May 2024 Healthcare Data Breach Report
There has been a fall in the number of reported healthcare data breaches for the second consecutive month to the lowest monthly total since October 2023. In May, 51 data breaches of 500 or more healthcare records were reported to the Department of Health and Human Services Office for Civil Rights (OCR), well below the 12-month average of 65 large data breaches a month.
Such a low total has not been seen in May since 2020, with reported breaches down 7.3% from the previous month and 33.8% from May 2023.
While there has been a reduction in reported data breaches, they are still up by 22% for the year. 333 data breaches of 500 or more records were reported to OCR between January 1, 2024, and May 31, 2024, compared to 273 for the corresponding period last year. The average breach size in 2024 is 123,785 records and the median data breach size is 3,716 records. Across those 333 data breaches, the records of 41,220,380 individuals have been exposed or stolen.
Even with two massive data breaches of 2.8 million and 2.5 million records in May, there was a fall in the number of breached healthcare records. Across the 51 reported data breaches, 8,468,460 individuals had their protected health information compromised.
The number of individuals affected by large healthcare data breaches is down 44.8% from April 2024 and 60.6% from April 2023 and is below the 12-month average of 9,002,020 breached healthcare records per month. Over the past 12 months, an average of 11.42 million records were breached each month with a median of 8.49 million breached records per month.
Largest Healthcare Data Breaches in May 2024
In May 2024, 20 data breaches of 10,000 or more records were reported to OCR, including 8 breaches of 100,000 or more records and two breaches over 2.5 million records. The largest data breach was reported by A&A Services, a Nebraska-based Medication Benefit Management solution provider that operates as Sav-Rx. The cyberattack was not reported as a ransomware attack, but ransomware is suspected of being used based on the wording of its breach notice. Sav-Rx confirmed that data was stolen in the attack and up to 2,812,336 individuals were affected.
WebTPA, a Texas-based provider of administration services to health insurance and benefit plans, did not state the nature of its hacking incident nor whether health plan member data was obtained in the attack. While the intrusion was reported in May, the attack happened more than a year previously, with hackers having access to its network for 6 days in April 2023. There was a similar delay in issuing notification letters about a hacking incident at the Illinois-based EMS service provider Superior Air-Ground Ambulance Service. Notifications were mailed in May 2024, with hackers accessing its network for 9 days in May 2023. The records of 858,238 users of its services were exposed in the attack.
United Seating and Mobility, L.L.C., a provider of wheelchair and mobility equipment that does business as Numotion, was able to issue notification letters in a much more reasonable time frame. It discovered the ransomware attack on March 2, 2024, and issued notification letters in May. Hackers had access to its network for 3 days from February 29, 2024.
The next two largest data breaches occurred at the San Antonio, TX, healthcare provider CentroMed and Affiliated Dermatologists and Dermatologic Surgeons in New Jersey. These were both extortion-only incidents affecting 400,000 and 380,000 individuals respectively. Hackers accessed their networks, stole data, and demanded a ransom to prevent the data from being leaked. Ransomware was not used in either of these incidents.
At the time of compiling the data for this data breach report, 6 data breaches had been reported to OCR as affecting 500 or 501 individuals. These numbers are commonly used as placeholders to meet reporting requirements when the total number of affected individuals has yet to be determined.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| A&A Services d/b/a Sav-Rx | NE | Business Associate | 2,812,336 | Ransomware attack – data theft confirmed |
| WebTPA Employer Services, LLC (“WebTPA”) | TX | Business Associate | 2,518,533 | Hacked network server |
| Superior Air-Ground Ambulance Service, Inc. | IL | Healthcare Provider | 858,238 | Hacked network server |
| United Seating and Mobility, L.L.C., d/b/a Numotion | TN | Healthcare Provider | 602,265 | Ransomware attack – data theft confirmed |
| El Centro Del Barrio d/b/a CentroMed | TX | Healthcare Provider | 400,000 | Data theft and extortion incident (Karakurt threat group) |
| Affiliated Dermatologists and Dermatologic Surgeons, P.A. | NJ | Healthcare Provider | 380,000 | Data theft and extortion incident – no file encryption |
| AmerisourceBergen Specialty Group, LLC | PA | Healthcare Provider | 252,214 | Hacked network server – data theft confirmed |
| MedStar Health, Inc. | MD | Healthcare Provider | 183,079 | Unauthorized access to employee email accounts |
| Trionfo Solutions, LLC | IL | Business Associate | 81,588 | Hacked network server |
| Victoria Eye Center/Victoria Surgery Center/Victoria Vision Center | TX | Healthcare Provider | 80,000 | Ransomware attack – data theft confirmed |
| Adventist Health Tulare | CA | Healthcare Provider | 70,802 | Hacking incident at business associate (Signature Performance) – data theft confirmed |
| Hypertension-Nephrology Associates, P.C. | PA | Healthcare Provider | 39,491 | Data theft and extortion incident – no file encryption |
| Columbia University Irving Medical Center | NY | Healthcare Provider | 29,629 | Exposed file on the Internet – unauthorized access confirmed |
| Brockton Area Multi Services, Inc. | MA | Healthcare Provider | 21,537 | Hacked network server |
| Omni Healthcare Financial Holdings | NC | Business Associate | 16,852 | Ransomware attack |
| UnitedHealthcare Insurance Company | CT | Business Associate | 16,665 | Unauthorized access to paper records |
| Texas Panhandle Centers | TX | Healthcare Provider | 16,394 | Hacked network server – data theft confirmed |
| Lakeview Health Systems, LLC | FL | Healthcare Provider | 10,772 | Hacked network server |
| Call 4 Health, Inc. | FL | Business Associate | 10,434 | Break-in and theft of password-protected laptop computers |
| University of Chicago Medical Center | IL | Healthcare Provider | 10,332 | Unauthorized access to employee email accounts |
Data Breach Causes and Location of Compromised PHI
Hacking and other IT incidents were the cause of the majority of data breaches reported in May, accounting for 76.5% of reported breaches and 99.3% of all breached records. The records of 8,407,641 individuals were compromised in these incidents, with an average breach size of 215,581 records and a median breach size of 7,260 records. The number of hacking/IT incidents fell by 11.4% from April 2024, but there was a 338% month-over-month increase in breached records.
There were 11 unauthorized access/disclosure incidents involving the records of 58,939 individuals, 0.7% of the month’s breached records. The average breach size was 5,358 records and the median breach size was 1,427 records. Unauthorized access/disclosure incidents were up 21.6% month-over-month, but despite that increase, the number of records breached in these types of incidents fell by 22,683%. Only one theft incident was reported – a stolen laptop computer containing the unencrypted data of 1,880 individuals.
The most common location of breached protected health information was network servers; however, May was a particularly bad month for email account breaches, with one-third of the month’s data breaches involving hacked email accounts. Most email breaches are preventable if email best practices are adhered to, such as implementing phishing-resistant multi-factor authentication.
Where did the Data Breaches Occur?
The OCR breach portal lists data breaches by the reporting entity and shows there were 38 data breaches reported by healthcare providers involving 2,992,405 records (average: 78,748 records; median 2,166 records), 10 data breaches at business associates involving 5,465,269 records (average: 546,527 records; median: 13,1550 records), 2 breaches at health plans involving 9,692 records (average/median: 4,846 records), and 1 breach at a healthcare clearinghouse involving 1,094 records.
The figures for HIPAA-covered entities include some data breaches at business associates, as some covered entities choose not to delegate the responsibility for issuing notifications to the business associate who experienced the breach. As such, business associate data breaches are underrepresented in the raw OCR data.
Each month, the HIPAA Journal determines where the breach occurred to better reflect the number of data breaches occurring at business associates. In May 2024, there were 37 data breaches at healthcare providers, 12 at business associates, 1 health plan breach, and 1 breach at a healthcare clearinghouse. While business associate data breaches only accounted for 23.5% of the month’s breaches, they involved 5,545,262 healthcare records – 65.5% of the month’s total. Healthcare provider breaches affected 2,921,603 patients, 1,094 individuals were affected by a breach at a healthcare clearinghouse, and the health plan breach affected at least 501 individuals.
Geographical Distribution of Healthcare Data Breaches
Data breaches of 500 or more records were reported by HIPAA-regulated entities in 20 U.S. states in May, with Florida, Illinois, and Tennessee the worst affected states, with 5 reported data breaches each. While those states shared the top spot in terms of the number of breaches, Florida only had 24,564 records breached whereas 605,667 records were breached in Tennessee, and 952,538 records were breached in Illinois. The top two states in terms of breached records were Texas with 3,014,927 records breached and Nebraska with 2,812,837 breached records.
| State | Breaches |
|---|---|
| Florida, Illinois & Tennessee | 5 |
| California, New York, Pennsylvania & Texas | 4 |
| Connecticut & Massachusetts | 3 |
| Minnesota, Nebraska & Oregon | 2 |
| Alabama, Arizona, Arkansas, Maryland, Michigan, New Jersey, North Carolina & Wisconsin | 1 |
HIPAA Enforcement Activity in April 2024
No settlements or civil monetary penalties were announced by OCR in May 2024, with the year’s total remaining on 4 enforcement actions and $4,925,000 in penalties paid to resolve alleged HIPAA violations. State Attorneys General also enforce HIPAA compliance, but no penalties were imposed in May.