Odds are, you’ve gotten at least one of the unnerving letters in your mailbox this year: “We’re writing to inform you of a cybersecurity incident,” it might start. It’s the standard notice many health care organizations are required to provide when your protected health information gets exposed — and in 2023, data leaks, hacks, and mishandling led more of them to be delivered than ever before.
As many as 116 million individuals have been impacted by large health data breaches reported to the Department of Health and Human Services this year, according to records from its Office for Civil Rights as of December 21. That number has more than doubled over recent counts, driven primarily by a surge in hacking and ransomware attacks on health care organizations regulated under HIPAA.
Since 2009, OCR has issued reports on large data breaches — those that impact 500 or more patients — which appear on its public “wall of shame.” The last record for individual impact was set in 2015, when three data breaches at health plans Anthem, Premera Blue Cross, and Excellus impacted tens of millions of patients each. It was a massive outlier, driving the total individuals impacted by large health breaches over 112 million.
By contrast, this year’s breaches were both large and numerous. Twenty hacking and IT incidents each impacted more than 1 million people, with the largest, at HCA Healthcare, exposing information for up to 11 million. Along with other industries and public groups, health care organizations fell prey to widespread hacks enabled by the MOVEit file transfer vulnerability, from the Centers for Medicare and Medicaid Services to software providers like Nuance and Welltok. HHS has emphasized the challenge of these attacks in a new cybersecurity strategy issued this month: Between 2018 and 2022, it reported, large breaches involving ransomware increased 278%.
As cyberattacks continue to increase, federal agencies are taking action: This week, new rules from the Securities and Exchange Commission go into effect that require public companies to disclose “material” cybersecurity incidents within four days of their discovery. HHS has issued guidance about data privacy and security in telehealth and cybersecurity practices in health care. And in late October, OCR settled its first breach associated with a ransomware attack, one that impacted over 200,000 people, for $100,000.
But hackers aren’t solely responsible for this year’s record impact on individual health data. It was also driven by significant increases in what OCR categorizes as unauthorized access and disclosure of data — records that aren’t taken as much as they slip away. More than 8 million individuals were affected by breaches of protected health data in this category, which includes a new class resulting from the use of third-party tracking technologies.
HHS cracked down on trackers this year, starting with a bulletin in late 2022 and following up with warning letters that explained how tools like the Meta pixel can relay protected health information when installed on health care websites. In response, some covered entities started reporting tracking pixel use as breaches, including Cerebral, which reported that its use of tracking technologies may have impacted as many as 3 million people.
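To make the tracker mechanism concrete: a pixel script loaded on a page typically reports the full page URL (path and query string), the document title, the referrer and, when configured to do so, values from on-page forms to its third-party endpoint. If the page is a patient portal or a condition-specific appointment page, those fields alone can disclose protected health information. The following is an added example, not code from the article, HHS or any tracking vendor; the beacon shape, endpoint and term lists are assumptions. It models what such a beacon would carry for a constructed sample page and audits it before the tag would be allowed to fire.

```javascript
// Added example (not from the article): model the data a generic third-party
// tracking pixel relays on a page view, then audit that payload for protected
// health information before the tracker is permitted on the page.
// The endpoint, field names and term lists below are illustrative assumptions.

// Assumed beacon shape: full page URL, document title, referrer and any
// form values the tag is configured to auto-collect.
function buildPixelBeacon({ pageUrl, pageTitle, referrer, formFields = {} }) {
  return {
    endpoint: "https://tracker.example/tr", // assumed third-party collector
    dl: pageUrl,          // document location, including path and query
    dt: pageTitle,        // document title
    rl: referrer,         // referring page
    ud: { ...formFields } // auto-collected form values ("user data")
  };
}

// Constructed term lists for this example. A real policy would derive them
// from the site map and the forms actually present on each page.
const SENSITIVE_PATH_TERMS = [
  "portal", "appointment", "oncology", "chemotherapy", "mental-health", "prescription"
];
const SENSITIVE_PARAMS = ["patient_id", "mrn", "provider", "condition", "dob"];
const SENSITIVE_FORM_FIELDS = ["email", "phone", "first_name", "last_name", "dob"];

// Returns { allowed, findings }: allowed is false when any part of the beacon
// would disclose a PHI-bearing context (where the patient was, what for, who).
function auditBeacon(beacon) {
  const findings = [];
  const url = new URL(beacon.dl);
  const haystack = (url.pathname + " " + beacon.dt).toLowerCase();

  for (const term of SENSITIVE_PATH_TERMS) {
    if (haystack.includes(term)) findings.push(`url-or-title:${term}`);
  }
  for (const [key] of url.searchParams) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase())) findings.push(`query:${key}`);
  }
  for (const key of Object.keys(beacon.ud)) {
    if (SENSITIVE_FORM_FIELDS.includes(key.toLowerCase())) findings.push(`form:${key}`);
  }
  return { allowed: findings.length === 0, findings };
}

// Constructed sample: a logged-in patient scheduling an appointment.
const SAMPLE_PAGE = {
  pageUrl: "https://clinic.example/portal/appointments?provider=oncology&patient_id=12345",
  pageTitle: "Schedule a chemotherapy consult",
  referrer: "https://clinic.example/portal/home",
  formFields: { email: "patient@example.com" }
};

if (typeof require !== "undefined" && require.main === module) {
  const beacon = buildPixelBeacon(SAMPLE_PAGE);
  console.log(JSON.stringify(auditBeacon(beacon), null, 2));
}
```

The audit runs on the page data a tag would see, so it can be applied at build time to a site map or at runtime before the tag manager loads a vendor script; the point is that even a pixel that sends "only" the URL and title is enough to disclose that a particular browser visited an oncology scheduling page.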
Those trackers can leak health data from a wide range of websites, which provides a cheery end-of-year reminder that breaches are far from limited to the health care businesses and associates covered by HIPAA and reported to OCR. Plenty of consumer businesses deal in sensitive medical information — like 23andMe, whose recent breach exposed health-related information for some of its users — and they can be just as vulnerable to mishandling and cyberattacks as your hospital.