In 2023, the healthcare sector saw a significant rise in data breaches, with 727 incidents impacting nearly 133 million individuals, double the previous year's figure. This trend continued into 2024, with 116 breaches reported in just the first quarter, affecting over 13 million individuals.
March 2024 set a new record for healthcare data breaches. The HIPAA Journal reported a significant uptick, noting 93 breaches of 500 or more records reported to the HHS Office for Civil Rights (a 50% increase from February 2024 and a 41% increase YoY from March 2023). This marked the highest number of breaches reported in a single month since before the COVID-19 shutdown in 2020.
In 2024, healthcare CIOs and CTOs are focused on driving operational and financial efficiencies with strategic tech investments, from implementing EMR/ERP systems to managing supply chain risks and using AI to streamline patient care and operations. Cybersecurity is a top priority for safeguarding patient data and system integrity in a complex vendor ecosystem. IT security and data protection are the primary investments for 28% of healthcare leaders in 2024, as noted in a recent Gartner report.
Cyberattacks, especially ransomware and hacking, severely threaten healthcare data security. As reported by the HIPAA Journal, by December 2023, ransomware and hacking accounted for 83.78% of all data breaches in the healthcare sector, compromising 99.79% of affected records. In early 2024, over 5 million records were compromised in just one month.
MCNA Dental suffered a data breach from the LockBit ransomware group. The breach affected 9 million individuals and resulted in compromised personal information such as Social Security numbers. Despite a $10 million ransom demand, MCNA did not pay, and some data was leaked in April 2023.
In 2023, Change Healthcare, a UnitedHealth Group subsidiary, was hit by a major ransomware attack by the Blackcat group. The breach led to unauthorized access to the IT network, impacting a system that processes 15 billion billing transactions a year and processes about 50% of U.S. medical claims.
In a statement on April 22, 2024, UnitedHealth said the cyberattack may “cover a substantial proportion of people in America,” with estimates hovering over 100 million Americans impacted.
Insider threats often go unnoticed but play a significant role in data breaches, with unauthorized access by insiders accounting for 93% of reported incidents in 2023. Moreover, human factors such as social engineering, human errors, and misuse of privileges influenced 74% of all breaches, as indicated in Verizon's 2023 Data Breach Investigations Report.
In 2020, a former employee at Montefiore Medical Center stole patient data, impacting over 4,000 patients. The data were used to purchase goods and open fraudulent lines of credit, harming both the affected patients and the medical center's reputation.
The HCA Healthcare data breach, reported in July 2023, involved an unauthorized party making a list of certain patient information available on an online forum. The compromised data included various personal details such as names, locations, contact information, and appointment dates. The breach resulted from theft from an external storage location used for email formatting automation.
The WHO reports that supply chain attacks tripled in Q1 2024 compared to Q1 2023. Healthcare organizations rely on a web of suppliers and service providers to deliver care and manage operations. Each entity in this network is a potential cybercriminal target. With varying levels of cybersecurity maturity, third-party vendors can inadvertently become the Achilles' heel of data security.
A prime example of this occurred in 2020, when Blackbaud, a cloud computing provider renowned for its services to non-profits, including healthcare, fell victim to a cyberattack. This breach potentially exposed sensitive information from hundreds of healthcare entities relying on Blackbaud's solutions.
In 2023, a prominent healthcare software vendor, Accellion, was breached, impacting numerous organizations worldwide, including those in the healthcare sector. The attackers exploited vulnerabilities in Accellion's file transfer application to access sensitive data.
Like supply chain vulnerabilities, healthcare companies' business tools pose a significant risk. In March 2024, the HHS issued a major update, providing new guidance on the use of online tracking technologies by HIPAA-covered entities and their partners. This update aimed to clarify how HIPAA regulations extend to data collected through cookies, device identifiers, etc., used on websites, mobile apps, and other platforms that connect to outlets like Google, Meta (Facebook), and TikTok.
In 2022, Advocate Aurora Health and Novant Health experienced data exposure incidents caused by misconfigured tracking tools on patient portals and websites. The Advocate Aurora Health incident affected 3 million individuals, while the Novant Health incident affected 1.3 million.
In 2023, Cerebral's health app experienced a data breach that affected 3.1 million users. The breach stemmed from third-party tracking pixels implemented on Cerebral's platform without securing HIPAA-required assurances from subcontractors, resulting in unauthorized PHI disclosure.
IoT devices in healthcare are a leading entry point for cyberattacks, with 70% of breaches in 2023 linked to vulnerable network servers (HIPAA Journal). These devices include printers, routers, and IP cameras and often lack sufficient security measures, making them vulnerable to hacking attempts.
In 2023, Ardent Health Services suffered a major cybersecurity breach when hackers took advantage of a vulnerability in its IoT infrastructure. By compromising the hospital's networked temperature control systems, the attackers gained unauthorized access to the network and to sensitive patient data.
In 2024, Medtronic faced a critical issue when unauthorized users remotely accessed a series of networked insulin pumps due to unsecured wireless connectivity. This allowed the attackers to manipulate dosage controls, posing a direct threat to patient safety.
Printers are often overlooked in a company's security strategy but are "lucky charm" endpoints and targets for cyber-attacks. Recent reports show that insecure printing practices in companies lead to data loss and intellectual property theft: Only 1 in 5 IT decision-makers are confident about print infrastructure security, while 64% of companies report data loss due to insecure printing practices.
With 61% of organizations reporting data loss from unsecured printers in 2023, robust security protocols for these peripheral devices are crucial.
In 2021, Eskenazi Health suffered a ransomware attack by a group called Vice Society. The attackers exploited a security vulnerability known as PrintNightmare in Microsoft Windows servers to gain system privileges and install malware or ransomware. This led to the hospital shutting down its networks and ER, causing delays in procedures and diverting ambulances to other hospitals.
In 2022, OneTouchPoint, a major printing vendor, revealed that nearly 2.7 million individuals were affected by a breach. The breach impacted the vendor's healthcare clients, including 38 health plans, potentially exposing PHI. At least one health plan not on the reported list, Common Ground Healthcare Collaborative, reported 133,714 individuals affected by the OneTouchPoint hacking incident to HHS.
Despite the crucial role of the HIPAA Security Rule in safeguarding sensitive health data, many healthcare organizations face challenges in meeting compliance standards. The HHS OCR is entrusted with enforcing HIPAA regulations and has handled over 353,000 complaints in 2023 alone. This led to civil money penalties and settlements, resulting in fines totaling around $142.53 million.
In 2024, Montefiore Medical Center faced a significant HIPAA violation settlement, fined $4.75 million by the OCR for failing to conduct an adequate risk analysis and to implement procedures for reviewing records after a security breach. This breach involved a former employee who improperly accessed and stole the data of 12,517 patients.