87 million patients have experienced a data breach in 2023 so far

2023 is turning out to be a big year for healthcare data breaches with more than 87 million patients experiencing unauthorized access to their healthcare records thus far.   

According to a new analysis of government data conducted by AtlasVPN, the number of affected patients in 2023 is more than twice that of 2022, adding evidence to the trend of bigger and more frequent breaches of organizational security. 

In the first three quarters of 2023, the Office of Civil Rights (OCR) received notification of 480 data breaches. Organizations do not have to report breaches of fewer than 500 records to OCR. 

From January to June, these events exposed the data of 41 million individuals. But in Q3, hackers upped their game by stealing data of 45 million more people, contributing to one of the worst quarters in healthcare security history over the past decade. 

The massive HCA Healthcare breach, which affected at least 11 million people, contributed significantly to the high total for the quarter. The data included names, addresses, emails, phone numbers, and dates of birth, as well as patient service dates, locations, and next appointment dates, but does not appear to include clinical data, payment information, or highly sensitive elements like social security numbers, HCA said at the time.  

2023 also brought the breach of the MOVEit file transfer system, which has affected millions of Medicare and Medicaid beneficiaries, as well as an uncertain number of people with health data held by hundreds or thousands of client companies. Some experts have been counting each of these as independent incidents, while others have been attempting to tally all affected healthcare organizations. Across industries, the MOVEit event likely impacted more than 66 million people. 

Unsurprisingly, the most populated states in the nation, as well as those with notable healthcare hubs, were most often hit with confirmed healthcare breaches in 2023. California, New York, Texas, Massachusetts, and Pennsylvania made up the top five states affected this year so far. 

Hackers still have a long way to go before they beat the record for the number of data breaches in a year, however. That distinction is held by 2021, when 715 reportable attacks occurred, according to historical data from The HIPAA Journal.   

But the overall worst year in recent cybersecurity took place in 2015, when the legendary Anthem event exposed data on 78.8 million members. The crisis was soon followed by two other health plan exposures: Premera Blue Cross (11 million members) and Excellus Health Plan (10 million members), making it a very dark time for the health plan cybersecurity community. 

To prevent unwanted time in the headlines, healthcare organizations need to take a preventive stance on cybersecurity.  

Providers, payers, health IT companies, and other stakeholders should be aware of potential vulnerabilities in their infrastructure – and the infrastructure of their partners and business associates – and have a comprehensive plan for combatting threats and responding to a cyberattack. 

These may include using multifactor authentication on accounts and devices, staying consistent with patches and software upgrades, educating staff about phishing attempts, and developing cloud environments with adequate identity and access management protocols to avoid unauthorized data access. 

While data breaches in healthcare are generally regarded as a matter of “when,” not “if,” organizations should do everything in their power to reduce the impact of cyberattacks and avoid joining the list of biggest breaches in 2023 and beyond. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.