- The number of patient records exposed in data breaches doubled in 2023 compared to 2022, even as the count of breaches declined slightly, according to a report by cybersecurity firm Fortified Health Security.
- The report, which analyzed data from the HHS’ Office for Civil Rights, found that more than 116 million records were compromised across 655 breaches — a “significant peak in patient data exposure” that eclipsed an earlier high point in 2015, when three major breaches contributed to a spike in divulged health records.
- Last year also saw an increase in the number of large data breaches. In 2023, sixteen breaches exposed more than two million patient records each, compared with only three in 2022.
The spike in exposed records and large breaches last year suggests that once bad actors gain access to healthcare organizations’ networks, they’re taking even larger sets of patient data, according to the Fortified report.
Breaches stemming from hacking and IT incidents, which include malware, ransomware and phishing attacks, have soared over the past decade, making up 80% of reported breaches last year. Meanwhile, physical thefts of records have declined as organizations shift to electronic health record systems.
The number of business associates, or outside people or organizations that perform work for entities covered by HIPAA like health plans or providers, are increasingly involved in data breaches, too. Business associate breaches increased by 22% year over year in 2023, according to the report.
Healthcare data breaches dipped slightly last year but are generally on the rise
Cybersecurity has become a significant challenge for healthcare organizations as the industry digitizes and hackers look to exploit the wealth of valuable personal information.
Over the past decade, more than 5,100 healthcare breaches have compromised data from about 489 million patient records across the country, according to the report.
Those breaches can have major consequences for both providers and patients. The average cost of a healthcare breach reached nearly $11 million in 2023, increasing more than 50% since 2020, according to a recent report from the Ponemon Institute and IBM Security.
Ransomware attacks, where hackers demand payment to return access to critical systems and data, can disrupt hospital operations for weeks, potentially endangering patients.
Ardent Health Services was forced to divert emergency care to nearby facilities in multiple states and put elective procedures on hold after an attack on Thanksgiving. The hospital operator announced this month it was able to fully restore access to its MyChart patient portal.
As breaches become more commonplace, regulators have shown increased interest in pushing healthcare organizations to boost their cybersecurity measures.
The HHS released a working paper late last year that included proposing hospital cybersecurity standards through Medicare and Medicaid. The Biden administration could soon unveil new requirements for hospitals, according to reporting by the Messenger.