Trends in Healthcare Data Breach and Litigation According to BakerHostetler

BakerHostetler has published its Data Security Incident Response Report 10th edition, which provides information from the cases managed by the law firm. The report offers information on the present status of cyber threats and litigation.

Data Breach Observations

  • 28% of data breach incidents occur in the healthcare sector
  • 17% occur in finance and insurance
  • 15% in the business and professional services
  • 13% in education

The identified causes of all cases of security breaches in 2023, based on the cases that BakerHostetler handled, were

  • network attacks – 51%
  • business email compromise incidents – 26%
  • inadvertent disclosures – 26%

Cybercriminals are becoming much better at masking their trails since the cause of 36% of network attacks is not identifiable. The primary identified causes of these attacks were

  • vulnerability exploitation – 25%
  • phishing – 9%
  • brute force or credential stuffing – 5%
  • misconfigurations – 4%
  • RDP compromise – 3%
  • Social engineering – 3%

Successful network attacks involved the use of ransomware, 57% of which included data extraction, and 46% installed malware.

The average ransom demand in all industries was $2,644,647, while the average ransom payment was $747,651. The healthcare industry showed higher numbers with a $3,492,434 average ransom demand and a $857,933 average ransom payment. Acceptable data restoration in healthcare took 13.4 days and there were 158,362 notification letters sent on average. Like in other data, the proportion of victims giving ransom payments dropped. Only 27% of victims paid a ransom in 2023, which dropped from 40% in 2022.

There was a substantial rise in data breaches happening at business associates. In 2023, 60% of the breaches involving 500 or more records were reported by business associates to the HHS’ Office for Civil Rights (OCR), which is higher than the 35% in 2022. The size of healthcare data breaches also increased by about 200%, from 56.9 million individuals in 2022 to 144.5 million in 2023. The median time associated with data breaches were

  • 2 days from the incident to discovery
  • 0 days from discovery to containment
  • 33 days from containment to finish the forensic investigation
  • 60 days from discovery to sending notification

The average time from the data breach to its discovery was 42 days and from discovery to sending notification was 75 days.

Phishing and social engineering attacks are becoming more advanced. New social engineering tricks that are commonly used have threat actors calling IT helpdesks to ask for password resets and register new devices to receive the MFA codes. Some business email compromise attacks happened because of QR code phishing attacks (Quishing), and several phishing attacks happened through SMS messages (smishing). Although multifactor authentication was enough to deter hackers from accessing email accounts, MFA is more and more bypassed during attacks. 43% of incidents or 98,504 issued notifications. Of the 493 incidents that sent notifications, 58% ended in legal cases, which is higher than the 42 in 2022.

Escalating Class Action Lawsuits Involving Tracking Technologies

More class action lawsuits involving website tracking technology breaches are being filed, particularly against healthcare companies after the HHS’ Office for Civil Rights published guidance stating that these technologies violated HIPAA. The Federal Trade Commission (FTC) is also going after companies that employ the technology without telling clients.

BakerHostetler is handling over 300 privacy or data security cases with around 100 of those legal cases associated with data breaches resulting from the use of tracking technologies. Over 200 legal cases have already been filed against healthcare companies as a result of using tracking technologies. 75% or 150 cases were filed in court last year. A lot of these legal cases are in the early developments. To date, just one case has been given class certification and one was denied class certification. The schedule of the first trial in a healthcare website tracking technology case will happen this summer. A few lawsuits were quickly resolved, with each person due to get about $4 to $5. Since the announcement of those settlements, the initial demands for damages have increased.

Observations on OCR Enforcement

After three years of somewhat high incidents of enforcement actions, there was a drop in OCR enforcement activity in 2023. In 2023, enforcement actions involving HIPAA Right of Access violations notably dropped to 4 compared to the average of 14 in the past three years. Although enforcement actions for other HIPAA violations increased, from 3 in 2021 to 10 in 2023, OCR only enforced 11 penalties in 2023 to take care of HIPAA violations, compared to typically 19 in the three past years. BakerHostetler believes the drop in enforcement actions might be because of OCR concentrating on a different enforcement priority. OCR has given guidance on HIPAA compliance regarding website tracking technologies, and BakerHostelter indicates that may currently be OCR’s enforcement priority.