Millions of Americans have been affected by the disclosure of private health data. Health systems continue to see more cyberattacks and breaches.
Just three months into 2023, millions of Americans have had personal health information exposed.
The U.S. Department of Health and Human Services publishes data on any health breach affecting at least 500 Americans. Through March 31, 136 breaches affecting at least 500 people have been reported, according to the HHS Office of Civil Rights.
Some of those breaches have affected hundreds of thousands of Americans. In two breaches, the number of people impacted has surpassed 3 million. All of the 10 largest breaches in the first quarter affected more than 150,000 individuals.
In 2022, nearly 50 million Americans were affected by breaches of health data. Hospitals and health systems have been hit with scores of ransomware attacks, and cybersecurity experts say attackers are targeting smaller hospitals as well since they could be more vulnerable.
Experts urge health systems to take the threat of cyberattacks seriously, since they can cost hospitals and health organizations millions of dollars and endanger patients.
Here’s a rundown of the 10 largest breaches in the first quarter of 2023. Some cases involve healthcare providers, health plans or companies doing business with hospitals or medical groups. In a few instances, the breaches occurred in 2022 but they weren’t publicly reported to the health department until early 2023.
1. Regal Medical Group
The medical group, based in southern California, said in February that it was the victim of a ransomware attack. The breach potentially exposed the data of more than 3.3 million people, according to the health department.
Regal said in a statement the breach, which it said originated from a “ransomware cyberattack,” occurred on or about Dec. 1, and the medical group became aware of the breach on Dec. 8.
The breach may have exposed information from Regal and its affiliates: Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.
Patient information that could have been exposed includes names, Social Security numbers for some individuals, dates of birth, phone numbers, diagnosis and treatment information, health plan member numbers, prescriptions and lab results, Regal said.
The medical group said it is strengthening security protocols, and is offering free credit monitoring to patients for one year.
2. Cerebral
The telehealth company said patient information was inadvertently disclosed to other parties. The health department says more than 3.1 million people could potentially be affected.
Cerebral said information may have been shared via tracking technologies, known as pixels, such as those made available by Google, Meta and TikTok. Other health systems, including Advocate Aurora Health and Novant Health, have reported similar breaches involving tracking technology.
In a statement, Cerebral said the company determined in early January that it had “disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.”
Cerebral said the information disclosed varied but could include names, phone numbers, email addresses, dates of birth, and other information. For patients who completed mental health self-assessments, the information disclosed could have included the services they received and assessment responses.
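The pixel disclosures described above happen when a page inside a patient portal loads third-party scripts or beacons that report the visited URL, form contents or page title back to an advertising platform. The following is an added example, not code from the article or from any company it names: a small audit helper a site owner can run over the list of network requests a patient-facing page makes (for instance, captured from the browser's network panel or a HAR file) to flag third-party hosts, known tracking platforms, and requests whose query string carries the visited path. The hostnames, domain `example-health.test`, and request list are constructed for illustration.

```javascript
// Added example: audit captured page requests for third-party "pixel" leaks.
// Assumes the caller knows the site's own registrable domain and the path the
// patient was viewing; the tracker list below is illustrative, not exhaustive.

const KNOWN_TRACKER_SUFFIXES = [
  'facebook.net', 'facebook.com', 'google-analytics.com',
  'googletagmanager.com', 'doubleclick.net', 'tiktok.com',
];

// True when hostname is the suffix itself or a subdomain of it.
function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith('.' + suffix);
}

// Walk every captured request; first-party requests are skipped, every other
// request becomes a finding describing how much page context it exports.
function auditRequests(requests, firstPartyDomain, visitedPath) {
  const findings = [];
  for (const raw of requests) {
    const url = new URL(raw);
    if (hostMatches(url.hostname, firstPartyDomain)) continue; // first-party
    const knownTracker =
      KNOWN_TRACKER_SUFFIXES.find((s) => hostMatches(url.hostname, s)) || null;
    // A third-party request whose query string contains the visited path is
    // exporting page context; on a portal that path can itself be PHI
    // (e.g. which assessment or condition page the patient opened).
    const carriesPath = [...url.searchParams.values()].some((v) =>
      v.includes(visitedPath)
    );
    findings.push({ host: url.hostname, knownTracker, carriesPath });
  }
  return findings;
}

// One mitigation: a Content-Security-Policy that only allows images, fetches
// and scripts from the site's own domain, so an accidentally embedded pixel
// is blocked by the browser (and reported, if a report-uri is configured).
function buildFirstPartyCsp(firstPartyDomain) {
  const own = `'self' https://*.${firstPartyDomain}`;
  return [
    "default-src 'self'",
    `img-src ${own}`,
    `connect-src ${own}`,
    `script-src ${own}`,
  ].join('; ');
}

// Constructed sample mimicking one page load inside a patient portal.
const SAMPLE_REQUESTS = [
  'https://portal.example-health.test/api/assessments/123',
  'https://static.example-health.test/app.js',
  'https://www.facebook.com/tr?id=000&ev=PageView&dl=https%3A%2F%2Fportal.example-health.test%2Fassessments%2Fdepression-screen',
  'https://www.google-analytics.com/collect?v=1&dp=%2Fassessments%2Fdepression-screen',
  'https://cdn.fonts.test/inter.woff2',
];

function runSampleAudit() {
  return auditRequests(
    SAMPLE_REQUESTS,
    'example-health.test',
    '/assessments/depression-screen'
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSampleAudit()) {
    console.log(
      `${f.host}: third-party` +
        (f.knownTracker ? `, known tracker (${f.knownTracker})` : '') +
        (f.carriesPath ? ', sends visited path' : '')
    );
  }
  console.log('Suggested CSP:', buildFirstPartyCsp('example-health.test'));
}
```

In the constructed sample, the two advertising beacons are flagged both as known trackers and as carrying the visited path, while the font CDN is reported only as a third-party host; that distinction is what a privacy review of a portal page usually needs to triage first.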
Four U.S. senators wrote letters to telehealth companies, including Cerebral, asking them to do more to protect patient information.
3. ZOLL Medical Corporation
The company, which makes medical devices, suffered a breach that has affected about 1 million individuals. The U.S. health department estimates the figure is 997,097, while the Maine attorney general’s office puts the number affected at 1,004,443.
The breach stems from a “hacking incident,” according to the Maine AG’s office. ZOLL said in a letter to patients the breach was caused by a “cybersecurity incident.”
“Based on our investigation, we have no indication that any of your information has been misused,” ZOLL said in the letter to patients.
Some information exposed could include Social Security numbers. Patients who have been affected are being offered identity theft services for up to two years, and employees who have been impacted are being offered such services for three years.
ZOLL produces devices for defibrillation and cardiac monitoring, sleep apnea, oxygen therapy and more.
4. Community Health Systems
The Tennessee-based hospital system said it was affected by a cybersecurity incident involving a third-party vendor. More than 960,000 people have been affected, according to the health department.
Community Health Systems said in a statement the breach stems from an attack on Fortra, a cybersecurity firm that contracts with the health system to provide a secure file transfer software called GoAnywhere.
The incident occurred between Jan. 28 and Jan. 30, Community Health Systems said.
In a notice to the SEC, the hospital system said, “While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care.”
In its own investigation, the hospital system said information relating to patients, a limited number of employees and others may have been disclosed. The information could have included names, addresses, medical billing information such as diagnosis and medications, dates of birth and Social Security numbers.
5. CentraState Healthcare System
The hospital system based in New Jersey suffered a data breach due to an attack affecting more than 617,000 individuals, according to the health department.
The company said it began noticing unusual activity in its computer systems in late December, The Asbury Park Press reported. The breach was reported to HHS on Feb. 10.
The attacker exfiltrated a copy of a database with dates of birth, insurance information and patient account numbers, but no financial account or payment card information was involved, the news organization reported.
Due to the incident, the health system temporarily diverted ambulances and halted some outpatient services in late December, The Asbury Park Press reported.
6. Cardiovascular Associates
A data breach for the Alabama-based healthcare provider affected more than 441,000 people, according to the health department.
The breach was reported to HHS on Feb. 3. In a statement on its website, Cardiovascular Associates said someone gained access to patient information between Nov. 28 and Dec. 5, 2022.
The provider said the hacker gained access to information including names, dates of birth, Social Security numbers, medical and treatment information, credit card and debit card information and financial account information.
The provider said in the wake of the attack, it is strengthening the organization’s defenses to reduce the risk of breaches in the future.
7. Reventics
The revenue cycle management company suffered a breach involving more than 250,000 individuals.
In mid-December, Reventics said it detected an unauthorized party possibly trying to gain access to its systems. The company said in a statement on its website that it confirmed the attacker gained access to private health information, including dates of birth, Social Security numbers, clinical data, and financial information.
Working with cybersecurity consultants, Reventics said it quickly contained the intruder and was able to continue operations. The health department said it was notified of the breach Feb. 10.
Regional One Health, a Tennessee hospital system that utilizes Reventics as a vendor, posted information on its website about the breach.
Reventics said it has improved its defenses, is retraining employees and also offering free credit and identity monitoring services.
8. Highmark
The health plan based in Pittsburgh alerted customers of a breach on Feb. 6.
Highmark said one of its employees received a “malicious phishing email link,” and the intruder accessed files that may have private health data of the plan’s members.
“Highmark has not discovered any evidence to date that data potentially accessed because of this incident has been used fraudulently,” the company said in a statement.
Some data potentially disclosed includes treatment information, dates of birth, driver’s license numbers, passport information and, in some cases, Social Security information, the company said.
Highmark said it is working to improve email security controls and also is improving email training on phishing threats to prevent further incidents.
9. Mindpath Health
Community Psychiatry Management, which does business as Mindpath Health, suffered a cyberattack affecting more than 193,000 people, according to the health department.
In a statement, Mindpath Health said suspicious activity was discovered in early December 2022, and an investigation revealed two emails were breached (one in March 2022 and the other in June 2022).
Mindpath Health said some protected health information was accessed, including Social Security numbers, diagnosis and treatment information, health insurance information and prescription information.
“At this time, Mindpath Health is not aware of any evidence to suggest that any information has been, or will be, misused,” the company said. “However, Mindpath Health was unable to rule out the possibility that the information could have been accessed.”
10. 90 Degree Benefits
The Wisconsin-based health benefits company suffered a cyberattack affecting 175,000 people, according to the health department.
The breach was reported to HHS on Feb. 8, 2023. The hacking incident involved the company’s network service, the health department said.
The company has 24 offices serving 525,000 members nationwide.