Mid-year 2022: 20M patients' data exposed in healthcare breaches

Nearly 20 million patients had their personal and health information exposed in data breaches reported to the federal government in the first half of 2022, according to a Modern Healthcare analysis.

As of Tuesday, the Health and Human Services Department's Office for Civil Rights lists 338 breach reports submitted to the agency by healthcare providers, insurers and their business associates through the end of June. The tally represents the second-highest number of breach reports filed in the first half of a year, following last year's 368 reports.

A cyberattack at Shields Health Care Group in March is the largest incident reported so far this year, potentially compromising data on an estimated 2 million patients.

Four of the 10 largest data breaches were reported to the Office for Civil Rights last month, affecting more than 4 million patients. Healthcare entities governed by the Health Insurance Portability and Accountability Act must disclose data breaches within 60 days of discovering them, meaning some of the incidents reported in June may have occurred in April or earlier.

A breach at software company Eye Care Leaders in December potentially affected nearly 1.3 million patients at Texas Tech University Health Sciences Center. Eye Care Leaders shared final results of its forensic investigation with the medical school in April, according to a notice from the center, and the school reported it to the Office for Civil Rights in June.

Baptist Medical Center in Texas discovered a cyberattack in April, in which a hacker accessed and removed data from the hospital's network between March 31 and April 24, according to a notice from the hospital. The incident, which Baptist Medical Center reported in June, potentially exposed data on roughly 1.2 million patients.

Nearly 80% of data breaches reported to the Office for Civil Rights in the first half of the year—including the incidents at Shields Health Care Group, Texas Tech University Health Sciences Center and Baptist Medical Center—were attributed to hacking or IT problems. The remainder stemmed from improper disposal, loss, theft or unauthorized access.