Executive summary: Q3 healthcare cybersecurity trends

Based on the analysis of 256 breaches affecting a total of 59,480,058 individuals, this Q3 healthcare breach report tracks vulnerabilities, risks, and action points as listed on the OCR's Wall of Shame and Paubox breach reports. This analysis of third-quarter data shows what kinds of breaches are happening, who's being affected, and how.

Key findings

1. Fluctuating breach incidents: Breaches ranged from 59 to 118 per month, affecting between 11.5 million and 24.7 million individuals each month. These numbers indicate a dynamic and ever-changing threat landscape.
2. Variable impact: The number of individuals affected per month fluctuated between 11,519,803 and 24,652,555, emphasizing the varying scale of these incidents.
3. Emerging threat: A 24% increase in hacking and IT-related incidents was observed totaling 62 incidents by the end.
4. Email is a consistent risk: Email-related breaches were consistent, affecting an average of 7,855 individuals per occurrence.
5. State-specific threats: Texas (25 breaches), California (19), and Illinois (18) were the states with the highest number of reported breaches.
6. Business associate involvement: Business associates were implicated in 121 breaches, making up about 47% of all incidents. As the reporting "Covered Entity Type," business associates accounted for 63 breaches.
7. Covered Entity Types at risk: Healthcare Providers had the highest incidence with 140 breaches, followed by Business Associates (63) and Health Plans (52).
8. Common breach types for email: Hacking/IT Incidents (28 breaches) and Unauthorized Access/Disclosure (14) were the most frequent types of email-related breaches.
9. Days to report: On average, organizations took about 73 days from the breach occurrence to report the incident.

Recommendations

1. Strengthen email security: Email-related breaches affect an average of 7,855 individuals. Implementing HIPAA compliant email advanced security measures like multi-factor authentication is essential.
2. Focus on IT infrastructure: With a 24% increase in hacking/IT incidents this quarter, robust network security measures are more critical than ever.
3. Regular security audits: The fluctuating number of breaches and affected individuals highlights the need for frequent security audits.
4. Employee training: The consistent nature of email-related breaches underscores the importance of comprehensive employee training programs.
5. Vendor risk management: As 47% of breaches involved business associates, a stringent vendor security assessment is imperative to ensure security.
6. Advanced email security features: Given the frequency of hacking and unauthorized access in email-related breaches, inbound protection and advanced features like DMARC are recommended.
7. Improve Reporting Time: With an average of 73 days to report breaches, quicker detection and reporting mechanisms are advisable.

Spotlight on the top breaches

HCA Healthcare

• Breach Date: July 31, 2023
• Type of Breach: Hacking/IT Incident
• Location: Other
• Individuals Affected: 11,270,000

Colorado Department of Health Care Policy & Financing

• Breach Date: August 11, 2023
• Type of Breach: Hacking/IT Incident
• Location: Network Server
• Individuals Affected: 4,091,794

CareSource

• Breach Date: July 27, 2023
• Type of Breach: Unauthorized Access/Disclosure
• Location: Network Server
• Individuals Affected: 3,180,537

Maximus, Inc.

• Breach Date: August 4, 2023
• Type of Breach: Hacking/IT Incident
• Location: Network Server
• Individuals Affected: 2,781,617

Notes:

Massive scale of HCA Healthcare Breach: The breach at HCA Healthcare was by far the largest, affecting over 11 million individuals, which is more than double the next highest breach.

Variety in type of breach: Among the top 5 breaches, four were the result of Hacking/IT Incidents, while one was due to Unauthorized Access/Disclosure.

Network servers as common target: Except for the HCA Healthcare breach, all the top breaches involved Network Servers.