July 2024 Healthcare Data Breach Report
Large healthcare data breaches have fallen for the fourth consecutive month to an 18-month low. In July 2024, 43 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR). That’s the lowest monthly total since January 2023. Aside from March 2024, when there was a spike in reported data breaches, the number of data breaches has fallen each month since December 2023.
Large healthcare data breaches are down 10.4% month-over-month, down 30.6% from July 2023, and down 37.7% from July 2022.
The number of healthcare records exposed in healthcare data breaches follows a similar trend, with the number of records exposed or stolen each month also falling for the past three months.
In July 2024, 1,217,299 healthcare records were confirmed as exposed, stolen, or impermissibly disclosed, which is a 68.3% month-over-month reduction, a 92.3% reduction in breached records from April 2024, and a 95.1% reduction from July 2023.
There is a caveat, as July saw an unusually high number of healthcare data breaches reported as involving 500 or 501 healthcare records. While these breaches may have been reported with accurate figures, these numbers are commonly used as interim figures pending the completion of document reviews. The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, but when the total number of affected individuals has not been determined by the 60-day reporting deadline, the Breach Notification Rule requires an estimate to be provided of how many individuals have been affected, which should be updated when the investigation and document review have been completed. Many covered entities choose to report breaches as 500 records since that is the trigger point for the 60-day reporting deadline and for the data breach to be added to the OCR breach portal.
In July, one of the 500-record breaches was the ransomware attack on Change Healthcare. The use of the 500-record placeholder came as a surprise, since the CEO of Change Healthcare’s parent company, United Health Group, told Congress that the breach could affect up to 1 in 3 Americans – more than 110 million individuals. There was also the ransomware attack on Ascension, where the total number of affected individuals is still not known. A 500-record placeholder was used for that breach as well.
Ten breaches were reported in July 2024 using a figure of 500 or 501 records. The HIPAA Journal has not been able to obtain information about one of these breaches; however, document reviews are ongoing in the other 9 breaches, so the 500 or 501 total is likely to be an interim figure and will almost certainly increase. When these breaches are updated with accurate figures, July will likely go from one of the best months in recent years to the worst-ever month for breached healthcare records.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Delta County Memorial Hospital District (Delta Health) | CO | Healthcare Provider | 501 | Network Server hacking incident (no further information released) |
| EMS Department for the Kansas City, Kansas Fire Department | KS | Healthcare Provider | 501 | Cyberattack with confirmed data theft – Document review ongoing |
| Neuro Rehab Associates, Inc. d/b/a Northeast Rehabilitation Hospital Network | NH | Healthcare Provider | 501 | Ransomware attack with data theft (Hunters International) – Document review ongoing |
| Franklin County, Kansas | KS | Healthcare Provider | 501 | Ransomware attack with data theft (Rhysida) – Document review ongoing |
| Palomar Health Medical Group | CA | Healthcare Provider | 501 | Ransomware attack with data theft – Document review ongoing |
| Maryville, Inc. | NJ | Healthcare Provider | 501 | Email hacking incident – Document review ongoing |
| Special Health Resources of Texas, Inc. | TX | Healthcare Provider | 500 | Ransomware attack with data theft – Document review ongoing |
| Change Healthcare, Inc. | MN | Business Associate | 500 | Ransomware attack (Blackcat) – Document review ongoing |
| Hospital Auxilio Mutuo | PR | Healthcare Provider | 500 | Cyberattack with confirmed data theft – Document review ongoing |
| Ascension Health | MO | Healthcare Provider | 500 | Ransomware attack with data theft (Black Basta) – Document review ongoing |
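The interim-figure caveat above (and the per-cause averages and medians reported later in this article) can be reproduced from a breach-portal export. The following is an added example, not code from HIPAA Journal or OCR; the rows are constructed in the shape of a portal CSV export and the column names and the 500/501 placeholder rule are assumptions made for the example.

```python
import csv
import io
import statistics

# Constructed sample rows in the shape of an OCR breach-portal export (not real portal data).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Type of Breach
Example Hospital A,CO,Healthcare Provider,501,Hacking/IT Incident
Example Clinic B,TX,Healthcare Provider,500,Hacking/IT Incident
Example Lab C,FL,Healthcare Provider,300000,Hacking/IT Incident
Example Plan D,NE,Health Plan,107894,Hacking/IT Incident
Example Practice E,NJ,Healthcare Provider,3435,Unauthorized Access/Disclosure
Example Pharmacy F,CA,Healthcare Provider,26000,Hacking/IT Incident
"""

# Counts commonly filed as interim placeholders pending document review (assumed rule).
PLACEHOLDER_COUNTS = {500, 501}


def load_breaches(csv_text):
    """Parse portal-style CSV text into dicts with an integer record count."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
    return rows


def is_probable_interim(row):
    """True when the reported count is the 500/501 reporting-threshold placeholder."""
    return row["Individuals Affected"] in PLACEHOLDER_COUNTS


def monthly_summary(rows):
    """Month totals with the interim-figure caveat made explicit, plus hacking/IT stats."""
    interim = [r for r in rows if is_probable_interim(r)]
    confirmed = [r for r in rows if not is_probable_interim(r)]
    hacking = [r for r in rows if r["Type of Breach"] == "Hacking/IT Incident"]
    sizes = [r["Individuals Affected"] for r in hacking]
    return {
        "breaches": len(rows),
        "records_reported": sum(r["Individuals Affected"] for r in rows),
        "records_confirmed": sum(r["Individuals Affected"] for r in confirmed),
        "probable_interim": [r["Name of Covered Entity"] for r in interim],
        "hacking_share_pct": round(100 * len(hacking) / len(rows), 1),
        "hacking_mean": round(statistics.mean(sizes)),
        "hacking_median": statistics.median(sizes),
    }


if __name__ == "__main__":
    for key, value in monthly_summary(load_breaches(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Re-running the summary once the flagged entities file updated counts shows how far the month's "confirmed" total moves.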
Biggest Healthcare Data Breaches in July 2024
The biggest healthcare data breaches reported in July are likely to be the ransomware attacks on Change Healthcare and Ascension; however, the scale of those data breaches may not be confirmed for several weeks or months. In July, thirteen data breaches were reported to OCR that involved 10,000 or more healthcare records. The largest confirmed data breach affected the Arkansas healthcare provider, Arisa Health, and impacted more than 375,000 individuals. The exact nature of that hacking incident is unknown, other than that it involved unauthorized access to a network server. The second biggest data breach was reported by the Florida drug testing lab American Clinical Solutions. The cause of that breach is known since the RansomHub ransomware group claimed responsibility for the attack. That breach affected up to 300,000 individuals.
July saw a relatively large number of phishing incidents reported by HIPAA-regulated entities, including 4 of the largest breaches in the month. One of those breaches involved unauthorized access to 11 employee email accounts, and the phishing attack on Michigan Medicine was the second phishing attack to hit the healthcare provider in the space of a year.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Arisa Health Incorporated | AR | Healthcare Provider | 375,436 | Hacked network server – Data theft possible |
| American Clinical Solutions | FL | Healthcare Provider | 300,000 | Ransomware attack (RansomHub) – Data theft confirmed |
| United of Omaha Life Insurance Company | NE | Health Plan | 107,894 | Phishing attack with 1 compromised email account |
| New Jersey Oral & Maxillofacial Surgery | NJ | Healthcare Provider | 74,413 | Hacked network server – Data theft confirmed |
| DaVita Inc. | CO | Healthcare Provider | 67,443 | Use of tracking technologies on its website |
| University of Michigan/Michigan Medicine | MI | Healthcare Provider | 56,953 | Phishing attack – 3 compromised email accounts |
| Surgery Center of Mid Florida | FL | Healthcare Provider | 48,684 | Ransomware attack – Data theft possible |
| The Medibase Group, Inc. | GA | Business Associate | 35,106 | Hacked network server – Data theft possible |
| Janna Pharmacy LLC | CA | Healthcare Provider | 26,000 | Unauthorized access to email environment (no further information available) |
| Human Technology Inc., and its affiliates | TN | Healthcare Provider | 24,580 | Hacked network server – Data theft possible |
| Allcare Medical Management Incorporated | CA | Business Associate | 16,378 | Phishing attack with 1 compromised email account |
| Patented Acquisition Corporation | OH | Business Associate | 12,787 | Network server hacking incident (no further information available) |
| Aveanna Healthcare, LLC | GA | Healthcare Provider | 10,482 | Phishing attack with 11 compromised email accounts |
Causes of July 2024 Healthcare Data Breaches
The healthcare industry has been targeted by ransomware and extortion groups, and while these groups continue to conduct attacks in large numbers, the blockchain analysis firm Chainalysis has identified a trend of ransomware groups focusing on ‘quality’ rather than quantity by going big game hunting: targeting the largest organizations, where they can cause incredibly costly disruptions, steal large amounts of data, and demand large ransom payments. The focus on big game hunting could be a response to fewer victims of ransomware attacks paying the ransom. Chainalysis and the ransomware remediation firm Coveware both report falling numbers of ransom payments. Coveware reports that Q1 2024 saw the lowest-ever percentage of victims paying the ransom, just 28%.
It is difficult to determine from breach reports and notifications the extent to which healthcare organizations are falling victim to ransomware attacks, since the cause of the attack is often not disclosed beyond involving unauthorized access to network servers. What is clear from the breach reports is that the majority of the breaches now being reported are due to hacking and other IT incidents, which in July 2024 accounted for 83.7% of all reported breaches (36 incidents) and 91% of the month’s breached records (1,107,192 records). The average size of these breaches was 30,755 records and the median breach size was 2,740 records.
The remaining 16.3% of the month’s breaches were unauthorized access/disclosure incidents, which included three breaches involving unauthorized access to email accounts, one breach involving unauthorized access to a network server, one instance of unauthorized access to electronic medical records, and two impermissible disclosures of physical PHI. Across these breaches, 110,107 healthcare records were impermissibly accessed or disclosed, with an average breach size of 15,730 records and a median breach size of 3,435 records. In July there were no breaches involving the loss, theft, or improper disposal of healthcare records.
In July 2024, the most common location of breached healthcare data was network servers; however, there were 10 breaches reported involving PHI stored in email accounts, including four of the month’s largest healthcare data breaches.
Where did the Data Breaches Occur?
The OCR breach portal lists data breaches by the reporting entity. In July 2024, 31 breaches were reported by healthcare providers, 7 breaches by health plans, and 5 breaches by business associates of HIPAA-covered entities. Healthcare provider breaches involved 1,027,292 records, health plan breaches involved 121,866 records, and business associate breaches involved 68,141 records.
The figures for HIPAA-covered entities include some data breaches that occurred at business associates but were reported by the affected HIPAA-covered entities. Each month, the HIPAA Journal determines where the breach occurred to better reflect the number of data breaches occurring at business associates. The adjusted data has been used for the pie charts below.
Geographical Distribution of Healthcare Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico, with California and Georgia the worst affected states with four breaches each, followed by Indiana and Ohio which each had three data breaches. The worst affected states in terms of breached records were Arkansas (375,436 records), Florida (348,684 records), Nebraska (107,894 records), New Jersey (74,914 records), and Colorado (67,944 records).
| State | Breaches |
|---|---|
| California & Georgia | 4 |
| Indiana & Ohio | 3 |
| Colorado, Florida, Kansas, New Jersey, Oregon, Tennessee & Texas | 2 |
| Alabama, Arizona, Arkansas, Delaware, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Carolina, Virginia, Washington & Puerto Rico | 1 |
HIPAA Enforcement Activity in July 2024
For the past three months, no settlements or civil monetary penalties had been announced by OCR, but a settlement was announced in July. Heritage Valley Health System is a 3-hospital health system with more than 50 physician offices and community satellite facilities in Pennsylvania, eastern Ohio, and the panhandle of West Virginia. Heritage Valley Health System was affected by a global malware attack in 2017, in which the malware was transferred through a connection with one of its business associates.
OCR launched an investigation of the data breach and identified several noncompliance issues, including the failure to conduct a risk analysis, a lack of policies/procedures for responding to an emergency, and a lack of technical policies and procedures for restricting access to systems containing ePHI. OCR proposed a financial penalty and Heritage Valley Health System agreed to settle with OCR and pay a $950,000 financial penalty. This was the 5th penalty to be imposed by OCR in 2024 to resolve HIPAA violations, and brings the total collections from January 1, 2024, to July 31, 2024, up to $5,775,000.
State Attorneys General can also impose financial penalties for HIPAA violations. In July, Washington announced that a settlement had been reached with the plastic surgery practice Allure Esthetic for falsely inflating online ratings, bribing and threatening patients, and requiring patients to sign a non-disclosure agreement and waive their rights under HIPAA. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrolment, or benefits eligibility on an individual granting authorization to disclose protected health information. Allure Esthetic agreed to settle the alleged violations of HIPAA and state laws and paid a $5 million financial penalty.
About This Report
Our July 2024 healthcare data breach report is based on data obtained from OCR on data breaches of 500 or more records reported to OCR between July 1 and July 31, 2024. The data for this report was obtained from OCR on August 19, 2024, and other sources throughout the month. You can find out more about healthcare data breaches from 2009 to 2024 in our healthcare data breach statistics article.