Odds are, you’ve gotten at least one of the unnerving letters in your mailbox this year: “We’re writing to inform you of a cybersecurity incident,” it might start. It’s the standard notice many health care organizations are required to provide when your protected health information gets exposed — and in 2023, data leaks, hacks, and mishandling led more of them to be delivered than ever before.
As many as 116 million individuals have been impacted by large health data breaches reported to the Department of Health and Human Services this year, according to records from its Office for Civil Rights as of December 21. That number has more than doubled over recent counts, driven primarily by a surge in hacking and ransomware attacks on health care organizations regulated by the privacy rule HIPAA.
Since 2009, OCR has issued reports on large data breaches — those that impact 500 or more patients — which appear on its public “wall of shame.” The last record for individual impact was set in 2015, when three data breaches at health plans Anthem, Premera Blue Cross, and Excellus impacted tens of millions of patients each. It was a massive outlier, pushing the total number of individuals impacted by large health breaches past 112 million.