July 2023 Healthcare Data Breach Report
There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.
There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.
The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.
Largest Healthcare Data Breaches Reported in July
HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.
The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
| HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking Incident – External, electronic storage facility used by a business associate |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus) |
| Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident |
| Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident |
| The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group) |
| New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident |
| Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc) |
| Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident |
| Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident |
| Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website |
| The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records |
Causes of July 2023 Data Breaches
Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.
There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.
Where did the Data Breaches Occur?
The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.
The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.
Geographical Distribution of Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.
| State | Breaches |
| Texas | 7 |
| Florida | 6 |
| California | 5 |
| Maryland, Pennsylvania & Tennessee | 4 |
| Arizona & North Carolina | 3 |
| Connecticut, Illinois & Minnesota | 2 |
| Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1 |
HIPAA Enforcement Activity in July 2023
There were no enforcement actions announced by OCR or state attorneys general in July to resolve violations of HIPAA compliance.
