Analysis: Third-Party Health Data Breaches Dominated in 2022

January 11, 2023 CynergisTek, Inc.

Hacking and business associate incidents were the crux of many of the largest health data breaches reported to federal regulators in 2022, foreshadowing the top risks and threats that will more than likely continue to plague healthcare entities and their vendors this year.

In 2022, some 701 major breaches affected nearly 59 million individuals, according to a snapshot on Tuesday of the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Hacking/IT incidents dominated, and 549 such breaches affected nearly 44 million people. That means hacking/IT incidents, such as ransomware attacks, accounted for nearly 80% of the breaches reported and were responsible for about 75% of people affected by all major health data breaches in 2022.

The largest of those incidents - and the biggest breach posted on the HHS site overall in 2022 - was an apparent ransomware attack on a mailing and printing services vendor, Wisconsin-based OneTouchPoint, which affected 4.1 million individuals.

Overall, 249 reported breaches involved business associates, affecting a total of nearly 24.1 million people. Vendors were at the center of nearly 36% of the reported breaches and responsible for about 42% of those people affected.

Other hacking incidents that hit business associates amounted to superspreaders, affecting their covered entity clients and ultimately their patients.

For instance, a hacking incident involving cloud-based Eye Care Leaders, detected in December 2021, resulted in dozens of covered entity clients reporting breaches affecting more than 3 million individuals in 2022.

"We continue to see ransomware incidents, including exfiltration of protected health information and extortion, as the most prevalent threat to HIPAA-covered entities and business associates, followed closely by business email compromise incidents," says privacy attorney Iliana Peters of the law firm Polsinelli.

The largest business email compromise breach appearing on the HHS OCR website in 2022 was reported last March by Illinois-based Christie Business Holdings Company, P.C., which operates Christie Clinic, affecting nearly 503,000 individuals (see: Illinois Clinic Says Nearly 503,000 Affected in Email Breach).

Other Incidents

Unauthorized access/disclosure breaches were the second-most-common type of breach reported, and 113 such incidents affected more than 7.5 million individuals.

Three of those breaches - reported by North Carolina-based WakeMed Health and Hospitals; Advocate Aurora Health, a Midwest health system; and Indiana-based Community Health Network - accounted for nearly 5 million of those affected by unauthorized access/disclosure incidents. Each involved the healthcare provider's use of the Meta Pixel tracking code in its website (see: Judge Denies Motion to Stop Health Data Scraping by Meta).

Meta faces a proposed consolidated class action lawsuit in a San Francisco federal court alleging that Facebook's parent company violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.

On the brighter side, breaches involving theft or loss of unencrypted computing devices/media continued to drop in 2022. Only 23 such incidents were reported, affecting a total of nearly 316,000 individuals.

The HHS OCR website in total shows 5,146 major health data breaches affecting more than 382 million individuals reported since September 2009.


About the Author

CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity consulting firm dedicated to serving the information assurance needs of healthcare. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.
