• Sign In
  • Get Started
HomeBlog4 of the Most Common Ways Private Health Information Was Breached in 2022

4 of the Most Common Ways Private Health Information Was Breached in 2022

Health data breaches risk the personal information of millions. We used Office for Civil Rights data to find the four most common breaches in 2022.
Jill Jaracz

by Jill Jaracz

April 20, 2023
Health Information Breach
Contents
1. Hacking/IT Incident2. Unauthorized Access/Disclosure3. Theft4. Loss

When cybercriminals want a lucrative target, many go after healthcare data. Healthcare is the most targeted sector for cyber criminals seeking to steal and sell Americans' private information. Attacks in this sector have doubled since 2016 and are beginning to have increasingly severe consequences for privacy and patient outcomes.

According to the Center for Internet Security, criminals are motivated to steal health-related data because people can't change their medical history. Criminals use the information to create scams targeting individuals or make fraudulent insurance claims.

Drata used reports on health data breaches from the Health and Human Services Department's Office for Civil Rights to find the four most common culprits in 2022.

The analysis includes breaches of unsecured protected health information affecting 500 or more people and is limited to those that were submitted to the Secretary of Health and Human Services within the calendar year 2022. Breaches come from various locations, including emails, servers, portable electronics, paper, and film.

Few breaches came from improper disposal of medical files—just four breaches in 2022 fell into this category.

There were more than 700 health data breaches in the United States in 2022, affecting more than 52 million people. Of those, only 1 in 5 has been resolved, by addressing the causes of the breach or assisting its victims with protecting themselves, or both. Most breaches remain under investigation.

GET AUDIT READY FASTER


Learn how workflow automation can streamline the process of achieving SOC 2 compliance.

1. Hacking/IT Incident

ransomware
  • Number of breaches: 564 (19% resolved, 81% under investigation)

  • Individuals affected: 44.2 million

  • Most common locations of breached information: Network server; email

Electronic record-keeping is relatively new in the healthcare industry. In 2008, just 9% of hospitals and 17% of office-based physicians used a certified electronic health records system. But by 2021, 96% of hospitals and 78% of office-based physicians used them, according to the Office of the National Coordinator for Health Information Technology.

Because the industry has less experience protecting electronic data, its companies also have less experience with cybersecurity, which means criminals have had an easier time hacking into servers and emails to steal information.

One such attack occurred in April 2022, when OneTouchPoint, a Wisconsin-based mailing and printing services provider for healthcare organizations, discovered a ransomware attack that left encrypted files on its servers.

The compromised systems contained personal health information such as names, addresses, birth dates, family histories, medications, and specific health services belonging to more than 2.6 million people seen by at least 34 organizations, including Humana, Kaiser Permanente, and several Blue Cross Blue Shield affiliates.

REDUCE GDPR COMPLEXITY


Mitigate business risk and reduce complexity with a complete GDPR control library and a team of experts.

2. Unauthorized Access/Disclosure

Unauthorized access/disclosure
  • Number of breaches: 115 (23% resolved, 77% under investigation)

  • Individuals affected: 7.7 million

  • Most common locations of breached information: Paper/films; network server

Breaches don't always happen when a bad actor from outside a company infiltrates a server. Employees can also conduct data breaches if they access information stored in electronic health records when it's not part of their job to do so. Healthcare companies can also inadvertently disclose patient information to other entities.

That's what happened with Advocate Aurora Health, a Chicago-area company that operates 27 hospitals.

In October 2022, the company disclosed a data breach that occurred through its use of tracking pixels provided by Google and Meta, Facebook's parent company. The pixels were supposed to help Advocate Aurora Health understand users' interaction with its websites, but they also sent health information—which by law should have been protected—belonging to 3 million patients to Facebook and Google.

3. Theft

Theft
  • Number of breaches: 22 (14% resolved, 86% under investigation)

  • Individuals affected: 462,035

  • Most common locations of breached information: Portable electronic devices; paper/films

Doctors and other healthcare providers must keep medical records on file in case they have to defend against a medical malpractice lawsuit. Each state sets the length of time that's required, which is generally five to 10 years, but there are some extremes, such as the 30 years required for hospitals in Massachusetts.

The slow adoption of electronic health records means a lot of paper files and microfilms are sitting in storage and can be vulnerable to theft.

That was the case for SAC Health System, which in March 2022 discovered that someone had broken into one of its off-site storage facilities. The loss included six boxes of paper documents that may have included patients' personally identifiable information and codes for their health diagnoses. Nearly 150,000 people were affected by this breach.

HIPAA COMPLIANCE AUTOMATION SOFTWARE


Save time managing HIPPA compliance with policies pre-mapped to controls and automated monitoring.

4. Loss

Loss
  • Number of breaches: 12 (42% resolved, 58% under investigation)

  • Individuals affected: 20,306

  • Most common locations of breached information: Portable electronic devices

Human error can also account for a portion of data breaches when information is lost. Sometimes this occurs when patient health information is put on a USB storage device or another external data storage device that goes missing. Other times, documents that are shipped never make it to their destination.

In one case, Virginia-based healthcare provider The Art and Science of Dermatology discovered that a computer was missing from its offices and could have been breached by an unauthorized user. In this instance, 4,500 patients' health information was vulnerable to theft.

Trusted Newsletter
Resources for you
Navigating the Future of GRC List

Navigating the Future of GRC: Top Insights for 2025

Bridging the GRC and DevOps Gap List

From Roadblocks to Releases: Bridging the GRC and DevOps Gap

Not everyone is keen on artificial intelligence List

Not Everyone is Keen on Artificial Intelligence: Why Some Businesses are Skeptical

Jill Jaracz
Jill Jaracz
Technical Writer

2023 Compliance Trends Report

Drata surveyed 300 established and enterprise organizations to tap the pulse of the state of risk and compliance. In doing so, we identified related trends, perceptions, and how compliance impacts the business. This year, the primary takeaway is that a mature compliance program will accelerate a business, not slow it down.

Access Report
Image - 2023 Compliance Trends Report
Related Resources
List 13 states with comprehensive privacy laws

These Are the 13 States With Comprehensive Consumer Privacy Protection Laws

Privacy by Design is Crucial to AI

Privacy by Design Is Crucial to the Future of AI

Trust & Privacy by Design Drata-s AI Philosophy (1)

Trust and Privacy by Design: Drata's AI Philosophy

How AI impacts privacy

The AI Dilemma: Harnessing the Power of AI While Protecting Privacy