October 2024 Healthcare Data Breach Report
In October, 57 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, slightly fewer than the 2024 average of 62 data breaches per month. While data breaches were below average, there was a 62.9% month-over-month increase in reported data breaches, following a particularly low number in September (35 breaches) – the lowest total since May 2020.
As of October 31, 2024, 594 large data breaches have been reported to OCR, almost 100 fewer than this time last year (593 data breaches). Unless there is a sharp uptick in data breaches in November and December, this year will be one of the exceptionally rare years where there is a year-over-year decline in healthcare data breaches.
Across the 57 data breaches, the protected health information of 5,232,507 individuals was exposed, stolen, or impermissibly disclosed, with 35% of that total coming from a single data breach. The number of breached records increased by 2.98% from September, although the total is considerably lower than the median of 7,543,676 breached records a month. The average number of breached records per month in 2024 is 18,090,055, a figure heavily skewed by the 100 million-record data breach at Change Healthcare in February. The average breach size in October was 91,798 records and the median breach size was 4,083 records.
Unsurprisingly with Change Healthcare’s massive data breach – the largest ever healthcare data breach in the United States – 2024 is already the worst-ever year for breached healthcare records. As of October 31, 2024, the protected health information of 170,762,026 individuals has been exposed, stolen, or impermissibly disclosed. The previous record – 112,466,720 records – was set in 2015 when Anthem Inc. experienced its 78.8 million-record data breach.
Biggest Healthcare Data Breaches in October 2024
In October, 21 data breaches of 500 or more healthcare records were reported to OCR, the largest of which was a ransomware attack on Summit Pathology by the Medusa ransomware group that affected more than 1.8 million individuals. There were several confirmed ransomware attacks in October involving the Medusa, Play, and Rhysida ransomware groups, although it is relatively rare for healthcare organizations to disclose the nature of a hacking incident, so it is difficult to accurately track the number of ransomware attacks.
The ransomware landscape has evolved over the past 12 months. Last year, the majority of attacks were conducted by a small number of highly prolific ransomware groups, including LockBit and ALPHV/BlackCat; however, law enforcement operations against both groups saw affiliates leave and join other groups or start their own operations. Following the ALPHV/BlackCat ransomware attack on Change Healthcare in February, the group shut down its operation; however, RansomHub appears to be filling the gap, having recruited several experienced affiliates from the ALPHV operation. RansomHub is now the most prolific ransomware-as-a-service operation. According to a recent report from Corvus, there were 59 active ransomware groups in Q3 2024, with 40% of those attacks committed by 5 ransomware groups, confirming that the ransomware landscape has become increasingly distributed. The BianLian “ransomware” group now favors data theft and extortion without file encryption and was behind the second-largest data breach of the month. BianLian is one of several ransomware groups that have adopted this strategy.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| Summit Pathology and Summit Pathology Laboratories, Inc. | CO | Healthcare Provider | 1,813,538 | Ransomware attack (Medusa) |
| ATSG, Inc | NY | Business Associate | 909,469 | Hacking incident with confirmed data theft (BianLian) |
| OnePoint Patient Care | AZ | Healthcare Provider | 795,916 | Hacking incident with confirmed data theft |
| Omni Family Health | CA | Healthcare Provider | 468,344 | Hacking incident with confirmed data theft |
| Gryphon Healthcare, LLC | TX | Business Associate | 393,358 | Hacking incident with potential data theft |
| Long Island Plastic Surgical Group, P.C. | NY | Healthcare Provider | 161,707 | Hacking incident with confirmed data theft |
| RRCA Accounts Management Inc. | IL | Business Associate | 115,837 | Ransomware attack (Play) |
| Mystic Valley Elder Services | MA | Healthcare Provider | 85,133 | Hacking incident with potential data theft |
| Advanced Recovery Equipment & Supplies, LLC | NY | Healthcare Provider | 56,000 | Hacking incident with confirmed data theft |
| Clay Platte Family Medicine | MO | Healthcare Provider | 53,916 | Hacking incident with potential data theft |
| Dr. Daniel J. Leeman, M.D. | TX | Healthcare Provider | 50,000 | Hacking incident with potential data theft |
| Visionworks of America, Inc. | TX | Healthcare Provider | 39,825 | Hacking incident with potential data theft |
| Center for Urban Community Services | NY | Business Associate | 38,000 | Hacking incident with confirmed data theft |
| GPS Sango Family Dentistry, PLLC d/b/a Sango Family Dentistry | TN | Healthcare Provider | 27,000 | Ransomware attack |
| Southwest Colorado Mental Health Center, Inc. d/b/a Axis Health System | CO | Healthcare Provider | 23,385 | Hacking incident with potential data theft |
| Hawaii Radiologic Associates, Ltd. | HI | Healthcare Provider | 23,205 | Hacking incident with potential data theft |
| Wellfleet Group, LLC | MA | Business Associate | 22,959 | Exposure of PHI on Internet due to website misconfiguration |
| Gandara Mental Health Center | MA | Healthcare Provider | 20,024 | Hacking incident with confirmed data theft |
| Valleygate Dental Surgery Centers of Charlotte, Fayetteville, and the West, LLC. | NC | Healthcare Provider | 14,589 | Hacking incident with potential data theft |
| Survival Flight, Inc. | AZ | Healthcare Provider | 12,342 | Unauthorized access to email accounts |
| Tower Clock Eye Center | WI | Healthcare Provider | 10,737 | Unauthorized access to email accounts |
The following data breaches were reported to OCR as affecting 500 or 501 individuals. These numbers are commonly used as placeholders while the extent of a data breach is investigated to ensure compliance with the reporting requirements of the HIPAA Breach Notification Rule. The number of affected individuals is updated when the investigation is completed, although not always. The following data breaches could turn out to be much larger than the OCR breach portal suggests. For instance, in July, Change Healthcare reported its ransomware attack to OCR with a 500 placeholder figure and later updated it to 100 million affected individuals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| St. Anthony Regional Hospital | IA | Healthcare Provider | 501 | Hacking incident with potential data theft |
| Ciox Health LLC, d/b/a Datavant Group | AZ | Business Associate | 501 | Hacking incident with potential data theft |
| General Physician, P.C. | NY | Healthcare Provider | 501 | Unauthorized access to email accounts |
| Seven Counties Services, Inc. | KY | Healthcare Provider | 501 | Unauthorized access to email accounts (Phishing) |
| Oregon Reproductive Medicine, LLC d/b/a ORM Fertility | NY | Healthcare Provider | 500 | Ransomware attack |
| Smile Design Management LLC | FL | Healthcare Provider | 500 | Unauthorized network access through a third-party software solution |
| Bayhealth Medical Center | DE | Healthcare Provider | 500 | Ransomware attack (Rhysida) |
Causes of October 2024 Healthcare Data Breaches
As has been the case for many months, hacking and other IT incidents account for the vast majority of healthcare data breaches. In October, 81.7% of the month’s data breaches were due to hacking/IT incidents and accounted for 99.1% of the month’s breached records (5,183,578 records). The average breach size was 112,686 records and the median breach size was 7,786 records.
There was a 30% month-over-month increase in the number of unauthorized access/disclosure incidents, with 10 data breaches reported; however, relatively few healthcare records were involved – just 40,929 records across the 10 incidents. The average breach size was 4,093 records and the median breach size was 1,431 records. A single data breach was reported that involved the improper disposal of 8,000 physical records, and no data breaches involved the loss or theft of physical records or devices containing unencrypted protected health information.
The most common location of breached healthcare data was network servers, followed by email accounts. Email data breaches often occur due to poor password practices, infrequent security awareness training, and the lack of multi-factor authentication on email accounts, and they are among the easiest data breaches to prevent.
Where did the Data Breaches Occur?
In October, 43 data breaches were reported by healthcare providers, 11 by business associates, and 3 by health plans. When a data breach occurs at a business associate, it is often reported by the business associate; however, some covered entities choose to report the breach themselves even though the breach occurred at a business associate. It is not unusual for a business associate to report a breach for some covered entity clients while others choose to report the breach themselves.
As a result, data breaches at business associates are often underrepresented in data breach reports. The HIPAA Journal calculates where the breach occurred rather than the entity that reported the breach to ensure business associate data breaches are reported accurately. The pie charts below are based on the location of the breach rather than the reporting entity.
Geographical Distribution of Healthcare Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 27 states plus the U.S. Virgin Islands. New York was the worst affected state with 6 large data breaches.
| State | Data Breaches |
| --- | --- |
| New York | 6 |
| Illinois & Massachusetts | 5 |
| Texas | 4 |
| Arizona, Maryland, New Jersey & North Carolina | 3 |
| Arkansas, California, Colorado, Indiana, & Tennessee | 2 |
| Alaska, Delaware, Florida, Hawaii, Iowa, Kentucky, Michigan, Minnesota, Missouri, Montana, Nebraska, Oregon, Pennsylvania, Wisconsin & the U.S. Virgin Islands | 1 |
While Illinois and Massachusetts each had 5 data breaches, they were relatively small. Colorado was the worst affected state in terms of breached records, with the protected health information of 1,836,923 individuals compromised in its two data breaches.
| State | Individuals Affected |
| --- | --- |
| Colorado | 1,836,923 |
| New York | 1,166,177 |
| Arizona | 808,759 |
| Texas | 484,177 |
| California | 469,111 |
HIPAA Enforcement Activity in October 2024
OCR announced four financial penalties in October to resolve alleged violations of the HIPAA Rules, including three stemming from ransomware attacks. OCR has now imposed 11 financial penalties this year (as of October 31, 2024) to resolve violations of the HIPAA Rules.
Gums Dental Care
In October, OCR announced its 50th financial penalty under its HIPAA Right of Access enforcement initiative, with a $70,000 civil monetary penalty paid by the Silver Spring, MD, dental practice Gums Dental Care. A patient requested a copy of her children’s records on at least 3 occasions, but they were not provided. The dental practice claimed the records were not provided because there was no secure way of providing them electronically and the patient refused to pay a $25 fee for physical copies. OCR determined the fee was inappropriate because the patient had requested that the records be sent via email, and found no evidence that Gums Dental attempted to provide the records in any format other than mailing them.
Providence Medical Institute
An investigation of three ransomware attacks on Providence Medical Institute resulted in a civil monetary penalty of $240,000 for violating two provisions of the HIPAA Security Rule. A threat actor gained access to the network following a response to a phishing email. Files were encrypted in three attacks within a few days of each other, as the threat actor had retained access to the network after files were restored. The OCR investigation revealed a business associate was used for data management but there was no business associate agreement in place. There were also insufficient technical policies and procedures for restricting access to systems containing ePHI to only individuals and software authorized to access the data.
Plastic Surgery Associates of South Dakota
Plastic Surgery Associates of South Dakota suffered a ransomware attack after the threat actor used brute force methods against the remote desktop protocol and gained access to 2 servers and 9 workstations. OCR investigated and identified significant noncompliance with the HIPAA Rules, including the failure to conduct a risk analysis, a lack of policies and procedures to prevent, detect, contain, and correct security violations, a failure to implement policies and procedures for reviewing logs of system activity, and a lack of policies and procedures for responding to security incidents. The alleged violations were settled for $500,000.
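The log review OCR found missing in this case is illustrated below with an added example (not code from the page or from any of the organizations named): a small Python script that reads a constructed export of Windows Security events and flags source addresses with a burst of failed RDP logons, noting whether a successful logon from the same address followed. The event format, thresholds, and all sample addresses and account names are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real logs): timestamp, event ID, logon type,
# account name, source IP. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP). 203.0.113.9 tries several accounts
# in under a minute and then succeeds; 198.51.100.7 is one mistyped password.
SAMPLE_EVENTS = """\
2024-10-01T02:00:01 4625 10 administrator 203.0.113.9
2024-10-01T02:00:03 4625 10 admin 203.0.113.9
2024-10-01T02:00:06 4625 10 administrator 203.0.113.9
2024-10-01T02:00:10 4625 10 backup 203.0.113.9
2024-10-01T02:00:15 4625 10 jsmith 203.0.113.9
2024-10-01T02:00:22 4625 10 jsmith 203.0.113.9
2024-10-01T02:00:40 4624 10 jsmith 203.0.113.9
2024-10-01T08:15:00 4625 10 jsmith 198.51.100.7
2024-10-01T08:15:30 4624 10 jsmith 198.51.100.7
"""

def parse_events(text):
    """Parse the whitespace-separated sample format into typed tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.
    Returns {ip: (failure_count, sorted account names tried, success afterwards)}.
    A success from the same IP after the burst is the finding to escalate first."""
    failures = defaultdict(list)
    for ts, eid, ltype, user, ip in events:
        if ltype == 10 and eid == 4625:
            failures[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):          # sliding window over sorted failures
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1][0]
                success = any(e == 4624 and lt == 10 and src == ip and ts > burst_end
                              for ts, e, lt, _, src in events)
                findings[ip] = (j - i, sorted({u for _, u in fails[i:j]}), success)
                break
    return findings
```

Running `detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))` reports only 203.0.113.9, with 6 failures across 4 account names and a subsequent success; the single failure from 198.51.100.7 stays below the threshold.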
Bryan County Ambulance Service
The Oklahoma emergency medical service provider, Bryan County Ambulance Service, was investigated over a ransomware attack that involved the protected health information of 14,273 patients. OCR discovered Bryan County Ambulance Service had never conducted a risk analysis to identify potential risks and vulnerabilities to ePHI. This is the first enforcement action under OCR’s new risk analysis enforcement initiative. The alleged violation was settled for $90,000.
Albany ENT & Allergy Services
State Attorneys General also have the authority to seek civil monetary penalties for violations of the HIPAA Rules, although oftentimes, action is taken for equivalent violations of state laws. In October, the New York Attorney General announced a settlement had been reached with Albany ENT & Allergy Services to resolve alleged violations of New York’s Business and Executive Laws that were identified during an investigation of two ransomware attacks that were suffered in quick succession.
The investigation identified several security failures, including insufficient retention of server access logs, no security software for monitoring logs and generating alerts, encryption of sensitive data only on laptops, insufficient monitoring of vendors to ensure they were following recommended practices, and the failure to accurately identify and disclose the number of individuals affected – the reported total was 120,000 individuals, 80,000 fewer than the actual number of affected individuals.
The settlement includes $1 million in penalties and an agreement to invest $2.25 million to improve its information security program over the next 5 years, with $500,000 of the civil monetary penalty suspended. The suspended $500,000 must also be paid if $2.25 million is not invested in cybersecurity over the next 5 years.