The health care industry is a prime target for cybercrime due to the abundance of sensitive information it holds, such as Social Security numbers, birth dates, and health insurance details. With many systems connected to the internet and inadequate security measures in place, health care institutions are attractive to hackers seeking to exploit vulnerabilities.
Free NPI Lookup recently analyzed data from the Department of Health and Human Services and other sources to investigate the prevalence of health care data breaches over the past decade. In 2023, there were a staggering 725 large data breaches at hospitals and other organizations, surpassing the previous year’s record of 720 breaches, as reported in January 2024 by The HIPAA Journal. Moreover, over 133 million records were compromised, more than double the figure from the preceding year. The severity of the situation is highlighted by the fact that in 2023, more than 370,000 records were breached daily.
The high value of health care data and the potential impact on patient safety make this sector particularly appealing to hackers. Ransomware attacks, where hackers disrupt operations until a ransom is paid, can lead to delays in medical procedures, diverted ambulances, and offline monitoring equipment, risking patient lives. Despite warnings from law enforcement agencies like the FBI advising against paying ransoms, institutions like Change Healthcare have reportedly succumbed to these demands, with the company allegedly paying $22 million in ransom.
In addition to the immediate risks, health care data breaches can have long-lasting consequences, because fraudulent use of this information may go undetected for extended periods. Unlike financial data, which credit companies can swiftly monitor and control, misuse of health care data is difficult to detect and rectify. Hackers continue to target health care data because of its value and the industry’s increasing reliance on digital technologies.
The Department of Health and Human Services identifies hacking and ransomware as the primary cyber threats to the health care sector, with attacks becoming more frequent and sophisticated. The number of ransomware attacks against the global health care sector nearly doubled in 2023 compared to the previous year, with a significant rise in hacking incidents and ransomware demands. High-profile breaches, such as those affecting the Kaiser Foundation Health Plan and Concentra Health Services, underscore the pervasive nature of cyber threats within the health care industry.
In 2023, approximately 9 million records were compromised, revealing patient data such as names, addresses, birth dates, Social Security numbers, and more. A&A Services, operating as Sav-Rx, reportedly paid a ransom following a ransomware attack, as indicated by The HIPAA Journal. The company claimed that the stolen data was destroyed, allowing them to resume operations promptly without prescription delays.
Notably, INTEGRIS Health’s Oklahoma patients were directly contacted by hackers who demanded $50 from each individual under threat of selling their data on the dark web. The hackers included personal details like addresses, phone numbers, birth dates, and Social Security numbers in their emails as proof of possession.
The health care industry faces significant security challenges, and its breaches are the costliest of any sector. While the average cost of a health care data breach decreased slightly from 2023 to 2024, it remains substantially higher than the average across industries. Critics argue that health care organizations lag in cybersecurity measures, including routine patch installations, and may struggle financially to afford cybersecurity resources.
Efforts are being made to address these issues, such as proposed revisions to the HIPAA rule to better address cybersecurity and potential ties between Medicaid/Medicare funding and enhanced cybersecurity protocols. Initiatives like the UPGRADE program aim to equip hospitals with IT tools to defend against cyber threats. Private sector collaborations, like Microsoft providing grants and Google offering advice and discounts to rural hospitals, contribute to bolstering cybersecurity measures.
Moreover, New York has proposed cybersecurity enhancements for hospitals and financial support for implementing improvements. However, additional resources are crucial to elevate cybersecurity standards in health care, as emphasized by former health official Iliana Peters. The ongoing efforts underscore the importance of prioritizing cybersecurity alongside patient care in the health care industry.