August 2023 Healthcare Data Breach Report
There was a 21.4% month-over-month increase in healthcare data breaches in August. 68 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, which makes August the second-worst month of the year for data breaches, with the number of reported breaches well above the 2023 monthly average of 58.2 data breaches per month. 463 healthcare data breaches have been reported this year up to August 31, 2023 – a slight increase from the 460 data breaches reported in the corresponding period last year.
While there was a 34.3% month-over-month fall in the number of breached records, July’s total was exceptionally high. In August, almost 12 million records were reported as having been exposed or stolen, which is well above the 2023 average of 7.49 million records a month.
So far in 2023, the records of 71,479,579 individuals have been exposed or stolen. At this time last year, 29.27 million records had been breached, and 2022 was a bad year for breached healthcare data. If healthcare data breaches continue to occur at the scale seen in the first 8 months of the year, 2023’s total will not be far short of the 112,466,720 records that were breached in 2015. – See our healthcare data breach statistics page for more info.
In August 2023, 26 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, 15 of which were data breaches of 100,000 or more records, and 3 involved the records of more than 1 million individuals. 15 of the 26 data breaches, including the two largest data breaches of the month, were due to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software issued a security alert about the vulnerability on May 31, 2023, and released a patch the same day to fix the vulnerability; however, it had already been mass exploited by the Clop group. The Clop group exfiltrated data and issued ransom demands, payment of which was required to prevent the release of the stolen data on the group’s data leak site.
The scale of the mass exploitation of the vulnerability is now becoming clearer. Kon Briefing is tracking reports of the MOVEit attacks, and 1,203 organizations are now known to have had the vulnerability exploited, with the records of between 54.2 million and 59 million individuals stolen. The ransomware remediation firm Coveware estimates that the Clop group has earned between $75 million and $100 million from the attacks.
Three of the top 26 data breaches in August were confirmed ransomware attacks, although ransomware attacks are not always reported as such and the HIPAA Journal has not been able to obtain information on the nature of some of the reported hacking incidents in August. Two of the ransomware attacks were conducted by the Royal ransomware group, which continues to target healthcare organizations. The Health Sector Cybersecurity Coordination Center issued a warning about Royal ransomware in December 2022, and CISA and the FBI published a joint cybersecurity advisory about Royal ransomware in March 2023.
The Largest Healthcare Data Breaches Reported in August 2023
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Colorado Department of Health Care Policy & Financing | CO | Health Plan | 4,091,794 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Performance Health Technology | OR | Business Associate | 1,750,000 | Hacking of MOVEit Transfer solution (Clop) |
| PurFoods, LLC | IA | Healthcare Provider | 1,229,333 | Ransomware attack |
| Missouri Department of Social Services | MO | Health Plan | 739,884 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Radius Global Solutions | MN | Business Associate | 600,794 | Hacking of MOVEit Transfer solution (Clop) |
| The Harris Center for Mental Health and IDD | TX | Healthcare Provider | 599,367 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Unum Group SACE | TN | Health Plan | 531,732 | Hacking of MOVEit Transfer solution (Clop) |
| Virginia Dept. of Medical Assistance Services | VA | Health Plan | 423,824 | Hacking incident involving business associate (no information available) |
| El Centro Del Barrio d/b/a CentroMed | TX | Healthcare Provider | 350,000 | Hacking incident (details not disclosed) |
| Morris Hospital & Healthcare Centers | IL | Healthcare Provider | 248,943 | Ransomware attack (Royal) |
| EMS Management and Consultants Inc | NC | Business Associate | 223,598 | Hacking of MOVEit Transfer solution (Clop) |
| Health Care Service Corporation | IL | Health Plan | 192,231 | Hacking incident involving business associate (no information available) |
| The University of Massachusetts Chan Medical School | MA | Business Associate | 134,394 | Hacking of MOVEit Transfer solution (Clop) |
| Illinois Department of Public Health | IL | Healthcare Provider | 126,000 | Hacking incident (no information available) |
| VNS Health Plans | NY | Health Plan | 103,775 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| IEC Group, Inc. dba AmeriBen | ID | Business Associate | 74,884 | Unauthorized access to email account |
| Data Media Associates | GA | Business Associate | 74,730 | Hacking of MOVEit Transfer solution (Clop) |
| Milan Eye Center | GA | Healthcare Provider | 67,336 | Hacking incident at business associate (MedicWare Inc.) |
| American National Group, LLC | TX | Health Plan | 47,711 | Hacking of MOVEit Transfer solution (Clop) |
| Blue Cross Blue Shield of Arizona | AZ | Health Plan | 47,485 | Hacking incident at business associate (TMG Health) – data theft confirmed |
| Premera Blue Cross | WA | Health Plan | 33,212 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Self-insured group health plans sponsored by the City of Dallas | TX | Health Plan | 30,253 | Ransomware attack (Royal) |
| Baesman Group, Inc. | OH | Business Associate | 24,757 | Hacking of MOVEit Transfer solution (Clop) |
| Indiana University Health | IN | Health Plan | 21,383 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Serco Inc. Group Health Plan | VA | Health Plan | 10,140 | Hacking of MOVEit Transfer solution (Clop) at business associate |
| Absolute Dental Services | NC | Business Associate | 10,037 | Email account breach |
Data Breach Types and Data Locations
A majority of the month’s HIPAA compliance data breaches were classed as hacking and other IT incidents, which accounted for 83.8% (57) of the month’s data breaches and 99.2% (11,815,507) of the month’s breached records. The average size of these data breaches was 207,290 records and the median breach size was 8,175 records.
There were 10 data breaches classified as unauthorized access or disclosure incidents, across which 90,468 records were accessed by or disclosed to unauthorized individuals. The average data breach size was 9,047 records and the median breach size was 1,434 records. There was one theft incident reported – a stolen, unencrypted laptop that contained up to 4,000 records. No loss or improper disposal incidents were reported in August. Unsurprisingly, given the large number of hacking incidents, network servers were the most common location of breached protected health information followed by email accounts.
Where did the Data Breaches Occur?
The raw data from the OCR data breach portal indicates healthcare providers were the worst affected entity type in August, with 30 healthcare providers reporting data breaches, along with 19 health plans and 19 business associates. These figures do not tell the full story, however, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this, the charts below show where the data breaches occurred rather than the entity that reported the data breach.
The average size of a business associate data breach in August was 250,875 records (median: 10,037 records), compared to the 89,344 records at health plans (median: 8,487 records), and 83,425 records at healthcare providers (median: 1,556 records).
Geographical Distribution of Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 33 states plus the District of Columbia. Texas and Illinois were the worst affected states.
| State | Breaches |
|---|---|
| Texas | 7 |
| Illinois | 6 |
| California, Georgia & Massachusetts | 4 |
| Indiana, New York, Pennsylvania & Virginia | 3 |
| Colorado, Minnesota, Missouri, New Jersey, North Carolina & Washington | 2 |
| Arizona, Connecticut, Florida, Idaho, Iowa, Kentucky, Louisiana, Maryland, Michigan, Mississippi, Ohio, Oklahoma, Oregon, South Carolina, Tennessee, Utah, Vermont, West Virginia & the District of Columbia | 1 |
HIPAA Enforcement Activity in August 2023
The HHS’ Office for Civil Rights announced one HIPAA enforcement action in August. OCR investigated a complaint against UnitedHealthcare and identified a potential violation of the HIPAA Right of Access, as a patient had not been provided with timely access to their requested medical records. It took 6 months from the date of the request for the records to be provided. UnitedHealthcare said the failure was due to employee oversight and chose to settle the case and pay an $80,000 penalty. This was the 45th enforcement action under OCR’s HIPAA Right of Access to result in a financial penalty. No HIPAA enforcement actions were announced by state attorneys general in August, nor by the FTC to resolve violations of the FTC Act or FTC’s Health Breach Notification Rule by non-HIPAA-regulated entities.