HIPAA breaches in 2023 is mainly due to several substantial breaches, with the top five contributing heavily to this escalation.
• The largest breach in 2023 was by HCA Healthcare, impacting 11,270,000 individuals through a hacking/IT incident in an 'Other' location.
• Perry Johnson & Associates, Inc. experienced a breach affecting 8,952,212 individuals, Managed Care of North America (MCNA) affected 8,861,076 individuals, Welltok, Inc. impacted 8,493,379 individuals, and PharMerica Corporation affected 5,815,591 individuals, all due to hacking/IT incidents on network servers.
  • These major breaches, particularly HCA Healthcare's, significantly inflated the total figure for 2023. 

Take action in 2024

To effectively address the challenges presented in this analysis, healthcare organizations should prioritize the following key access control strategies:

1. User authentication: Implement strong password policies and multi-factor authentication.
2. Role-based access control (RBAC): Assign access rights based on job roles.
3. Regular access reviews: Update access permissions periodically.
4. Audit trails and monitoring: Log and monitor access to sensitive data.
5. Training and awareness: Educate employees on data security and HIPAA compliance, particularly on how to avoid phishing attacks.
6. Encrypted email solutions: Use tools like Paubox to communicate securely between covered entities, business associates, and patients.
7. Additional security features: Implement solutions like ExecProtect to guard against phishing attacks, spoofing, and other inbound security threats, which are common in cybersecurity attacks.

Related: Top 10 HIPAA compliant email services