2.9M Victims, 42 Healthcare Data Breaches Reported to HHS in March

HHS OCR’s breach portal showed a decrease in healthcare data breach reports in March compared to the first two months of the year.

UPDATE 4/14/2022: This article has been updated to reflect additional entries in OCR's data breach portal. 

The number of healthcare data breaches reported to HHS in March dipped for the second month in a row, HealthITSecurity’s analysis of the HHS Office for Civil Rights (OCR) data breach portal revealed. 

The portal displays data breaches suffered by HIPAA-covered entities that impacted at least 500 individuals. OCR categorizes the breaches by type of covered entity (healthcare provider, business associate, or health plan) and type of incident (hacking/IT incidents, theft, loss, and unauthorized access or disclosure).

In January, 50 breaches impacted 2,316,419 individuals. February saw a slight decrease, with 47 reported breaches affecting 2,254,895 individuals. In March, 42 reported breaches impacted a total of 2,917,387 individuals.

It is important to note that entities reported the breaches to HHS in March, but that does not mean they all took place in March. Covered entities have 60 days after discovering a breach to report it to HHS.

Hacking/IT incidents continue to be the most common type of healthcare data breach. Even as more organizations prioritize cyber threats in healthcare, threat actors continue to shift their tactics and targets.

A report by Abnormal Security discovered that threat actors were increasingly leveraging Ransomware-as-a-Service (RaaS), double extortion, and software vulnerability exploits over traditional data encryption.

Hacking/IT incidents accounted for the majority of healthcare data breaches reported in March. Just 3 breaches were logged as unauthorized access/disclosure.

In addition, 4 business associate breaches were logged in March, compared to 14 in January and 5 in February. Meanwhile, 6 health plans reported breaches in March, the same number reported in both January and February.

A report by Critical Insight found that health plan cyberattacks increased by 35 percent from 2020 to 2021, and attacks against third-party business associates increased by 18 percent. Despite this increase, healthcare providers continue to be the most frequent targets. In March, 32 of 42 reported data breaches impacted healthcare providers.

With 502,869 victims, Christie Business Holdings Company faced the largest reported breach in March. Other notable breaches reported in March included a breach at CSI Laboratories that impacted 312,000 people, and a cyberattack against Clinic of North Texas, which impacted over 244,000 individuals.

For context, the five largest breaches reported so far in 2022, according to OCR’s portal (as of April 2022), are as follows:

As healthcare data breaches continue to impact organizations across the sector, healthcare entities must implement technical and administrative safeguards to effectively detect and respond to security incidents.
