Privacy Briefs: September 2023

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy Volume 23, no. 9 (September 2023)

The number of data breaches affecting health care providers declined in the second half of 2022, consistent with a downward trend over the past two years, according to a report from cybersecurity firm Critical Insight. Total breaches dropped 9% between the first six months of 2022 and the second half of the year and, in fact, have been declining since a high-water mark at the height of the pandemic, the report found. However, a deeper dive into the data reveals that breach totals still are higher than pre-pandemic levels, breaches are affecting more individuals, and hackers are shifting their tactics to attack weak links in the health care system supply chain—most notably attacking electronic health record systems—the report found. There was a 35% increase in total records affected in the second half of 2022, the analysis said. “In other words, [there were] fewer breaches, but larger breaches, reflecting consolidation within the industry and the evolving tactics of attackers,” the report said. Providers are the top target: some 69% of breaches in the second half of 2022 involved health care providers, the report said. However, hackers are stepping up their attacks on business associates, Critical Insight said. In 2020, business associates accounted for just 9% of breaches; in 2022, they account for 17% of breaches, the report said. “Historically, breaches associated with business associates involve more records per breach,” Critical Insight said.[1]

Breaches in health care represent the most expensive data breaches, with the average cost of a health care breach reaching nearly $11 million in 2023, according to IBM Security’s Cost of a Data Breach report. Across all industries, the average cost of a data breach reached an all-time high in 2023 of $4.45 million, representing a 2.3% increase from the 2022 cost of $4.35 million, the report said. “Taking a long-term view, the average cost has increased 15.3% from $3.86 million in the 2020 report,” IBM Security said. The average cost of a breach in health care jumped 8.2% from 2022 to 2023, and over the past three years, has grown 53.3% overall, the report said.[2]

New Jersey-based Jefferson Health is warning patients to keep an eye on their credit reports following a potential data breach at Jefferson’s Cherry Hill Hospital. In June, the health system said, a service technician performing routine service discovered that a portable backup device had disappeared from a DEXA scan machine, which measures bone density. It’s not clear what happened to the device, according to Jefferson Health. “Through this process, Jefferson has determined that the protected health information found on this drive that may be viewable could include names, dates of birth, medical record numbers, the date of studies, and, in some cases, mailing addresses,” the health system said in a statement. “Diagnosis, phone numbers, Social Security numbers, insurance or driver’s license numbers and the actual scans are not viewable without the appropriate credentials, exact system software and additional technology.” Jefferson Health is mailing notifications to patients whose information was contained on this backup device and is urging patients to monitor their credit reports and to place a fraud alert with credit bureaus.[3]

Five states lead the pack when it comes to health care data breaches: California (558 health care breach reports since 2009), Texas (451 breach reports), New York (366 breach reports), Florida (326 breach reports) and Pennsylvania (249 breach reports), according to cybersecurity firm Surfshark. “The cybersecurity issues in these states are not limited to just healthcare breaches – they are the most heavily affected states by all major types of cybercrime, including ransomware, phishing, investment fraud, etc.,” the company said in a report. Since 2009, there have been more than 5,500 health data breach reports, according to Surfshark’s research.[4]

An attorney who filed a class-action lawsuit against Vanderbilt University Medical Center (VUMC) for disclosing transgender patients’ personal health information to the Tennessee attorney general said the HHS Office for Civil Rights (OCR) is investigating the incident. Court filings recently revealed that Attorney General Jonathan Skrmetti opened the investigation last year into VUMC’s Clinic for Transgender Health, issuing three separate civil investigative demands ordering the clinic to turn over its records. The demands came after conservative forces rallied at the state Capitol against gender-affirming care for minors, and Gov. Bill Lee (R) called for an investigation of the clinic. However, Skrmetti said he opened an investigation into Vanderbilt’s transgender clinic after he viewed a video in which the clinic’s founder described manipulating billing codes to receive payment from insurance companies that don’t cover transgender care. “This is a fraud investigation,” Skrmetti told local News Channel 5. Attorney Abby Rubenfeld, part of the team that filed the class-action lawsuit on July 24 against Vanderbilt alleging that it failed to safeguard the privacy of its patients in the transgender clinic, said that she had spoken with OCR investigators and “this is a priority for them.” Rubenfeld said that HIPAA allows medical records to be released for a civil investigation but that Vanderbilt provided more information to the attorney general’s office than was required.[5]

The Missouri Department of Social Services (DSS) said that a May data breach involving Progress Software’s MOVEit Transfer software could affect people who get health insurance through Missouri Medicaid or MOHealthNet. IBM Consulting, which operates as a vendor providing services to the Missouri state agency, uses MOVEit and was impacted by the data breach, the state said. IBM notified the state on June 2, the state said, and told state officials that it had stopped using the MOVEit Transfer application while investigating to determine if any DSS data had been accessed. “The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS,” the department said. “The incident involved a critical vulnerability in MOVEit Transfer, a third-party software application used by IBM. The MOVEit vulnerability has impacted many organizations in the United States and around the world.” The Missouri state agency said that an unauthorized party may have accessed Medicaid participant protected health information in this security incident. Information involved in the incident may include an individual’s name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information. “DSS is still reviewing the files associated with this incident,” the state agency said in a statement. “This will take us some time to complete. These files are large, are not in plain English, and are not easily readable because of how they are formatted. We are working to analyze these files as quickly as possible, and will contact additional people individually should we determine during this review that different or additional information or individuals were potentially impacted.”[6]

The Securities and Exchange Commission’s (SEC) rule requiring publicly traded companies to quickly disclose cybersecurity breaches will pose unique risks for the health care sector, data privacy and cybersecurity attorneys say. “The health care industry is going to be held to a higher standard,” said Bess Hinson, a privacy and cybersecurity attorney for Holland & Knight in Atlanta. The SEC’s requirement to report breaches within four business days means higher cybersecurity training and management costs, attorneys said. In addition, complying with the rule will mean that companies won’t always have time to halt breaches before reporting them. “Even the most technically sophisticated information security team will find it difficult to collect sufficient evidence to provide definitive notice of cybersecurity events in only four days,” said Meghan O’Connor, Mark Bina and Rachel Weiss, attorneys at Quarles & Brady LLP, in a statement about ways businesses can prepare for the SEC rule. The final SEC rule—published in the Federal Register on Aug. 4—reflects the agency’s belief that cybersecurity incidents have increased in size and severity and that oversight will inform investors of incidents and mitigate their losses.[7]

1 Critical Insight, Healthcare Data Cyber Breach Report, 1H 2023.

2 IBM Security, Cost of a Data Breach Report 2023.

3 Jefferson Health, “Jefferson Health Notifies Patients of Privacy Incident,” news release, August 15, 2023.

4 Surfshark, “Health data breaches have been rising in the U.S.,” report, August 8, 2023.

5 Nick Beres, “Lawyer: Feds now investigating release of trans medical records by Vanderbilt,” News Channel 5 Nashville, August 10, 2023.

6 Missouri Department of Social Services, “Department of Social Services encourages Missourians to monitor and protect their identity after third-party cyberattack,” news release, August 8, 2023.

7 Nyah Phengsitthy, “SEC Cybersecurity Rule Increases Costs, Risks for Health Care,” Bloomberg Law, August 10, 2023.
