With 385M patient records exposed, cybersecurity experts sound alarm on breach surge
Healthcare companies more than ever are using electronic records and tapping digital services. That’s also creating more opportunities for cybercriminals — who already have exposed the private medical information of millions of patients — and bolsters the case for the industry to make security priority No. 1, experts say.
Healthcare breaches have exposed 385 million patient records from 2010 to 2022, federal records show, though individual patient records could be counted multiple times.
Hacking incidents, a type of breach, at healthcare firms have skyrocketed in the past five years as cybercriminals demand ransoms in exchange for restoring access to sensitive medical data.
Chart: Hacking or IT incident is the most common breach type.
While healthcare companies have to improve their cybersecurity given the rise in breaches and cyberattacks, regulators need to raise the bar on cybersecurity standards, experts told Healthcare Dive.
"Could all these organizations do a better job? Absolutely," said Jim Trainor, former assistant director of the Cyber Division at the Federal Bureau of Investigation, who is now a senior vice president of Aon Cyber Solutions, a global professional services firm.
Disrupting any one of the nation's 16 critical infrastructure sectors, including the healthcare industry, poses a national security threat. These sectors are vital to daily life for millions of Americans and disabling them would have a debilitating effect on society, according to the Cybersecurity and Infrastructure Security Agency, or CISA, the country's cyber defense agency.
Cyberattacks that disrupt hospital operations put patients' lives at risk. The FBI said that the healthcare industry was hit the hardest by ransomware attacks in 2021 compared to other critical infrastructure. And the threats come as hospitals struggle with staffing shortages and financial pressures exacerbated by the COVID-19 pandemic.
In the wake of a ransomware attack on one of the nation's largest hospital operators last year, Healthcare Dive analyzed more than 5,000 breaches reported over the past 13 years to the HHS Office for Civil Rights, the agency tasked with enforcing privacy and security laws in the healthcare sector.
A breach is a broad term for when protected health information that can identify patients is improperly revealed or used. A hacking or IT incident is a type of breach that involves a technical intrusion, according to the HHS, and is just one type of breach tracked by the agency.
The number of breaches has increased almost every year since reporting first began in 2009. Healthcare Dive confined its analysis to breaches that affected more than 500 people in each incident.
The number of breaches reported each year more than tripled from nearly 200 in 2010, the first full year that data was available, to more than 700 in 2022.
More than 52 million people had their private health information exposed in 2022 in more than 700 breaches, up from about 6 million people in 2010. (One person could be counted multiple times if exposed in multiple breaches.)
The upward trend is more apparent if the 2015 Anthem breach is excluded.
The typical size of a breach, measured as the median number of people affected per incident, has also jumped since 2018. The median is the midpoint of all breaches ranked by size, with half affecting more people and half fewer, so it is less distorted by outliers.
Last year, the median breach affected more than 6,200 people, more than twice the size of the median breach in 2018.
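To show how per-year counts, exposure totals and medians of the kind described above can be produced, here is an added example (not Healthcare Dive's own analysis code) that reads constructed rows in the shape of the HHS OCR breach-report export, applies the more-than-500-people filter, and summarises breaches by submission year and by HHS breach type; the column names are assumed from the public portal and every value is invented.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample rows in the shape of the HHS OCR breach-report export.
# Column names are assumed from the public portal; every value is invented.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach
Example Clinic A,OH,Healthcare Provider,1200,03/14/2018,Hacking/IT Incident
Example Clinic B,TX,Healthcare Provider,2700,07/02/2018,Unauthorized Access/Disclosure
Example Plan C,NY,Health Plan,850,11/20/2018,Theft
Example Hospital D,CA,Healthcare Provider,9000000,02/05/2022,Hacking/IT Incident
Example Clinic E,FL,Healthcare Provider,6300,05/18/2022,Hacking/IT Incident
Example Clinic F,WA,Healthcare Provider,4100,08/30/2022,Unauthorized Access/Disclosure
Example Clinic G,IL,Healthcare Provider,7900,12/01/2022,Loss
Example Clinic H,GA,Healthcare Provider,400,12/09/2022,Theft
"""

REPORTING_THRESHOLD = 500  # the public OCR data only lists breaches affecting more than 500 people

def load_breaches(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = int(row["Individuals Affected"])
        if affected <= REPORTING_THRESHOLD:
            continue  # smaller breaches are reported annually and are not in this data
        year = int(row["Breach Submission Date"].split("/")[-1])  # submission date, not incident date
        rows.append({"year": year, "affected": affected, "type": row["Type of Breach"]})
    return rows

def yearly_summary(rows):
    by_year = defaultdict(list)
    for r in rows:
        by_year[r["year"]].append(r["affected"])
    return {
        year: {
            "breaches": len(sizes),
            "people_exposed": sum(sizes),  # a person hit by several breaches is counted each time
            "mean_size": statistics.mean(sizes),  # one huge breach drags the mean up
            "median_size": statistics.median(sizes),  # the midpoint of the ranked sizes barely moves
        }
        for year, sizes in sorted(by_year.items())
    }

def type_counts(rows, year):
    counts = defaultdict(int)
    for r in rows:
        if r["year"] == year:
            counts[r["type"]] += 1
    return dict(counts)
```

In the constructed 2022 rows, the single 9-million-person breach pushes the mean above 2 million while the median stays at 7,100, which is the distortion the median is chosen to avoid.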
Breaches can dramatically range in size in terms of the number of people affected in each incident.
The vast majority of reported breaches affect fewer than 65,000 people.
The second-largest breach disclosed since reporting first began in late 2009 affected 11.5 million individuals.
The largest reported breach occurred in 2015 and exposed the private health information of almost 79 million people through a cyberattack against Anthem, one of the nation's largest insurers. An investigation by regulators found that Anthem, now known as Elevance, did not have adequate protections in place to ward off cyberattacks. Anthem later agreed to pay a $16 million settlement with HHS OCR.
Cyberattackers infiltrated Anthem's IT systems through spear phishing emails sent to an Anthem subsidiary. Attackers stole patient information including full names, Social Security numbers, addresses, birth dates, emails and employment information, according to HHS OCR.
Health insurers, providers, clearinghouses and business associates are required to notify the HHS OCR when breaches occur. If a breach affects the private health information of more than 500 people, covered entities have 60 days to notify regulators.
The rise in breaches comes as healthcare companies have increasingly adopted digital services over the past decade, leaning more heavily on health information technology.
The use of electronic health records by hospitals, especially, has soared since 2010, when providers began to take advantage of federal incentive programs that made billions of dollars available to those that opted to use EHRs.
Chart: EHR adoption rate jumped to almost 100% within four years.
Still, that connectivity can lead to cyber vulnerabilities and create avenues to access protected data, experts said.
During just one episode of care, multiple entities may access a patient's information, including doctors, hospitals, X-ray facilities and insurance companies, Aon Cyber Solutions’ Trainor said.
"The complexity of the network to facilitate the events is unbelievable," Trainor said.
A rush to remote work fueled more entry points for attackers
The hospital sector became even more vulnerable during the pandemic, which dramatically accelerated the use of network- and internet-connected devices, said John Riggi, who advises the American Hospital Association on cybersecurity and risk. As non-clinical employees pivoted to working from home, hospitals increased their reliance on third-party and cloud services.
It led to an "expanded digital attack surface," said Riggi, who previously served as an FBI section chief overseeing cyber issues.
Hospitals' dependency on third-party technology also makes them more vulnerable because they don't have total control over the security of third-party tools, Riggi added. As a result, hospitals have to wait for vendors to send patches for connected medical devices and are prohibited from patching problems themselves.
"The key is we are being attacked by foreign adversaries. The vast majority of compromised records are from hostile acts, meaning foreign-based adversaries that even the FBI can't put their hands on," Riggi said.
"It becomes very, very difficult to secure this expanded attack surface under increased fire during a pandemic," Riggi added.
Israel Barak, chief information security officer at Cybereason, a cybersecurity firm based in Boston, added that many healthcare companies lack robust cybersecurity programs.
"The chain is only as strong as its weakest link and there are so many weak links," Barak said.
This makes healthcare an easy and profitable target for cyberattackers, he added.
When breaches do occur, "the blast radius is bigger because of the information sharing," said Christina Powers, partner at West Monroe who leads the firm's Cybersecurity Advisory for Private Equity Program.
That may explain why the average breach size has surged in recent years, Powers added.
To be sure, not all breaches are the result of cyberattackers.
The federal government tracks a handful of breach types: hacking/IT incident, which can include cyberattacks; improper disposal; loss; theft; and unauthorized access/disclosure.
The second-most common type of breach in recent years is the result of unauthorized access or disclosure, which can occur when an employee accesses records outside of their job duties, according to Healthcare Dive's analysis. It can also include when patient information is exposed through misdirected communications.
Other types include loss or theft, such as when laptops or thumb drives are left in public places or stolen.
Rich data, profitable targets
Ransomware attacks are a top threat facing the industry because healthcare organizations are profitable targets, according to security experts.
In a ransomware attack, hackers lock healthcare institutions out of critical files and information and hold them hostage while demanding a payment in exchange for a decryption key to unlock the files.
Cybercriminals know healthcare organizations will feel pressure to rapidly restore access to lifesaving systems and technology.
Providers are more likely to pay a ransom when the disruption threatens patient care, such as when emergency rooms are shut down or when facilities are forced to reroute patients, Aon Cyber Solutions’ Trainor said.
The FBI has warned that these attacks can put patients at risk by delaying access to care and vital information.
A newborn allegedly died as a result of a ransomware attack that disabled computers on every floor of an Alabama hospital and strained resources, according to The Wall Street Journal. The report said that Teiranni Kidd's daughter died months after she was delivered with the umbilical cord around her neck.
A 2021 survey of nearly 600 IT and health executives at provider organizations showed that ransomware attacks had a significant impact on patient care. Of those that experienced a ransomware attack, the majority reported longer lengths of stay; delays in procedures and tests; and diversions. More than one-third of respondents cited increased complications and almost one-quarter flagged increased mortality rates.
For ransomware criminals, 'it's all about ROI'
Ransomware attacks on healthcare organizations have increased in frequency and severity since 2016, according to researchers who track such incidents in the Tracking Healthcare Ransomware Events and Traits (THREAT) database.
"It's all about ROI" for these criminals, Trainor said.
In addition, it can be difficult to deter bad actors, who can launch attacks from other countries and are often outside the reach of U.S. law enforcement, according to security experts.
In September, three Iranians were charged with attempting to launch a cyberattack on Boston Children's Hospital, one of the largest pediatric medical centers in the country.
FBI Director Christopher Wray later characterized the foiled incident as "one of the most despicable cyberattacks I've ever seen."
While the FBI was able to intervene before the attack was committed, the incident raised concerns about nation-state attacks on healthcare operators in the U.S.
"I do think we need to be prepared about the possibility of disruptive or destructive attacks by nation-states on healthcare, too," said Morgan Demboski, a threat intelligence analyst for IronNet, a cybersecurity firm based in McLean, Virginia.
Attacks can be motivated by cyberespionage as well, Demboski added.
Some nation-states aimed to steal vaccine-related information and other medical research linked to the coronavirus to boost their own commercial sector, Demboski said.
Amid this threat landscape, healthcare firms should upgrade their cyber preparedness and may need a push from federal regulators, security experts said.
On March 1, President Joe Biden unveiled a sweeping national cybersecurity strategy that seeks to improve the nation's cyber defenses. The policy goal calls for establishing minimum cybersecurity standards across critical infrastructure, including the healthcare industry.
The policy plan, while not an executive order, will serve as a guide for federal agencies and lawmakers to enact cyber requirements.
Raising the bar on cybersecurity standards is critically important for healthcare companies, security experts said.
"I think we need to set a higher regulatory standard for healthcare organizations," Cybereason's Barak said.
To be sure, raising the bar will likely come with financial consequences for hospitals and may raise healthcare prices, Trainor said.
Still, Trainor added, "the level of security across the industry is not where it needs to be to protect patients' healthcare information."
Healthcare Dive downloaded the health breaches dataset from the HHS (Archive -> Research Report) on March 2, 2023. The data serves as a living document, which the OCR may update after each investigation. Covered entities have 60 days to report breaches that affect more than 500 people to the OCR. Breaches involving fewer than 500 people may be reported on an annual basis and are not included in the downloadable data.
Dates of breaches mentioned in the charts refer to the date when a breach report was submitted.
News graphics developer Julia Himmel and visuals editor Shaun Lucas also contributed to this piece.