April 2023 Breach Report

Each month, we review healthcare breaches posted on the Office for Civil Rights (OCR) online breach portal to determine the leading causes and how the incidents could have been prevented. The OCR publicly posts healthcare breaches that affected 500 or more individuals to ensure that all affected patients know their information could have been potentially compromised.

Based on the current numbers, April 2023 was a good month for the good guys, as only 4,419,577 records containing patients’ protected health information (PHI) were breached, continuing a two-month downward trend. Hacking/IT accounted for the largest share of PHI breached in April 2023, with more than 4,311,642 records.

In April 2023, there were 50 large-scale breaches reported, 29 of which affected healthcare providers. These 29 incidents compromised the PHI of 256,336 individuals, representing 5.8% of patients affected by the April incidents. 

Business associates reported 13 incidents that affected 4,077,019 patients, representing 92.2% of patients affected. 

Eight health plans also reported incidents affecting 86,222 patients, representing 2.0% of affected patients. 

Hacking/IT incidents were responsible for 35 breaches reported in April 2023. There were 12 breaches caused by unauthorized access or disclosure of PHI, and two incidents involving theft of PHI.

April 2023 Healthcare Breaches and Hacking

The 35 hacking incidents reported in April affected the PHI of 4,311,642 patients. These 35 incidents represented 98% of all documented records breached during the month.

Entities affected by hacking:

  • 17 healthcare providers, 140,607 patients, 3.3% of patients affected by hacking
  • 11 business associates, 4,063,393 patients, 94.2% of patients affected by hacking
  • 6 health plans, 75,676 patients, 1.8% of patients affected by hacking

Types of hacking incidents:

  • 15 hacks of network servers, 871,401 patients, 20.2% of patients affected by hacking
  • 9 email hacks, 116,900 patients, 2.7% of patients affected by hacking


How to Prevent Hacking Incidents

As hacking incidents have become the leading cause behind healthcare breaches for several years, minimizing your risk of being targeted is crucial.

Security Risk Assessments and Remediation

Security risk assessments (SRAs) are vital for security and compliance. An SRA identifies weaknesses and vulnerabilities in your security practices so that you can prepare for potential threats. Once an SRA has been conducted, it is essential to create a remediation plan that addresses each identified deficiency.

Employee Cybersecurity Training

A significant portion of hacking incidents results from phishing emails. Employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.

April 2023 Healthcare Breaches and Unauthorized Access or Disclosure

Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. April 2023 recorded 12 incidents of unauthorized access or disclosure of PHI. These incidents affected 104,113 patients, representing 2.4% of the breached records reported in April.

Entities affected by unauthorized access or disclosure:

  • 9 healthcare providers, 89,290 patients, 86.0% of patients affected by unauthorized access or disclosure
  • 2 health plans, 10,546 patients, 10.0% of patients affected by unauthorized access or disclosure
  • 1 business associate, 4,277 patients, 4.1% of patients affected by unauthorized access or disclosure

Types of unauthorized access or disclosure:

  • 2 electronic medical records incidents, 1,535 patients, 1.5% of patients affected by unauthorized access or disclosure
  • 3 network server and other incidents, 63,472 patients, 61.0% of patients affected by unauthorized access or disclosure
  • 2 email incidents, 5,802 patients, 5.6% of patients affected by unauthorized access or disclosure
  • 5 paper/film incidents, 33,304 patients, 32.0% of patients affected by unauthorized access or disclosure

How to Prevent Unauthorized Access or Disclosure

As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.

Policies and Procedures and Employee Training

HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations. 

User Authentication, Access Controls, and Audit Controls

To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication gives each employee unique login credentials, while access controls let administrators assign different PHI access levels to those credentials. Because every action is tied to a unique login, audit controls can record who accessed which data and confirm that each employee accesses PHI only as their job requires.
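The following added example (not code from the original report or from Compliancy Group) shows how the three controls fit together: a constructed role table encodes the minimum necessary PHI fields per job function, each request is tied to a unique user ID and logged, and a review pass over the audit trail flags the two failure modes the report describes, an employee reaching beyond their role and an employee looking up a patient they are not assigned to. The role names, field names, and patient IDs are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role table: the minimum PHI fields each job function needs.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing": {"name", "dob", "insurance_id"},
    "nurse": {"name", "dob", "diagnosis", "medications"},
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
}

@dataclass(frozen=True)
class User:
    user_id: str              # unique login credential, never shared
    role: str                 # access level assigned by an administrator
    panel: FrozenSet[str]     # patient IDs this user is currently assigned to

@dataclass(frozen=True)
class AuditEntry:
    user_id: str
    patient_id: str
    requested: FrozenSet[str]
    granted: FrozenSet[str]
    on_panel: bool

def access_phi(user: User, patient_id: str, fields: Set[str], audit: List[AuditEntry]) -> Set[str]:
    """Return only the fields the user's role permits, and log the attempt either way."""
    granted = set(fields) & ROLE_FIELDS.get(user.role, set())
    audit.append(AuditEntry(user.user_id, patient_id, frozenset(fields),
                            frozenset(granted), patient_id in user.panel))
    return granted

def review_audit(audit: List[AuditEntry]) -> List[str]:
    """Flag entries for compliance review: role-denied fields or off-panel lookups."""
    findings = []
    for e in audit:
        denied = e.requested - e.granted
        if denied:
            findings.append(f"{e.user_id} denied {sorted(denied)} on {e.patient_id}")
        if not e.on_panel:
            findings.append(f"{e.user_id} accessed {e.patient_id} outside assigned panel")
    return findings

def run_demo() -> Tuple[List[Set[str]], List[str]]:
    """Constructed scenario: one appropriate access, one over-privileged request, one off-panel lookup."""
    nurse = User("N001", "nurse", frozenset({"P100"}))
    biller = User("B200", "billing", frozenset({"P100"}))
    audit: List[AuditEntry] = []
    results = [
        access_phi(nurse, "P100", {"diagnosis", "medications"}, audit),   # appropriate
        access_phi(biller, "P100", {"insurance_id", "diagnosis"}, audit), # diagnosis exceeds role
        access_phi(nurse, "P999", {"name"}, audit),                       # patient not on panel
    ]
    return results, review_audit(audit)
```

Note that the third request is technically allowed by the nurse's role, so only the audit review catches it; access controls alone do not enforce the minimum necessary standard.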

April 2023 Healthcare Breaches and Other Causes

In April 2023, two healthcare providers reported the theft of paper/films to OCR that affected 3,321 individuals, representing less than 0.08% of the breached records reported. 

Also in April 2023, one healthcare provider reported the improper disposal of a desktop computer to OCR that affected 501 individuals, representing less than 0.01% of the breached records reported. 

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!