As the world evolves, mankind has found better ways to use technology to improve daily operations. The healthcare system is no stranger to technological advancements. They are better for it! But with an improvement in technology comes advancement in cybercrime. The healthcare system has suffered greatly in the last decade at the hands of cybercriminals. Hacking has been the leading cause of healthcare data breaches.
Electronic Health Records
Electronic health record (EHR) systems have helped the healthcare industry replace paper-based systems. With EHRs, patients get better care, more patient collaboration, better disease diagnosis, better practice efficiency and constant access to their health information. Smartphones and other web-based smart gadgets have also transformed the way we communicate. With the help of these gadgets, people can quickly and conveniently access a wide range of internet services, healthcare among them. Healthcare data has become increasingly electronic, dispersed, and mobile in the last few years. These developments would not have been possible if it weren’t for the Internet of Medical Things (IoMT).
Healthcare Data Breaches
Healthcare organizations collect sensitive data from their patients and store it on network servers so that it is always available and helps with patient care, but as with all good things, there is a bad side to this one as well. That same availability has become a major cause of privacy breaches, especially with the widespread use of smartphones and other smart gadgets. These databases can be accessed by unauthorized parties because of software vulnerabilities, security flaws, and human mistakes. The result is a data breach: unauthorized access to private information. In other cases, insider attacks cause the loss, theft, or disclosure of protected health information. On the dark web, a single patient’s complete record file can fetch hundreds of dollars. The healthcare industry is among the worst-affected industries when it comes to data breaches.
Healthcare Data Breaches Are At An All-Time High
The total number of people affected by healthcare data breaches from 2005 to 2019 was 249.09 million, according to various practitioners. In the last five years alone, 157.40 million people were affected. There were 2,216 data breaches reported from 65 countries in 2018; 536 of these were in the healthcare sector. In light of this, it may be concluded that the healthcare industry has had the most breaches of any industry. In 2019, 86 countries reported a total of 2,013 data breaches; 505 healthcare data breaches resulted in 41.2 million records being stolen, leaked, or illegally released.
While a healthcare industry breach costs $6.45 million on average, an average data breach across all industries costs $3.92 million. Compared to other countries, this cost is greatest in the United States, where a data breach normally costs the company $8.19 million and the average healthcare data breach costs $15 million. Between 2014 and 2019, the average cost of a data breach climbed by 12%, while the average cost of a compromised record increased by 3.4%. According to a report by the Centers for Medicare and Medicaid Services (CMS), healthcare data breach costs rose by 19.4% between 2010 and 2013.
According to a survey by cybersecurity startup Critical Insights, the number of patients whose protected health information (PHI) was exposed in 2021 was the highest ever. 45 million people were harmed by healthcare attacks in 2021, up from 34 million in 2020. According to the analysis, which examines breach data disclosed to the U.S. Department of Health and Human Services (HHS) by healthcare institutions, that number has tripled in just three years, from 14 million in 2018. The number of people impacted has climbed by 32% since 2020, indicating that each year, more records are compromised. Although the total number of breaches only increased by 2.4%, from 663 in 2020 to 679 in 2021, it nevertheless reached a historic high. According to John Delano, healthcare cybersecurity consultant at Critical Insight and vice president at Christus Health, “whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care. As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third-party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”
Largest Healthcare Data Breaches (2009-2021)
| Rank | Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | American Medical Collection Agency | 2019 | Business Associate | 26,059,725 | Hacking/IT Incident |
| 3 | Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| 4 | Excellus Health Plan, Inc. | 2015 | Health Plan | 10,000,000 | Hacking/IT Incident |
| 5 | Science Applications International Corporation (SA | 2011 | Business Associate | 4,900,000 | Loss |
| 6 | University of California, Los Angeles Health | 2015 | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 7 | Community Health Systems Professional Services Corporations | 2014 | Business Associate | 4,500,000 | Hacking/IT Incident |
| 8 | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 2013 | Healthcare Provider | 4,029,530 | Theft |
| 9 | Medical Informatics Engineering | 2015 | Business Associate | 3,900,000 | Hacking/IT Incident |
| 10 | Banner Health | 2016 | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 11 | Florida Healthy Kids Corporation | 2021 | Health Plan | 3,500,000 | Hacking/IT Incident |
| 12 | Trinity Health | 2020 | Business Associate | 3,320,726 | Hacking/IT Incident |
| 13 | Newkirk Products, Inc. | 2016 | Business Associate | 3,466,120 | Hacking/IT Incident |
| 14 | 20/20 Eye Care Network, Inc | 2021 | Business Associate | 3,253,822 | Hacking/IT Incident |
| 15 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | 2019 | Health Plan | 2,964,778 | Hacking/IT Incident |
| 16 | AccuDoc Solutions, Inc. | 2018 | Business Associate | 2,652,537 | Hacking/IT Incident |
| 17 | Forefront Dermatology, S.C. | 2021 | Healthcare Provider | 2,413,553 | Hacking/IT Incident |
| 18 | 21st Century Oncology | 2016 | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 19 | Xerox State Healthcare, LLC | 2014 | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 20 | IBM | 2011 | Business Associate | 1,900,000 | Unknown |
| 21 | Dental Care Alliance, LLC | 2021 | Business Associate | 1,723,375 | Hacking/IT Incident |
| 22 | GRM Information Management Services | 2011 | Business Associate | 1,700,000 | Theft |
| 23 | NEC Networks, LLC d/b/a CaptureRx | 2021 | Business Associate | 1,656,569 | Hacking/IT Incident |
| 24 | Inmediata Health Group, Corp. | 2019 | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 25 | Eskenazi Health | 2021 | Healthcare Provider | 1,515,918 | Hacking/IT Incident |
While dealing with pandemic-related events, healthcare IT departments may not have the time or resources to keep up with basic security measures or to find vulnerabilities that go undetected for weeks. It is not the time for hospital security to relax. Attackers are focusing on larger targets, and ransomware attacks are growing more sophisticated. Attackers are also targeting business partners, health plans, and outpatient facilities to exploit supply chain security gaps. Healthcare institutions should have a full risk management policy and categorize business associates by the risk they introduce.
Healthcare institutions can take several measures to reduce the risk of a data breach. Against ransomware, the best course of action is to encrypt sensitive health information at rest so that stolen copies cannot be accessed, read, or deciphered; because encrypted PHI is not considered unsecured under the HIPAA breach notification rules, such an attack would not have to be reported to the Office for Civil Rights. Two-factor authentication on privileged accounts is another step that should be taken to protect against stolen credentials. Other steps should be taken as well, such as checking all storage volumes (cloud and on-premises) for appropriate permissions and eliminating Shadow IT environments created as workarounds.
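The permissions check described above can be automated. The script below is an added example, not code from I.S. Partners or from the report cited in this article: it walks a POSIX storage volume, flags every file or directory that is readable by all local users or writable by its whole group (a policy assumed for the example, not a HIPAA requirement), and builds a small constructed sample volume so it can be run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits a volume holding PHI should never carry under this example's
# assumed policy: any access for "other" (every local account) and write
# access for the group.
FORBIDDEN_BITS = stat.S_IRWXO | stat.S_IWGRP


def _describe(bad_bits: int) -> str:
    """Turn the offending mode bits into a short, readable finding."""
    issues = []
    if bad_bits & stat.S_IRWXO:
        issues.append("accessible to every local user (other bits set)")
    if bad_bits & stat.S_IWGRP:
        issues.append("writable by the whole group")
    return "; ".join(issues)


def audit_permissions(root: str) -> list:
    """Walk a storage volume and report every file or directory whose POSIX
    mode grants more than owner access plus read-only group access.

    Paths in the findings are relative to root, so the result does not depend
    on where the volume is mounted. Symbolic links are skipped: their own mode
    is not enforced by the kernel, and os.walk does not follow them.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Each directory is visited once as dirpath (root included), and each
        # file once in filenames, so nothing is reported twice.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)
            except OSError as exc:
                findings.append({"path": rel, "mode": None,
                                 "issue": f"could not stat: {exc}"})
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            bad = mode & FORBIDDEN_BITS
            if bad:
                findings.append({"path": rel, "mode": oct(mode),
                                 "issue": _describe(bad)})
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_volume() -> str:
    """Create a constructed sample 'volume' in a temp directory: one correctly
    locked-down record, one world-readable export, and one group-writable
    scratch directory. Returns the root path. (Sample data only.)"""
    root = tempfile.mkdtemp(prefix="phi-audit-")
    os.chmod(root, 0o700)

    private = os.path.join(root, "patient-0001.json")
    Path(private).write_text('{"id": "0001", "note": "constructed sample"}\n')
    os.chmod(private, 0o600)            # owner only: no finding

    exposed = os.path.join(root, "export.csv")
    Path(exposed).write_text("id,note\n0002,constructed sample\n")
    os.chmod(exposed, 0o644)            # world-readable: finding

    scratch = os.path.join(root, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o770)            # group-writable: finding
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    for finding in audit_permissions(volume):
        print(f"{finding['path']}: mode {finding['mode']} -> {finding['issue']}")
```

Run it as `python3 audit_phi_perms.py` (file name assumed) to see the two findings from the sample volume; point `audit_permissions()` at a real mount point to audit it. The check deliberately reports directories as well as files, because a group-writable directory lets any group member replace a correctly protected file inside it.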
Helping Your Organization to Protect PHI
Contact I.S. Partners today to begin developing a security and compliance strategy to protect your organization from cyberattacks and to better safeguard patient data.