Many health systems and healthcare companies have suffered cyberattacks in the first six months of the year, or have been affected by a breach at one of their vendors. Millions of Americans have been affected.
More than 31 million Americans have been affected by the 10 largest breaches of health data in the first half of the year.
And that comes with a big caveat.
It’s still unclear how many people may have been impacted by two high-profile cyberattacks: the ransomware attacks of Change Healthcare, a subsidiary of UnitedHealth Group, and the Ascension health system. So that number is likely to grow significantly.
Plus, that’s only looking at the impact of the biggest breaches. Millions more have been affected by other attacks or the unauthorized disclosure of private information. There have been 341 breaches reported to the Department of Health and Human Services in the first half of the year, according to the department’s database.
The Change Healthcare attack caused widespread disruption for hospitals and other providers, because the company provides so many business functions for so many providers, including processing claims and prescriptions. UnitedHealth has said the number of individuals affected “could cover a substantial portion of people in America.”
Change Healthcare discovered the attack in February, and lawmakers have pressed UnitedHealth for clarity on how many people have been affected. The Department of Veterans Affairs has warned that as many as 15 million veterans may be affected.
Ascension has also been working to recover from its attack on May 8, and said in mid-June that it has restored its electronic health records across the system. The attack affected patient care, as some hospitals had to divert ambulances and some non-emergency surgeries were postponed. Ascension operates 140 hospitals and scores of other healthcare sites in 19 states and Washington, D.C.
Wes Wright, chief healthcare officer of Ordr, Inc., a cybersecurity firm, says healthcare organizations are vulnerable because so many records are digital.
But he says recent high-profile attacks underscore some basic problems with many healthcare organizations in their approach to cybersecurity, including segmenting systems so a breach in one area doesn’t take down an entire health system.
“It's all about fundamentals,” Wright tells Chief Healthcare Executive®. “I mean, where we're getting beaten is in the blocking and the tackling.”
The Health Department’s Office for Civil Rights requires organizations to report any breach of health data involving more than 500 individuals. As of July 1, Change Healthcare and Ascension haven’t reported their estimates of the number of individuals affected.
Still, several organizations have reported breaches that affected more than 1 million individuals. In 2023, the large breaches reported to the government affected more than 134 million people, more than 1 in 3 Americans, an increase of 141% from 2022, according to the department.
The full impact of this year’s attacks won’t be known for some time, but clearly cybersecurity remains a stubborn problem for hospitals, health systems and other providers.
Here’s a look at the 10 largest data breaches that have been reported to the health department’s database in the first half of 2024. Most involve cyberattacks, but a couple involve the inadvertent disclosure of private health information.
It’s also worth noting some breaches involve vendors working with hospitals and other providers, and that’s a growing area of concern in cybersecurity.
1. Kaiser Permanente
The California-based health system says as many as 13.4 million Americans may have been affected by a data breach.
Kaiser Permanente says online technologies may have sent personal information to other parties, including Google, Bing, and X. The personal data may have been sent when patients and members accessed websites or mobile applications. Other similar breaches have occurred.
Kaiser Permanente’s health plan has about 12.5 million members, and the organization also operates 40 hospitals in several states.
The system said in late April that there’s no evidence that there has been any misuse of patient information, but notified individuals “out of an abundance of caution.”
“We apologize that this incident occurred,” Kaiser Permanente said in a statement.
2. Concentra Health Services
The Texas-based company, a division of Select Medical, says it has been impacted by a breach that affected nearly 4 million people, the health department said. Concentra said the breach occurred due to a third party, Perry Johnson & Associates, Inc.
“This event occurred solely at PJ&A and was not the result of any activities or inactions on Concentra’s part,” Concentra said in a statement in February.
Concentra offers occupational medicine, urgent care, physical therapy and other services at more than 540 medical centers. The company also serves employers and operates more than 140 onsite facilities.
PJ&A, which provides medical transcription services to healthcare organizations, said it uncovered a breach of private health information. The company says it has added security measures to prevent future attacks.
3. Sav-Rx
A&A Services, doing business as Sav-Rx, was hit with a cyberattack and estimates that 2.8 million individuals have been affected, according to the health department.
In a message to customers on its website, Sav-Rx said, “an unauthorized third party was able to access certain non-clinical systems and obtain certain files that contained personal information. However, in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.”
The company is offering free credit monitoring and identity theft protection to customers for two years.
Sav-Rx said it conducted a thorough investigation and says it isn’t aware of third parties using the data. The company said it concluded its investigation April 30.
4. WebTPA
WebTPA Employer Services, LLC, which handles administrative services for benefits plans and insurance companies, experienced a data breach affecting more than 2.5 million people, according to the health department.
The company said in a statement that it detected suspicious activity on its network in late December and launched an investigation, which found that an unauthorized party may have obtained personal information. WebTPA said the investigation into the extent of the breach was completed in March 2024.
The company, which is based in Texas, said it’s providing two years of identity monitoring services to customers. The information accessed included names, Social Security numbers, and insurance information, among others, the company said.
5. INTEGRIS Health
The Oklahoma health system suffered a cyberattack affecting nearly 2.4 million people, the health department says.
INTEGRIS said in a message to patients and community members that intruders accessed private health information, including Social Security numbers and birth dates. However, the system said no financial information or payment information was accessed.
The health system also said some individuals were contacted by a group claiming responsibility for the breach, but urged individuals not to respond or engage with the group.
6. Medical Management Resource Group
The organization suffered a breach affecting more than 2.3 million people, the health department says.
The company, based in Arizona, does business as American Vision Partners and was the victim of a hacking incident that was discovered on Jan. 16, 2024, according to the Maine Attorney General’s office.
The exposed information varies for different individuals, but could have included Social Security numbers, dates of birth, banking information and passport information. American Vision Partners is an eye care management organization.
7. Geisinger
The Pennsylvania health system suffered a data breach that has affected more than 1.2 million individuals, according to the health department.
Geisinger said last week that the breach is tied to a cybersecurity incident involving Nuance Communications, an outside vendor. The data was accessed by a former Nuance employee.
“On Nov. 29, 2023, Geisinger discovered and immediately notified Nuance that a former Nuance employee had accessed certain Geisinger patient information two days after the employee had been terminated,” Geisinger said in a statement. “Upon learning this, Nuance permanently disconnected its former employee’s access to Geisinger’s records.”
Geisinger disclosed the breach on June 24, and the health system said Nuance waited to inform those affected at the behest of authorities.
“Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now,” Geisinger said. “The former Nuance employee has been arrested and is facing federal charges.”
Geisinger is advising patients to review statements from their health plan and reach out to their insurance company if they are billed for services they didn’t receive.
8. Eastern Radiologists, Inc.
The North Carolina organization suffered a cybersecurity incident affecting more than 880,000 people, according to the health department.
Eastern Radiologists began notifying patients in early March about the breach and said an unauthorized party managed to access or copy some private information from patients, according to WITN-TV of Greenville, N.C.
The company provides services for 17 hospitals and 7 outpatient facilities.
9. Superior Air-Ground Ambulance Service, Inc.
The Illinois-based company experienced a cyberattack that affected more than 850,000 people, the health department says.
In a notice about the incident, Superior said the intruder gained access to a host of different records. The information varies for those affected, but for some individuals, the records included their diagnosis, treatment information, health insurance information, Social Security and driver’s license numbers.
Superior said it has reviewed procedures and taken steps to improve its security. The company provides EMS services in five states.
10. UNITE HERE
The New York labor union suffered a cyberattack that affected more than 790,000 individuals, according to the health department.
In a public notice, UNITE HERE says the actor likely accessed Social Security numbers, financial data and medical information, among other records. The organization says it has found no evidence of identity theft or fraud in connection with the incident.
UNITE HERE is offering credit monitoring and identity theft protection and says it is working “to lower the chances of something like this happening again.”
In addition, UNITE HERE offered versions of its public notice in more than a dozen languages, including Spanish, Arabic, Chinese and Russian. The union represents 300,000 people in a host of industries.