HHS Wall of Shame Analysis 2009–2023 — Things Ain’t Getting Better (Part 1/2)

By Axel Wirth, Medcrypt Chief Security Strategist

We now have 13 full years of healthcare breach data available for analysis (due to the HIPAA reporting mandates of breaches over 500 records). In general, we can say that things are not getting better — in fact, some of the ransomware-driven trends of the previous years continued through 2023. But there are also some shifts and changes that are worth highlighting.

• Overall, the number of reported breaches stayed flat with a total of 733 breaches reported for 2023 (+2.9% from 2022).
• Healthcare Provider reported breaches have slightly improved (-8% but still accounting for 62% of all breaches) but Business Associate breaches continued their growth trend of the last few years (+33.6%, accounting now for 23% of reported breaches).
• The category of Hacking/IT incident now counts for 80% of all breaches, likely attributable to the continued onslaught of ransomware attacks on the healthcare industry.

Trends in breached records

So — are things looking up since the number of breaches has been stable for the past 3 years? Unfortunately not, as there are some quite concerning trends when we look at the number of breached records.

• 2023 set a new record (a remarkable 2.6-fold increase over 2022) in the number of individuals affected: 134,787,438 records. To put this in perspective, that is the equivalent of 40% of the US population.
• This makes 2023 the year with the highest number of breached records ever reported since 2009, even exceeding the previous record of 102,919,905 set in 2015 (which was an outlier as it was largely driven by a single large breach of 78.8M records).
• Business Associates dominate the picture contributing 57% of the breached records.
• We also see an overall increase in large breaches over 1M records with 26 reported for 2023, more than doubling the number from 2022 (11) and 2021 (10) and in the 0–6 range in the years before.
• Of those large breaches, 16 have been attributed to Business Associates, 6 to Healthcare Providers and 4 to Health Plans.

Where do we go from here?

In conclusion, these numbers show that the cybersecurity posture of the healthcare sector continues to be challenged. The industry continues to suffer from a growing number of ransomware attacks that are increasingly targeted and malicious, as indicated by the growing number of records compromised. Further, in line with general cyber threat trends, we are seeing a shift towards supply chain attacks with Business Associate breaches now accounting for the majority of total breached records; as well as increasing efficiency of ransomware attacks leading to more large breaches over 1M records.

HHS has been collecting breach data since Sept. 2009 and has so far logged 5,869 breach events that have compromised a total of 499,055,747 records. The real numbers are actually even worse as a) HHS only publishes detailed data for breaches over 500 records (smaller breaches need to be reported annually but are not published), and b) reporting is limited to security events that include a breach of data, i.e., non-breach security events are not included.

Understandably, the security posture of the healthcare industry is of concern and as a result we have seen a wide range of responses from governments and agencies, as we will discuss in Part 2 of this blog.

Looking for support meeting FDA cybersecurity requirements to secure medical devices by design and improve patient safety? Connect with Medcrypt for the ways we can help your organization. Email us at info@medcrypt.com and visit our website.

‍