Of the 421 hacking/IT incidents and unauthorized access/disclosure incidents attributed to healthcare providers across the United States reported to the U.S. Department of Health and Human Services this year, the top 15 data breaches affected 24,755,791 individuals.

WHY IT MATTERS

This year's top two largest healthcare data breaches are Change Healthcare, with 100 million individuals affected, and Kaiser Foundation Health Plan, with 13.4 million individuals affected, according to a list of the 10 largest U.S. health data breaches in 2024. While these breaches far exceeded the impact across all types of HIPAA-covered entities, healthcare providers' network servers were still a prime target for hacking or unauthorized access/disclosure, based on a search of the breach portal's data through December 30.

According to the HHS list of cases currently under investigation, the following 15 healthcare provider organizations suffered catastrophic health data breaches this year:

Of note, the federal health data breach portal does not yet contain information on an alleged massive breach stemming from a recent cyberattack on PIH Health. The California-based health system is posting regular website updates after a December 1 cyber incident but declined to comment on an alleged ransom letter that is circulating, as reported by the Whittier Daily News.

In the typewritten letter, the hackers claimed to have stolen about two terabytes of data, including 17 million patient records that contain personal and medical information, photos, patient notes and more, according to the December 14 story.

If a forensic investigation determines that data has indeed been exposed, that would push the number of individuals affected in the top 15 data breaches targeting healthcare providers across the United States in 2024 to more than 40 million individuals.

THE LARGER TREND

UnitedHealth Group said in May that it's rebuilding Change Healthcare with cloud-based security after it was devastated by a far-reaching ransomware attack by the ALPHV ransomware gang on February 21.

However, the massive payments clearinghouse outage not only exposed the most electronic protected health information of any healthcare data breach in history but also dramatically hobbled patient care, leaving healthcare providers seeking to avoid treatment delays with overwhelming financial burdens.

To address the growing threat of healthcare cyberattacks, HHS and the Office for Civil Rights announced a Notice of Proposed Rulemaking on Friday to modify the Security Standards for the Protection of Electronic Protected Health Information under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

Included are several new proposals that would require HIPAA-covered entities to encrypt ePHI with few exceptions, implement multifactor authentication and inventory their technology assets.

"Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually," OCR Director Melanie Fontes Rainer said in a statement about the first HIPAA Security Rule update since 2013.

