15 million patients impacted by healthcare data breaches in April 2024
Farah Amod May 21, 2024
The healthcare industry was reeling from a series of data breaches that affected 15 million patients in April 2024.
The scope of the April 2024 data breaches
The Office for Civil Rights (OCR) Breach Portal reported 54 incidents affecting 15,349,203 patients in April 2024. The healthcare industry was the target of this onslaught, with various entities bearing the brunt of the attacks.
Health plans hardest hit
The most affected group was health plans, which reported 6 incidents affecting 13.9 million patients. This highlights the vulnerability of these organizations, which often maintain vast troves of sensitive patient data, making them prime targets for cybercriminals.
Providers and business associates
Healthcare providers were not spared, reporting 34 incidents that affected 1 million patients. Business associates, the entities that provide services to covered healthcare organizations, also felt the impact, with 12 incidents affecting 274,475 patients.
Understanding the causes
The April 2024 healthcare data breaches were primarily driven by two distinct types of incidents: unauthorized access or disclosure and hacking.
Unauthorized access or disclosure
Surprisingly, incidents of unauthorized access or disclosure of protected health information (PHI) emerged as the leading cause, affecting a staggering 13,428,243 patients, or 87.48% of those impacted. This can be largely attributed to a single incident reported by Kaiser Foundation Health Plan, which affected a whopping 13.4 million patients.
Hacking incidents
While hacking was not the top cause, it still played a major role, with 44 incidents affecting 1,919,637 patients, or 12.51% of the total affected. These hacking incidents were reported by a range of entities, including healthcare providers, business associates, health plans, and even a healthcare clearinghouse.
Preventing unauthorized access and disclosure
To mitigate the risk of unauthorized access or disclosure of PHI, healthcare organizations should implement the following:
- Policies and procedures: Establishing clear HIPAA policies and procedures that dictate appropriate employee use and disclosure of PHI, ensuring adherence to the "minimum necessary" standard.
- Effective employee training: Employees must be made aware of their obligations and responsibilities regarding PHI, empowering them to recognize and report any suspicious activities.
- Access controls and audit mechanisms: Unique login credentials, granular access permissions, and audit trails can help organizations monitor and control PHI access, ensuring it is used only for legitimate purposes.
Mitigating the threat of hacking
As hacking incidents have been a persistent challenge for the healthcare industry, organizations must take proactive steps to minimize their exposure to these threats:
Security risk assessments
Conducting thorough security risk assessments helps identify vulnerabilities and weaknesses in an organization's security practices, enabling the development of targeted remediation plans.
Employee cybersecurity training
Recognizing that a large portion of hacking incidents stem from phishing attacks, employees must be equipped with the knowledge and skills to identify and respond appropriately to potential phishing attempts.
Implementing secure disposal practices
Organizations must ensure that both physical and electronic PHI are disposed of in a manner that renders the data unreadable, unusable, and inaccessible, in accordance with HIPAA guidelines.
The path forward
The April 2024 healthcare data breaches remind the industry of the threats and the urgent need for a proactive approach to data security. This includes:
Fostering a culture of cybersecurity
Beyond implementing technical controls, healthcare organizations must cultivate a culture of cybersecurity awareness and vigilance among their employees. This involves ongoing training and regular security updates.
Collaboration and information sharing
Recognizing the healthcare system's interconnected nature, industry-wide collaboration and information sharing are necessary. By sharing best practices, threat intelligence, and lessons learned, healthcare organizations can collectively strengthen their defenses and stay ahead of emerging threats.
Embracing emerging technologies
Healthcare organizations must be proactive in embracing emerging technologies and security solutions. From advanced data encryption to artificial intelligence-powered threat detection, using cutting-edge tools can provide an edge in the battle against cyber attackers.
In the news
The most substantial breach of April 2024 came when US health giant Kaiser Permanente disclosed a staggering data breach impacting approximately 13.4 million current and former members. The breach compromised a trove of personal information, ranging from names to IP addresses and detailed interaction data, which may have been illicitly shared with third-party advertisers.
The breach, disclosed by Kaiser Permanente on April 12, 2024, was traced to unauthorized access and disclosure via a network server, according to the U.S. Department of Health and Human Services. It was found that the breach stemmed from an online tracking code embedded within Kaiser's websites and mobile applications. This insidious code potentially transmitted a wealth of member information, including their identities, online behaviors, and even health-related search queries, to third-party vendors such as Google, Microsoft, and X (formerly Twitter).
Beyond the immediate impact on data security, this breach shows the vulnerabilities within healthcare cybersecurity, prompting urgent calls for regulatory reform and enhanced data protection measures. The breach poses alarming risks for individuals affected, from potential misuse of sensitive data to the specter of identity theft and targeted advertising based on health concerns.
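The Kaiser incident was driven by tracking code loaded from third-party hosts. As an added example that is not part of the original article or any Kaiser material, the following script audits a page's HTML for script, image and iframe sources that load from hosts outside a first-party allowlist and flags those that carry a query string (where search terms or member details could travel). The hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load code and images from (assumed example values).
FIRST_PARTY_HOSTS = {"portal.example-health.org"}


class ThirdPartyLoaderScanner(HTMLParser):
    """Collects script/img/iframe sources that point at hosts outside the allowlist."""

    WATCHED = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        src = dict(attrs).get(attr_name)
        if not src:
            return
        parsed = urlparse(src)
        # Relative URLs have no host; same-host absolute URLs are first-party too.
        if parsed.hostname and parsed.hostname not in FIRST_PARTY_HOSTS:
            self.findings.append({
                "tag": tag,
                "host": parsed.hostname,
                "src": src,
                # A query string on a third-party request is where page context leaks.
                "carries_query": bool(parsed.query),
            })


def audit_page(html):
    """Return a list of third-party loaders found in the given HTML."""
    scanner = ThirdPartyLoaderScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page modelled on a member portal that embeds advertising trackers.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://tracker.example-ads.net/pixel.js"></script>
</head><body>
<img src="https://portal.example-health.org/logo.png">
<img src="https://analytics.example-ads.net/collect?q=diabetes+treatment" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        print(f"third-party {f['tag']} -> {f['host']} (query: {f['carries_query']}): {f['src']}")
```

Running it against the constructed page reports the two ad-network loaders and marks the 1x1 pixel as carrying a query string; the first-party script and logo are not reported.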
Read more: Kaiser Permanente breach exposes millions to third-party advertisers
FAQs
Are healthcare breaches subject to HIPAA regulations?
Yes, healthcare breaches are subject to HIPAA (Health Insurance Portability and Accountability Act) regulations, which set standards for the protection of sensitive patient information.
Do I need consent to disclose information related to healthcare breaches?
Yes, obtaining consent is necessary to disclose information related to healthcare breaches, as it ensures compliance with patient privacy rights and HIPAA regulations.
What tools or methods can I use to prevent and address healthcare breaches?
Healthcare professionals can use encryption software, access controls, secure communication platforms, and regular security audits to prevent and address healthcare breaches effectively. Additionally, maintaining updated security protocols and employee training is necessary in safeguarding sensitive patient data.
Learn more: HIPAA Compliant Email: The Definitive Guide