Healthcare organizations have reported a record number of data breaches this year — and the full scope of the high-profile ransomware attack on Change Healthcare is still unknown.
Investigating cyberattacks or other types of breaches can take time, and companies generally have 60 days to notify the government about exposures affecting more than 500 people's protected health information. As a result, reports may appear on the Health and Human Services' Office for Civil Rights breach portal months after the corresponding incidents took place.
Through June 30, 387 data breaches, affecting more than 45 million people, were reported on the portal — the highest number of incidents in the first six months of any year since OCR began publishing cases in 2010. By comparison, about 50 million individuals were affected by 357 breaches reported in the first half of 2023.
UnitedHealth Group's Change Healthcare has not yet officially reported how many people were affected by its February data breach, which caused widespread disruption of hospitals, pharmacies, nursing homes and other providers. In April, the company said it had paid a ransom to protect patient data.
HHS' Office for Civil Rights said in May the agency would not consider the 60-day reporting requirement countdown to have started until Change Healthcare or UnitedHealth Group contacted companies whose data had been stolen. Change Healthcare said in June it had begun notifying affected business partners.
In response to a request for comment on the Change Healthcare incident, a UnitedHealth Group spokesperson directed Modern Healthcare to CEO Andrew Witty's testimony during a pair of May congressional hearings and to the company's July earnings call. The spokesperson said UnitedHealth Group is committed to notifying potentially affected people as quickly as possible and that more than 90% of the files have been reviewed. Change Healthcare is also in regular communication with federal regulators regarding the notification process, the spokesperson said.
Meanwhile, St. Louis-based health system Ascension reported a May ransomware attack to the government on July 3. The report said 500 individuals were affected, the minimum number required for a breach to appear on the portal. The provider, which operates 140 hospitals across 19 states and Washington, D.C., released a statement June 14 saying its investigation is ongoing.
Ascension did not respond to requests for comment.
The biggest reported breach in the first six months of 2024 involved Kaiser Foundation Health Plan and affected 13.4 million individuals. The Oakland, California-based health system's insurance arm said technology on its websites and mobile apps may have captured data including names and internet protocol addresses, according to an April statement. The data may have been shared with Google, Microsoft Bing and X, the company said, but no passwords, Social Security numbers or financial information were exposed.