Most common causes of health data breaches in the last three months

Published 4:20 pm Friday, June 30, 2023


In April 2023, Point32Health experienced a ransomware attack that caused widespread system outages. The second-largest health insurer in Massachusetts, Point32Health serves more than 2 million people, including those with Tufts Health Plan and Harvard Pilgrim Health Care policies, many of whom were enrolled in Medicare.

Though this may initially seem like an unusual occurrence, health data breaches are not uncommon in our increasingly digitized world. In 2022 alone, there were 707 health data breaches where more than 500 records were compromised; from January to May 2023, 273 breaches occurred.

On average, a health data breach in 2023 compromises just shy of 150,000 records, while the average breach size in 2022 was closer to 75,000. In light of this growing crisis, Stacker investigated the most common causes of health data breaches from March to May 2023, using data from the HIPAA Journal’s monthly Healthcare Data Breach Reports.


Read on to see how your health data can be compromised and what happened to those made vulnerable by data breaches.


#4. Improper disposal

– Number of breaches, March-May 2023: 3 (1.6%)
— March 2023: 1 (1.6%)
— April 2023: 1 (1.9%)
— May 2023: 1 (1.3%)

Improper disposal data breaches can occur when a hard drive that holds patient health data isn’t properly wiped and destroyed before it leaves the hands of the health provider. The Health Insurance Portability and Accountability Act outlines a few options for permanently deleting patient data stored on hard drives, including using software to overwrite the data, putting the drive through a process called magnetic purging, or destroying the hard drive through shredding, melting, or incinerating.

In September 2021, a large health data breach caused by improper disposal occurred when HealthReach Community Health Centers in Waterville, Maine, used a third-party service to dispose of several hard drives. This caused more than 115,000 individuals to have their health data jeopardized, with more than 100,000 of those individuals residing in Maine. After the incident, those impacted were provided with reimbursement insurance policies and various data and identity protection services.


#3. Theft

– Number of breaches, March-May 2023: 5 (2.6%)
— March 2023: 1 (1.6%)
— April 2023: 2 (3.8%)
— May 2023: 2 (2.7%)

Data has to be stored somewhere, and when that equipment is stolen, it constitutes a theft data breach. Though these types of breaches are rarer than others, they can occur whenever someone comes into contact with a computer, hard drive, or other storage receptacle containing patient data.

The Valley Hope Association, a nonprofit organization that provides addiction treatment in Kansas, reported that, on Dec. 30, 2015, an employee’s laptop was stolen from their car, impacting the data of upwards of 50,000 patients. The data on the laptop included Social Security numbers, insurance information, state identification and driver’s license numbers, and other personally identifying and sensitive information.


#2. Unauthorized access/disclosure

– Number of breaches, March-May 2023: 38 (20.0%)
— March 2023: 14 (22.2%)
— April 2023: 13 (25.0%)
— May 2023: 11 (14.7%)

A patient is generally made aware of every individual or entity allowed access to their medical records. This can include their doctors, nurses, other medical staff, and other authorized individuals the patient designates, such as a spouse, other family member, close friend, or caretaker. Any instance when a person not given explicit permission to access a patient’s medical records gains access constitutes an unauthorized access or disclosure data breach, and medical providers must report it.

At times, these breaches are as simple as a provider mistakenly handing the wrong medical forms to a colleague or patient or a doctor’s office disclosing information about the status of a patient to the incorrect family member. However, these issues can become much more serious if someone deliberately accesses information they’re unauthorized to see, such as when an unauthorized user gained access to a Merritt Healthcare Advisors employee’s email account from July 30 to Aug. 25, 2022.


#1. Hacking/IT incident

– Number of breaches, March-May 2023: 144 (75.8%)
— March 2023: 47 (74.6%)
— April 2023: 36 (69.2%)
— May 2023: 61 (81.3%)

Hacking incidents constitute the largest share of health data breaches and have notably risen since the beginning of the COVID-19 pandemic. Cybersecurity experts have recently raised concerns about the startling 385 million patient records exposed since 2010. Often, hacking incidents are perpetrated by cybercriminals looking for ransoms in exchange for restoring access to or returning sensitive records.

One of the largest health data hacking breaches ever occurred in 2014, when a group of cybercriminals believed to be based in China compromised the digital records of Community Health Systems. About 4.5 million individuals were impacted during this single data breach, a wake-up call to data and information technology professionals to be more cognizant of potential software vulnerabilities that might be exploited by sophisticated malware.

Data reporting by Emilia Ruzicka. Story editing by Brian Budzynski. Copy editing by Paris Close. Photo selection by Abigail Renaud.