
As the world evolves, mankind has found better ways to use technology to improve daily operations. The healthcare system is no stranger to technological advancement, and it is better for it. But improvements in technology bring advances in cybercrime with them. The healthcare system has suffered greatly in the last decade at the hands of cybercriminals, and hacking has been the leading cause of healthcare data breaches.

Electronic Health Records 

Electronic health record (EHR) systems have helped the healthcare industry replace paper-based systems. With EHRs, patients get better care, more patient collaboration, better disease diagnosis, better practice efficiency and more consistent access to their health information. Smartphones and other web-based smart gadgets have also transformed the way we communicate. With the help of these gadgets, people can quickly and conveniently access a wide range of internet services, and healthcare is one of them. Healthcare data has become increasingly electronic, dispersed, and mobile in the last few years. These developments would not have been possible without the Internet of Medical Things (IoMT).

Healthcare Data Breaches 

Healthcare organizations collect sensitive data from their patients and store it on network servers so that it is always available to support patient care, but as with all good things, there is a bad side to this as well. The widespread use of smartphones and other smart gadgets has also made this data a major source of privacy breaches. These databases can be accessed by unauthorized parties because of software vulnerabilities, security flaws, and human error; the result is a data breach that gives unauthorized parties access to private information. In some cases, insider attacks result in the loss, theft, or disclosure of protected health information. On the dark web, a single patient’s complete record can fetch hundreds of dollars. The healthcare industry is among the worst-affected industries when it comes to data breaches.

Healthcare Data Breaches Are At An All-Time High

The total number of people affected by healthcare data breaches from 2005 to 2019 was 249.09 million, according to figures compiled by various practitioners. In the last five years alone, 157.40 million people were affected. There were 2,216 data breaches reported from 65 countries in 2018; 536 of these were in the healthcare sector. In light of this, it may be concluded that the healthcare industry has had the most breaches of any industry. In 2019, 86 countries reported a total of 2,013 data breaches; 505 healthcare data breaches resulted in 41.2 million records being stolen, leaked, or illegally released.

While a healthcare industry breach costs $6.45 million on average, an average data breach costs $3.92 million. When compared to other countries, this cost was the greatest in the United States: there, an average data breach costs a company $8.19 million, and the average cost of a healthcare data breach is $15 million. Between 2014 and 2019, the average cost of a data breach climbed by 12%, while the average cost of a compromised record increased by 3.4%. According to a report by the Centers for Medicare and Medicaid Services (CMS), healthcare data breach costs rose by 19.4% between 2010 and 2013.

According to a survey by cybersecurity startup Critical Insight, the amount of patients’ protected health information (PHI) exposed in 2021 was the most ever. 45 million people were harmed by healthcare attacks in 2021, up from 34 million in 2020. According to the analysis, which examines breach data disclosed to the U.S. Department of Health and Human Services (HHS) by healthcare institutions, that number has tripled in just three years, from 14 million in 2018. The number of people impacted has climbed by 32% since 2020, indicating that each year, more records are compromised. Although the total number of breaches only increased by 2.4%, from 663 in 2020 to 679 in 2021, they nevertheless reached historic highs. According to John Delano, healthcare cybersecurity consultant at Critical Insight and vice president at Christus Health, “whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care. As we continue into 2022, healthcare organizations need to be on guard not only of their cybersecurity posture but also of third-party vendors that have access to data and networks. We are seeing more awareness and proactive approaches to cybersecurity within this sector, but there is still a long way to go.”

Largest Healthcare Data Breaches (2009-2021) 

| Rank | Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | American Medical Collection Agency | 2019 | Business Associate | 26,059,725 | Hacking/IT Incident |
| 3 | Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| 4 | Excellus Health Plan, Inc. | 2015 | Health Plan | 10,000,000 | Hacking/IT Incident |
| 5 | Science Applications International Corporation (SA | 2011 | Business Associate | 4,900,000 | Loss |
| 6 | University of California, Los Angeles Health | 2015 | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 7 | Community Health Systems Professional Services Corporations | 2014 | Business Associate | 4,500,000 | Hacking/IT Incident |
| 8 | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 2013 | Healthcare Provider | 4,029,530 | Theft |
| 9 | Medical Informatics Engineering | 2015 | Business Associate | 3,900,000 | Hacking/IT Incident |
| 10 | Banner Health | 2016 | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 11 | Florida Healthy Kids Corporation | 2021 | Health Plan | 3,500,000 | Hacking/IT Incident |
| 12 | Trinity Health | 2020 | Business Associate | 3,320,726 | Hacking/IT Incident |
| 13 | Newkirk Products, Inc. | 2016 | Business Associate | 3,466,120 | Hacking/IT Incident |
| 14 | 20/20 Eye Care Network, Inc | 2021 | Business Associate | 3,253,822 | Hacking/IT Incident |
| 15 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | 2019 | Health Plan | 2,964,778 | Hacking/IT Incident |
| 16 | AccuDoc Solutions, Inc. | 2018 | Business Associate | 2,652,537 | Hacking/IT Incident |
| 17 | Forefront Dermatology, S.C. | 2021 | Healthcare Provider | 2,413,553 | Hacking/IT Incident |
| 18 | 21st Century Oncology | 2016 | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 19 | Xerox State Healthcare, LLC | 2014 | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 20 | IBM | 2011 | Business Associate | 1,900,000 | Unknown |
| 21 | Dental Care Alliance, LLC | 2021 | Business Associate | 1,723,375 | Hacking/IT Incident |
| 22 | GRM Information Management Services | 2011 | Business Associate | 1,700,000 | Theft |
| 23 | NEC Networks, LLC d/b/a CaptureRx | 2021 | Business Associate | 1,656,569 | Hacking/IT Incident |
| 24 | Inmediata Health Group, Corp. | 2019 | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 25 | Eskenazi Health | 2021 | Healthcare Provider | 1,515,918 | Hacking/IT Incident |
Source: HIPAA Journal.

While dealing with pandemic-related events, healthcare IT departments may not have the time or resources to keep up with basic security measures or to uncover vulnerabilities that otherwise go undetected for weeks. It is not the time for hospital security to relax. Attackers are focusing on larger targets, and complex ransomware exploits are growing. Fraudsters are targeting business partners, health plans, and outpatient facilities to exploit supply chain security gaps. Healthcare institutions should have a full risk management policy and categorize business associates by the risk they pose.

Healthcare institutions can take several measures to reduce the risk of a data breach. Against ransomware, the best course of action is to have sensitive health information encrypted so that it cannot be accessed, read, or deciphered; in that case the Office for Civil Rights does not have to be notified of the attack. Two-factor authentication on privileged accounts is another step that should be taken to protect against stolen credentials. Other steps should be taken as well, such as checking all storage volumes (cloud and on-premises) for appropriate permissions and eliminating shadow IT environments created as workarounds.
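One of the measures above, checking storage volumes for appropriate permissions, is easy to script for an on-premises volume. The following audit is an added example, not code from the article or from I.S. Partners; it assumes a POSIX filesystem, an assumed policy (PHI grants nothing to "other" and is never group-writable), and builds its own constructed sample tree containing no real PHI.

```python
import os
import stat
import tempfile

# Assumed policy for this example (not from the article): PHI files and
# directories grant nothing to "other" and are never group-writable.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
GROUP_WRITE = stat.S_IWGRP

def check_mode(mode: int) -> list[str]:
    """Return the policy violations encoded in a POSIX permission mode."""
    problems = []
    if mode & OTHER_BITS:
        problems.append("world permissions set (any local user can access)")
    if mode & GROUP_WRITE:
        problems.append("group-writable")
    return problems

def audit_volume(root: str) -> list[tuple[str, str, str]]:
    """Walk a mounted volume and return (path, octal mode, problem) for every
    file or directory that breaks the policy. Symlinks are skipped, not followed."""
    findings: list[tuple[str, str, str]] = []
    for dirpath, _subdirs, filenames in os.walk(root, followlinks=False):
        # The directory itself plus its files; subdirs are seen on descent.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            for problem in check_mode(mode):
                findings.append((path, oct(mode), problem))
    return findings

def build_sample_volume() -> str:
    """Constructed sample tree (no real PHI): one locked-down record, one
    exported spreadsheet left world-readable and world-writable."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    os.chmod(root, 0o750)
    good = os.path.join(root, "patient_1001.json")
    bad = os.path.join(root, "billing_export.csv")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("constructed sample record\n")
    os.chmod(good, 0o640)
    os.chmod(bad, 0o666)
    return root
```

Running `audit_volume(build_sample_volume())` reports only the exported spreadsheet, once for its world permissions and once for being group-writable; point `audit_volume` at a real mount point to audit it.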

Related article: Preventing Healthcare Data Breaches with HITRUST. 

Helping Your Organization to Protect PHI 

Contact I.S. Partners today to begin developing a security and compliance strategy to protect your organization from cyberattacks and to better safeguard patient data.
