The healthcare sector is one of the most frequently targeted industries by cybercrime, and that trend shows no signs of slowing down in 2023.
According to the U.S. government’s OCR (Office for Civil Rights), healthcare firms reported 145 data breaches in the first three months of 2023.
This follows 707 incidents in 2022, in which 51.9 million records were stolen.
It’s no surprise that the healthcare sector is such a common target. Stolen medical records give hackers a vast amount of information, such as people’s names, dates of birth, addresses, and Social Security numbers.
With this in mind, you can see why 95% of all identity theft incidents reportedly come from compromised healthcare records.
Some reports suggest that these records are 50 times more valuable than credit card data, with crooks selling the information on the dark web to facilitate schemes such as tax fraud.
What types of healthcare data breaches are most common?
Thanks to the HIPAA (Health Insurance Portability and Accountability Act), there is more transparency around healthcare data breaches than there is with other sectors.
Any organization that deals with healthcare data — whether that’s a hospital, private practice, medical supplier, or other institution — must report security incidents in which the PHI (protected health information) of 500 or more people is compromised.
These records are made public by the OCR, and according to its figures, the most common forms of healthcare data breaches in 2022 were:
- Hacking and IT incidents: 555
- Unauthorized access or disclosure: 113
- Physical theft: 35
- Improper disposal of records: 4
The OCR also requires organizations to provide specific details about each incident. Hacking and IT incidents were most often the result of cyber attacks on the victim’s network server, frequently carried out using malware; such attacks accounted for 399 incidents, or 56% of the total number of reported data breaches.
Top healthcare phishing data breaches
Phishing is another leading cause of data breaches, and it’s especially prominent in the healthcare sector. According to the OCR, in 2022, there were 165 instances of phishing scams and similar techniques designed to steal login credentials.
The attacks are a form of social engineering in which a criminal hacker pretends to be a legitimate person or business in an attempt to steal sensitive information.
Crooks usually attack via email, urging the recipient to download an attachment containing malware or follow a link to a bogus website, where the target is asked to provide their login credentials.
Research conducted by Carahsoft and shared by the U.S. government shows that phishing attacks were used in 45% of all healthcare data breaches.
These attacks are almost three times more common than the next leading cause of data breach, ransomware, and those attacks themselves often begin with phishing emails that contain the malicious software.
Healthcare data breach statistics per year
There were 707 publicly disclosed data breaches among healthcare firms in 2022. According to one report, the sector accounted for 20% of all publicly-reported data breaches, making it the most vulnerable to cyberattacks, ahead of the public sector (16%), technology (11%), education (9%), and professional services (6%).
Perhaps surprisingly, this annual total actually represents a year-over-year decrease from 2021 (715) – albeit of only 1.1%.
However, it’s the second largest amount of data breaches ever recorded in the healthcare sector, and it continues a dramatic upward trend that began in 2019.
- 2013: 277
- 2014: 314
- 2015: 270
- 2016: 329
- 2017: 358
- 2018: 369
- 2019: 512
- 2020: 663
- 2021: 715
- 2022: 707
Looking at these figures, it’s hard not to notice a correlation between this trend and the start of the COVID-19 pandemic. This might not be a coincidence.
A study published by the U.S. government’s National Library of Medicine was one of the first to spot the pattern, noting that “health providers struggled providing non-pandemic care to their patients due to the overwhelmed healthcare system and large number of COVID-19 diagnosed patients who needed immediate attention.”
To address these challenges, many organizations were forced to implement hybrid and remote work environments, such as electronic health systems, telehealth platforms, and remote collaboration tools. However, the implementation of these controls “meant to protect the security and privacy of PHI did not keep up with the new attack vectors created by the newly implemented technologies.”
A separate study found that the U.S. healthcare industry saw a 25% increase in successful cyberattacks during the pandemic. This was despite several cyber criminal gangs stating that they weren’t going to target hospitals due to the stress they were under to contain the virus.
However, their promise didn’t last long — almost twice as many data breaches were reported during the height of the pandemic compared to the previous two years.
In one incident — a ransomware attack against Dusseldorf University Hospital in Germany — a patient with a life-threatening illness was redirected to another facility after cyber criminals disabled the hospital’s systems. With its servers offline and its data encrypted, the hospital was unable to treat her, and she was sent to a facility in Wuppertal, 19 miles away. However, she died en route to the facility, in what was reported to be the first death directly related to a cyber attack.
Biggest healthcare data breaches
Healthcare data breaches are often smaller in scope than other industries. The largest healthcare data breach in 2022, at OneTouchPoint, affected 4.1 million people, which is not even close to the biggest incidents of the year — or the biggest healthcare data breaches of all time, as shown below.
This is because healthcare firms typically have fewer patients/customers, as they are almost always catering to people in the local area who visit their practices for medical reasons.
Nonetheless, they tend to process extensive records — including vast quantities of sensitive personal data, such as medical records and financial data — which means healthcare data breaches could be more damaging to affected individuals.
Since January 2022, there have been 21 reported cases in which healthcare firms compromised over one million records, and a further 22 cases in which more than 500,000 records have been breached.
The five biggest healthcare data breaches of all time are:
1. Anthem (78 million)
2. Optum360 (11.5 million)
3. Premera Blue Cross (11 million)
4. Laboratory Corporation of America Holdings (10.2 million)
5. Excellus Health Plan (9.3 million)
HIPAA data breach penalties and fines
Data protection practices in the healthcare sector are regulated by the HIPAA Privacy Rule and enforced by the OCR.
Under its rules, there are four tiers by which data breaches and other compliance failures are judged and penalized.
The lowest tier relates to breaches that the organization was unaware of and couldn’t have been expected to foresee, while the upper tiers relate to incidents that the organization should have been aware of (e.g. those caused by compliance failures).
Unlike many other data protection laws, penalties for HIPAA data breaches are classed “per violation,” which can relate to specific areas of non-compliance or individual compromised records.
There are different thresholds for fines per category:
- Tier 1: $100–$50,000 per violation
- Tier 2: $1,000–$50,000 per violation
- Tier 3: $10,000–$50,000 per violation
- Tier 4: $50,000 or more per violation
In total, the OCR has issued $65,658,440 in HIPAA fines over the past five years. This includes $2,170,140 in 2022, with the largest penalty given to Oklahoma State University’s Center for Health Services, which was forced to pay $875,000 after criminal hackers compromised its server.
The incident, which affected almost 280,000 people, is thought to have occurred in November 2017 and took almost five years for a settlement to be reached.
This demonstrates the difficulties that regulators face when investigating security incidents. Similar backlogs are seen across the world, as there are simply too many breaches for departments to keep track of.
State attorneys general also assist with HIPAA enforcement, but 875 data breaches remain under investigation, including 91 incidents that occurred in 2022.
Why it’s important to find a solution that protects your healthcare organization
There are many steps healthcare firms can take to secure health data and prevent data breaches. Staff awareness training is frequently cited as the backbone of any effective security system, as it can help employees prevent mistakes that facilitate cyber attacks.
For instance, phishing attacks rely on employees falling for the attacker’s bait, while negligent employees could leave information unprotected in cloud servers.
Although training is important, healthcare firms’ biggest challenge is to invest in cybersecurity and identity management technology. According to the 2022 HIMSS Healthcare Cybersecurity Survey, a third of organizations said their budget either decreased or remained the same last year, while another report estimated that the sector spends only 5% of its budget on cybersecurity.
By comparison, the U.S. government spends 15% of its budget on cybersecurity, while the average organization spends 9.9%.
With figures like that, it shouldn’t be surprising to hear that, as recently as 2021, 73% of healthcare providers used legacy operating systems. These are out-of-date platforms, such as Windows 7, that no longer receive security updates and are therefore vulnerable to cyber attacks.
That might explain why 79% of all data breaches in the healthcare sector relate to hacking and IT incidents.
If the industry wants to avoid growing costs for data breaches, it must reconsider its approach to cybersecurity. Healthcare providers process vast quantities of sensitive information as part of Know Your Patient processes, and patients place their trust in medical professionals when handing over that data.
To maintain that trust, the sector must do a better job protecting patients’ data, and investments in cybersecurity technology and identity management are a crucial step in achieving that goal.