August 2024 Healthcare Data Breach Report
There was a slight increase in large healthcare data breaches in August, reversing a four-month trend of falling data breaches. In August, 49 data breaches of 500 or more healthcare records were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Despite that increase, data breaches were still well below the average monthly breaches in the first half of the year.
While there was an 8.9% month-over-month increase in reported breaches, there were 21% fewer breaches than the 12-month average of 62 data breaches a month and 32.9% fewer breaches than in August 2023.
There was a sizeable month-over-month increase in the number of compromised healthcare records, which increased by 592.8% from around 1.4 million breached records in July to 9,680,551 breached records in August, reversing a 3-month trend of decreasing breach severity.
August was the second-worst month of the year so far for breached healthcare records, but a considerable improvement on the 23 million breached healthcare records in August 2023. Over the past 12 months, an average of 9,989,003 healthcare records were breached each month (median: 9,079,469 records). In the year to August 31, 2024, there have been 491 data breaches of 500 or more records, and at least 58,668,002 records are known to have been breached. The average breach size in 2024 is currently 119,487 records and the median breach size is 4,109 records.
In August, 8 healthcare data breaches were reported as affecting 500 or 501 individuals. These are common “placeholder” figures when the 60-day reporting deadline of the HIPAA Breach Notification Rule is approaching but it has yet to be determined exactly how many individuals have been affected. August’s total of 9 million breached records could therefore be considerably higher, as could the running total of 58,668,002 records for the year, as 48 breaches are still showing on the OCR breach portal as involving 500 or 501 records, including the Change Healthcare data breach, which is thought to have affected around 100 million individuals.
Biggest Healthcare Data Breaches in August 2024
Two data breaches stood out in August due to the number of individuals affected: the 4.3 million record data breach at HealthEquity and a breach at Acadian Ambulance that affected almost 2.9 million individuals. These two breaches affected more than five times the number of individuals affected by all 45 data breaches reported in July 2024. These were the second-largest and fourth-largest data breaches of the year to date, excluding the data breach at Change Healthcare, the scale of which has yet to be officially confirmed.
HealthEquity is a health savings account (HSA) administrator and a directed third-party administrator of FSA/HRA, Commuter, COBRA, and Lifestyle plans. In March 2024, HealthEquity discovered hackers had gained access to its SharePoint environment and potentially stole sign-up information for the accounts and benefits the company administers. The next two biggest data breaches of the month were both ransomware attacks involving data theft and extortion. Acadian Ambulance was attacked by Daixin Team, a threat actor that has actively targeted the healthcare and public health sector since at least June 2022. The Florida Department of Health was hit with a ransomware attack by RansomHub, another threat group that has conducted several attacks on healthcare providers. While RansomHub attempted to extort the Florida Department of Health, the ransom was never going to be paid, as government entities are prohibited from paying ransoms under state law.
The data breaches at Specialty Networks and Alabama Cardiovascular Group affected a total of 691,571 individuals, and while little information is known about the exact nature of the attacks, such as whether ransomware was involved, data theft was confirmed in both incidents. There was also a major email data breach involving unauthorized access to email accounts at two Minnesota dental practices, Park Dental (238,667 records) and The Dental Specialists (38,442 records).
Most hacking incidents involve unauthorized access to systems containing patient data, but it is relatively rare for electronic medical records to be accessed. An electronic medical record breach was reported to the HHS in August by Pemiscot Memorial Health System, which involved unauthorized access to the protected health information of more than 33,000 patients, although little more is known about the breach. There appear to have been no media announcements, nor any substitute notice added to the health system’s website.
| HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach |
|---|---|---|---|---|
| HealthEquity, Inc. | UT | Business Associate | 4,300,000 | Hacking incident – Access gained to a SharePoint server through a business partner’s compromised device |
| Acadian Ambulance Service, Inc. | LA | Healthcare Provider | 2,896,985 | Ransomware attack by Daixin Team – Data theft confirmed |
| Florida Department of Health | FL | Healthcare Provider | 729,699 | Ransomware attack by RansomHub – Data theft confirmed |
| Specialty Networks, Inc. | TN | Business Associate | 411,037 | Hacking incident – Data theft confirmed |
| Alabama Cardiovascular Group | AL | Healthcare Provider | 280,534 | Hacking incident – Data theft confirmed |
| PDG, P.A. dba Park Dental | MN | Healthcare Provider | 238,667 | Unauthorized access to email accounts |
| Illinois Bone & Joint Institute, LLC | IL | Healthcare Provider | 182,670 | Hacking incident – Data theft confirmed |
| VeriSource Services, Inc. | TX | Business Associate | 112,726 | Hacking incident – Data theft confirmed |
| Fraser Child and Family Center | MN | Healthcare Provider | 67,000 | Hacking incident – Data theft confirmed |
| Carespring Health Care Management LLC | OH | Healthcare Provider | 64,609 | Hacked network server |
| Gramercy Surgery Center, Inc. | NY | Healthcare Provider | 50,554 | Ransomware attack by Everest Group – Data theft confirmed |
| Monte Nido | FL | Healthcare Provider | 41,662 | Hacked network server |
| Pomona Community Health Center dba ParkTree Community Health Center | CA | Healthcare Provider | 40,964 | Hacked network server |
| Dental Specialists of Minnesota, PLLC dba The Dental Specialists | MN | Healthcare Provider | 38,442 | Unauthorized access to email accounts |
| Pemiscot Memorial Health System | MO | Healthcare Provider | 33,279 | Unauthorized access to electronic medical record system |
| Internal Medicine Associates, LLC d/b/a Gastrointestinal Medicine Associates | RI | Healthcare Provider | 31,835 | Hacking incident – Data theft confirmed |
| Pocahontas Medical Clinic, PA | AR | Healthcare Provider | 31,216 | Hacked network server |
| HAH Group Holding Company, LLC d/b/a “Help At Home” | IL | Healthcare Provider | 26,744 | Hacked network server at business associate |
| United Urology Group | MD | Business Associate | 10,704 | Hacking incident – Data theft confirmed |
| PG Dental d/b/a Aire Dental Arts | NY | Healthcare Provider | 10,200 | Hacking incident – Unauthorized PHI access confirmed |
Causes of August 2024 Healthcare Data Breaches
In August, the majority of data breaches were hacking/IT incidents involving unauthorized access to network servers. Hacking/IT incidents accounted for 93.9% of the month’s data breaches and 99.6% of the month’s breached records. The average breach size in these hacking incidents was 209,608 records and the median breach size was 6,559 records. The remaining three data breaches were unauthorized access/disclosure incidents involving a total of 38,570 records. The average breach size was 12,857 records and the median breach size was 4,125 records. No loss, theft, or improper disposal incidents were reported in August.
The most common location for breached protected health information was network servers, followed by email accounts. The email account breaches involved the protected health information of at least 303,264 individuals and most likely considerably more, since four of those breaches were reported with a potential placeholder figure of 500 affected individuals.
Where did the Data Breaches Occur?
The OCR breach portal lists data breaches by the reporting entity. In August 2024, 33 data breaches were reported by healthcare providers, 11 data breaches by business associates, and 2 data breaches by health plans. Despite there being three times as many data breaches at healthcare providers as at business associates, the 11 breaches at business associates involved more healthcare records. The business associate breaches affected 4,859,632 individuals, healthcare provider breaches affected 4,819,494 individuals, and the two health plan breaches only affected 1,425 individuals.
The breaches reported by HIPAA-covered entities often include some breaches at business associates. Under HIPAA, if a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to ensure that breach notifications are issued. Each month, the HIPAA Journal determines where the breach occurred to better reflect the number of data breaches occurring at business associates. The adjusted data has been used for the pie charts below.
Geographical Distribution of Healthcare Data Breaches
In August, healthcare data breaches were reported by HIPAA-regulated entities in 28 U.S. states. California was the worst affected with 6 large healthcare data breaches, followed by Illinois and Minnesota, which each had 4 reported breaches.
The worst affected state in terms of the number of compromised records was Utah, which only had one breach, but it was the largest breach of the month involving the protected health information of 4.3 million individuals. Louisiana had two breaches involving the protected health information of 2,897,486 individuals, Florida had the records of 771,861 individuals compromised across 3 breaches, and 411,037 individuals were affected by a single breach in Tennessee.
| State | Breaches |
|---|---|
| California | 6 |
| Illinois & Minnesota | 4 |
| Arkansas, Florida, New York, & Ohio | 3 |
| Louisiana & Washington | 2 |
| Alabama, Arizona, Connecticut, Georgia, Indiana, Kansas, Maryland, Missouri, Mississippi, North Carolina, New Jersey, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah & Virginia | 1 |
HIPAA Enforcement in August 2024
The HHS’ Office for Civil Rights (OCR) is the main enforcer of HIPAA compliance. OCR investigates all data breaches of 500 or more records to assess HIPAA compliance, some smaller breaches, and complaints about potential HIPAA violations. Most HIPAA violations are addressed through voluntary compliance or technical assistance from OCR, although for particularly egregious violations financial penalties are pursued.
When OCR informs a HIPAA-regulated entity of the findings of an investigation and its intention to impose a financial penalty, the majority of HIPAA-regulated entities choose to settle the alleged violations. If a settlement is not agreed by both parties, OCR will impose a civil monetary penalty, as was the case with its single enforcement action in August.
OCR investigated a complaint from a patient of the private ambulance company, American Medical Response. The patient claimed not to have been provided with timely access to their medical records. Under the HIPAA Right of Access of the HIPAA Privacy Rule, individuals must be provided with a copy of their requested records within 30 days of submitting a request. The complainant initially requested a copy of her records on October 31, 2018, but despite making multiple requests, the records were not provided. She finally received the records on November 5, 2019, 370 days after the initial request.
American Medical Response was given the opportunity to settle the alleged HIPAA violation. Its legal counsel asked OCR to reconsider, but then failed to provide any counteroffer or otherwise engage in negotiations. In response to a letter from OCR, American Medical Response submitted evidence of mitigating factors. OCR rejected its arguments as they did not support an affirmative defense, and a civil monetary penalty of $115,200 was imposed. This was the 6th HIPAA enforcement action of 2024 to result in a financial penalty. OCR has collected $5,990,200 so far in 2024 to resolve HIPAA violations.
State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In August, a multi-state investigation of Enzo Biochem/Enzo Clinical Labs by the Attorneys General in New York, New Jersey, and Connecticut was settled for $4,500,000. Enzo Biochem/Enzo Clinical Labs were investigated over a breach of the protected health information of 2.4 million individuals in April 2023. Hackers gained access to an Enzo database server that was used for analytics and reporting, exfiltrated data relating to testing between October 2012 and April 2023, and then used ransomware to encrypt files. The investigation uncovered violations of 12 provisions of the HIPAA Security Rule and a violation of New York General Business Law.
The HIPAA Journal has tracked 6 enforcement actions by State Attorneys General in 2024 that have resulted in financial penalties totaling $21,710,000.
About This Report
The data for this report was obtained from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on September 19, 2024, and has been augmented with information from previous data breach reporting by The HIPAA Journal.
The OCR breach portal is regularly updated, as HIPAA-regulated entities are permitted to submit updates to previously reported breaches. OCR also verifies reported data breach information before adding data breaches to the OCR breach portal, so there is a delay between a breach being reported and it being added to the portal. The data in this report is correct as of September 19, 2024. Any updates made to the OCR breach data after that date will be reflected in future monthly HIPAA Journal healthcare data breach reports, which are published on or around the 20th of each month. For insights into healthcare data breach trends, be sure to visit our healthcare data breach statistics page.










