Cyberattacks affected tens of millions of Americans in 2023.
Analysts say ransomware groups and attackers found ways to deliver more damaging breaches over the past year. Breaches of private health information affected more victims, cybersecurity experts say. Some organizations suffered attacks that exposed the information of millions of patients.
The U.S. Department of Health and Human Services requires HIPAA-covered entities and their business associates to report breaches affecting 500 or more individuals, and it publishes those reports. According to the department’s data, 541 breaches were reported in 2023. It’s worth noting that additional breaches that occurred in 2023 may still be reported in the future.
Here’s a review of the 11 largest health data breaches in 2023, based on the health department’s data. Each of the 11 biggest breaches affected a minimum of 3 million individuals.
Taken together, these 11 breaches of private health information affected more than 68.9 million individuals. By comparison, the 11 biggest health data breaches of 2022 affected 21.5 million people.
Some breaches involved hospitals and health systems, but attackers have also gone after insurers. Analysts also warn that attackers have targeted the vendors that work with health systems and payers. Some of the organizations were affected by breaches involving file transfer software used by their partners.
John Riggi, national advisor for cybersecurity for the American Hospital Association, said 2023 is likely to be the most damaging year for cyberattacks, in terms of the number of victims. The average breach over the past year affected more than 200,000 people, he said.
“The bad guys have figured out it’s not the number of attacks. It’s where you attack,” he told Chief Healthcare Executive® in a recent interview.
Here’s the rundown of the largest breaches of health information over the past year.
HCA Healthcare
The nation’s largest hospital system disclosed a breach in July that affected as many as 11 million individuals.
HCA said that the information included patients’ names, addresses, dates of birth and information on patient service dates, locations, and the dates for appointments.
“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” HCA said in a statement.
HCA said the breach did not expose clinical information, such as treatment, diagnosis, or condition, or payment information, such as credit card or account numbers.
The company says it has been working with law enforcement agencies and threat intelligence advisors to investigate the breach.
HCA operates 182 hospitals and more than 2,300 healthcare sites across the United States and in the United Kingdom. HCA says the UK facilities were not affected.
Perry Johnson & Associates (PJ&A)
Perry Johnson & Associates, Inc., which does business as PJ&A, suffered a breach affecting more than 8.95 million individuals. PJ&A offers medical transcription services used by health systems and providers for documenting patient notes.
The breach was posted on the health department database on Nov. 3.
PJ&A said in a notice that there is no evidence the data has been used for fraud or identity theft. The company said an unauthorized party gained access to the PJ&A network between March 27 and May 2, 2023.
The company said the breach “did not involve access to any systems or networks of PJ&A’s healthcare customers.”
New York Attorney General Letitia James said in November that at least 4 million individuals in New York were affected.
Managed Care of North America (MCNA)
Managed Care of North America (MCNA), a dental insurer, suffered a breach affecting more than 8.8 million Americans. The breach was reported in May.
MCNA said in a public statement that it determined someone “was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.”
The attackers gained access to data including full names, Social Security numbers, insurance information, driver’s licenses or other government identification numbers, and care for teeth and braces.
The LockBit ransomware gang claimed credit for the attack and released the data after issuing a ransom demand, Bleeping Computer reported.
Welltok
Welltok, a software company, suffered a breach affecting nearly 8.5 million individuals, according to the health department. It was posted on Nov. 6.
Welltok said in a statement that it’s one of many organizations affected by the breach involving MOVEit, a well-known file transfer tool from Progress Software. Many health data breaches have involved the MOVEit incident, says John Riggi of the American Hospital Association.
Welltok says it has reached out to dozens of hospitals, health systems and insurers utilizing the company’s software. The company says the breach involved the names, addresses, phone numbers and email addresses of individuals, and a smaller group may have had their Social Security numbers or their Medicare and Medicaid identification numbers exposed.
Progress Software has said that it disclosed the MOVEit Transfer vulnerability, a SQL injection flaw tracked as CVE-2023-34362, on May 31, and deployed a patch that day. Exploitation had begun before the disclosure, so organizations that patched promptly could still have had files taken from their MOVEit servers.
PharMerica
PharMerica, a pharmacy services firm, said in a statement it was hit with a cyberattack in March. The breach has affected more than 5.8 million Americans, according to the health department.
PharMerica says a third party accessed its computers March 12-23, and the company and its parent, Brightspring Health Services, Inc., learned of the suspicious activity March 14. Later that month, the company determined the criminals may have taken data including names, Social Security numbers, medication information and insurance information.
The company said it’s not aware of any theft or fraud related to the breach, but is offering identity theft protection and credit monitoring services.
PharMerica also said it was changing procedures to reduce the likelihood of another breach.
Reventics
Reventics, a software company, suffered a breach affecting more than 4.2 million individuals, according to the health department. Reventics provides revenue cycle management services for healthcare providers.
Reventics said in a letter to the New Hampshire attorney general’s office that it first discovered a breach of its systems in late December 2022, and the company discovered in March 2023 that more records had been accessed. The company said records potentially exposed included names, addresses, patient account numbers, and possibly clinical data and dates of services.
The company offered free identity theft services to those affected.
Colorado Department of Health Care Policy & Financing
The Colorado agency experienced a breach affecting more than 4 million people, according to HHS. The department, which oversees Colorado’s Medicaid program, issued a public statement about the breach in August.
The agency said the exposure is tied to the MOVEit Transfer software breach, which has affected many companies. IBM, which is a contractor working with the department, uses the MOVEit software to transfer files and notified the Colorado health department that it had been affected.
The Colorado agency said none of its systems or databases were affected, but it found out that some of the department’s files on the MOVEit application were accessed.
The data could have included names, Social Security numbers, Medicare and Medicaid ID numbers, and clinical information, such as diagnosis and lab results, the Colorado department said. Those affected are being offered two years of free credit monitoring.
Regal Medical Group
Regal, a medical group based in Southern California, said it experienced a ransomware attack. The health department says nearly 3.4 million individuals were affected.
Regal Medical Group posted the information on its website and notified individuals in February. Regal later found additional individuals who were affected in March.
The breach may have exposed information from Regal and its affiliates: Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.
Patient information that could have been exposed included names, Social Security numbers, dates of birth, phone numbers, diagnosis and treatment information, prescriptions and lab results, Regal said.
Regal offered one year of free credit monitoring to those affected.
CareSource
CareSource, an insurance company based in Dayton, Ohio, experienced a breach affecting more than 3.1 million individuals. The breach was posted on the health department database on July 27.
In a notice filed with the California Department of Justice, CareSource said it is one of the many organizations affected by the MOVEit breach disclosed on May 31. CareSource said it patched the software on June 1 as instructed by Progress Software, the maker of MOVEit. (Progress says it issued the patch on May 31.) In late June, CareSource said it learned that some of its data had been accessed.
CareSource said that some of the information potentially accessed included names, addresses, medications, and health conditions. CareSource said it’s offering two years of free credit monitoring to the individuals who have been affected.
Cerebral
Cerebral, a telehealth company, said patient information was inadvertently disclosed to other parties. The health department says more than 3.1 million people are affected.
Cerebral said information may have been shared via tracking pixels, such as those made available by Google, Meta (the parent of Facebook) and TikTok. Other health systems have reported similar breaches involving technology that tracks visitors to websites.
In a statement, Cerebral said the company determined in early January that it had “disclosed certain information that may be regulated as protected health information.”
Cerebral said the information disclosed could include names, phone numbers, email addresses, dates of birth, and other information. For patients who completed mental health self assessments, the information disclosed could have included the services they received and assessment responses.
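The pixel disclosures above come down to a mechanism worth seeing concretely: a third-party pixel snippet reads the page URL, referrer, its own visitor cookie and, with the vendor's default "automatic form matching", whatever form fields it can find, and sends all of that to the vendor. On a self-assessment results page that is protected health information. The following is an added example, not code from the article or from Cerebral or any pixel vendor: a constructed model of what such a pixel collects, a gating policy that keeps it off clinical paths and minimises what it sends elsewhere, and an audit helper that flags PHI-looking fields. The tracker endpoint, page objects, field names and the PHI key pattern are all hypothetical.

```javascript
// Added example (not from the article, Cerebral, or any pixel vendor): a
// constructed model of how a third-party tracking pixel harvests page state,
// and a gating policy that keeps it off pages where that state is PHI.
// Endpoint, page objects, field names and policy are hypothetical.

const TRACKER_ENDPOINT = "https://tracker.example/collect"; // hypothetical vendor

// What a typical pixel collects by default: full URL (query string included),
// referrer, its visitor cookie and, with "automatic form matching" on, the
// values of any form fields it can read on the page.
function collectPixelPayload(page, opts = {}) {
  const url = new URL(page.url);
  const payload = {
    event: "PageView",
    url: opts.stripQuery ? url.origin + url.pathname : url.href,
    referrer: page.referrer,
    visitorId: page.cookies._trk ?? null,
  };
  if (opts.autoMatchForms !== false) {
    payload.formData = { ...page.formFields };
  }
  return payload;
}

// The beacon the browser would actually send: everything ends up in a GET URL
// to the vendor, so anything in the payload leaves the site.
function beaconUrl(payload) {
  const u = new URL(TRACKER_ENDPOINT);
  for (const [k, v] of Object.entries(payload)) {
    if (v != null) u.searchParams.set(k, typeof v === "string" ? v : JSON.stringify(v));
  }
  return u.href;
}

// Paths where any beacon at all is a disclosure: the pixel must not load there.
const DEFAULT_POLICY = {
  denyPathPrefixes: ["/assessment/", "/portal/", "/appointments/"],
  stripQuery: true,
  autoMatchForms: false,
};

// Apply the policy: null (no beacon) on denied paths, a minimised payload elsewhere.
function gatedPixelPayload(page, policy = DEFAULT_POLICY) {
  const path = new URL(page.url).pathname;
  if (policy.denyPathPrefixes.some((p) => path.startsWith(p))) return null;
  return collectPixelPayload(page, {
    stripQuery: policy.stripQuery,
    autoMatchForms: policy.autoMatchForms,
  });
}

// Audit helper: flag query parameters and form fields whose names look like PHI.
// The pattern is an assumption for this example; tune it for your own site.
const PHI_KEY_PATTERN = /(assessment|score|diagnos|dob|birth|email|phone|q\d+_)/i;

function findPhiLeaks(payload) {
  if (!payload) return [];
  const leaks = [];
  for (const [k, v] of new URL(payload.url).searchParams) {
    if (PHI_KEY_PATTERN.test(k)) leaks.push(`url:${k}=${v}`);
  }
  for (const [k, v] of Object.entries(payload.formData ?? {})) {
    if (PHI_KEY_PATTERN.test(k)) leaks.push(`form:${k}=${v}`);
  }
  return leaks;
}

// Constructed sample pages (not real patient data): a self-assessment results
// page with the kind of query string and form fields a pixel picks up, and a
// marketing page that carries a stray sensitive query parameter.
const SAMPLE_ASSESSMENT_PAGE = {
  url: "https://clinic.example/assessment/results?assessment=phq9&score=18",
  referrer: "https://clinic.example/assessment/phq9",
  cookies: { _trk: "v-8f3a" },
  formFields: { email: "jane@example.com", phone: "5550100", q9_response: "several days" },
};

const SAMPLE_MARKETING_PAGE = {
  url: "https://clinic.example/pricing?utm_source=ad&dob=1990-01-01",
  referrer: "https://search.example/",
  cookies: { _trk: "v-8f3a" },
  formFields: {},
};

if (typeof require !== "undefined" && require.main === module) {
  const leaky = collectPixelPayload(SAMPLE_ASSESSMENT_PAGE);
  console.log("default pixel beacon:", beaconUrl(leaky));
  console.log("PHI in default beacon:", findPhiLeaks(leaky));
  console.log("gated pixel on assessment page:", gatedPixelPayload(SAMPLE_ASSESSMENT_PAGE));
  console.log("gated pixel on marketing page:", gatedPixelPayload(SAMPLE_MARKETING_PAGE));
}
```

The default configuration leaks the assessment name and score from the URL and three form fields; the gated version sends nothing on the assessment path and, on the marketing page, drops the query string (including the stray date of birth) and never reads forms. Gating by path prefix is only as good as the deny list, so in practice pair it with a review of the vendor's automatic-collection settings and an inspection of the actual beacons in the browser's network tab.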
Four U.S. senators wrote letters to telehealth companies last year, including Cerebral, asking them to do more to protect patient information.
NationsBenefits
The health department says the NationsBenefits breach affected more than 3 million people. The company provides supplemental benefits, flex cards and other solutions for healthcare plans and managed care organizations.
NationsBenefits sent a notice to the New Hampshire Attorney General’s office that it is one of more than 100 organizations affected by a data breach involving Fortra, a cybersecurity company, TechCrunch reported.
Clop, a Russia-linked ransomware group whose mass-exploitation campaigns have hit many healthcare organizations, has claimed responsibility for the broader Fortra attack, according to the Michigan Attorney General’s office. The incident apparently involved a vulnerability in Fortra’s GoAnywhere MFT file transfer software (tracked as CVE-2023-0669), authorities say.
NationsBenefits said it began notifying plan members of the breach on April 13, and the company said it is providing two years of identity theft protection for those affected.